merge config with unit for haproxy
This commit is contained in:
parent
e41918a1a7
commit
a670d691bc
7 changed files with 82 additions and 146 deletions
|
@ -12,10 +12,7 @@ let
|
||||||
PostgresDB = callPackage ./postgresdb {};
|
PostgresDB = callPackage ./postgresdb {};
|
||||||
mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;};
|
mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;};
|
||||||
|
|
||||||
HaproxyConfig = callPackage ./haproxy/config.nix {inherit utils;};
|
mkHaproxyService = callPackage ./haproxy/unit.nix {inherit utils;};
|
||||||
mkHaproxyConfig = callPackage ./haproxy/mkconfig.nix {inherit HaproxyConfig;};
|
|
||||||
HaproxyService = callPackage ./haproxy/unit.nix {inherit utils;};
|
|
||||||
mkHaproxyService = callPackage ./haproxy/mkunit.nix {inherit HaproxyService;};
|
|
||||||
|
|
||||||
CaddyConfig = callPackage ./caddy/config.nix {inherit utils;};
|
CaddyConfig = callPackage ./caddy/config.nix {inherit utils;};
|
||||||
CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
|
CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
|
||||||
|
|
|
@ -1,28 +0,0 @@
|
||||||
{ stdenv
|
|
||||||
, pkgs
|
|
||||||
, lib
|
|
||||||
, utils
|
|
||||||
}:
|
|
||||||
{ configDir ? "/etc/haproxy"
|
|
||||||
, configFile ? "haproxy.cfg"
|
|
||||||
, user
|
|
||||||
, group
|
|
||||||
, config
|
|
||||||
}:
|
|
||||||
dependsOn:
|
|
||||||
|
|
||||||
with builtins;
|
|
||||||
with lib.attrsets;
|
|
||||||
with lib.lists;
|
|
||||||
with lib.strings;
|
|
||||||
let
|
|
||||||
|
|
||||||
configcreator = pkgs.callPackage ./configcreator.nix {inherit utils;};
|
|
||||||
|
|
||||||
in
|
|
||||||
|
|
||||||
utils.mkConfigFile {
|
|
||||||
name = configFile;
|
|
||||||
dir = configDir;
|
|
||||||
content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}));
|
|
||||||
}
|
|
|
@ -1,23 +0,0 @@
|
||||||
{ HaproxyConfig
|
|
||||||
}:
|
|
||||||
{ name
|
|
||||||
, configDir
|
|
||||||
, configFile
|
|
||||||
, user
|
|
||||||
, group
|
|
||||||
, config
|
|
||||||
, dependsOn ? {}
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
inherit name configDir configFile;
|
|
||||||
inherit user group;
|
|
||||||
|
|
||||||
pkg = HaproxyConfig {
|
|
||||||
inherit configDir configFile;
|
|
||||||
inherit config;
|
|
||||||
inherit user group;
|
|
||||||
};
|
|
||||||
|
|
||||||
inherit dependsOn;
|
|
||||||
type = "fileset";
|
|
||||||
}
|
|
|
@ -1,17 +0,0 @@
|
||||||
{ HaproxyService
|
|
||||||
}:
|
|
||||||
{ name
|
|
||||||
, configDir
|
|
||||||
, configFile
|
|
||||||
, dependsOn ? {}
|
|
||||||
}:
|
|
||||||
|
|
||||||
{
|
|
||||||
inherit name configDir configFile;
|
|
||||||
pkg = HaproxyService {
|
|
||||||
inherit configDir configFile;
|
|
||||||
};
|
|
||||||
|
|
||||||
inherit dependsOn;
|
|
||||||
type = "systemd-unit";
|
|
||||||
}
|
|
130
haproxy/unit.nix
130
haproxy/unit.nix
|
@ -1,75 +1,91 @@
|
||||||
{ stdenv
|
{ pkgs
|
||||||
, pkgs
|
|
||||||
, utils
|
, utils
|
||||||
}:
|
}:
|
||||||
{ configDir ? "/etc/haproxy"
|
{ name
|
||||||
, configFile ? "haproxy.cfg"
|
, user
|
||||||
|
, group
|
||||||
|
, config
|
||||||
, pidfile ? "/run/haproxy/haproxy.pid"
|
, pidfile ? "/run/haproxy/haproxy.pid"
|
||||||
, socket ? "/run/haproxy/haproxy.sock"
|
, socket ? "/run/haproxy/haproxy.sock"
|
||||||
|
, dependsOn ? {}
|
||||||
}:
|
}:
|
||||||
{...}:
|
|
||||||
|
|
||||||
# User and group are set in config.nix
|
let
|
||||||
|
configcreator = pkgs.callPackage ./configcreator.nix {inherit utils;};
|
||||||
|
|
||||||
utils.systemd.mkService rec {
|
content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}));
|
||||||
name = "haproxy";
|
configfile = pkgs.writeText "haproxy.cfg" content;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
inherit name;
|
||||||
|
|
||||||
content = ''
|
inherit user group;
|
||||||
[Unit]
|
|
||||||
Description=HAProxy Load Balancer
|
|
||||||
Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/
|
|
||||||
After=network.target network-online.target
|
|
||||||
Wants=network-online.target systemd-networkd-wait-online.target
|
|
||||||
|
|
||||||
StartLimitInterval=14400
|
pkg = dependsOn: utils.systemd.mkService {
|
||||||
StartLimitBurst=10
|
name = "haproxy";
|
||||||
|
|
||||||
[Service]
|
content = ''
|
||||||
Environment="CONFIG=${configDir}/${configFile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}"
|
[Unit]
|
||||||
ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
|
Description=HAProxy Load Balancer
|
||||||
ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
|
Documentation=https://www.haproxy.com/documentation/hapee/latest/onepage/
|
||||||
ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID
|
After=network.target network-online.target
|
||||||
KillMode=mixed
|
Wants=network-online.target systemd-networkd-wait-online.target
|
||||||
Restart=always
|
${utils.unitDepends "After" dependsOn}
|
||||||
SuccessExitStatus=143
|
${utils.unitDepends "Wants" dependsOn}
|
||||||
Type=notify
|
|
||||||
|
StartLimitInterval=14400
|
||||||
|
StartLimitBurst=10
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment="CONFIG=${configfile}" "PIDFILE=${pidfile}" "EXTRAOPTS=-S ${socket}"
|
||||||
|
ExecStart=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
|
||||||
|
ExecReload=${pkgs.haproxy}/bin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
|
||||||
|
ExecReload=${pkgs.coreutils}/bin/kill -USR2 $MAINPID
|
||||||
|
KillMode=mixed
|
||||||
|
Restart=always
|
||||||
|
SuccessExitStatus=143
|
||||||
|
Type=notify
|
||||||
|
|
||||||
|
|
||||||
# Restart=on-abnormal
|
# Restart=on-abnormal
|
||||||
RuntimeDirectory=haproxy
|
RuntimeDirectory=haproxy
|
||||||
|
|
||||||
# KillMode=mixed
|
# KillMode=mixed
|
||||||
# KillSignal=SIGQUIT
|
# KillSignal=SIGQUIT
|
||||||
TimeoutStopSec=5s
|
TimeoutStopSec=5s
|
||||||
|
|
||||||
LimitNOFILE=1048576
|
LimitNOFILE=1048576
|
||||||
LimitNPROC=512
|
LimitNPROC=512
|
||||||
|
|
||||||
PrivateDevices=true
|
PrivateDevices=true
|
||||||
LockPersonality=true
|
LockPersonality=true
|
||||||
NoNewPrivileges=true
|
NoNewPrivileges=true
|
||||||
PrivateDevices=true
|
PrivateDevices=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
ProtectClock=true
|
ProtectClock=true
|
||||||
ProtectControlGroups=true
|
ProtectControlGroups=true
|
||||||
ProtectHome=true
|
ProtectHome=true
|
||||||
ProtectHostname=true
|
ProtectHostname=true
|
||||||
ProtectKernelLogs=true
|
ProtectKernelLogs=true
|
||||||
ProtectKernelModules=true
|
ProtectKernelModules=true
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
||||||
RestrictNamespaces=true
|
RestrictNamespaces=true
|
||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
RestrictSUIDSGID=true
|
RestrictSUIDSGID=true
|
||||||
|
|
||||||
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||||
# AmbientCapabilities=CAP_NET_BIND_SERVICE
|
# AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
|
|
||||||
# ProtectSystem=strict
|
# ProtectSystem=strict
|
||||||
# ReadWritePaths=/var/lib/haproxy /var/log/haproxy
|
# ReadWritePaths=/var/lib/haproxy /var/log/haproxy
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
inherit dependsOn;
|
||||||
|
type = "systemd-unit";
|
||||||
}
|
}
|
||||||
|
|
|
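Review bot: In the rewritten haproxy/unit.nix the haproxy configuration is rendered in the outer `let` as `content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}))`, which binds the module argument `dependsOn ? {}`, while the new `pkg = dependsOn: utils.systemd.mkService {` receives a separate `dependsOn` that only feeds `utils.unitDepends`; unless callers also pass the resolved dependency set as the outer argument, the config file is rendered against `{}` and the backends it should describe are missing, whereas the removed config.nix computed `config dependsOn` inside its own `dependsOn:` function. Moving the `content` and `configfile` bindings into a `let` inside the `pkg = dependsOn:` lambda would restore that behaviour with no interface change. Separately, `configfile = pkgs.writeText "haproxy.cfg" content;` now places the rendered config in the Nix store, where it is readable by every local user, whereas the removed `utils.mkConfigFile` wrote it under `configDir` with `user`/`group` attached; a comment such as `# NOTE: the rendered config lives in /nix/store and is world-readable; keep credentials (stats auth, TLS keys) out of it` at that line would make the constraint explicit. The `[Service]` section also carries no `User=`/`Group=`, so privilege dropping presumably relies on the `user`/`group` values injected into the haproxy config; confirm that configcreator actually emits them.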
@ -7,7 +7,6 @@
|
||||||
, realms ? []
|
, realms ? []
|
||||||
, every ? "10m"
|
, every ? "10m"
|
||||||
|
|
||||||
, HaproxyService
|
|
||||||
, KeycloakService
|
, KeycloakService
|
||||||
}:
|
}:
|
||||||
|
|
||||||
|
@ -16,6 +15,7 @@ rec {
|
||||||
|
|
||||||
stateDir = "keycloak-public-keys";
|
stateDir = "keycloak-public-keys";
|
||||||
downloadDir = "/var/lib/keycloak-public-keys";
|
downloadDir = "/var/lib/keycloak-public-keys";
|
||||||
|
systemdUnitFile = "keycloak-haproxy.service";
|
||||||
|
|
||||||
pkg =
|
pkg =
|
||||||
with pkgs.lib;
|
with pkgs.lib;
|
||||||
|
@ -34,8 +34,8 @@ rec {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{ HaproxyService
|
{ KeycloakService
|
||||||
, KeycloakService
|
, ...
|
||||||
}: utils.systemd.mkService rec {
|
}: utils.systemd.mkService rec {
|
||||||
name = "keycloak-haproxy";
|
name = "keycloak-haproxy";
|
||||||
|
|
||||||
|
@ -89,7 +89,6 @@ rec {
|
||||||
};
|
};
|
||||||
|
|
||||||
dependsOn = {
|
dependsOn = {
|
||||||
inherit HaproxyService;
|
|
||||||
inherit KeycloakService;
|
inherit KeycloakService;
|
||||||
};
|
};
|
||||||
type = "systemd-unit";
|
type = "systemd-unit";
|
||||||
|
|
|
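Review bot: With `inherit HaproxyService;` removed from `dependsOn` in the `@ -89,7 +89,6 @@` hunk, nothing in the visible hunks still orders keycloak-haproxy relative to haproxy, which presumably consumes the keys written to `downloadDir`; if that ordering is now expressed from the haproxy side through its `config dependsOn`, a one-line comment at `dependsOn = {` saying so would stop the next reader from re-adding it. The `...` added to the inner `{ KeycloakService, ... }:` argument set also means a misspelled or no-longer-needed dependency passed by the caller is ignored silently rather than rejected, which is a trade-off worth a short comment. The added `systemdUnitFile = "keycloak-haproxy.service";` is not referenced in any visible hunk; the enclosing `rec { … }` continues outside these hunks, so its use may simply be out of view.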
@ -24,13 +24,6 @@
|
||||||
, distribution ? {}
|
, distribution ? {}
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
addressOrLocalhost = distHaproxy: service:
|
|
||||||
if (builtins.head distHaproxy).properties.hostname == service.target.properties.hostname then
|
|
||||||
"127.0.0.1"
|
|
||||||
else
|
|
||||||
service.target.properties.hostname;
|
|
||||||
|
|
||||||
|
|
||||||
mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;};
|
mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;};
|
||||||
in
|
in
|
||||||
rec {
|
rec {
|
||||||
|
@ -162,12 +155,11 @@ rec {
|
||||||
use_backend = "if acl_vaultwarden";
|
use_backend = "if acl_vaultwarden";
|
||||||
};
|
};
|
||||||
backend = {
|
backend = {
|
||||||
servers = [
|
# TODO: instead, we should generate target specific service https://hydra.nixos.org/build/203347995/download/2/manual/#idm140737322273072
|
||||||
{
|
servers = map (dist: {
|
||||||
name = "ttrss1";
|
name = "ttrss_${dist.properties.hostname}_1";
|
||||||
address = "${addressOrLocalhost distribution.HaproxyConfig service}:${builtins.toString ingress}";
|
address = "${dist.properties.hostname}:${builtins.toString ingress}";
|
||||||
}
|
}) service;
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
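Review bot: The rewritten `servers` list in the `@ -162,12 +155,11 @@` hunk always addresses the backend by `${dist.properties.hostname}:${builtins.toString ingress}`, whereas the removed `addressOrLocalhost` used `127.0.0.1` when haproxy and the service shared a host; on co-located deployments the haproxy-to-vaultwarden hop is therefore no longer confined to loopback, so confirm the `ingress` port is bound to a private interface or firewalled, since the removed branch may have been providing that confinement implicitly. The generated server names still read `ttrss_${dist.properties.hostname}_1`, which looks copied from another service; `name = "vaultwarden_${dist.properties.hostname}_1";` would make the haproxy stats page and logs unambiguous. The TODO above `servers` would be more useful if it named what "target specific service" is meant to replace here.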