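{ config, lib, pkgs, ... }:

# NixOS module for the "proxy" host: obtains the stura.htw-dresden.de
# certificate via ACME and runs HAProxy as the HTTP/TLS entry point for the
# stura, www.stura and pro.stura hosts.
{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "proxy";
  networking.interfaces.ens18.ipv4.addresses = [
    { address = "141.56.51.1"; prefixLength = 24; }
  ];
  networking.defaultGateway.address = "141.56.51.254";
  networking.nameservers = [ "9.9.9.9" "1.1.1.1" ];

  # NOTE(review): the ACME module also expects acceptTerms and a contact
  # email; neither is set in this file — confirm they are defined elsewhere.
  security.acme = {
    certs."stura.htw-dresden.de" = {
      # Standalone HTTP-01 responder on loopback. HAProxy forwards
      # /.well-known/acme-challenge/ requests from port 80 to it (backend
      # acme_backend in the HAProxy config below); without that route the
      # challenges would be sent to the Plone backend and renewals would fail.
      listenHTTP = ":8888";
      extraDomainNames = [ "www.stura.htw-dresden.de" ];
      # Cert files are created group-readable for HAProxy.
      group = "haproxy";
      # NOTE(review): the ACME module already writes full.pem (cert + key)
      # into the cert directory, so this hook appears unnecessary — confirm
      # before re-enabling it.
      # postRun = ''
      #   cat cert.pem key.pem > full.pem
      #   chmod 640 full.pem
      #   systemctl reload haproxy
      # '';
    };
  };

  # give haproxy access to the cert files
  users.users.haproxy.extraGroups = [ "acme" ];

  # Order HAProxy after the certificate exists so the `crt` file referenced
  # in frontend https_terminated is present at start-up.
  systemd.services.haproxy = {
    after = [ "acme-finished-stura.htw-dresden.de.target" ];
    wants = [ "acme-finished-stura.htw-dresden.de.target" ];
  };

  services = {
    openssh.enable = true;

    haproxy = {
      enable = true;
      # SECURITY(review): `stats auth admin:yourpassword` is a placeholder
      # credential. services.haproxy.config is rendered into the world-readable
      # Nix store, so any local user can read it. The stats frontend only
      # listens on 127.0.0.1:8404, which limits exposure, but replace or drop
      # the auth line rather than ship the placeholder.
      config = ''
        global
          log /dev/log local0
          maxconn 4096
          # for ACME/Let's Encrypt cert + key in one file:
          stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
          crt-base /var/lib/acme

        defaults
          log global
          mode tcp
          option tcplog
          timeout connect 5s
          timeout client 30s
          timeout server 30s

        frontend stats
          bind 127.0.0.1:8404
          mode http
          stats enable
          stats uri /stats
          stats refresh 10s
          stats auth admin:yourpassword
          stats show-legends
          stats show-node

        # ---- HTTP (port 80): ACME challenges to the local responder, ----
        # ---- everything else to the per-host plain-HTTP backends       ----
        # NOTE(review): plain HTTP is proxied, not redirected to HTTPS — confirm intended
        frontend http-in
          bind *:80
          # the hdr()/path_beg ACLs below are layer-7 and need HTTP mode;
          # `defaults` is mode tcp, so it must be set here explicitly
          mode http
          option httplog
          acl is_acme path_beg /.well-known/acme-challenge/
          acl is_plone hdr(host) -i stura.htw-dresden.de
          acl is_www_plone hdr(host) -i www.stura.htw-dresden.de
          acl is_pro hdr(host) -i pro.stura.htw-dresden.de
          use_backend acme_backend if is_acme
          use_backend plone_80 if is_plone
          use_backend plone_80 if is_www_plone
          use_backend pro_80 if is_pro
          default_backend plone_80

        # ACME HTTP-01 responder (security.acme listenHTTP)
        backend acme_backend
          mode http
          server acme 127.0.0.1:8888

        # ---- SNI routing (TCP, peek at handshake) ----
        frontend sni_router
          bind *:443
          mode tcp
          tcp-request inspect-delay 5s
          tcp-request content accept if { req_ssl_hello_type 1 }
          # terminated here
          #use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
          use_backend plone_passthrough if { req_ssl_sni -i stura.htw-dresden.de }
          use_backend plone_passthrough if { req_ssl_sni -i www.stura.htw-dresden.de }
          # passed through to nginx on remote host
          use_backend tls_passthrough if { req_ssl_sni -i pro.stura.htw-dresden.de }

        backend terminate_plone
          mode tcp
          # loopback to the termination frontend below
          server loopback 127.0.0.1:8443

        backend tls_passthrough
          mode tcp
          server nginx_host 141.56.51.15:443 check

        backend plone_passthrough
          mode tcp
          server nginx_host 141.56.51.3:443 check

        frontend https_terminated
          bind 127.0.0.1:8443 ssl crt /var/lib/acme/stura.htw-dresden.de/full.pem
          mode http
          default_backend plone_backend

        backend plone_80
          mode http
          server plone 141.56.51.3:80 check

        backend pro_80
          mode http
          server plone 141.56.51.15:80 check

        backend plone_backend
          mode http
          http-request set-header Host stura.htw-dresden.de
          http-request replace-uri ^/(.*)$ /VirtualHostBase/https/stura.htw-dresden.de:443/Plone/VirtualHostRoot/\1
          server plone 141.56.51.5:8080 check
          # proxy_pass "http://141.56.51.5:8080/VirtualHostBase/https/stura.htw-dresden.de:443/Plone/VirtualHostRoot/";
      '';
    };
  };

  # Only the public entry points; the ACME responder (8888), stats (8404)
  # and the termination loopback (8443) stay on localhost.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  environment.systemPackages = with pkgs; [ openvpn tcpdump ];

  system.stateVersion = "25.11";
}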