vskilet/nixos-config
1
0
Fork 0
forked from nyanloutre/nixos-config
Code Issues Pull Requests Releases Wiki Activity

Modularisation HAproxy

Browse Source
This commit is contained in:
nyanloutre 2018-04-12 20:36:46 +02:00
parent 9d68ecb525
commit ad6720fe82
2 changed files with 126 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
haproxy-acme.nix Normal file
View File

@ -0,0 +1,113 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.haproxy-acme;
nginx_port = 54321;
in
{
options.services.haproxy-acme = {
enable = mkEnableOption "HAproxy + ACME";
domaine = mkOption {
type = types.string;
example = "example.com";
description = ''
Sous domaine à utiliser
Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur
'';
};
services = mkOption {
type = types.attrsOf types.attrs;
example = ''
haproxy_backends = {
example = { ip = "127.0.0.1"; port = 1234; auth = false; };
};
'';
description = "Liste des noms de domaines associés à leur backend";
};
};
config = mkIf cfg.enable {
services.haproxy.enable = true;
services.haproxy.config = "
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
option forwardfor
option http-server-close
timeout client 10s
timeout connect 4s
timeout server 30s
userlist LOUTRE
user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
frontend public
bind :::80 v4v6
bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem
mode http
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
use_backend letsencrypt-backend if letsencrypt-acl
${concatStrings (
mapAttrsToList (name: value:
" acl ${name}-acl hdr(host) -i ${name}.${cfg.domaine}\n"
+ " use_backend ${name}-backend if ${name}-acl\n"
) cfg.services)}
backend letsencrypt-backend
mode http
server letsencrypt 127.0.0.1:${toString nginx_port}
${concatStrings (
mapAttrsToList (name: value:
''
backend ${name}-backend
mode http
server ${name} ${value.ip}:${toString value.port}
${(if value.auth then (
"\n acl AuthOK_LOUTRE http_auth(LOUTRE)\n"
+ " http-request auth realm LOUTRE if !AuthOK_LOUTRE\n"
) else "")}
''
) cfg.services)}
";
services.nginx.enable = true;
services.nginx.virtualHosts = {
"acme" = {
listen = [ { addr = "127.0.0.1"; port = nginx_port; } ];
locations = { "/" = { root = "/var/www/challenges"; }; };
};
};
security.acme.certs = {
${cfg.domaine} = {
extraDomains = mapAttrs' (name: value:
nameValuePair ("${name}.${cfg.domaine}") (null)
) cfg.services;
webroot = "/var/www/challenges/";
email = "paul@nyanlout.re";
user = "haproxy";
group = "haproxy";
postRun = "systemctl reload haproxy";
};
};
security.acme.directory = "/var/lib/acme";
};
}

102
services.nix
View File

@ -3,8 +3,18 @@
with lib; with lib;
let let
domaine = "tars.nyanlout.re";
in
haproxy_backends = { {
imports = [
./haproxy-acme.nix
./mail-server.nix
];
services.haproxy-acme.enable = true;
services.haproxy-acme.domaine = domaine;
services.haproxy-acme.services = {
grafana = { ip = "127.0.0.1"; port = 3000; auth = false; }; grafana = { ip = "127.0.0.1"; port = 3000; auth = false; };
emby = { ip = "127.0.0.1"; port = 8096; auth = false; }; emby = { ip = "127.0.0.1"; port = 8096; auth = false; };
radarr = { ip = "127.0.0.1"; port = 7878; auth = false; }; radarr = { ip = "127.0.0.1"; port = 7878; auth = false; };
@ -13,91 +23,8 @@ let
syncthing = { ip = "127.0.0.1"; port = 8384; auth = true; }; syncthing = { ip = "127.0.0.1"; port = 8384; auth = true; };
}; };
domaine = "tars.nyanlout.re"; services.mailserver.enable = true;
services.mailserver.domaine = domaine;
in
{
imports = [
./mail-server.nix
];
services.haproxy.enable = true;
services.haproxy.config = ''
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
option forwardfor
option http-server-close
timeout client 10s
timeout connect 4s
timeout server 30s
userlist LOUTRE
user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
frontend public
bind :::80 v4v6
bind :::443 v4v6 ssl crt /var/lib/acme/${domaine}/full.pem
mode http
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
use_backend letsencrypt-backend if letsencrypt-acl
${concatStrings (
mapAttrsToList (name: value:
"
acl ${name}-acl hdr(host) -i ${name}.${domaine}
use_backend ${name}-backend if ${name}-acl
") haproxy_backends)}
backend letsencrypt-backend
mode http
server letsencrypt 127.0.0.1:54321
${concatStrings (
mapAttrsToList (name: value:
''
backend ${name}-backend
mode http
server ${name} ${value.ip}:${toString value.port}
${(if value.auth then (
"
acl AuthOK_LOUTRE http_auth(LOUTRE)
http-request auth realm LOUTRE if !AuthOK_LOUTRE
") else "")}
''
) haproxy_backends)}
'';
services.nginx.enable = true;
services.nginx.virtualHosts = {
"acme" = {
listen = [ { addr = "127.0.0.1"; port = 54321; } ];
locations = { "/" = { root = "/var/www/challenges"; }; };
};
};
security.acme.certs = {
${domaine} = {
extraDomains = mapAttrs' (name: value:
nameValuePair ("${name}.${domaine}") (null)
) haproxy_backends;
webroot = "/var/www/challenges/";
email = "paul@nyanlout.re";
user = "haproxy";
group = "haproxy";
postRun = "systemctl reload haproxy";
};
};
security.acme.directory = "/var/lib/acme";
services.influxdb.enable = true; services.influxdb.enable = true;
services.influxdb.dataDir = "/var/db/influxdb"; services.influxdb.dataDir = "/var/db/influxdb";
@ -166,9 +93,6 @@ backend ${name}-backend
services.murmur.imgMsgLength = 0; services.murmur.imgMsgLength = 0;
services.murmur.textMsgLength = 0; services.murmur.textMsgLength = 0;
services.mailserver.enable = true;
services.mailserver.domaine = domaine;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 443 # HAProxy 80 443 # HAProxy
# 111 2049 4000 4001 4002 # NFS # 111 2049 4000 4001 4002 # NFS