Mapping wizardry

services.nix

@@ -1,7 +1,24 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  haproxy_backends = {
+    grafana = { ip = "127.0.0.1"; port = 3000; auth = false; };
+    emby = { ip = "127.0.0.1"; port = 8096; auth = false; };
+    radarr = { ip = "127.0.0.1"; port = 7878; auth = false; };
+    transmission = { ip = "127.0.0.1"; port = 9091; auth = true; };
+    syncthing = { ip = "127.0.0.1"; port = 8384; auth = true; };
+  };
+
+  domaine = "tars.nyanlout.re";
+
+in
 
 {
   services.haproxy.enable = true;
+
   services.haproxy.config = ''
     global
       log /dev/log local0
@@ -22,44 +39,38 @@
       user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
     frontend public
       bind :::80 v4v6
-      bind :::443 v4v6 ssl crt /var/lib/acme/tars.nyanlout.re/full.pem
+      bind :::443 v4v6 ssl crt /var/lib/acme/${domaine}/full.pem
       mode http
       acl letsencrypt-acl path_beg /.well-known/acme-challenge/
       redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
       use_backend letsencrypt-backend if letsencrypt-acl
-      acl grafana-acl hdr(host) -i grafana.tars.nyanlout.re
+
-      acl emby-acl hdr(host) -i emby.tars.nyanlout.re
+    ${concatStrings (
-      acl radarr-acl hdr(host) -i radarr.tars.nyanlout.re
+      mapAttrsToList (name: value:
-      acl transmission-acl hdr(host) -i transmission.tars.nyanlout.re
+        "
-      acl syncthing-acl hdr(host) -i syncthing.tars.nyanlout.re
+  acl ${name}-acl hdr(host) -i ${name}.${domaine}
-      use_backend grafana-backend if grafana-acl
+  use_backend ${name}-backend if ${name}-acl
-      use_backend emby-backend if emby-acl
+        ") haproxy_backends)}
-      use_backend radarr-backend if radarr-acl
+
-      use_backend transmission-backend if transmission-acl
-      use_backend syncthing-backend if syncthing-acl
     backend letsencrypt-backend
       mode http
       server letsencrypt 127.0.0.1:54321
-    backend grafana-backend
+
-      mode http
+    ${concatStrings (
-      server grafana 127.0.0.1:3000 check
+      mapAttrsToList (name: value:
-    backend emby-backend
+        ''
-      mode http
+
-      server emby 127.0.0.1:8096 check
+backend ${name}-backend
-    backend radarr-backend
+  mode http
-      mode http
+  server ${name} ${value.ip}:${toString value.port}
-      server radarr 127.0.0.1:7878 check
+  ${(if value.auth then (
-    backend transmission-backend
+    "
-      mode http
+  acl AuthOK_LOUTRE http_auth(LOUTRE)
-      acl AuthOK_LOUTRE http_auth(LOUTRE)
+  http-request auth realm LOUTRE if !AuthOK_LOUTRE
-      http-request auth realm LOUTRE if !AuthOK_LOUTRE
+    ") else "")}
-      server transmission 127.0.0.1:9091 check
+        ''
-    backend syncthing-backend
+        ) haproxy_backends)}
-      mode http
+    '';
-      acl AuthOK_LOUTRE http_auth(LOUTRE)
-      http-request auth realm LOUTRE if !AuthOK_LOUTRE
-      server syncthing 127.0.0.1:8384 check
-  '';
 
   services.nginx.enable = true;
   services.nginx.virtualHosts = {
@@ -70,14 +81,10 @@
   };
 
   security.acme.certs = {
-    "tars.nyanlout.re" = {
+    ${domaine} = {
-      extraDomains = {
+      extraDomains = mapAttrs' (name: value:
-        "grafana.tars.nyanlout.re" = null;
+        nameValuePair ("${name}.${domaine}") (null)
-        "emby.tars.nyanlout.re" = null;
+      ) haproxy_backends;
-        "radarr.tars.nyanlout.re" = null;
-        "transmission.tars.nyanlout.re" = null;
-        "syncthing.tars.nyanlout.re" = null;
-      };
       webroot = "/var/www/challenges/";
       email = "paul@nyanlout.re";
       user = "haproxy";