diff --git a/haproxy-acme.nix b/haproxy-acme.nix new file mode 100644 index 0000000..221babf --- /dev/null +++ b/haproxy-acme.nix @@ -0,0 +1,113 @@ +{ lib, config, pkgs, ... }: + +with lib; + +let + cfg = config.services.haproxy-acme; + + nginx_port = 54321; +in +{ + options.services.haproxy-acme = { + enable = mkEnableOption "HAproxy + ACME"; + + domaine = mkOption { + type = types.string; + example = "example.com"; + description = '' + Sous domaine à utiliser + + Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur + ''; + }; + + services = mkOption { + type = types.attrsOf types.attrs; + example = '' + haproxy_backends = { + example = { ip = "127.0.0.1"; port = 1234; auth = false; }; + }; + ''; + description = "Liste des noms de domaines associés à leur backend"; + }; + }; + + config = mkIf cfg.enable { + + services.haproxy.enable = true; + + services.haproxy.config = " +global + log /dev/log local0 + log /dev/log local1 notice + user haproxy + group haproxy + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets +defaults + option forwardfor + option http-server-close + timeout client 10s + timeout connect 4s + timeout server 30s +userlist LOUTRE + user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy. +frontend public + bind :::80 v4v6 + bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem + mode http + acl letsencrypt-acl path_beg /.well-known/acme-challenge/ + redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl + use_backend letsencrypt-backend if letsencrypt-acl + +${concatStrings ( + mapAttrsToList (name: value: + " acl ${name}-acl hdr(host) -i ${name}.${cfg.domaine}\n" + + " use_backend ${name}-backend if ${name}-acl\n" + ) cfg.services)} + +backend letsencrypt-backend + mode http + server letsencrypt 127.0.0.1:${toString nginx_port} + +${concatStrings ( + mapAttrsToList (name: value: + '' + backend ${name}-backend + mode http + server ${name} ${value.ip}:${toString value.port} + ${(if value.auth then ( + "\n acl AuthOK_LOUTRE http_auth(LOUTRE)\n" + + " http-request auth realm LOUTRE if !AuthOK_LOUTRE\n" + ) else "")} + + '' + ) cfg.services)} + "; + + services.nginx.enable = true; + services.nginx.virtualHosts = { + "acme" = { + listen = [ { addr = "127.0.0.1"; port = nginx_port; } ]; + locations = { "/" = { root = "/var/www/challenges"; }; }; + }; + }; + + security.acme.certs = { + ${cfg.domaine} = { + extraDomains = mapAttrs' (name: value: + nameValuePair ("${name}.${cfg.domaine}") (null) + ) cfg.services; + webroot = "/var/www/challenges/"; + email = "paul@nyanlout.re"; + user = "haproxy"; + group = "haproxy"; + postRun = "systemctl reload haproxy"; + }; + }; + security.acme.directory = "/var/lib/acme"; + + }; +} diff --git a/services.nix b/services.nix index f86758b..a539a68 100644 --- a/services.nix +++ b/services.nix @@ -3,8 +3,18 @@ with lib; let + domaine = "tars.nyanlout.re"; +in - haproxy_backends = { +{ + imports = [ + ./haproxy-acme.nix + ./mail-server.nix + ]; + + services.haproxy-acme.enable = true; + services.haproxy-acme.domaine = domaine; + services.haproxy-acme.services = { grafana = { ip = "127.0.0.1"; port = 3000; auth = false; }; emby = { ip = "127.0.0.1"; port = 8096; auth = false; }; radarr = { ip = "127.0.0.1"; port = 7878; auth = false; }; @@ -13,91 +23,8 @@ let syncthing = { ip = "127.0.0.1"; port = 8384; auth = true; }; }; - domaine = "tars.nyanlout.re"; - -in - -{ - imports = [ - ./mail-server.nix - ]; - - services.haproxy.enable = true; - - services.haproxy.config = '' - global - log /dev/log local0 - log /dev/log local1 notice - user haproxy - group haproxy - ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - defaults - option forwardfor - option http-server-close - timeout client 10s - timeout connect 4s - timeout server 30s - userlist LOUTRE - user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy. - frontend public - bind :::80 v4v6 - bind :::443 v4v6 ssl crt /var/lib/acme/${domaine}/full.pem - mode http - acl letsencrypt-acl path_beg /.well-known/acme-challenge/ - redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl - use_backend letsencrypt-backend if letsencrypt-acl - - ${concatStrings ( - mapAttrsToList (name: value: - " - acl ${name}-acl hdr(host) -i ${name}.${domaine} - use_backend ${name}-backend if ${name}-acl - ") haproxy_backends)} - - backend letsencrypt-backend - mode http - server letsencrypt 127.0.0.1:54321 - - ${concatStrings ( - mapAttrsToList (name: value: - '' - -backend ${name}-backend - mode http - server ${name} ${value.ip}:${toString value.port} - ${(if value.auth then ( - " - acl AuthOK_LOUTRE http_auth(LOUTRE) - http-request auth realm LOUTRE if !AuthOK_LOUTRE - ") else "")} - '' - ) haproxy_backends)} - ''; - - services.nginx.enable = true; - services.nginx.virtualHosts = { - "acme" = { - listen = [ { addr = "127.0.0.1"; port = 54321; } ]; - locations = { "/" = { root = "/var/www/challenges"; }; }; - }; - }; - - security.acme.certs = { - ${domaine} = { - extraDomains = mapAttrs' (name: value: - nameValuePair ("${name}.${domaine}") (null) - ) haproxy_backends; - webroot = "/var/www/challenges/"; - email = "paul@nyanlout.re"; - user = "haproxy"; - group = "haproxy"; - postRun = "systemctl reload haproxy"; - }; - }; - security.acme.directory = "/var/lib/acme"; + services.mailserver.enable = true; + services.mailserver.domaine = domaine; services.influxdb.enable = true; services.influxdb.dataDir = "/var/db/influxdb"; @@ -166,9 +93,6 @@ backend ${name}-backend services.murmur.imgMsgLength = 0; services.murmur.textMsgLength = 0; - services.mailserver.enable = true; - services.mailserver.domaine = domaine; - networking.firewall.allowedTCPPorts = [ 80 443 # HAProxy # 111 2049 4000 4001 4002 # NFS