{ self, config, lib, pkgs, ... }: { imports = [ ./hardware-configuration.nix ./hetzner-disk.nix ]; networking = { hostName = "proxy"; interfaces.ens18.ipv4.addresses = [ { address = "141.56.51.1"; prefixLength = 24; } ]; defaultGateway.address = "141.56.51.254"; firewall = { allowedTCPPorts = [ 22 53 # DNS 80 443 1005 2142 ]; allowedUDPPorts = [ 53 # DNS 123 # NTP ]; }; nftables = { enable = true; }; }; # wenn instanzen in die flake migriert sind könnte man das autogenerierien services = let # Documentation site from flake package docsSite = self.packages.x86_64-linux.docs-site; # jeder Block beschreibt eine Weiterleitung von port 80 und 443 für einen fqdn forwards = { docs = { dest = "127.0.0.1"; domain = "docs.adm.htw.stura-dresden.de"; httpPort = 8080; httpsPort = 8443; }; plone = { dest = "141.56.51.3"; domain = "stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; }; plone_alt = { dest = "141.56.51.3"; domain = "www.stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; }; plone_neu = { dest = "141.56.51.3"; domain = "www.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; plone_neu2 = { dest = "141.56.51.3"; domain = "htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; tix = { dest = "141.56.51.220"; domain = "tix.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; post = { dest = "141.56.51.56"; domain = "post.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; vot = { dest = "141.56.51.57"; domain = "vot.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; mail = { dest = "141.56.51.14"; domain = "mail.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; lists = { dest = "141.56.51.14"; domain = "lists.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; dat = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; pro = { dest = "141.56.51.15"; domain = "pro.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; cloud = { dest = "141.56.51.16"; domain = "cloud.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; wiki = { dest = "141.56.51.13"; domain = "wiki.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; beach = { dest = "141.56.51.51"; domain = "beach.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; studicloud = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; }; } # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert // (builtins.foldl' ( prev: name: let cfg = self.nixosConfigurations.${name}.config; vhosts = builtins.attrNames cfg.services.nginx.virtualHosts; address = (builtins.head # dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses ).address; in prev // (builtins.foldl' ( val: vhost: val // { "${vhost}" = { dest = address; domain = vhost; httpsPort = 443; httpPort = 80; }; } ) { } vhosts) ) { } ( # alle nixosConfigurations auswählen, die nginx enabled haben builtins.filter (name: self.nixosConfigurations.${name}.config.services.nginx.enable) ( builtins.attrNames self.nixosConfigurations ) ) ); indexPage = pkgs.writeTextFile { name = "index.html"; text = '' StuRa HTWD Index

Du hast dich scheinbar verlaufen. Können wir dir hier möglicherweise weiter helfen?

''; }; in { # BIND DNS recursive resolver for the internal network bind = { enable = true; cacheNetworks = [ "127.0.0.0/8" "141.56.51.0/24" ]; # forwarders = [ # "9.9.9.9" # "1.1.1.1" # ]; listenOn = [ "141.56.51.1" "127.0.0.1" ]; listenOnIpv6 = [ ]; zones = { "htw.stura-dresden.de" = { master = true; file = pkgs.writeText "htw.stura-dresden.de.zone" '' $TTL 3600 @ IN SOA proxy.htw.stura-dresden.de. hostmaster.htw.stura-dresden.de. ( 2026031301 ; Serial (YYYYMMDDNN) 3600 ; Refresh (1 hour) 1800 ; Retry (30 minutes) 604800 ; Expire (1 week) 86400 ) ; Minimum TTL (1 day) ; Name servers @ IN NS proxy.htw.stura-dresden.de. ; Proxy host - main IPv4 gateway proxy IN A 141.56.51.1 proxy IN AAAA 2a01:4f8:1c19:96f8::1 ; Auto-generated CNAME records for all subdomains pointing to proxy ${lib.foldlAttrs ( prev: name: value: let zoneSuffix = ".htw.stura-dresden.de"; # Check if this domain belongs to our zone isInZone = lib.hasSuffix zoneSuffix value.domain; # Extract subdomain by removing the zone suffix subdomain = lib.removeSuffix zoneSuffix value.domain; in if isInZone && subdomain != "" && subdomain != "htw.stura-dresden.de" then prev + "${subdomain}${" "}IN${" "}CNAME${" "}proxy.htw.stura-dresden.de.