Move haproxy into options

2023-06-05 15:21:11 +02:00 · 2023-06-05 15:21:11 +02:00 · 095d0c46c4
parent fdc5cdcde1
commit 095d0c46c4
3 changed files with 78 additions and 68 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -22,6 +22,7 @@
    ./services/docker-mailserver
    ./services/gitea
    ./services/grav
+    ./haproxy
    ./services/logs-share
    ./services/log-to-ram
    ./services/pipewire
--- a/modules/haproxy/default.nix
+++ b/modules/haproxy/default.nix
@ -1,77 +1,86 @@
-{ ... }:
+{ config, lib, ... }:
+let
+  cfg = config.services.az-haproxy;
+in
 {
-  networking = {
-    enableIPv6 = false;
-    firewall.allowedTCPPorts = [ 80 443 1936 ];
+  options = {
+    services.az-haproxy.enable = lib.mkEnableOption "Enable HAProxy";
  };
-  services.haproxy = {
-    enable = true;
-    config = ''
-      defaults
-        log stdout  format raw  local0  info
-        option tcplog
-        timeout connect 5s
-        timeout client  30s
-        timeout server  30s

-      listen haproxy-monitoring
-        bind *:1936
-        mode http
-        stats enable
-        stats hide-version
-        stats realm Haproxy\ Statistics
-        stats uri /
-        stats auth admin:password
+  config = lib.mkIf cfg.enable {
+    networking = {
+      enableIPv6 = false;
+      firewall.allowedTCPPorts = [ 80 443 1936 ];
+    };
+    services.haproxy = {
+      enable = true;
+      config = ''
+        defaults
+          log stdout  format raw  local0  info
+          option tcplog
+          timeout connect 5s
+          timeout client  30s
+          timeout server  30s

-      frontend http
-        bind *:80
-        mode http
-        redirect scheme https code 301 if { hdr(host) -i mail.zweili.org ! {ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i git.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i heimdall.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i nextcloud.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i ttrss.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i webmail.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i rss-bridge.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr(host) -i www.2li.ch } !{ ssl_fc }
-        redirect scheme https code 301 if { hdr_dom(host) -i 2li.ch } !{ ssl_fc }
+        listen haproxy-monitoring
+          bind *:1936
+          mode http
+          stats enable
+          stats hide-version
+          stats realm Haproxy\ Statistics
+          stats uri /
+          stats auth admin:password

-      frontend https
-        # Listen on port 443
-        bind *:443
-        mode tcp
+        frontend http
+          bind *:80
+          mode http
+          redirect scheme https code 301 if { hdr(host) -i mail.zweili.org ! {ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i git.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i heimdall.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i nextcloud.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i ttrss.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i webmail.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i rss-bridge.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr(host) -i www.2li.ch } !{ ssl_fc }
+          redirect scheme https code 301 if { hdr_dom(host) -i 2li.ch } !{ ssl_fc }

-        tcp-request inspect-delay 5s
-        tcp-request content accept if { req_ssl_hello_type 1 }
+        frontend https
+          # Listen on port 443
+          bind *:443
+          mode tcp

-        # Figure out which backend (= VM) to use
-        use_backend git_server if { req_ssl_sni -i git.2li.ch }
-        use_backend proxy if { req_ssl_sni -i heimdall.2li.ch }
-        use_backend mail_server if { req_ssl_sni -i mail.zweili.org }
-        use_backend nextcloud_server if { req_ssl_sni -i nextcloud.2li.ch }
-        use_backend ttrss_server if { req_ssl_sni -i ttrss.2li.ch }
-        use_backend ttrss_server if { req_ssl_sni -i rss-bridge.2li.ch }
-        use_backend proxy if { req_ssl_sni -i www.2li.ch }
-        use_backend proxy if { req_ssl_sni -i 2li.ch }
+          tcp-request inspect-delay 5s
+          tcp-request content accept if { req_ssl_hello_type 1 }

-      backend grav_server
-        mode tcp
-        server server1 10.7.89.102:443 check
-      backend git_server
-        mode tcp
-        server server1 10.7.89.109:443 check
-      backend nextcloud_server
-        mode tcp
-        server server1 10.7.89.103:443 check
-      backend ttrss_server
-        mode tcp
-        server server1 10.7.89.115:443 check
-      backend mail_server
-        mode tcp
-        server server1 10.7.89.123:443 check
-      backend proxy
-        mode tcp
-        server server1 127.0.0.1:4433 check
-    '';
+          # Figure out which backend (= VM) to use
+          use_backend git_server if { req_ssl_sni -i git.2li.ch }
+          use_backend proxy if { req_ssl_sni -i heimdall.2li.ch }
+          use_backend mail_server if { req_ssl_sni -i mail.zweili.org }
+          use_backend nextcloud_server if { req_ssl_sni -i nextcloud.2li.ch }
+          use_backend ttrss_server if { req_ssl_sni -i ttrss.2li.ch }
+          use_backend ttrss_server if { req_ssl_sni -i rss-bridge.2li.ch }
+          use_backend proxy if { req_ssl_sni -i www.2li.ch }
+          use_backend proxy if { req_ssl_sni -i 2li.ch }
+
+        backend grav_server
+          mode tcp
+          server server1 10.7.89.102:443 check
+        backend git_server
+          mode tcp
+          server server1 10.7.89.109:443 check
+        backend nextcloud_server
+          mode tcp
+          server server1 10.7.89.103:443 check
+        backend ttrss_server
+          mode tcp
+          server server1 10.7.89.115:443 check
+        backend mail_server
+          mode tcp
+          server server1 10.7.89.123:443 check
+        backend proxy
+          mode tcp
+          server server1 127.0.0.1:4433 check
+      '';
+    };
  };
 }
--- a/systems/proxy/default.nix
+++ b/systems/proxy/default.nix
@ -10,12 +10,12 @@
      time = "00:00";
    })
    "${inputs.self}/modules/nginx-acme-base"
-    "${inputs.self}/modules/haproxy"
    "${inputs.self}/modules/heimdall"
  ];

  services = {
    az-grav.enable = true;
+    az-haproxy.enable = true;
    nginx = {
      commonHttpConfig = ''
        # Add HSTS header with preloading to HTTPS requests.