From 069759f8d97a4a3044762069515d1899124d23d2 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 01:04:24 +0100 Subject: [PATCH 01/20] haproxy default page --- hosts/proxy/default.nix | 48 ++++++++++++++++++++++++----------------- 1 file changed, 28 insertions(+), 20 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 2db90b4..228e23f 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -105,23 +105,25 @@ name = "index.html"; text = '' - - - StuRa HTWD Index - - - - - - + + + StuRa HTWD Index + + + +

+ Du hast dich scheinbar verlaufen. Können wir dir hier möglicherweise weiter helfen? +

+ + ''; }; @@ -190,11 +192,13 @@ ${lib.foldlAttrs ( prev: name: value: - prev + "use_backend ${name}_80 if is_${name}\n" + prev + '' + use_backend ${name}_80 if is_${name} + http-request redirect scheme https code 301 if !is_acme is_${name} + '' ) "" forwards} - http-request redirect scheme https code 301 if !is_acme - + default_backend default_backend frontend ssh_jump_alt bind *:2142 @@ -216,6 +220,10 @@ prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" ) "" forwards} + backend default_backend + mode http + http-request return status 200 content-type "text/html" file ${indexPage} + backend ssh_srs2 mode tcp timeout server 30m From 4b7bd856f923706548a84b2722f1fe0e38d821fd Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 02:09:08 +0100 Subject: [PATCH 02/20] fix studicloud forward --- hosts/proxy/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 228e23f..adbf383 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -65,8 +65,8 @@ httpsPort = 443; }; dat = { - dest = "141.56.51.81"; - domain = "dat.htw.stura-dresden.de"; + dest = "141.56.51.17"; + domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; From 65e6d0d5a0dc7674edaf7b2ae95f6cba093da5bf Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 02:09:53 +0100 Subject: [PATCH 03/20] ssh ist per default an --- hosts/proxy/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index adbf383..cd05338 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -130,7 +130,7 @@ in { openssh = { - enable = true; + # admin ssh access port listenAddresses = [ { addr = "141.56.51.1"; From 65589c1586b0a399067c1fbacd8419be092afdcf Mon Sep 17 00:00:00 2001 
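Review bot: The new `default_backend` returns the index page with `content-type "text/html"` and no charset, while the page body contains non-ASCII text (the German sentence with umlauts in the first hunk); unless the HTML itself carries a `<meta charset>` declaration, which the extraction here does not show, browsers may fall back to a legacy encoding and render those characters as mojibake. Use `http-request return status 200 content-type "text/html; charset=utf-8" file ${indexPage}` so the encoding is explicit on the wire. A one-line comment on the backend that this page is intentionally served over plain HTTP to any unknown Host header would also help keep anything sensitive from being added to it later.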
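Review bot: Dropping `enable = true;` from `services.openssh` does not match the commit title: in NixOS `services.openssh.enable` defaults to false, so unless a shared module such as default.nix enables it (not visible in this hunk), this removes the only admin SSH path to the proxy and the remaining `listenAddresses` block becomes dead configuration. If the intent is only to document the port, keep the line and put the comment above it: `# admin ssh access port` / `enable = true;`. If sshd really is enabled elsewhere, say where in the comment so the next reader does not re-add it.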
From: goeranh Date: Sat, 28 Feb 2026 02:10:09 +0100 Subject: [PATCH 04/20] haproxy server static file, nginx is no longer needed --- hosts/proxy/default.nix | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index cd05338..dacd122 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -138,29 +138,15 @@ } ]; }; - nginx = { - enable = true; - virtualHosts."localhost" = { - listen = [ - { - addr = "127.0.0.1"; - port = 6942; - } - ]; - locations."/" = { - extraConfig = '' - try_files ${indexPage} =404; - ''; - }; - }; - }; haproxy = { enable = true; config = '' global + # schreibe globalen log ins journal ip -> app log /dev/log format raw local0 maxconn 50000 - #stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control + # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners tune.bufsize 32762 defaults From 45ab9376f5f83e1991e8b9313775351fdf86c72b Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 02:10:42 +0100 Subject: [PATCH 05/20] try to explain haproxy i guess --- hosts/proxy/default.nix | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index dacd122..95149dc 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -157,6 +157,7 @@ timeout client 30s timeout server 30s +# stats seite zeigt backend connection status, wenn check gesetzt ist frontend stats bind 127.0.0.1:8404 mode http 
@@ -170,12 +171,16 @@ frontend http-in bind *:80 + # hier wird eine regel pro domain aus der forwarder liste generiert ${lib.foldlAttrs ( prev: name: value: prev + "acl is_${name} hdr(host) -i ${value.domain}\n" ) "" forwards} + + # ist request eine acme challenge? acl is_acme path_beg /.well-known/acme-challenge/ + # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist ${lib.foldlAttrs ( prev: name: value: prev + '' @@ -184,11 +189,15 @@ '' ) "" forwards} + # das default backend zeigt die liste aller redirects an + # die liste darf nicht auf 443 redirected werden, da cert fehlt default_backend default_backend + # ssh redirect srs2 frontend ssh_jump_alt bind *:2142 mode tcp + # gönn mal session timeout timeout client 30m log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " use_backend ssh_srs2 @@ -197,19 +206,22 @@ frontend sni_router bind *:443 mode tcp + # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht tcp-request inspect-delay 1s tcp-request content accept if { req_ssl_hello_type 1 } - # terminated here + # tcp redirect der anwendung basierend auf ssl_sni handshake parameter ${lib.foldlAttrs ( prev: name: value: prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" ) "" forwards} + # default backend http static file generated above backend default_backend mode http http-request return status 200 content-type "text/html" file ${indexPage} + # ssh srs2 backend backend ssh_srs2 mode tcp timeout server 30m @@ -217,6 +229,7 @@ option tcpka server srs2 141.56.51.2:80 check + # ein backend pro forwards eintrag für port 80 und 443 ${lib.foldlAttrs ( prev: name: value: prev @@ -236,8 +249,6 @@ }; environment.systemPackages = with pkgs; [ - openvpn - tcpdump ]; system.stateVersion = "25.11"; From 67f9a3cee7c19d2a396b5f2b6f2e4526adda9cbd Mon Sep 17 00:00:00 2001 
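Review bot: The new comment on `tcp-request inspect-delay 1s` says the connection is ended when no TLS handshake is seen, but `tcp-request content accept if { req_ssl_hello_type 1 }` only accepts early; by my reading of the `tcp-request content` semantics, when the inspect delay expires with no rule matched the connection is accepted by default, so a non-TLS client is passed on to backend selection and is dropped only because no `use_backend` matches and `sni_router` has no `default_backend`. Either correct the comment or make the behaviour match it with an explicit reject right after the accept line: `tcp-request content reject if !{ req_ssl_hello_type 1 }`. Either way a plain-TCP probe holds a connection slot for the full 1s delay, which is worth stating in the comment as the cost of the SNI peek.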
From: goeranh Date: Sat, 28 Feb 2026 02:14:53 +0100 Subject: [PATCH 06/20] comment and fix umlauts --- hosts/proxy/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 95149dc..3b579f4 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -39,6 +39,7 @@ services = let + # jeder Block beschreibt eine Weiterleitung von port 80 und 443 für einen fqdn forwards = { plone = { dest = "141.56.51.3"; @@ -112,7 +113,7 @@

- Du hast dich scheinbar verlaufen. Können wir dir hier möglicherweise weiter helfen? + Du hast dich scheinbar verlaufen. Können wir dir hier möglicherweise weiter helfen?

    ${lib.foldlAttrs ( From 2b0277f86e9d89283cb290c4af0fcad66f5a5202 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 02:21:23 +0100 Subject: [PATCH 07/20] links more readable --- hosts/proxy/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 3b579f4..06fa2fa 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -37,6 +37,7 @@ }; }; + # wenn instanzen in die flake migriert sind könnte man das autogenerierien services = let # jeder Block beschreibt eine Weiterleitung von port 80 und 443 für einen fqdn @@ -120,7 +121,7 @@ prev: name: value: prev + '' -
  • ${name}
  • +
  • ${value.domain}
  • '' ) "" forwards}
From c5eb1353affeb8c28f7660bda74e7d9d44fb3de7 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 02:30:41 +0100 Subject: [PATCH 08/20] currently only this is allowed --- default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/default.nix b/default.nix index 6fe5f00..4d494dd 100644 --- a/default.nix +++ b/default.nix @@ -26,8 +26,8 @@ in { networking.nameservers = [ - "9.9.9.9" - "1.1.1.1" + "141.56.1.1" + "141.56.1.2" ]; boot.kernelPackages = pkgs.linuxPackages_latest; From df593b467e2155f92d8fab8c98fc312294f4f8a3 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 02:34:05 +0100 Subject: [PATCH 09/20] kein admin user anlegen --- default.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/default.nix b/default.nix index 4d494dd..4970af1 100644 --- a/default.nix +++ b/default.nix @@ -38,7 +38,7 @@ in "nix-command" "flakes" ]; - trusted-users = [ "administration" ]; + # trusted-users = [ "administration" ]; auto-optimise-store = true; }; optimise.automatic = true; @@ -60,11 +60,12 @@ in }; users.users = { - administration = { - isNormalUser = true; - extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - openssh.authorizedKeys.keys = keys; - }; + # erstmal nur mit root + # administration = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + # openssh.authorizedKeys.keys = keys; + # }; root = { openssh.authorizedKeys.keys = keys; }; From c927f8675b3a87b3efe7b19d1624038b35ce0a71 Mon Sep 17 00:00:00 2001 
From: goeranh Date: Sat, 28 Feb 2026 02:59:56 +0100 Subject: [PATCH 10/20] this will be developed on a separate branch --- hosts/auth/authentik.nix | 74 --------- hosts/auth/default.nix | 34 ----- hosts/auth/hardware-configuration.nix | 38 ----- hosts/auth/hetzner-disk.nix | 56 ------- hosts/mail/default.nix | 206 -------------------------- hosts/mail/hardware-configuration.nix | 38 ----- hosts/mail/hetzner-disk.nix | 56 ------- 7 files changed, 502 deletions(-) delete mode 100644 hosts/auth/authentik.nix delete mode 100644 hosts/auth/default.nix delete mode 100644 hosts/auth/hardware-configuration.nix delete mode 100644 hosts/auth/hetzner-disk.nix delete mode 100644 hosts/mail/default.nix delete mode 100644 hosts/mail/hardware-configuration.nix delete mode 100644 hosts/mail/hetzner-disk.nix diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix deleted file mode 100644 index c7e1c3f..0000000 --- a/hosts/auth/authentik.nix +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -{ - users.groups.authentik = { }; - users.users.authentik = { - isSystemUser = true; - extraGroups = [ "docker" ]; - group = "authentik"; - }; - - virtualisation.docker.enable = true; - - systemd.services = { - authentik-secrets-setup = { - enable = true; - }; - }; - services.authentik-ldap = { - enable = true; - environmentFile = "/var/lib/authentik-ldap-env"; - }; - services.authentik = { - enable = true; - # The environmentFile needs to be on the target host! - # Best use something like sops-nix or agenix to manage it - environmentFile = "/var/lib/authentik_secret"; - settings = { - email = { - host = "mail.${config.networking.domain}"; - port = 25; - username = "authentik@${config.networking.domain}"; - use_tls = false; - use_ssl = false; - from = "authentik@${config.networking.domain}"; - }; - disable_startup_analytics = true; - avatars = "initials"; - }; - }; - - systemd.services.authentik-secrets-generator = { - enable = true; - requiredBy = [ - "authentik-secrets-setup.service" - "authentik-worker.service" - ]; - script = '' - echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret - ''; - }; - - services.nginx = { - enable = true; - virtualHosts = { - "auth.${config.networking.domain}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:9000"; - proxyWebsockets = true; - recommendedProxySettings = true; - extraConfig = '' - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; - }; - }; - }; -} diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix deleted file mode 100644 index 5954d64..0000000 --- a/hosts/auth/default.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -{ - imports = [ - ./hardware-configuration.nix - ./authentik.nix - ]; - - networking.hostName = "auth"; - networking.interfaces.ens18.ipv4.addresses = [ - { - address = "141.56.51.96"; - prefixLength = 24; - } - ]; - - networking.defaultGateway.address = "141.56.51.254"; - networking.nameservers = [ - "9.9.9.9" - "1.1.1.1" - ]; - - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 3389 - ]; - - system.stateVersion = "25.05"; -} diff --git a/hosts/auth/hardware-configuration.nix b/hosts/auth/hardware-configuration.nix deleted file mode 100644 index b92ae55..0000000 --- a/hosts/auth/hardware-configuration.nix +++ /dev/null @@ -1,38 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - # fileSystems."/" = - # { - # device = "/dev/sda1"; - # fsType = "ext4"; - # }; - - # swapDevices = [ ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/auth/hetzner-disk.nix b/hosts/auth/hetzner-disk.nix deleted file mode 100644 index a679e7c..0000000 --- a/hosts/auth/hetzner-disk.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - disko.devices = { - disk = { - main = { - type = "disk"; - device = "/dev/sda"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - ESP = { - priority = 1; - name = "ESP"; - start = "1M"; - end = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - "/rootfs" = { - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - # Sub(sub)volume doesn't need a mountpoint as its parent is mounted - "/nix" = { - mountOptions = [ - "compress=zstd" - "noatime" - ]; - mountpoint = "/nix"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix deleted file mode 100644 index 75b5f84..0000000 --- a/hosts/mail/default.nix +++ /dev/null 
@@ -1,206 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - generatedAliases = pkgs.writeText "generated-aliases" ( - lib.concatStringsSep "\n" ( - lib.mapCartesianProduct - ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de") - { - aliases = [ - "abuse" - "hostmaster" - "noreply" - "postmaster" - "webmaster" - ]; - domain = config.mailserver.domains; - } - ) - ); - -in -{ - imports = [ - ./hardware-configuration.nix - ]; - - security.pam.loginLimits = [ - { - domain = "*"; - type = "soft"; - item = "nofile"; - value = "8192"; - } - ]; - # nix.settings.trusted-users = [ "administration" ]; - # nix.settings.download-buffer-size = 6710886400; - # boot.loader.grub.enable = true; - # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only - # boot.loader.grub.enable = true; - # boot.loader.grub.efiSupport = true; - # boot.loader.grub.efiInstallAsRemovable = true; - - networking.hostName = "mail"; - networking.domain = "test.htw.stura-dresden.de"; - networking.interfaces.ens18.ipv4.addresses = [ - { - address = "141.56.51.95"; - prefixLength = 24; - } - ]; - - networking.defaultGateway.address = "141.56.51.254"; - networking.nameservers = [ - "9.9.9.9" - "1.1.1.1" - ]; - - services.nginx.virtualHosts = { - "lists.${config.networking.domain}" = { - enableACME = true; - forceSSL = true; - # locations."/" = { - # proxyPass = "http://127.0.0.1:18507"; - # }; - }; - }; - services.automx2 = { - enable = true; - domain = "${config.networking.domain}"; - settings = { - automx2 = { - db_uri = "sqlite:////var/lib/automx2/db.sqlite"; - proxy_count = 1; - }; - }; - }; - services.mailman = { - enable = true; - hyperkitty = { - enable = true; - }; - serve.enable = true; - webHosts = [ - "lists.${config.networking.domain}" - ]; - }; - - services.mailman.siteOwner = "mailman@${config.networking.domain}"; - mailserver = { - enable = true; - fqdn = "mail.${config.networking.domain}"; - domains = [ - "${config.networking.domain}" - 
"lists.${config.networking.domain}" - ]; - ldap = { - enable = true; - bind = { - # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de"; - dn = "cn=ldapuser,ou=users,dc=ldap,dc=goauthentik,dc=io"; - passwordFile = "/var/lib/dovecot_ldap_passwd"; - }; - dovecot = { - userFilter = "(&(objectClass=posixAccount)(mail=%u))"; - passFilter = "(&(objectClass=posixAccount)(mail=%u))"; - userAttrs = "cn"; - }; - postfix = { - filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))"; - mailAttribute = "mail"; - uidAttribute = "cn"; - }; - #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de"; - searchBase = "DC=ldap,DC=goauthentik,DC=io"; - uris = [ - "ldap://auth.test.htw.stura-dresden.de:3389" - ]; - }; - - certificateScheme = "acme-nginx"; - enableImap = true; - enableImapSsl = true; - enableManageSieve = true; - enableSubmission = true; - enableSubmissionSsl = true; - extraVirtualAliases = { }; - lmtpSaveToDetailMailbox = "no"; # DOS potential - mailboxes = { - Drafts = { - auto = "subscribe"; - specialUse = "Drafts"; - }; - Sent = { - auto = "subscribe"; - specialUse = "Sent"; - }; - Spam = { - auto = "subscribe"; - specialUse = "Junk"; - }; - Trash = { - auto = "subscribe"; - specialUse = "Trash"; - }; - }; - maxConnectionsPerUser = 10; - messageSizeLimit = 10 * 1000 * 1024; # 10 MiB - - stateVersion = 3; - }; - - # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n"; - services.postfix = - let - submissionOptions = { - # hash:/etc/postfix/virtual, - smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf"; - smtpd_client_restrictions = "permit_sasl_authenticated,reject"; - }; - in - { - masterConfig = { - submission = { - args = [ "-v" ]; - }; - submissions = { - args = [ "-v" ]; - }; - }; - settings.main = { - unknown_local_recipient_reject_code = 550; - relay_domains = [ - "hash:/var/lib/mailman/data/postfix_domains" - ]; - transport_maps = [ - 
"hash:/var/lib/mailman/data/postfix_lmtp" - ]; - local_recipient_maps = [ - "hash:/var/lib/mailman/data/postfix_lmtp" - ]; - }; - # mapFiles = { - # "valias" = lib.mkForce "/var/lib/postfix/valias"; - # "virtual" = lib.mkForce "/var/lib/postfix/virtual"; - # }; - submissionOptions = submissionOptions; - submissionsOptions = submissionOptions; - }; - - security.acme.acceptTerms = true; - security.acme.defaults.email = "cert@stura.htw-dresden.de"; - - networking.firewall.allowedTCPPorts = [ - 25 - 80 - 443 - 597 - ]; - - system.stateVersion = "24.11"; - -} diff --git a/hosts/mail/hardware-configuration.nix b/hosts/mail/hardware-configuration.nix deleted file mode 100644 index b92ae55..0000000 --- a/hosts/mail/hardware-configuration.nix +++ /dev/null @@ -1,38 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - # fileSystems."/" = - # { - # device = "/dev/sda1"; - # fsType = "ext4"; - # }; - - # swapDevices = [ ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/mail/hetzner-disk.nix b/hosts/mail/hetzner-disk.nix deleted file mode 100644 index a679e7c..0000000 --- a/hosts/mail/hetzner-disk.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - disko.devices = { - disk = { - main = { - type = "disk"; - device = "/dev/sda"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - ESP = { - priority = 1; - name = "ESP"; - start = "1M"; - end = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - "/rootfs" = { - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - # Sub(sub)volume doesn't need a mountpoint as its parent is mounted - "/nix" = { - mountOptions = [ - "compress=zstd" - "noatime" - ]; - mountpoint = "/nix"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} From 1a684222e216fa4a64cc734bb9dce6ff9cac8ed6 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 03:21:59 +0100 Subject: [PATCH 11/20] remove unused stuff --- hosts/git/default.nix | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/hosts/git/default.nix b/hosts/git/default.nix index 178a8eb..7673e79 100644 --- a/hosts/git/default.nix +++ b/hosts/git/default.nix @@ -4,25 +4,6 @@ pkgs, ... }: -let - generatedAliases = pkgs.writeText "generated-aliases" ( - lib.concatStringsSep "\n" ( - lib.mapCartesianProduct - ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de") - { - aliases = [ - "abuse" - "hostmaster" - "noreply" - "postmaster" - "webmaster" - ]; - domain = config.mailserver.domains; - } - ) - ); - -in { imports = [ ./hardware-configuration.nix @@ -39,10 +20,8 @@ in defaultGateway.address = "141.56.51.254"; firewall.allowedTCPPorts = [ - 25 80 443 - 597 ]; }; From 2197bcac3bb2f8ead78115e9b58fc42a1dd89226 Mon Sep 17 00:00:00 2001 
From: goeranh Date: Sat, 28 Feb 2026 03:23:44 +0100 Subject: [PATCH 12/20] donatiner doesnt need these --- hosts/git/hardware-configuration.nix | 38 ------------------- hosts/git/hetzner-disk.nix | 56 ---------------------------- 2 files changed, 94 deletions(-) delete mode 100644 hosts/git/hardware-configuration.nix delete mode 100644 hosts/git/hetzner-disk.nix diff --git a/hosts/git/hardware-configuration.nix b/hosts/git/hardware-configuration.nix deleted file mode 100644 index b92ae55..0000000 --- a/hosts/git/hardware-configuration.nix +++ /dev/null @@ -1,38 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - # fileSystems."/" = - # { - # device = "/dev/sda1"; - # fsType = "ext4"; - # }; - - # swapDevices = [ ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/git/hetzner-disk.nix b/hosts/git/hetzner-disk.nix deleted file mode 100644 index a679e7c..0000000 --- a/hosts/git/hetzner-disk.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - disko.devices = { - disk = { - main = { - type = "disk"; - device = "/dev/sda"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - ESP = { - priority = 1; - name = "ESP"; - start = "1M"; - end = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - "/rootfs" = { - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - # Sub(sub)volume doesn't need a mountpoint as its parent is mounted - "/nix" = { - mountOptions = [ - "compress=zstd" - "noatime" - ]; - mountpoint = "/nix"; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} From b0ae6a6c0f54edbdde9ba31e88a53df38e1097c7 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 03:29:52 +0100 Subject: [PATCH 13/20] erlaube modulen auf die flake zuzugreifen damit kann man dann zum beispiel aus der poxy config heraus auf alle anderen nixos Configurations verweisen --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 17a40d9..61f95b8 100644 --- a/flake.nix +++ b/flake.nix @@ -128,7 +128,7 @@ authentik.nixosModules.default mailserver.nixosModules.mailserver { - _module.args = { inherit modulesPath; }; + _module.args = { inherit self modulesPath; }; } ]; }; From fc39a4c73ff70f76ec87314b4ab0f6014cf63568 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 13:55:59 +0100 Subject: [PATCH 14/20] setup new domain for plone website --- hosts/proxy/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 06fa2fa..ba41d37 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
@@ -54,6 +54,18 @@ httpPort = 80; httpsPort = 443; }; + plone_neu = { + dest = "141.56.51.3"; + domain = "www.htw.stura-dresden.de"; + httpPort = 80; + httpsPort = 443; + }; + plone_neu2 = { + dest = "141.56.51.3"; + domain = "htw.stura-dresden.de"; + httpPort = 80; + httpsPort = 443; + }; tix = { dest = "141.56.51.220"; domain = "tix.htw.stura-dresden.de"; From dbc53eee65346c69a8c250e8abe6030f32a39be5 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 14:44:13 +0100 Subject: [PATCH 15/20] update systems by ip in update script --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 61f95b8..73f011a 100644 --- a/flake.nix +++ b/flake.nix @@ -46,7 +46,7 @@ # run nixos-rebuild switch on the target system # the config will be built locally and copied over "${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" '' - nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de + nixos-rebuild switch --flake .#${name} --target-host root@${(builtins.head (nixosConfigurations.${name}.config.networking.interfaces.${builtins.head (builtins.attrNames nixosConfigurations.${name}.config.networking.interfaces)}.ipv4.addresses)).address} ''; # copy install image to testserver and deploy the specified configuration to it From 99b1a87ad9ac8b9f7c1d8a88348ac27fa094f115 Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 14:44:33 +0100 Subject: [PATCH 16/20] deploy test only worked for vms, not containers --- flake.nix | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/flake.nix b/flake.nix index 73f011a..3c8577d 100644 --- a/flake.nix +++ b/flake.nix 
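Review bot: The target address is now `builtins.head` of `builtins.attrNames config.networking.interfaces`, and attrNames returns names in sorted order, so this picks the alphabetically first interface rather than the primary one; on a host with a second statically configured interface, or one whose address comes from DHCP (empty `addresses`), `builtins.head` throws and, because this script is generated for every host in `packages`, breaks evaluation of the whole flake. A less brittle form is to declare the deploy target per host and read that, e.g. `--target-host root@${nixosConfigurations.${name}.config.networking.fqdn}` with DNS kept current, or a small custom option. Using a name rather than the bare IP also keeps the SSH known_hosts pin meaningful when addresses are renumbered, as happened to `dat` earlier in this series.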
@@ -48,28 +48,6 @@ "${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" '' nixos-rebuild switch --flake .#${name} --target-host root@${(builtins.head (nixosConfigurations.${name}.config.networking.interfaces.${builtins.head (builtins.attrNames nixosConfigurations.${name}.config.networking.interfaces)}.ipv4.addresses)).address} ''; - - # copy install image to testserver and deploy the specified configuration to it - "${name}-deploy-test" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "deploy" '' - FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)" - scp ${ - self.packages.x86_64-linux."installer-iso".outPath - }/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME - ssh 10.1.0.17 "qm create $1 --name ${ - nixosConfigurations.${name}.config.networking.fqdn - } --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm
${ - nixosConfigurations.${name}.config.networking.fqdn - }\"" - ssh 10.1.0.17 "qm start $1" - - # hardcoded deployment ip - # wait until a connection to port 22 on the deployment ip is reachable - until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done - - # run nixos-anywhere on the deployment address with the specified configuration - nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98 - ''; - } ) { } From abb0c320e9834c93013e8442a40661d65f7b8bdd Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 15:11:55 +0100 Subject: [PATCH 17/20] generate redirects for nginx virtualhosts automatically --- hosts/proxy/default.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index ba41d37..bb1a9c6 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -1,4 +1,5 @@ { + self, config, lib, pkgs, @@ -114,7 +115,17 @@ httpPort = 80; httpsPort = 443; }; - }; + } // (builtins.foldl'(prev: name: let + cfg = self.nixosConfigurations.${name}.config; + in prev // { + "${name}" = { + # dest = (builtins.head cfg.networking.interfaces.eth0.ipv4.addresses).address; + dest = (builtins.head cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses).address; + domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts); + httpsPort = 443; + httpPort = 80; + }; + }) {} (builtins.filter (name: self.nixosConfigurations.${name}.config.services.nginx.enable)(builtins.attrNames self.nixosConfigurations))); indexPage = pkgs.writeTextFile { name = "index.html"; text = '' From 86ae8197b524236f67babf538a3f501ca72de2fc Mon Sep 17 00:00:00 2001 From: goeranh Date: Sat, 28 Feb 2026 15:23:40 +0100 Subject: [PATCH 18/20] formatting and comments --- hosts/proxy/default.nix | 43 ++++++++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 11 deletions(-) 
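Review bot: The generated block makes proxy exposure opt-out: every host in the flake with `services.nginx.enable` set gets its first virtualHost forwarded on the public 80/443 listener with no opt-in by that host, so a vhost that was only meant for local use (the `localhost` vhost removed from this file a few commits earlier is the kind of entry that would qualify) becomes reachable by anyone who sends its name in the Host header or SNI, and its name is listed on the index page. Consider filtering to vhosts that are clearly public, e.g. `builtins.filter (v: cfg.services.nginx.virtualHosts.${v}.enableACME) (builtins.attrNames cfg.services.nginx.virtualHosts)`, or a per-host opt-in option. Also note the generated set sits on the right-hand side of `//`, so a host whose configuration name equals a hand-written key silently replaces that entry, and `builtins.head` over `ipv4.addresses` aborts evaluation for any nginx host without a static address. The enclosing `services = let … in` expression starts before and ends after this hunk.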
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index bb1a9c6..ffc6eb5 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -115,17 +115,38 @@ httpPort = 80; httpsPort = 443; }; - } // (builtins.foldl'(prev: name: let - cfg = self.nixosConfigurations.${name}.config; - in prev // { - "${name}" = { - # dest = (builtins.head cfg.networking.interfaces.eth0.ipv4.addresses).address; - dest = (builtins.head cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses).address; - domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts); - httpsPort = 443; - httpPort = 80; - }; - }) {} (builtins.filter (name: self.nixosConfigurations.${name}.config.services.nginx.enable)(builtins.attrNames self.nixosConfigurations))); + } + # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert + // (builtins.foldl' + ( + prev: name: + let + cfg = self.nixosConfigurations.${name}.config; + in + prev + // { + "${name}" = { + dest = + (builtins.head + # dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel + cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses + ).address; + # bisher wird ein redirect für den ersten virtualHost generiert + # TODO rediret für jeden virtualHost + domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts); + httpsPort = 443; + httpPort = 80; + }; + } + ) + { } + ( + # alle nixosConfigurations auswählen, die nginx enabled haben + builtins.filter (name: self.nixosConfigurations.${name}.config.services.nginx.enable) ( + builtins.attrNames self.nixosConfigurations + ) + ) + ); indexPage = pkgs.writeTextFile { name = "index.html"; text = '' From 599f0803a1e3a60f5aa4cf6c6b89660a8aec6d7d Mon Sep 17 00:00:00 2001 
From: goeranh Date: Sat, 28 Feb 2026 15:32:03 +0100 Subject: [PATCH 19/20] generate redirect for ever virtualhost --- hosts/proxy/default.nix | 209 ++++++++++++++++++++-------------------- 1 file changed, 107 insertions(+), 102 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index ffc6eb5..b4ab877 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -122,22 +122,26 @@ prev: name: let cfg = self.nixosConfigurations.${name}.config; + vhosts = builtins.attrNames cfg.services.nginx.virtualHosts; + address = + (builtins.head + # dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel + cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses + ).address; in prev - // { - "${name}" = { - dest = - (builtins.head - # dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel - cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses - ).address; - # bisher wird ein redirect für den ersten virtualHost generiert - # TODO rediret für jeden virtualHost - domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts); - httpsPort = 443; - httpPort = 80; - }; - } + // (builtins.foldl' ( + val: vhost: + val + // { + "${vhost}" = { + dest = address; + domain = vhost; + httpsPort = 443; + httpPort = 80; + }; + } + ) { } vhosts) ) { } ( 
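Review bot: Keying the generated entries by virtualHost name feeds every vhost name verbatim into `acl is_${name}`, `use_backend ${name}_80` and the index-page link, and nginx vhost names are not always FQDNs: a catch-all like `_` or a `localhost` entry would produce identifiers HAProxy may reject and a bogus public route, and the same vhost defined on two hosts is silently resolved by whichever `//` evaluates last, so one host's traffic would land on the other. Filter to names that look like domains and fail loudly on duplicates, e.g. `vhosts = builtins.filter (v: lib.hasInfix "." v) (builtins.attrNames cfg.services.nginx.virtualHosts);` plus an `assertions` entry that the generated keys do not overlap each other or the hand-written ones. The surrounding `services = let … in` expression starts before and ends after this hunk.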
@@ -187,109 +191,110 @@ haproxy = { enable = true; config = '' - global - # schreibe globalen log ins journal ip -> app - log /dev/log format raw local0 - maxconn 50000 - # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control - # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners - tune.bufsize 32762 + global + # schreibe globalen log ins journal ip -> app + log /dev/log format raw local0 + maxconn 50000 + # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control + # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + tune.bufsize 32762 - defaults - log global - mode tcp - option tcplog - timeout connect 5s - timeout client 30s - timeout server 30s + defaults + log global + mode tcp + option tcplog + timeout connect 5s + timeout client 30s + timeout server 30s -# stats seite zeigt backend connection status, wenn check gesetzt ist - frontend stats - bind 127.0.0.1:8404 - mode http - stats enable - stats uri /stats - stats refresh 10s - stats show-legends - stats show-node - stats show-modules + # stats seite zeigt backend connection status, wenn check gesetzt ist + frontend stats + bind 127.0.0.1:8404 + mode http + stats enable + stats uri /stats + stats refresh 10s + stats show-legends + stats show-node + stats show-modules - frontend http-in - bind *:80 + frontend http-in + bind *:80 - # hier wird eine regel pro domain aus der forwarder liste generiert - ${lib.foldlAttrs ( - prev: name: value: - prev + "acl is_${name} hdr(host) -i ${value.domain}\n" - ) "" forwards} + # hier wird eine regel pro domain aus der forwarder liste generiert + ${lib.foldlAttrs ( + prev: name: value: + prev + "acl is_${name} hdr(host) -i ${value.domain}\n" + ) "" forwards} - # ist request eine acme challenge? - acl is_acme path_beg /.well-known/acme-challenge/ + # ist request eine acme challenge? 
+ acl is_acme path_beg /.well-known/acme-challenge/ - # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist - ${lib.foldlAttrs ( - prev: name: value: - prev + '' - use_backend ${name}_80 if is_${name} - http-request redirect scheme https code 301 if !is_acme is_${name} - '' - ) "" forwards} + # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist + ${lib.foldlAttrs ( + prev: name: value: + prev + + '' + use_backend ${name}_80 if is_${name} + http-request redirect scheme https code 301 if !is_acme is_${name} + '' + ) "" forwards} - # das default backend zeigt die liste aller redirects an - # die liste darf nicht auf 443 redirected werden, da cert fehlt - default_backend default_backend + # das default backend zeigt die liste aller redirects an + # die liste darf nicht auf 443 redirected werden, da cert fehlt + default_backend default_backend - # ssh redirect srs2 - frontend ssh_jump_alt - bind *:2142 - mode tcp - # gönn mal session timeout - timeout client 30m - log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " - use_backend ssh_srs2 + # ssh redirect srs2 + frontend ssh_jump_alt + bind *:2142 + mode tcp + # gönn mal session timeout + timeout client 30m + log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " + use_backend ssh_srs2 - # ---- SNI routing (TCP, peek at handshake) ---- - frontend sni_router - bind *:443 - mode tcp - # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht - tcp-request inspect-delay 1s - tcp-request content accept if { req_ssl_hello_type 1 } + # ---- SNI routing (TCP, peek at handshake) ---- + frontend sni_router + bind *:443 + mode tcp + # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht + tcp-request inspect-delay 1s + tcp-request content accept if { req_ssl_hello_type 1 } - # tcp redirect der 
anwendung basierend auf ssl_sni handshake parameter - ${lib.foldlAttrs ( - prev: name: value: - prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" - ) "" forwards} + # tcp redirect der anwendung basierend auf ssl_sni handshake parameter + ${lib.foldlAttrs ( + prev: name: value: + prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" + ) "" forwards} - # default backend http static file generated above - backend default_backend - mode http - http-request return status 200 content-type "text/html" file ${indexPage} + # default backend http static file generated above + backend default_backend + mode http + http-request return status 200 content-type "text/html" file ${indexPage} - # ssh srs2 backend - backend ssh_srs2 - mode tcp - timeout server 30m - timeout connect 10s - option tcpka - server srs2 141.56.51.2:80 check + # ssh srs2 backend + backend ssh_srs2 + mode tcp + timeout server 30m + timeout connect 10s + option tcpka + server srs2 141.56.51.2:80 check - # ein backend pro forwards eintrag für port 80 und 443 - ${lib.foldlAttrs ( - prev: name: value: - prev - + '' + # ein backend pro forwards eintrag für port 80 und 443 + ${lib.foldlAttrs ( + prev: name: value: + prev + + '' - backend ${name}_80 - mode http - server ${name} ${value.dest}:${builtins.toString value.httpPort} - backend ${name}_443 - mode tcp - server ${name} ${value.dest}:${builtins.toString value.httpsPort} check + backend ${name}_80 + mode http + server ${name} ${value.dest}:${builtins.toString value.httpPort} + backend ${name}_443 + mode tcp + server ${name} ${value.dest}:${builtins.toString value.httpsPort} check - '' - ) "" forwards} + '' + ) "" forwards} ''; }; }; From 2aece2e1829ae67bc89a7dfe0f7d74f7c281d9b4 Mon Sep 17 00:00:00 2001 
From: goeranh Date: Sat, 28 Feb 2026 15:42:19 +0100 Subject: [PATCH 20/20] haproxy config formatting --- hosts/proxy/default.nix | 178 ++++++++++++++++++++-------------------- 1 file changed, 90 insertions(+), 88 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index b4ab877..e69bdd3 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
@@ -191,110 +191,112 @@ haproxy = { enable = true; config = '' - global - # schreibe globalen log ins journal ip -> app - log /dev/log format raw local0 - maxconn 50000 - # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control - # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners - tune.bufsize 32762 + global + # schreibe globalen log ins journal ip -> app + log /dev/log format raw local0 + maxconn 50000 + # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control + # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + tune.bufsize 32762 - defaults - log global - mode tcp - option tcplog - timeout connect 5s - timeout client 30s - timeout server 30s + defaults + log global + mode tcp + option tcplog + timeout connect 5s + timeout client 30s + timeout server 30s # stats seite zeigt backend connection status, wenn check gesetzt ist - frontend stats - bind 127.0.0.1:8404 - mode http - stats enable - stats uri /stats - stats refresh 10s - stats show-legends - stats show-node - stats show-modules + frontend stats + bind 127.0.0.1:8404 + mode http + stats enable + stats uri /stats + stats refresh 10s + stats show-legends + stats show-node + stats show-modules - frontend http-in - bind *:80 + frontend http-in + bind *:80 - # hier wird eine regel pro domain aus der forwarder liste generiert - ${lib.foldlAttrs ( - prev: name: value: - prev + "acl is_${name} hdr(host) -i ${value.domain}\n" - ) "" forwards} + # hier wird eine regel pro domain aus der forwarder liste generiert + ${lib.foldlAttrs ( + prev: name: value: + prev + '' + acl is_${name} hdr(host) -i ${value.domain} + '' + ) "" forwards} - # ist request eine acme challenge? - acl is_acme path_beg /.well-known/acme-challenge/ + # ist request eine acme challenge? 
+ acl is_acme path_beg /.well-known/acme-challenge/ - # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist - ${lib.foldlAttrs ( - prev: name: value: - prev - + '' - use_backend ${name}_80 if is_${name} - http-request redirect scheme https code 301 if !is_acme is_${name} - '' - ) "" forwards} + # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist + ${lib.foldlAttrs ( + prev: name: value: + prev + + '' + use_backend ${name}_80 if is_${name} + http-request redirect scheme https code 301 if !is_acme is_${name} + '' + ) "" forwards} - # das default backend zeigt die liste aller redirects an - # die liste darf nicht auf 443 redirected werden, da cert fehlt - default_backend default_backend + # das default backend zeigt die liste aller redirects an + # die liste darf nicht auf 443 redirected werden, da cert fehlt + default_backend default_backend - # ssh redirect srs2 - frontend ssh_jump_alt - bind *:2142 - mode tcp - # gönn mal session timeout - timeout client 30m - log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " - use_backend ssh_srs2 + # ssh redirect srs2 + frontend ssh_jump_alt + bind *:2142 + mode tcp + # gönn mal session timeout + timeout client 30m + log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " + use_backend ssh_srs2 - # ---- SNI routing (TCP, peek at handshake) ---- - frontend sni_router - bind *:443 - mode tcp - # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht - tcp-request inspect-delay 1s - tcp-request content accept if { req_ssl_hello_type 1 } + # ---- SNI routing (TCP, peek at handshake) ---- + frontend sni_router + bind *:443 + mode tcp + # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht + tcp-request inspect-delay 1s + tcp-request content accept if { req_ssl_hello_type 1 } - # tcp redirect der 
anwendung basierend auf ssl_sni handshake parameter - ${lib.foldlAttrs ( - prev: name: value: - prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" - ) "" forwards} + # tcp redirect der anwendung basierend auf ssl_sni handshake parameter + ${lib.foldlAttrs ( + prev: name: value: + prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" + ) "" forwards} - # default backend http static file generated above - backend default_backend - mode http - http-request return status 200 content-type "text/html" file ${indexPage} + # default backend http static file generated above + backend default_backend + mode http + http-request return status 200 content-type "text/html" file ${indexPage} - # ssh srs2 backend - backend ssh_srs2 - mode tcp - timeout server 30m - timeout connect 10s - option tcpka - server srs2 141.56.51.2:80 check + # ssh srs2 backend + backend ssh_srs2 + mode tcp + timeout server 30m + timeout connect 10s + option tcpka + server srs2 141.56.51.2:80 check - # ein backend pro forwards eintrag für port 80 und 443 - ${lib.foldlAttrs ( - prev: name: value: - prev - + '' + # ein backend pro forwards eintrag für port 80 und 443 + ${lib.foldlAttrs ( + prev: name: value: + prev + + '' - backend ${name}_80 - mode http - server ${name} ${value.dest}:${builtins.toString value.httpPort} - backend ${name}_443 - mode tcp - server ${name} ${value.dest}:${builtins.toString value.httpsPort} check + backend ${name}_80 + mode http + server ${name} ${value.dest}:${builtins.toString value.httpPort} + backend ${name}_443 + mode tcp + server ${name} ${value.dest}:${builtins.toString value.httpsPort} check - '' - ) "" forwards} + '' + ) "" forwards} ''; }; };