merge config with unit for haproxy
This commit is contained in:
parent
e41918a1a7
commit
a670d691bc
7 changed files with 82 additions and 146 deletions
|
@ -12,10 +12,7 @@ let
|
|||
PostgresDB = callPackage ./postgresdb {};
|
||||
mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;};
|
||||
|
||||
HaproxyConfig = callPackage ./haproxy/config.nix {inherit utils;};
|
||||
mkHaproxyConfig = callPackage ./haproxy/mkconfig.nix {inherit HaproxyConfig;};
|
||||
HaproxyService = callPackage ./haproxy/unit.nix {inherit utils;};
|
||||
mkHaproxyService = callPackage ./haproxy/mkunit.nix {inherit HaproxyService;};
|
||||
mkHaproxyService = callPackage ./haproxy/unit.nix {inherit utils;};
|
||||
|
||||
CaddyConfig = callPackage ./caddy/config.nix {inherit utils;};
|
||||
CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
{ stdenv
|
||||
, pkgs
|
||||
, lib
|
||||
, utils
|
||||
}:
|
||||
{ configDir ? "/etc/haproxy"
|
||||
, configFile ? "haproxy.cfg"
|
||||
, user
|
||||
, group
|
||||
, config
|
||||
}:
|
||||
dependsOn:
|
||||
|
||||
with builtins;
|
||||
with lib.attrsets;
|
||||
with lib.lists;
|
||||
with lib.strings;
|
||||
let
|
||||
|
||||
configcreator = pkgs.callPackage ./configcreator.nix {inherit utils;};
|
||||
|
||||
in
|
||||
|
||||
utils.mkConfigFile {
|
||||
name = configFile;
|
||||
dir = configDir;
|
||||
content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}));
|
||||
}
|
|
@ -1,23 +0,0 @@
|
|||
{ HaproxyConfig
|
||||
}:
|
||||
{ name
|
||||
, configDir
|
||||
, configFile
|
||||
, user
|
||||
, group
|
||||
, config
|
||||
, dependsOn ? {}
|
||||
}:
|
||||
{
|
||||
inherit name configDir configFile;
|
||||
inherit user group;
|
||||
|
||||
pkg = HaproxyConfig {
|
||||
inherit configDir configFile;
|
||||
inherit config;
|
||||
inherit user group;
|
||||
};
|
||||
|
||||
inherit dependsOn;
|
||||
type = "fileset";
|
||||
}
|
|
@ -1,17 +0,0 @@
|
|||
{ HaproxyService
|
||||
}:
|
||||
{ name
|
||||
, configDir
|
||||
, configFile
|
||||
, dependsOn ? {}
|
||||
}:
|
||||
|
||||
{
|
||||
inherit name configDir configFile;
|
||||
pkg = HaproxyService {
|
||||
inherit configDir configFile;
|
||||
};
|
||||
|
||||
inherit dependsOn;
|
||||
type = "systemd-unit";
|
||||
}
|
130
haproxy/unit.nix
130
haproxy/unit.nix
|
@ -1,75 +1,91 @@
|
|||
{ stdenv
|
||||
, pkgs
|
||||
{ pkgs
|
||||
, utils
|
||||
}:
|
||||
{ configDir ? "/etc/haproxy"
|
||||
, configFile ? "haproxy.cfg"
|
||||
{ name
|
||||
, user
|
||||
, group
|
||||
, config
|
||||
, pidfile ? "/run/haproxy/haproxy.pid"
|
||||
, socket ? "/run/haproxy/haproxy.sock"
|
||||
, dependsOn ? {}
|
||||
}:
|
||||
{...}:
|
||||
|
||||
# User and group are set in config.nix
|
||||
let
|
||||
configcreator = pkgs.callPackage ./configcreator.nix {inherit utils;};
|
||||
|
||||
utils.systemd.mkService rec {
|
||||
name = "haproxy";
|
||||
content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}));
|
||||
configfile = pkgs.writeText "haproxy.cfg" content;
|
||||
in
|
||||
{
|
||||
inherit name;
|
||||
|
||||
content = ''
|
||||
[Unit]
|
||||
Description=HAProxy Load Balancer
|
||||
Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/
|
||||
After=network.target network-online.target
|
||||
Wants=network-online.target systemd-networkd-wait-online.target
|
||||
inherit user group;
|
||||
|
||||
StartLimitInterval=14400
|
||||
StartLimitBurst=10
|
||||
|
||||
[Service]
|
||||
Environment="CONFIG=${configDir}/${configFile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}"
|
||||
ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
|
||||
ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
|
||||
ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID
|
||||
KillMode=mixed
|
||||
Restart=always
|
||||
SuccessExitStatus=143
|
||||
Type=notify
|
||||
pkg = dependsOn: utils.systemd.mkService {
|
||||
