111 lines
2.8 KiB
Nix
111 lines
2.8 KiB
Nix
|
{ config, pkgs, lib, ... }:
|
||
|
|
||
|
let
|
||
|
cfg = config.shb.reverseproxy;
|
||
|
in
|
||
|
{
|
||
|
options.shb.reverseproxy = {
|
||
|
sopsFile = lib.mkOption {
|
||
|
type = lib.types.path;
|
||
|
description = "Sops file location";
|
||
|
example = "secrets/haproxy.yaml";
|
||
|
};
|
||
|
|
||
|
domain = lib.mkOption {
|
||
|
description = lib.mdDoc "Domain to serve sites under.";
|
||
|
type = lib.types.str;
|
||
|
};
|
||
|
|
||
|
adminEmail = lib.mkOption {
|
||
|
description = lib.mdDoc "Admin email in case certificate retrieval goes wrong.";
|
||
|
type = lib.types.str;
|
||
|
};
|
||
|
|
||
|
sites = lib.mkOption {
|
||
|
description = lib.mdDoc "Sites to serve through the reverse proxy.";
|
||
|
type = lib.types.anything;
|
||
|
default = {};
|
||
|
example = {
|
||
|
homeassistant = {
|
||
|
frontend = {
|
||
|
acl = {
|
||
|
acl_homeassistant = "hdr_beg(host) ha.";
|
||
|
};
|
||
|
use_backend = "if acl_homeassistant";
|
||
|
};
|
||
|
backend = {
|
||
|
servers = [
|
||
|
{
|
||
|
name = "homeassistant1";
|
||
|
address = "127.0.0.1:8123";
|
||
|
forwardfor = false;
|
||
|
balance = "roundrobin";
|
||
|
check = {
|
||
|
inter = "5s";
|
||
|
downinter = "15s";
|
||
|
fall = "3";
|
||
|
rise = "3";
|
||
|
};
|
||
|
httpcheck = "GET /";
|
||
|
}
|
||
|
];
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
|
||
|
config = lib.mkIf (cfg.sites != {}) {
|
||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||
|
|
||
|
security.acme = {
|
||
|
acceptTerms = true;
|
||
|
certs."${cfg.domain}" = {
|
||
|
extraDomainNames = ["*.${cfg.domain}"];
|
||
|
};
|
||
|
defaults = {
|
||
|
email = cfg.adminEmail;
|
||
|
dnsProvider = "linode";
|
||
|
dnsResolver = "8.8.8.8";
|
||
|
group = config.services.haproxy.user;
|
||
|
# For example, to use Linode to prove the dns challenge,
|
||
|
# the content of the file should be the following, with
|
||
|
# XXX replaced by your Linode API token.
|
||
|
# LINODE_HTTP_TIMEOUT=10
|
||
|
# LINODE_POLLING_INTERVAL=10
|
||
|
# LINODE_PROPAGATION_TIMEOUT=240
|
||
|
# LINODE_TOKEN=XXX
|
||
|
credentialsFile = "/run/secrets/linode";
|
||
|
enableDebugLogs = false;
|
||
|
};
|
||
|
};
|
||
|
sops.secrets.linode = {
|
||
|
inherit (cfg) sopsFile;
|
||
|
restartUnits = [ "acme-${cfg.domain}.service" ];
|
||
|
};
|
||
|
|
||
|
services.haproxy.enable = true;
|
||
|
|
||
|
services.haproxy.config = let
|
||
|
configcreator = pkgs.callPackage ./haproxy-configcreator.nix {};
|
||
|
in configcreator.render ( configcreator.default {
|
||
|
inherit (config.services.haproxy) user group;
|
||
|
|
||
|
certPath = "/var/lib/acme/${cfg.domain}/full.pem";
|
||
|
|
||
|
stats = {
|
||
|
port = 8404;
|
||
|
uri = "/stats";
|
||
|
refresh = "10s";
|
||
|
prometheusUri = "/metrics";
|
||
|
};
|
||
|
|
||
|
defaults = {
|
||
|
default-server = "init-addr last,none";
|
||
|
};
|
||
|
|
||
|
inherit (cfg) sites;
|
||
|
});
|
||
|
};
|
||
|
}
|