diff --git a/default.nix b/default.nix index 6fe5f00..4970af1 100644 --- a/default.nix +++ b/default.nix @@ -26,8 +26,8 @@ in { networking.nameservers = [ - "9.9.9.9" - "1.1.1.1" + "141.56.1.1" + "141.56.1.2" ]; boot.kernelPackages = pkgs.linuxPackages_latest; @@ -38,7 +38,7 @@ in "nix-command" "flakes" ]; - trusted-users = [ "administration" ]; + # trusted-users = [ "administration" ]; auto-optimise-store = true; }; optimise.automatic = true; @@ -60,11 +60,12 @@ in }; users.users = { - administration = { - isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - openssh.authorizedKeys.keys = keys; - }; + # erstmal nur mit root + # administration = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # openssh.authorizedKeys.keys = keys; + # }; root = { openssh.authorizedKeys.keys = keys; }; diff --git a/flake.nix b/flake.nix index 3b422b3..ddd788f 100644 --- a/flake.nix +++ b/flake.nix 
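Review bot: With the `administration` user commented out, `root` is the only account that still carries `openssh.authorizedKeys.keys = keys`, so every administrator now logs in as root directly and the per-person login trail (and the sudo log that the `wheel` membership gave) is gone; `# erstmal nur mit root` marks this as temporary, so the hunk should say what the intended end state is. Dropping `trusted-users = [ "administration" ]` at the same time is the right call, since a trusted user is root-equivalent for the nix daemon, but that deserves an English comment, e.g. `# trusted-users is root-equivalent; intentionally unset while only root deploys`. The commented-out user block itself is better deleted than kept: git history preserves it, and dead config inside `users.users` is easy to mistake for an active account.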
@@ -47,30 +47,8 @@ # run nixos-rebuild switch on the target system # the config will be built locally and copied over "${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" '' - nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de + nixos-rebuild switch --flake .#${name} --target-host root@${(builtins.head (nixosConfigurations.${name}.config.networking.interfaces.${builtins.head (builtins.attrNames nixosConfigurations.${name}.config.networking.interfaces)}.ipv4.addresses)).address} ''; - - # copy install image to testserver and deploy the specified configuration to it - "${name}-deploy-test" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "deploy" '' - FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)" - scp ${ - self.packages.x86_64-linux."installer-iso".outPath - }/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME - ssh 10.1.0.17 "qm create $1 --name ${ - nixosConfigurations.${name}.config.networking.fqdn - } --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm
${ - nixosConfigurations.${name}.config.networking.fqdn - }\"" - ssh 10.1.0.17 "qm start $1" - - # hardcoded deployment ip - # wait until a connection to port 22 on the deployment ip is reachable - until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done - - # run nixos-anywhere on the deployment address with the specified configuration - nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98 - ''; - } ) { } @@ -129,7 +107,7 @@ authentik.nixosModules.default mailserver.nixosModules.mailserver { - _module.args = { inherit modulesPath; }; + _module.args = { inherit self modulesPath; }; } ]; }; diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix deleted file mode 100644 index c7e1c3f..0000000 --- a/hosts/auth/authentik.nix +++ /dev/null 
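Review bot: The new `--target-host` for `${name}-update` is built from `builtins.head (builtins.attrNames …networking.interfaces)`, and `attrNames` returns names in lexical order, so the deploy target is whichever interface sorts first rather than "the" interface; adding a second interface to a host would silently repoint the update at another address. If the single-interface assumption is intended, state it next to the expression, e.g. `# assumes each host declares exactly one interface with one ipv4 address`, or expose an explicit per-host option and read that instead. Switching from the `.test.htw.stura-dresden.de` name to a bare IP also changes the key under which ssh looks the host up in known_hosts, so the first run will prompt for host-key trust again; pinning the host keys via `programs.ssh.knownHosts` on the admin side avoids a blind accept. The same interface-lookup expression reappears in hosts/proxy/default.nix in this commit; a small helper in the flake would keep both in sync.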
@@ -1,74 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- users.groups.authentik = { };
- users.users.authentik = {
- isSystemUser = true;
- extraGroups = [ "docker" ];
- group = "authentik";
- };
-
- virtualisation.docker.enable = true;
-
- systemd.services = {
- authentik-secrets-setup = {
- enable = true;
- };
- };
- services.authentik-ldap = {
- enable = true;
- environmentFile = "/var/lib/authentik-ldap-env";
- };
- services.authentik = {
- enable = true;
- # The environmentFile needs to be on the target host!
- # Best use something like sops-nix or agenix to manage it
- environmentFile = "/var/lib/authentik_secret";
- settings = {
- email = {
- host = "mail.${config.networking.domain}";
- port = 25;
- username = "authentik@${config.networking.domain}";
- use_tls = false;
- use_ssl = false;
- from = "authentik@${config.networking.domain}";
- };
- disable_startup_analytics = true;
- avatars = "initials";
- };
- };
-
- systemd.services.authentik-secrets-generator = {
- enable = true;
- requiredBy = [
- "authentik-secrets-setup.service"
- "authentik-worker.service"
- ];
- script = ''
- echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
- '';
- };
-
- services.nginx = {
- enable = true;
- virtualHosts = {
- "auth.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:9000";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- extraConfig = ''
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- '';
- };
- };
- };
- };
-}
diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix
deleted file mode 100644
index 5954d64..0000000
--- a/hosts/auth/default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-{
- imports = [
- ./hardware-configuration.nix
- ./authentik.nix
- ];
-
- networking.hostName = "auth";
- networking.interfaces.ens18.ipv4.addresses = [
- {
- address = "141.56.51.96";
- prefixLength = 24;
- }
- ];
-
- networking.defaultGateway.address = "141.56.51.254";
- networking.nameservers = [
- "9.9.9.9"
- "1.1.1.1"
- ];
-
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- 3389
- ];
-
- system.stateVersion = "25.05";
-}
diff --git a/hosts/auth/hardware-configuration.nix b/hosts/auth/hardware-configuration.nix
deleted file mode 100644
index b92ae55..0000000
--- a/hosts/auth/hardware-configuration.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # fileSystems."/" =
- # {
- # device = "/dev/sda1";
- # fsType = "ext4";
- # };
-
- # swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/auth/hetzner-disk.nix b/hosts/auth/hetzner-disk.nix
deleted file mode 100644
index a679e7c..0000000
--- a/hosts/auth/hetzner-disk.nix
+++ /dev/null
@@ -1,56 +0,0 @@ -{ - disko.devices = { - disk = { - main = { - type = "disk"; - device = "/dev/sda"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - ESP = { - priority = 1; - name = "ESP"; - start = "1M"; - end = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - "/rootfs" = { - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - # Sub(sub)volume doesn't need a mountpoint as its parent is mounted - "/nix" = { - mountOptions = [ - "compress=zstd" - "noatime" - ]; - mountpoint = "/nix"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/git/default.nix b/hosts/git/default.nix index 178a8eb..7673e79 100644 --- a/hosts/git/default.nix +++ b/hosts/git/default.nix @@ -4,25 +4,6 @@ pkgs, ... }: -let - generatedAliases = pkgs.writeText "generated-aliases" ( - lib.concatStringsSep "\n" ( - lib.mapCartesianProduct - ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de") - { - aliases = [ - "abuse" - "hostmaster" - "noreply" - "postmaster" - "webmaster" - ]; - domain = config.mailserver.domains; - } - ) - ); - -in { imports = [ ./hardware-configuration.nix @@ -39,10 +20,8 @@ in defaultGateway.address = "141.56.51.254"; firewall.allowedTCPPorts = [ - 25 80 443 - 597 ]; }; diff --git a/hosts/git/hardware-configuration.nix b/hosts/git/hardware-configuration.nix deleted file mode 100644 index b92ae55..0000000 --- a/hosts/git/hardware-configuration.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # fileSystems."/" =
- # {
- # device = "/dev/sda1";
- # fsType = "ext4";
- # };
-
- # swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/git/hetzner-disk.nix b/hosts/git/hetzner-disk.nix
deleted file mode 100644
index a679e7c..0000000
--- a/hosts/git/hetzner-disk.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- disko.devices = {
- disk = {
- main = {
- type = "disk";
- device = "/dev/sda";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02"; # for grub MBR
- };
- ESP = {
- priority = 1;
- name = "ESP";
- start = "1M";
- end = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
- };
- };
- root = {
- size = "100%";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ]; # Override existing partition
- subvolumes = {
- "/rootfs" = {
- mountpoint = "/";
- };
- "/home" = {
- mountOptions = [ "compress=zstd" ];
- mountpoint = "/home";
- };
- # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
- "/nix" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/nix";
- };
- };
- };
- };
- };
- };
- };
- };
- };
-}
diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix
deleted file mode 100644
index 75b5f84..0000000
--- a/hosts/mail/default.nix
+++ /dev/null
@@ -1,206 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- generatedAliases = pkgs.writeText "generated-aliases" (
- lib.concatStringsSep "\n" (
- lib.mapCartesianProduct
- ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de")
- {
- aliases = [
- "abuse"
- "hostmaster"
- "noreply"
- "postmaster"
- "webmaster"
- ];
- domain = config.mailserver.domains;
- }
- )
- );
-
-in
-{
- imports = [
- ./hardware-configuration.nix
- ];
-
- security.pam.loginLimits = [
- {
- domain = "*";
- type = "soft";
- item = "nofile";
- value = "8192";
- }
- ];
- # nix.settings.trusted-users = [ "administration" ];
- # nix.settings.download-buffer-size = 6710886400;
- # boot.loader.grub.enable = true;
- # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
- # boot.loader.grub.enable = true;
- # boot.loader.grub.efiSupport = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
-
- networking.hostName = "mail";
- networking.domain = "test.htw.stura-dresden.de";
- networking.interfaces.ens18.ipv4.addresses = [
- {
- address = "141.56.51.95";
- prefixLength = 24;
- }
- ];
-
- networking.defaultGateway.address = "141.56.51.254";
- networking.nameservers = [
- "9.9.9.9"
- "1.1.1.1"
- ];
-
- services.nginx.virtualHosts = {
- "lists.${config.networking.domain}" = {
- enableACME = true;
- forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://127.0.0.1:18507";
- # };
- };
- };
- services.automx2 = {
- enable = true;
- domain = "${config.networking.domain}";
- settings = {
- automx2 = {
- db_uri = "sqlite:////var/lib/automx2/db.sqlite";
- proxy_count = 1;
- };
- };
- };
- services.mailman = {
- enable = true;
- hyperkitty = {
- enable = true;
- };
- serve.enable = true;
- webHosts = [
- "lists.${config.networking.domain}"
- ];
- };
-
- services.mailman.siteOwner = "mailman@${config.networking.domain}";
- mailserver = {
- enable = true;
- fqdn = "mail.${config.networking.domain}";
- domains = [
- "${config.networking.domain}"
- "lists.${config.networking.domain}"
- ];
- ldap = {
- enable = true;
- bind = {
- # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
- dn = "cn=ldapuser,ou=users,dc=ldap,dc=goauthentik,dc=io";
- passwordFile = "/var/lib/dovecot_ldap_passwd";
- };
- dovecot = {
- userFilter = "(&(objectClass=posixAccount)(mail=%u))";
- passFilter = "(&(objectClass=posixAccount)(mail=%u))";
- userAttrs = "cn";
- };
- postfix = {
- filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))";
- mailAttribute = "mail";
- uidAttribute = "cn";
- };
- #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
- searchBase = "DC=ldap,DC=goauthentik,DC=io";
- uris = [
- "ldap://auth.test.htw.stura-dresden.de:3389"
- ];
- };
-
- certificateScheme = "acme-nginx";
- enableImap = true;
- enableImapSsl = true;
- enableManageSieve = true;
- enableSubmission = true;
- enableSubmissionSsl = true;
- extraVirtualAliases = { };
- lmtpSaveToDetailMailbox = "no"; # DOS potential
- mailboxes = {
- Drafts = {
- auto = "subscribe";
- specialUse = "Drafts";
- };
- Sent = {
- auto = "subscribe";
- specialUse = "Sent";
- };
- Spam = {
- auto = "subscribe";
- specialUse = "Junk";
- };
- Trash = {
- auto = "subscribe";
- specialUse = "Trash";
- };
- };
- maxConnectionsPerUser = 10;
- messageSizeLimit = 10 * 1000 * 1024; # 10 MiB
-
- stateVersion = 3;
- };
-
- # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
- services.postfix =
- let
- submissionOptions = {
- # hash:/etc/postfix/virtual,
- smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
- smtpd_client_restrictions = "permit_sasl_authenticated,reject";
- };
- in
- {
- masterConfig = {
- submission = {
- args = [ "-v" ];
- };
- submissions = {
- args = [ "-v" ];
- };
- };
- settings.main = {
- unknown_local_recipient_reject_code = 550;
- relay_domains = [
- "hash:/var/lib/mailman/data/postfix_domains"
- ];
- transport_maps = [
- "hash:/var/lib/mailman/data/postfix_lmtp"
- ];
- local_recipient_maps = [
- "hash:/var/lib/mailman/data/postfix_lmtp"
- ];
- };
- # mapFiles = {
- # "valias" = lib.mkForce "/var/lib/postfix/valias";
- # "virtual" = lib.mkForce "/var/lib/postfix/virtual";
- # };
- submissionOptions = submissionOptions;
- submissionsOptions = submissionOptions;
- };
-
- security.acme.acceptTerms = true;
- security.acme.defaults.email = "cert@stura.htw-dresden.de";
-
- networking.firewall.allowedTCPPorts = [
- 25
- 80
- 443
- 597
- ];
-
- system.stateVersion = "24.11";
-
-}
diff --git a/hosts/mail/hardware-configuration.nix b/hosts/mail/hardware-configuration.nix
deleted file mode 100644
index b92ae55..0000000
--- a/hosts/mail/hardware-configuration.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- # fileSystems."/" =
- # {
- # device = "/dev/sda1";
- # fsType = "ext4";
- # };
-
- # swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hosts/mail/hetzner-disk.nix b/hosts/mail/hetzner-disk.nix
deleted file mode 100644
index a679e7c..0000000
--- a/hosts/mail/hetzner-disk.nix
+++ /dev/null
@@ -1,56 +0,0 @@ -{ - disko.devices = { - disk = { - main = { - type = "disk"; - device = "/dev/sda"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - ESP = { - priority = 1; - name = "ESP"; - start = "1M"; - end = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - "/rootfs" = { - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - # Sub(sub)volume doesn't need a mountpoint as its parent is mounted - "/nix" = { - mountOptions = [ - "compress=zstd" - "noatime" - ]; - mountpoint = "/nix"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 2db90b4..e69bdd3 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -1,4 +1,5 @@ { + self, config, lib, pkgs, @@ -37,8 +38,10 @@ }; }; + # wenn instanzen in die flake migriert sind könnte man das autogenerierien services = let + # jeder Block beschreibt eine Weiterleitung von port 80 und 443 für einen fqdn forwards = { plone = { dest = "141.56.51.3"; @@ -52,6 +55,18 @@ httpPort = 80; httpsPort = 443; }; + plone_neu = { + dest = "141.56.51.3"; + domain = "www.htw.stura-dresden.de"; + httpPort = 80; + httpsPort = 443; + }; + plone_neu2 = { + dest = "141.56.51.3"; + domain = "htw.stura-dresden.de"; + httpPort = 80; + httpsPort = 443; + }; tix = { dest = "141.56.51.220"; domain = "tix.htw.stura-dresden.de"; @@ -65,8 +80,8 @@ httpsPort = 443; }; dat = { - dest = "141.56.51.81"; - domain = "dat.htw.stura-dresden.de"; + dest = "141.56.51.17"; + domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; 
@@ -100,35 +115,72 @@ httpPort = 80; httpsPort = 443; }; - }; + } + # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert + // (builtins.foldl' + ( + prev: name: + let + cfg = self.nixosConfigurations.${name}.config; + vhosts = builtins.attrNames cfg.services.nginx.virtualHosts; + address = + (builtins.head + # dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel + cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses + ).address; + in + prev + // (builtins.foldl' ( + val: vhost: + val + // { + "${vhost}" = { + dest = address; + domain = vhost; + httpsPort = 443; + httpPort = 80; + }; + } + ) { } vhosts) + ) + { } + ( + # alle nixosConfigurations auswählen, die nginx enabled haben + builtins.filter (name: self.nixosConfigurations.${name}.config.services.nginx.enable) ( + builtins.attrNames self.nixosConfigurations + ) + ) + ); indexPage = pkgs.writeTextFile { name = "index.html"; text = '' - - - StuRa HTWD Index - - - - - - + + + StuRa HTWD Index + + + +

+ Du hast dich scheinbar verlaufen. Können wir dir hier möglicherweise weiter helfen? +

+ + ''; }; in { openssh = { - enable = true; + # admin ssh access port listenAddresses = [ { addr = "141.56.51.1"; @@ -136,29 +188,15 @@ } ]; }; - nginx = { - enable = true; - virtualHosts."localhost" = { - listen = [ - { - addr = "127.0.0.1"; - port = 6942; - } - ]; - locations."/" = { - extraConfig = '' - try_files ${indexPage} =404; - ''; - }; - }; - }; haproxy = { enable = true; config = '' global + # schreibe globalen log ins journal ip -> app log /dev/log format raw local0 maxconn 50000 - #stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control + # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners tune.bufsize 32762 defaults @@ -169,6 +207,7 @@ timeout client 30s timeout server 30s + # stats seite zeigt backend connection status, wenn check gesetzt ist frontend stats bind 127.0.0.1:8404 mode http 
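Review bot: `openssh.enable = true;` is removed from the proxy's `services` block and replaced by a comment, so unless `services.openssh.enable` is set in the shared default.nix (not visible here) sshd stops running on this host and the remaining `listenAddresses` has no effect; if the shared module does enable it, say so in place, e.g. `# sshd is enabled in default.nix; only the bind address is set here`, so the next reader does not re-add it. In the generated forwards, `builtins.head (builtins.attrNames cfg.networking.interfaces)` picks the lexically first interface, and the outer `//` merge means two configurations that declare the same nginx virtualHost name overwrite each other's entry without warning; an assertion on duplicate vhost names, or at least a comment naming the assumption, would surface that. The generated entries are keyed by the vhost FQDN, so the haproxy ACL and backend names produced in the later hunks become `is_<fqdn>` and `<fqdn>_80`; dots should be accepted there, but it is worth confirming with `haproxy -c -f` on the rendered config. The enclosing `services = let … in { … }` expression starts before this hunk.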
@@ -182,23 +221,36 @@ frontend http-in bind *:80 + # hier wird eine regel pro domain aus der forwarder liste generiert ${lib.foldlAttrs ( prev: name: value: - prev + "acl is_${name} hdr(host) -i ${value.domain}\n" + prev + '' + acl is_${name} hdr(host) -i ${value.domain} + '' ) "" forwards} + + # ist request eine acme challenge? acl is_acme path_beg /.well-known/acme-challenge/ + # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist ${lib.foldlAttrs ( prev: name: value: - prev + "use_backend ${name}_80 if is_${name}\n" + prev + + '' + use_backend ${name}_80 if is_${name} + http-request redirect scheme https code 301 if !is_acme is_${name} + '' ) "" forwards} - http-request redirect scheme https code 301 if !is_acme - + # das default backend zeigt die liste aller redirects an + # die liste darf nicht auf 443 redirected werden, da cert fehlt + default_backend default_backend + # ssh redirect srs2 frontend ssh_jump_alt bind *:2142 mode tcp + # gönn mal session timeout timeout client 30m log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " use_backend ssh_srs2 @@ -207,15 +259,22 @@ frontend sni_router bind *:443 mode tcp + # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht tcp-request inspect-delay 1s tcp-request content accept if { req_ssl_hello_type 1 } - # terminated here + # tcp redirect der anwendung basierend auf ssl_sni handshake parameter ${lib.foldlAttrs ( prev: name: value: prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" ) "" forwards} + # default backend http static file generated above + backend default_backend + mode http + http-request return status 200 content-type "text/html" file ${indexPage} + + # ssh srs2 backend backend ssh_srs2 mode tcp timeout server 30m 
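Review bot: In `frontend http-in` the generated `http-request redirect scheme https code 301 if !is_acme is_${name}` is placed after `use_backend ${name}_80`, but haproxy evaluates all `http-request` rules before backend selection whatever their textual order, so the redirect wins for non-ACME traffic as intended; the generator comment should say so, e.g. `# http-request rules run before use_backend, so only acme traffic for a known domain reaches the _80 backend`. Unknown `Host` values, which previously got the unconditional 301, now fall through to `default_backend` and receive a 200 with the static index page over plain HTTP; that matches the comment about the missing cert, but `default_backend default_backend` reads like a typo because directive and backend share a name, and `index_page` (here and in the `backend` definition in the following hunk) would be clearer. The removed unconditional redirect also covered requests that reach port 80 by IP with no Host header; those now land on the index page as well, which seems acceptable but deserves a word in the same comment.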
@@ -223,6 +282,7 @@ option tcpka server srs2 141.56.51.2:80 check + # ein backend pro forwards eintrag für port 80 und 443 ${lib.foldlAttrs ( prev: name: value: prev @@ -242,8 +302,6 @@ }; environment.systemPackages = with pkgs; [ - openvpn - tcpdump ]; system.stateVersion = "25.11";