Modularisation HAproxy

2018-04-12 20:36:46 +02:00 · 2018-04-12 20:36:46 +02:00 · ad6720fe82
parent 9d68ecb525
commit ad6720fe82
2 changed files with 126 additions and 89 deletions
--- a/haproxy-acme.nix
+++ b/haproxy-acme.nix
@ -0,0 +1,113 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.haproxy-acme;
+
+  nginx_port = 54321;
+in
+{
+  options.services.haproxy-acme = {
+    enable = mkEnableOption "HAproxy + ACME";
+
+    domaine = mkOption {
+      type = types.string;
+      example = "example.com";
+      description = ''
+        Sous domaine à utiliser
+
+        Il est necessaire d'avoir un enregistrement pointant sur la wildcard de ce domaine vers le serveur
+      '';
+    };
+
+    services = mkOption {
+      type = types.attrsOf types.attrs;
+      example = ''
+        haproxy_backends = {
+          example = { ip = "127.0.0.1"; port = 1234; auth = false; };
+        };
+      '';
+      description = "Liste des noms de domaines associés à leur backend";
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    services.haproxy.enable = true;
+
+    services.haproxy.config = "
+global
+  log /dev/log local0
+  log /dev/log local1 notice
+  user haproxy
+  group haproxy
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+defaults
+  option forwardfor
+  option http-server-close
+  timeout client 10s
+  timeout connect 4s
+  timeout server 30s
+userlist LOUTRE
+  user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
+frontend public
+  bind :::80 v4v6
+  bind :::443 v4v6 ssl crt /var/lib/acme/${cfg.domaine}/full.pem
+  mode http
+  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+  redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
+  use_backend letsencrypt-backend if letsencrypt-acl
+
+${concatStrings (
+  mapAttrsToList (name: value:
+    "  acl ${name}-acl hdr(host) -i ${name}.${cfg.domaine}\n"
+  + "  use_backend ${name}-backend if ${name}-acl\n"
+  ) cfg.services)}
+
+backend letsencrypt-backend
+  mode http
+  server letsencrypt 127.0.0.1:${toString nginx_port}
+
+${concatStrings (
+  mapAttrsToList (name: value:
+    ''
+    backend ${name}-backend
+      mode http
+      server ${name} ${value.ip}:${toString value.port}
+      ${(if value.auth then (
+        "\n  acl AuthOK_LOUTRE http_auth(LOUTRE)\n"
+      + "  http-request auth realm LOUTRE if !AuthOK_LOUTRE\n"
+      ) else "")}
+
+    ''
+  ) cfg.services)}
+      ";
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts = {
+      "acme" = {
+        listen = [ { addr = "127.0.0.1"; port = nginx_port; } ];
+        locations = { "/" = { root = "/var/www/challenges"; }; };
+      };
+    };
+
+    security.acme.certs = {
+      ${cfg.domaine} = {
+        extraDomains = mapAttrs' (name: value:
+          nameValuePair ("${name}.${cfg.domaine}") (null)
+        ) cfg.services;
+        webroot = "/var/www/challenges/";
+        email = "paul@nyanlout.re";
+        user = "haproxy";
+        group = "haproxy";
+        postRun = "systemctl reload haproxy";
+      };
+    };
+    security.acme.directory = "/var/lib/acme";
+
+  };
+}
--- a/services.nix
+++ b/services.nix
@ -3,8 +3,18 @@
 with lib;

 let
+  domaine = "tars.nyanlout.re";
+in

-  haproxy_backends = {
+{
+  imports = [
+    ./haproxy-acme.nix
+    ./mail-server.nix
+  ];
+
+  services.haproxy-acme.enable = true;
+  services.haproxy-acme.domaine = domaine;
+  services.haproxy-acme.services = {
    grafana = { ip = "127.0.0.1"; port = 3000; auth = false; };
    emby = { ip = "127.0.0.1"; port = 8096; auth = false; };
    radarr = { ip = "127.0.0.1"; port = 7878; auth = false; };
@ -13,91 +23,8 @@ let
    syncthing = { ip = "127.0.0.1"; port = 8384; auth = true; };
  };

-  domaine = "tars.nyanlout.re";
-
-in
-
-{
-  imports = [
-    ./mail-server.nix
-  ];
-
-  services.haproxy.enable = true;
-
-  services.haproxy.config = ''
-    global
-      log /dev/log local0
-      log /dev/log local1 notice
-      user haproxy
-      group haproxy
-      ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-      ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-      ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-    defaults
-      option forwardfor
-      option http-server-close
-      timeout client 10s
-      timeout connect 4s
-      timeout server 30s
-    userlist LOUTRE
-      user paul password $6$6rDdCtzSVsAwB6KP$V8bR7KP7FSL2BSEh6n3op6iYhAnsVSPI2Ar3H6MwKrJ/lZRzUI8a0TwVBD2JPnAntUhLpmRudrvdq2Ls2odAy.
-    frontend public
-      bind :::80 v4v6
-      bind :::443 v4v6 ssl crt /var/lib/acme/${domaine}/full.pem
-      mode http
-      acl letsencrypt-acl path_beg /.well-known/acme-challenge/
-      redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl
-      use_backend letsencrypt-backend if letsencrypt-acl
-
-    ${concatStrings (
-      mapAttrsToList (name: value:
-        "
-  acl ${name}-acl hdr(host) -i ${name}.${domaine}
-  use_backend ${name}-backend if ${name}-acl
-        ") haproxy_backends)}
-
-    backend letsencrypt-backend
-      mode http
-      server letsencrypt 127.0.0.1:54321
-
-    ${concatStrings (
-      mapAttrsToList (name: value:
-        ''
-
-backend ${name}-backend
-  mode http
-  server ${name} ${value.ip}:${toString value.port}
-  ${(if value.auth then (
-    "
-  acl AuthOK_LOUTRE http_auth(LOUTRE)
-  http-request auth realm LOUTRE if !AuthOK_LOUTRE
-    ") else "")}
-        ''
-        ) haproxy_backends)}
-    '';
-
-  services.nginx.enable = true;
-  services.nginx.virtualHosts = {
-    "acme" = {
-      listen = [ { addr = "127.0.0.1"; port = 54321; } ];
-      locations = { "/" = { root = "/var/www/challenges"; }; };
-    };
-  };
-
-  security.acme.certs = {
-    ${domaine} = {
-      extraDomains = mapAttrs' (name: value:
-        nameValuePair ("${name}.${domaine}") (null)
-      ) haproxy_backends;
-      webroot = "/var/www/challenges/";
-      email = "paul@nyanlout.re";
-      user = "haproxy";
-      group = "haproxy";
-      postRun = "systemctl reload haproxy";
-    };
-  };
-  security.acme.directory = "/var/lib/acme";
+  services.mailserver.enable = true;
+  services.mailserver.domaine = domaine;

  services.influxdb.enable = true;
  services.influxdb.dataDir = "/var/db/influxdb";
@ -166,9 +93,6 @@ backend ${name}-backend
  services.murmur.imgMsgLength = 0;
  services.murmur.textMsgLength = 0;

-  services.mailserver.enable = true;
-  services.mailserver.domaine = domaine;
-
  networking.firewall.allowedTCPPorts = [
    80 443 # HAProxy
 #    111 2049 4000 4001 4002 # NFS