Update firewalls
parent
b3bf50bf88
commit
79e2f05ebb
2 changed files with 26 additions and 29 deletions
|
@ -1,4 +1,4 @@
|
|||
{ ... }: {
|
||||
{ pkgs, ... }: {
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true;
|
||||
|
@ -50,6 +50,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.cacert ];
|
||||
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
@ -57,23 +59,30 @@
|
|||
timeout connect 10s
|
||||
timeout client 30s
|
||||
timeout server 30s
|
||||
maxconn 30000
|
||||
log global
|
||||
maxconn 3000
|
||||
log global
|
||||
|
||||
frontend http
|
||||
mode http
|
||||
bind :80
|
||||
option forwardfor
|
||||
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
|
||||
http-request redirect scheme https unless { ssl_fc }
|
||||
default_backend backend_http
|
||||
|
||||
backend backend_http
|
||||
mode http
|
||||
option forwardfor
|
||||
option forwarded
|
||||
server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
|
||||
|
||||
frontend tcp
|
||||
mode tcp
|
||||
bind :42420
|
||||
bind :25565
|
||||
bind :4443
|
||||
bind :443
|
||||
option forwardfor
|
||||
default_backend backend_tcp
|
||||
bind :42420
|
||||
bind :25565
|
||||
bind :4443
|
||||
default_backend backend_tcp
|
||||
backend backend_tcp
|
||||
mode tcp
|
||||
server warsaw-ovh-01 10.100.0.2
|
||||
|
||||
frontend mail
|
||||
mode tcp
|
||||
|
@ -84,24 +93,9 @@
|
|||
bind :993
|
||||
bind :4190
|
||||
default_backend backend_mail
|
||||
|
||||
backend backend_mail
|
||||
mode tcp
|
||||
option forwarded
|
||||
option forwardfor if-none
|
||||
server mailserver-wg 10.100.1.3
|
||||
|
||||
backend backend_tcp
|
||||
mode tcp
|
||||
option forwarded
|
||||
option forwardfor if-none
|
||||
server warsaw-ovh-01 10.100.0.2
|
||||
|
||||
backend backend_http
|
||||
mode http
|
||||
option forwarded
|
||||
option forwardfor if-none
|
||||
server warsaw-ovh-01 10.100.0.2
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
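Review bot: The new backend_http server line in the `@ -57,23 +59,30 @@` hunk (`server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/... sni req.hdr(Host)`) takes the upstream SNI from the client-supplied Host header, and because `verify required` is set without `verifyhost`, HAProxy also checks the backend certificate's name against that same client-chosen value, so a Host header carrying a port (`name:443`) or an absent Host header produces a mismatched or empty SNI and a failed handshake rather than a stable verification target. Pin the name HAProxy verifies, e.g. `sni req.hdr(host),field(1,:)` together with `verifyhost <EXPECTED_BACKEND_NAME>` (placeholder for the name on the backend certificate), so verification no longer depends on request input. The same server line appears in the second file's backend_http hunk (`server framework-server 10.100.0.2:443 ...`) and needs the same change. The direction of the `maxconn 30000` / `maxconn 3000` change in this hunk is not recoverable from the rendered page; if the new value is 3000 that is a tenfold reduction of the global limit and worth stating in the commit message.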
@ -1,4 +1,4 @@
|
|||
{ ... }: {
|
||||
{ pkgs, ... }: {
|
||||
networking = {
|
||||
firewall = {
|
||||
enable = true;
|
||||
|
@ -50,6 +50,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.cacert ];
|
||||
|
||||
services.haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
|
@ -65,11 +67,12 @@
|
|||
bind :80
|
||||
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
|
||||
http-request redirect scheme https unless { ssl_fc }
|
||||
option forwardfor
|
||||
default_backend backend_http
|
||||
backend backend_http
|
||||
mode http
|
||||
server framework-server 10.100.0.2:443 ssl verify required ca-file @system-ca
|
||||
option forwardfor
|
||||
option forwarded
|
||||
server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
|
||||
|
||||
frontend tcp
|
||||
mode tcp
|
||||
|
|
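Review bot: The `bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem` line in the `@ -65,11 +67,12 @@` hunk terminates TLS with no per-bind `ssl-min-ver` or cipher setting, and the global section that would carry `ssl-default-bind-options` is outside the hunk, so confirm a TLSv1.2 floor is set there or add `ssl-min-ver TLSv1.2` to the bind line. The combined PEM presumably holds the private key next to the certificate, so it has to be readable by the haproxy service user while not being world-readable; since the path appears to point into a Docker data tree rather than a NixOS-managed location, a comment such as `# combined.pem (cert + key) is renewed outside Nix; keep it readable only by the haproxy user` above `services.haproxy` would record that dependency. The `*` in that path reads as a literal directory name, not a glob, which is worth saying in the same comment. The Host-header-derived `sni` on `server framework-server ...` here has the issue raised on the first file.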