diff --git a/services/haproxy-acme.nix b/services/haproxy-acme.nix index 8cfa574fb..b16cf76f1 100644 --- a/services/haproxy-acme.nix +++ b/services/haproxy-acme.nix @@ -6,6 +6,78 @@ let cfg = config.services.haproxy-acme; nginx_port = 54321; + + haproxyConf = '' + global + log /dev/log local0 + log /dev/log local1 notice + user haproxy + group haproxy + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + defaults + option forwardfor + option http-server-close + timeout client 10s + timeout connect 4s + timeout server 30s + userlist LOUTRE + user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy. + frontend public + bind :::80 v4v6 + bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1 + mode http + acl letsencrypt-acl path_beg /.well-known/acme-challenge/ + acl haproxy-acl path_beg /haproxy + redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl + http-response set-header Strict-Transport-Security max-age=15768000 + use_backend letsencrypt-backend if letsencrypt-acl + use_backend haproxy_stats if haproxy-acl + + ${concatStrings ( + mapAttrsToList (name: value: + " acl ${name}-acl hdr(host) -i ${name}\n" + + " use_backend ${name}-backend if ${name}-acl\n" + ) cfg.services)} + + backend letsencrypt-backend + mode http + server letsencrypt 127.0.0.1:${toString nginx_port} + backend haproxy_stats + mode http + stats enable + stats hide-version + acl AuthOK_LOUTRE http_auth(LOUTRE) + http-request auth realm LOUTRE if !AuthOK_LOUTRE + + ${concatStrings ( + mapAttrsToList (name: value: + '' + backend ${name}-backend + mode http + ${( + if value.socket == "" then + '' + server ${name} ${value.ip}:${toString value.port} + '' + else + '' + server ${name} ${value.socket} + '' + )} + ${(if value.auth then ( + value.extraAcls + + '' + acl AUTH_OK http_auth(LOUTRE) + http-request auth realm LOUTRE if ${value.aclBool} + '' + ) else "")} + '' + ) cfg.services)} + + ''; in { options.services.haproxy-acme = { @@ -43,77 +115,7 @@ in services.haproxy.enable = true; - services.haproxy.config = '' - global - log /dev/log local0 - log /dev/log local1 notice - user haproxy - group haproxy - ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - defaults - option forwardfor - option http-server-close - timeout client 10s - timeout connect 4s - timeout server 30s - userlist LOUTRE - user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy. - frontend public - bind :::80 v4v6 - bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem alpn h2,http/1.1 - mode http - acl letsencrypt-acl path_beg /.well-known/acme-challenge/ - acl haproxy-acl path_beg /haproxy - redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl - http-response set-header Strict-Transport-Security max-age=15768000 - use_backend letsencrypt-backend if letsencrypt-acl - use_backend haproxy_stats if haproxy-acl - - ${concatStrings ( - mapAttrsToList (name: value: - " acl ${name}-acl hdr(host) -i ${name}\n" - + " use_backend ${name}-backend if ${name}-acl\n" - ) cfg.services)} - - backend letsencrypt-backend - mode http - server letsencrypt 127.0.0.1:${toString nginx_port} - backend haproxy_stats - mode http - stats enable - stats hide-version - acl AuthOK_LOUTRE http_auth(LOUTRE) - http-request auth realm LOUTRE if !AuthOK_LOUTRE - - ${concatStrings ( - mapAttrsToList (name: value: - '' - backend ${name}-backend - mode http - ${( - if value.socket == "" then - '' - server ${name} ${value.ip}:${toString value.port} - '' - else - '' - server ${name} ${value.socket} - '' - )} - ${(if value.auth then ( - value.extraAcls - + '' - acl AUTH_OK http_auth(LOUTRE) - http-request auth realm LOUTRE if ${value.aclBool} - '' - ) else "")} - '' - ) cfg.services)} - - ''; + services.haproxy.config = haproxyConf; services.nginx.enable = true; services.nginx.virtualHosts = {