\n" else prev ) "" forwards} ''; }; }; }; # Chrony NTP server for the internal network chrony = { enable = true; enableNTS = false; servers = [ "0.de.pool.ntp.org" "1.de.pool.ntp.org" "2.de.pool.ntp.org" "3.de.pool.ntp.org" ]; serverOption = "iburst"; extraConfig = '' # Allow NTP client access from local network allow 141.56.51.0/24 # Serve time even if not synced to a time source local stratum 10 ''; }; openssh = { # admin ssh access port listenAddresses = [ { addr = "141.56.51.1"; port = 1005; } ]; }; # Nginx to serve the documentation site nginx = { enable = true; virtualHosts."docs.adm.htw.stura-dresden.de" = { enableACME = true; listen = [ { addr = "127.0.0.1"; port = 8080; } ]; locations."/" = { root = docsSite; tryFiles = "$uri $uri/ $uri.html =404"; }; }; # HTTPS version for internal serving appendHttpConfig = '' server { listen 127.0.0.1:8443 ssl http2; server_name docs.adm.htw.stura-dresden.de; ssl_certificate ${config.security.acme.certs."docs.adm.htw.stura-dresden.de".directory}/cert.pem; ssl_certificate_key ${ config.security.acme.certs."docs.adm.htw.stura-dresden.de".directory }/key.pem; location / { root ${docsSite}; try_files $uri $uri/ $uri.html =404; } } ''; }; # ACME certificate for docs site haproxy = { enable = true; config = '' global # schreibe globalen log ins journal ip -> app log /dev/log format raw local0 maxconn 50000 # man könnte metriken über einen socket file statt einen lokalen port machen für user permission control # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners tune.bufsize 32762 defaults log global mode tcp option tcplog timeout connect 5s timeout client 30s timeout server 30s # stats seite zeigt backend connection status, wenn check gesetzt ist frontend stats bind 127.0.0.1:8404 mode http stats enable stats uri /stats stats refresh 10s stats show-legends stats show-node stats show-modules frontend http-in bind *:80 # hier wird eine regel pro domain aus der forwarder liste generiert ${lib.foldlAttrs ( prev: name: value: prev + '' acl is_${name} hdr(host) -i ${value.domain} '' ) "" forwards} # ist request eine acme challenge? acl is_acme path_beg /.well-known/acme-challenge/ # pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist ${lib.foldlAttrs ( prev: name: value: prev + '' use_backend ${name}_80 if is_${name} http-request redirect scheme https code 301 if !is_acme is_${name} '' ) "" forwards} # das default backend zeigt die liste aller redirects an # die liste darf nicht auf 443 redirected werden, da cert fehlt default_backend default_backend # ssh redirect srs2 frontend ssh_jump_alt bind *:2142 mode tcp # gönn mal session timeout timeout client 30m log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " use_backend ssh_srs2 # ---- SNI routing (TCP, peek at handshake) ---- frontend sni_router bind *:443 mode tcp # mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht tcp-request inspect-delay 1s tcp-request content accept if { req_ssl_hello_type 1 } # tcp redirect der anwendung basierend auf ssl_sni handshake parameter ${lib.foldlAttrs ( prev: name: value: prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" ) "" forwards} # default backend http static file generated above backend default_backend mode http http-request return status 200 content-type "text/html" file ${indexPage} # ssh srs2 backend backend ssh_srs2 mode tcp timeout server 30m timeout connect 10s option tcpka server srs2 141.56.51.2:80 check # ein backend pro forwards eintrag für port 80 und 443 ${lib.foldlAttrs ( prev: name: value: prev + '' backend ${name}_80 mode http server ${name} ${value.dest}:${builtins.toString value.httpPort} backend ${name}_443 mode tcp server ${name} ${value.dest}:${builtins.toString value.httpsPort} check '' ) "" forwards} ''; }; }; environment.systemPackages = with pkgs; [ ]; system.stateVersion = "25.11"; }