StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
stura-infra/hosts/proxy/default.nix

281 lines
8 KiB
Nix
Raw Blame History

{
self,
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./hetzner-disk.nix
];
networking = {
hostName = "proxy";
interfaces.ens18.ipv4.addresses = [
{
address = "141.56.51.1";
prefixLength = 24;
}
];
defaultGateway.address = "141.56.51.254";
nameservers = [
"9.9.9.9"
"1.1.1.1"
];
firewall = {
allowedTCPPorts = [
22
80
443
1005
2142
];
};
nftables = {
enable = true;
};
};
# wenn instanzen in die flake migriert sind könnte man das autogenerierien
services =
let
# jeder Block beschreibt eine Weiterleitung von port 80 und 443 für einen fqdn
forwards = {
plone = {
dest = "141.56.51.3";
domain = "stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
plone_neu = {
dest = "141.56.51.3";
domain = "www.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
plone_neu2 = {
dest = "141.56.51.3";
domain = "htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
vot = {
dest = "141.56.51.57";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.17";
domain = "dat.stu.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
beach = {
dest = "141.56.51.51";
domain = "beach.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
studicloud = {
dest = "141.56.51.17";
domain = "dat.stu.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
} // (builtins.foldl'(prev: name: let
cfg = self.nixosConfigurations.${name}.config;
in prev // {
"${name}" = {
# dest = (builtins.head cfg.networking.interfaces.eth0.ipv4.addresses).address;
dest = (builtins.head cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses).address;
domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts);
httpsPort = 443;
httpPort = 80;
};
}) {} (builtins.filter (name: self.nixosConfigurations.${name}.config.services.nginx.enable)(builtins.attrNames self.nixosConfigurations)));
indexPage = pkgs.writeTextFile {
name = "index.html";
text = ''
<html>
<head>
<title>
StuRa HTWD Index
</title>
</head>
<body>
<p>
Du hast dich scheinbar verlaufen. K&ouml;nnen wir dir hier m&ouml;glicherweise weiter helfen?
</p>
<ul>
${lib.foldlAttrs (
prev: name: value:
prev
+ ''
<li><a href="https://${value.domain}">${value.domain}</a></li>
''
) "" forwards}
</ul>
</body>
</html>
'';
};
in
{
openssh = {
# admin ssh access port
listenAddresses = [
{
addr = "141.56.51.1";
port = 1005;
}
];
};
haproxy = {
enable = true;
config = ''
global
# schreibe globalen log ins journal ip -> app
log /dev/log format raw local0
maxconn 50000
# man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
tune.bufsize 32762
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 30s
timeout server 30s
# stats seite zeigt backend connection status, wenn check gesetzt ist
frontend stats
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats show-legends
stats show-node
stats show-modules
frontend http-in
bind *:80
# hier wird eine regel pro domain aus der forwarder liste generiert
${lib.foldlAttrs (
prev: name: value:
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
) "" forwards}
# ist request eine acme challenge?
acl is_acme path_beg /.well-known/acme-challenge/
# pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist
${lib.foldlAttrs (
prev: name: value:
prev + ''
use_backend ${name}_80 if is_${name}
http-request redirect scheme https code 301 if !is_acme is_${name}
''
) "" forwards}
# das default backend zeigt die liste aller redirects an
# die liste darf nicht auf 443 redirected werden, da cert fehlt
default_backend default_backend
# ssh redirect srs2
frontend ssh_jump_alt
bind *:2142
mode tcp
# gönn mal session timeout
timeout client 30m
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
use_backend ssh_srs2
# ---- SNI routing (TCP, peek at handshake) ----
frontend sni_router
bind *:443
mode tcp
# mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht
tcp-request inspect-delay 1s
tcp-request content accept if { req_ssl_hello_type 1 }
# tcp redirect der anwendung basierend auf ssl_sni handshake parameter
${lib.foldlAttrs (
prev: name: value:
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
) "" forwards}
# default backend http static file generated above
backend default_backend
mode http
http-request return status 200 content-type "text/html" file ${indexPage}
# ssh srs2 backend
backend ssh_srs2
mode tcp
timeout server 30m
timeout connect 10s
option tcpka
server srs2 141.56.51.2:80 check
# ein backend pro forwards eintrag für port 80 und 443
${lib.foldlAttrs (
prev: name: value:
prev
+ ''
backend ${name}_80
mode http
server ${name} ${value.dest}:${builtins.toString value.httpPort}
backend ${name}_443
mode tcp
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
''
) "" forwards}
'';
};
};
environment.systemPackages = with pkgs; [
];
system.stateVersion = "25.11";
}
Reference in a new issue View git blame Copy permalink