From a670d691bca057a7a0c34d1d1b59d110425d02a7 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 31 Dec 2022 15:18:51 -0800 Subject: [PATCH] merge config with unit for haproxy --- all-packages.nix | 5 +- haproxy/config.nix | 28 -------- haproxy/mkconfig.nix | 23 ------- haproxy/mkunit.nix | 17 ----- haproxy/unit.nix | 130 +++++++++++++++++++++----------------- keycloak-haproxy/unit.nix | 7 +- vaultwarden/default.nix | 18 ++---- 7 files changed, 82 insertions(+), 146 deletions(-) delete mode 100644 haproxy/config.nix delete mode 100644 haproxy/mkconfig.nix delete mode 100644 haproxy/mkunit.nix diff --git a/all-packages.nix b/all-packages.nix index d0a27f0..cadc39b 100644 --- a/all-packages.nix +++ b/all-packages.nix @@ -12,10 +12,7 @@ let PostgresDB = callPackage ./postgresdb {}; mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;}; - HaproxyConfig = callPackage ./haproxy/config.nix {inherit utils;}; - mkHaproxyConfig = callPackage ./haproxy/mkconfig.nix {inherit HaproxyConfig;}; - HaproxyService = callPackage ./haproxy/unit.nix {inherit utils;}; - mkHaproxyService = callPackage ./haproxy/mkunit.nix {inherit HaproxyService;}; + mkHaproxyService = callPackage ./haproxy/unit.nix {inherit utils;}; CaddyConfig = callPackage ./caddy/config.nix {inherit utils;}; CaddyService = callPackage ./caddy/unit.nix {inherit utils;}; diff --git a/haproxy/config.nix b/haproxy/config.nix deleted file mode 100644 index 880adc7..0000000 --- a/haproxy/config.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ stdenv -, pkgs -, lib -, utils -}: -{ configDir ? "/etc/haproxy" -, configFile ? "haproxy.cfg" -, user -, group -, config -}: -dependsOn: - -with builtins; -with lib.attrsets; -with lib.lists; -with lib.strings; -let - - configcreator = pkgs.callPackage ./configcreator.nix {inherit utils;}; - -in - -utils.mkConfigFile { - name = configFile; - dir = configDir; - content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;})); -} diff --git a/haproxy/mkconfig.nix b/haproxy/mkconfig.nix deleted file mode 100644 index 88689dd..0000000 --- a/haproxy/mkconfig.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ HaproxyConfig -}: -{ name -, configDir -, configFile -, user -, group -, config -, dependsOn ? {} -}: -{ - inherit name configDir configFile; - inherit user group; - - pkg = HaproxyConfig { - inherit configDir configFile; - inherit config; - inherit user group; - }; - - inherit dependsOn; - type = "fileset"; -} diff --git a/haproxy/mkunit.nix b/haproxy/mkunit.nix deleted file mode 100644 index 9eae110..0000000 --- a/haproxy/mkunit.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ HaproxyService -}: -{ name -, configDir -, configFile -, dependsOn ? {} -}: - -{ - inherit name configDir configFile; - pkg = HaproxyService { - inherit configDir configFile; - }; - - inherit dependsOn; - type = "systemd-unit"; -} diff --git a/haproxy/unit.nix b/haproxy/unit.nix index 577d7e6..c4b5c08 100644 --- a/haproxy/unit.nix +++ b/haproxy/unit.nix @@ -1,75 +1,91 @@ -{ stdenv -, pkgs +{ pkgs , utils }: -{ configDir ? "/etc/haproxy" -, configFile ? "haproxy.cfg" +{ name +, user +, group +, config , pidfile ? "/run/haproxy/haproxy.pid" , socket ? "/run/haproxy/haproxy.sock" +, dependsOn ? {} }: -{...}: -# User and group are set in config.nix +let + configcreator = pkgs.callPackage ./configcreator.nix {inherit utils;}; -utils.systemd.mkService rec { - name = "haproxy"; + content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;})); + configfile = pkgs.writeText "haproxy.cfg" content; +in +{ + inherit name; - content = '' - [Unit] - Description=HAProxy Load Balancer - Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/ - After=network.target network-online.target - Wants=network-online.target systemd-networkd-wait-online.target + inherit user group; - StartLimitInterval=14400 - StartLimitBurst=10 - - [Service] - Environment="CONFIG=${configDir}/${configFile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}" - ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS - ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS - ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID - KillMode=mixed - Restart=always - SuccessExitStatus=143 - Type=notify + pkg = dependsOn: utils.systemd.mkService { + name = "haproxy"; + + content = '' + [Unit] + Description=HAProxy Load Balancer + Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/ + After=network.target network-online.target + Wants=network-online.target systemd-networkd-wait-online.target + ${utils.unitDepends "After" dependsOn} + ${utils.unitDepends "Wants" dependsOn} + + StartLimitInterval=14400 + StartLimitBurst=10 + + [Service] + Environment="CONFIG=${configfile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}" + ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS + ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS + ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID + KillMode=mixed + Restart=always + SuccessExitStatus=143 + Type=notify - # Restart=on-abnormal - RuntimeDirectory=haproxy + # Restart=on-abnormal + RuntimeDirectory=haproxy - # KillMode=mixed - # KillSignal=SIGQUIT - TimeoutStopSec=5s + # KillMode=mixed + # KillSignal=SIGQUIT + TimeoutStopSec=5s - LimitNOFILE=1048576 - LimitNPROC=512 + LimitNOFILE=1048576 + LimitNPROC=512 - PrivateDevices=true - LockPersonality=true - NoNewPrivileges=true - PrivateDevices=true - PrivateTmp=true - ProtectClock=true - ProtectControlGroups=true - ProtectHome=true - ProtectHostname=true - ProtectKernelLogs=true - ProtectKernelModules=true - ProtectKernelTunables=true - ProtectSystem=full - RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX - RestrictNamespaces=true - RestrictRealtime=true - RestrictSUIDSGID=true + PrivateDevices=true + LockPersonality=true + NoNewPrivileges=true + PrivateDevices=true + PrivateTmp=true + ProtectClock=true + ProtectControlGroups=true + ProtectHome=true + ProtectHostname=true + ProtectKernelLogs=true + ProtectKernelModules=true + ProtectKernelTunables=true + ProtectSystem=full + RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX + RestrictNamespaces=true + RestrictRealtime=true + RestrictSUIDSGID=true - # CapabilityBoundingSet=CAP_NET_BIND_SERVICE - # AmbientCapabilities=CAP_NET_BIND_SERVICE + # CapabilityBoundingSet=CAP_NET_BIND_SERVICE + # AmbientCapabilities=CAP_NET_BIND_SERVICE - # ProtectSystem=strict - # ReadWritePaths=/var/lib/haproxy /var/log/haproxy + # ProtectSystem=strict + # ReadWritePaths=/var/lib/haproxy /var/log/haproxy - [Install] - WantedBy=multi-user.target - ''; + [Install] + WantedBy=multi-user.target + ''; + }; + + inherit dependsOn; + type = "systemd-unit"; } diff --git a/keycloak-haproxy/unit.nix b/keycloak-haproxy/unit.nix index 19e0dc3..3b4e4af 100644 --- a/keycloak-haproxy/unit.nix +++ b/keycloak-haproxy/unit.nix @@ -7,7 +7,6 @@ , realms ? [] , every ? "10m" -, HaproxyService , KeycloakService }: @@ -16,6 +15,7 @@ rec { stateDir = "keycloak-public-keys"; downloadDir = "/var/lib/keycloak-public-keys"; + systemdUnitFile = "keycloak-haproxy.service"; pkg = with pkgs.lib; @@ -34,8 +34,8 @@ rec { ''; }; in - { HaproxyService - , KeycloakService + { KeycloakService + , ... }: utils.systemd.mkService rec { name = "keycloak-haproxy"; @@ -89,7 +89,6 @@ rec { }; dependsOn = { - inherit HaproxyService; inherit KeycloakService; }; type = "systemd-unit"; diff --git a/vaultwarden/default.nix b/vaultwarden/default.nix index 86454f8..67041cb 100644 --- a/vaultwarden/default.nix +++ b/vaultwarden/default.nix @@ -24,13 +24,6 @@ , distribution ? {} }: let - addressOrLocalhost = distHaproxy: service: - if (builtins.head distHaproxy).properties.hostname == service.target.properties.hostname then - "127.0.0.1" - else - service.target.properties.hostname; - - mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;}; in rec { @@ -162,12 +155,11 @@ rec { use_backend = "if acl_vaultwarden"; }; backend = { - servers = [ - { - name = "ttrss1"; - address = "${addressOrLocalhost distribution.HaproxyConfig service}:${builtins.toString ingress}"; - } - ]; + # TODO: instead, we should generate target specific service https://hydra.nixos.org/build/203347995/download/2/manual/#idm140737322273072 + servers = map (dist: { + name = "ttrss_${dist.properties.hostname}_1"; + address = "${dist.properties.hostname}:${builtins.toString ingress}"; + }) service; }; };