name = "haproxy";
|
||||
|
||||
content = ''
|
||||
[Unit]
|
||||
Description=HAProxy Load Balancer
|
||||
Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/
|
||||
After=network.target network-online.target
|
||||
Wants=network-online.target systemd-networkd-wait-online.target
|
||||
${utils.unitDepends "After" dependsOn}
|
||||
${utils.unitDepends "Wants" dependsOn}
|
||||
|
||||
StartLimitInterval=14400
|
||||
StartLimitBurst=10
|
||||
|
||||
[Service]
|
||||
Environment="CONFIG=${configfile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}"
|
||||
ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
|
||||
ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
|
||||
ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID
|
||||
KillMode=mixed
|
||||
Restart=always
|
||||
SuccessExitStatus=143
|
||||
Type=notify
|
||||
|
||||
|
||||
# Restart=on-abnormal
|
||||
RuntimeDirectory=haproxy
|
||||
# Restart=on-abnormal
|
||||
RuntimeDirectory=haproxy
|
||||
|
||||
# KillMode=mixed
|
||||
# KillSignal=SIGQUIT
|
||||
TimeoutStopSec=5s
|
||||
# KillMode=mixed
|
||||
# KillSignal=SIGQUIT
|
||||
TimeoutStopSec=5s
|
||||
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=512
|
||||
LimitNOFILE=1048576
|
||||
LimitNPROC=512
|
||||
|
||||
PrivateDevices=true
|
||||
LockPersonality=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
PrivateDevices=true
|
||||
LockPersonality=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
|
||||
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
# AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
# AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
# ProtectSystem=strict
|
||||
# ReadWritePaths=/var/lib/haproxy /var/log/haproxy
|
||||
# ProtectSystem=strict
|
||||
# ReadWritePaths=/var/lib/haproxy /var/log/haproxy
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
'';
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
'';
|
||||
};
|
||||
|
||||
inherit dependsOn;
|
||||
type = "systemd-unit";
|
||||
}
|
||||
|
|
|
@ -7,7 +7,6 @@
|
|||
, realms ? []
|
||||
, every ? "10m"
|
||||
|
||||
, HaproxyService
|
||||
, KeycloakService
|
||||
}:
|
||||
|
||||
|
@ -16,6 +15,7 @@ rec {
|
|||
|
||||
stateDir = "keycloak-public-keys";
|
||||
downloadDir = "/var/lib/keycloak-public-keys";
|
||||
systemdUnitFile = "keycloak-haproxy.service";
|
||||
|
||||
pkg =
|
||||
with pkgs.lib;
|
||||
|
@ -34,8 +34,8 @@ rec {
|
|||
'';
|
||||
};
|
||||
in
|
||||
{ HaproxyService
|
||||
, KeycloakService
|
||||
{ KeycloakService
|
||||
, ...
|
||||
}: utils.systemd.mkService rec {
|
||||
name = "keycloak-haproxy";
|
||||
|
||||
|
@ -89,7 +89,6 @@ rec {
|
|||
};
|
||||
|
||||
dependsOn = {
|
||||
inherit HaproxyService;
|
||||
inherit KeycloakService;
|
||||
};
|
||||
type = "systemd-unit";
|
||||
|
|
|
@ -24,13 +24,6 @@
|
|||
, distribution ? {}
|
||||
}:
|
||||
let
|
||||
addressOrLocalhost = distHaproxy: service:
|
||||
if (builtins.head distHaproxy).properties.hostname == service.target.properties.hostname then
|
||||
"127.0.0.1"
|
||||
else
|
||||
service.target.properties.hostname;
|
||||
|
||||
|
||||
mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;};
|
||||
in
|
||||
rec {
|
||||
|
@ -162,12 +155,11 @@ rec {
|
|||
use_backend = "if acl_vaultwarden";
|
||||
};
|
||||
backend = {
|
||||
servers = [
|
||||
{
|
||||
name = "ttrss1";
|
||||
address = "${addressOrLocalhost distribution.HaproxyConfig service}:${builtins.toString ingress}";
|
||||
}
|
||||
];
|
||||
# TODO: instead, we should generate target specific service https://hydra.nixos.org/build/203347995/download/2/manual/#idm140737322273072
|
||||
servers = map (dist: {
|
||||
name = "ttrss_${dist.properties.hostname}_1";
|
||||
address = "${dist.properties.hostname}:${builtins.toString ingress}";
|
||||
}) service;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue