diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
new file mode 100644
index 0000000..a422d97
--- /dev/null
+++ b/hosts/proxy/default.nix
@@ -0,0 +1,126 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ networking.hostName = "proxy";
+ networking.interfaces.ens18.ipv4.addresses = [
+ {
+ address = "141.56.51.1";
+ prefixLength = 24;
+ }
+ ];
+
+ networking.defaultGateway.address = "141.56.51.254";
+ networking.nameservers = [
+ "9.9.9.9"
+ "1.1.1.1"
+ ];
+ security.acme = {
+ certs."stura.htw-dresden.de" = {
+ listenHTTP = "127.0.0.1:8888";
+ postRun = ''
+ cat cert.pem key.pem > full.pem
+ chmod 640 full.pem
+ systemctl reload haproxy
+ '';
+ };
+ };
+
+# give haproxy access to the cert files
+users.users.haproxy.extraGroups = [ "acme" ];
+
+systemd.services.haproxy = {
+ after = [ "acme-finished-stura.htw-dresden.de.target" ];
+ wants = [ "acme-finished-stura.htw-dresden.de.target" ];
+};
+
+services = {
+ openssh.enable = true;
+ haproxy = {
+ enable = true;
+ config = ''
+ global
+ log /dev/log local0
+ maxconn 4096
+ # for ACME/Let's Encrypt cert + key in one file:
+ crt-base /var/lib/acme
+
+ defaults
+ log global
+ mode tcp
+ option tcplog
+ timeout connect 5s
+ timeout client 30s
+ timeout server 30s
+
+ # ---- HTTP (port 80) for ACME challenges ----
+ frontend http_in
+ bind *:80
+ mode http
+ option httplog
+
+ acl is_acme path_beg /.well-known/acme-challenge/
+ acl is_my_domain hdr(host) -i stura.htw-dresden.de
+ use_backend acme_backend if is_acme is_my_domain
+ # redirect everything else to HTTPS
+ redirect scheme https code 301 if !is_acme
+
+ backend acme_backend
+ mode http
+ server acme 127.0.0.1:8888 check
+
+
+ # ---- SNI routing (TCP, peek at handshake) ----
+ frontend sni_router
+ bind *:443
+ mode tcp
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+
+ # terminated here
+ use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
+ # passed through to nginx on remote host
+ use_backend tls_passthrough if { req_ssl_sni -i pro.stura.htw-dresden.de }
+
+ backend terminate_plone
+ mode tcp
+ # loopback to the termination frontend below
+ server loopback 127.0.0.1:8443
+
+ backend tls_passthrough
+ mode tcp
+ server nginx_host 141.56.51.15:443 check
+
+ frontend https_terminated
+ bind 127.0.0.1:8443 ssl crt /var/lib/acme/stura.htw-dresden.de/full.pem
+ mode http
+
+ default_backend plone_backend
+
+ backend plone_backend
+ mode http
+ http-request set-header Host stura.htw-dresden.de
+ http-request replace-uri ^/(.*)$ /VirtualHostBase/https/stura.htw-dresden.de:443/Plone/VirtualHostRoot/\1
+ server plone 141.56.51.5:8080 check
+
+# proxy_pass "http://141.56.51.5:8080/VirtualHostBase/https/stura.htw-dresden.de:443/Plone/VirtualHostRoot/";
+ '';
+ };
+ };
+
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ system.stateVersion = "25.11";
+
+}
diff --git a/hosts/proxy/hardware-configuration.nix b/hosts/proxy/hardware-configuration.nix
new file mode 100644
index 0000000..b92ae55
--- /dev/null
+++ b/hosts/proxy/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ # fileSystems."/" =
+ # {
+ # device = "/dev/sda1";
+ # fsType = "ext4";
+ # };
+
+ # swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/proxy/hetzner-disk.nix b/hosts/proxy/hetzner-disk.nix
new file mode 100644
index 0000000..a679e7c
--- /dev/null
+++ b/hosts/proxy/hetzner-disk.nix
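Review bot: The loopback hop from `backend terminate_plone` into `frontend https_terminated` loses the client address: `server loopback 127.0.0.1:8443` sends no PROXY-protocol header, the `bind 127.0.0.1:8443 ssl ...` line does not accept one, and `backend plone_backend` adds no X-Forwarded-For, so the httplog of the terminated frontend and Plone's own logs record 127.0.0.1 for every request, which leaves nothing to correlate when abuse is reported or an incident is investigated. Change the three lines to `server loopback 127.0.0.1:8443 send-proxy-v2`, `bind 127.0.0.1:8443 accept-proxy ssl crt /var/lib/acme/stura.htw-dresden.de/full.pem` and add `option forwardfor` under `backend plone_backend`. Separately, in `frontend http_in` an ACME request whose Host header is not stura.htw-dresden.de matches neither `use_backend acme_backend` nor the redirect and ends in a 503, so if the nginx host behind `tls_passthrough` relies on HTTP-01 through this proxy it needs its own routing rule; if it validates another way, a comment saying so next to `acl is_my_domain` would spare the next reader the question. The absent `default_backend` in `sni_router` means unmatched SNI is dropped, which is the right default but worth a one-line comment.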
@@ -0,0 +1,56 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ start = "1M";
+ end = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/home" = {
+ mountOptions = [ "compress=zstd" ];
+ mountpoint = "/home";
+ };
+ # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
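Review bot: The comment `# Sub(sub)volume doesn't need a mountpoint as its parent is mounted` sits directly above `"/nix"`, which does set `mountpoint = "/nix"` and has no mounted parent, so it describes a subvolume that is not in this file and looks like a leftover from the disko example it was copied from. Either drop it or replace it with `# /nix has no mounted parent, so it needs its own mountpoint`. Also, nothing in this diff imports hetzner-disk.nix (default.nix imports only ./hardware-configuration.nix, whose `fileSystems."/"` is commented out), so unless a flake or host module outside this diff wires disko and this file in, the host ends up with no declared root filesystem; a short comment at the top of this file naming where it is imported from would make that dependency visible.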