Ajout HAProxy

2018-04-03 21:13:18 +02:00 · 2018-04-03 21:13:18 +02:00 · b8379b3ff9
commit b8379b3ff9
parent 7822ca315d
1 changed files with 43 additions and 0 deletions
--- a/services.nix
+++ b/services.nix
@ -1,6 +1,48 @@
 { config, pkgs, ... }:

 {
+  services.haproxy.enable = true;
+  services.haproxy.config = ''
+    defaults
+      log /dev/log local0
+      log /dev/log local1 notice
+      chroot /var/lib/haproxy
+      user haproxy
+      group haproxy
+      option forwardfor
+      option http-server-close
+    frontend www-http
+      bind tars.nyanlout.re:80
+      reqadd X-Forwarded-Proto:\ http
+      default_backend www-backend
+    frontend www-https
+      bind tars.nyanlout.re:443 ssl crt /var/lib/acme/tars.nyanlout.re/fullchain.pem
+      reqadd X-Forwarded-Proto:\ https
+      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+      use_backend letsencrypt-backend if letsencrypt-acl
+      default_backend www-backend
+    backend www-backend
+      redirect scheme https if !{ ssl_fc }
+      server www-1 127.0.0.1:3000 check
+    backend letsencrypt-backend
+      server letsencrypt 127.0.0.1:54321
+  '';
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts = {
+    "acme" = {
+      listen = [ { port = 54321; } ];
+      locations = { "/" = { root = "/var/www/challenges" }; };
+    };
+  };
+
+  security.acme.certs = {
+    "tars.nyanlout.re" = {
+      webroot = "/var/www/challenges";
+      email = "paul@nyanlout.re";
+    };
+  };
+
  services.influxdb.enable = true;
  services.influxdb.dataDir = "/var/db/influxdb";

@ -64,6 +106,7 @@
  };

  networking.firewall.allowedTCPPorts = [
+    80 443 # HAProxy
    3000 # Grafana
    8096 # Emby
    111 2049 4000 4001 4002 # NFS