diff --git a/nixos/hosts/frankfurt-linode-01/firewall.nix b/nixos/hosts/frankfurt-linode-01/firewall.nix
index 26612ccd..df3e5938 100644
--- a/nixos/hosts/frankfurt-linode-01/firewall.nix
+++ b/nixos/hosts/frankfurt-linode-01/firewall.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ pkgs, ... }: {
 networking = {
 firewall = {
 enable = true;
@@ -50,6 +50,8 @@
 };
 };
+ environment.systemPackages = [ pkgs.cacert ];
+
 services.haproxy = {
 enable = true;
 config = ''
@@ -57,23 +59,30 @@
 timeout connect 10s
 timeout client 30s
 timeout server 30s
- maxconn 30000
- log global
+ maxconn 3000
+ log global
 frontend http
 mode http
 bind :80
- option forwardfor
+ bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
+ http-request redirect scheme https unless { ssl_fc }
 default_backend backend_http
-
+ backend backend_http
+ mode http
+ option forwardfor
+ option forwarded
+ server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
+
 frontend tcp
 mode tcp
- bind :42420
- bind :25565
- bind :4443
- bind :443
- option forwardfor
- default_backend backend_tcp
+ bind :42420
+ bind :25565
+ bind :4443
+ default_backend backend_tcp
+ backend backend_tcp
+ mode tcp
+ server warsaw-ovh-01 10.100.0.2
 frontend mail
 mode tcp
@@ -84,24 +93,9 @@
 bind :993
 bind :4190
 default_backend backend_mail
-
 backend backend_mail
 mode tcp
- option forwarded
- option forwardfor if-none
 server mailserver-wg 10.100.1.3
-
- backend backend_tcp
- mode tcp
- option forwarded
- option forwardfor if-none
- server warsaw-ovh-01 10.100.0.2
-
- backend backend_http
- mode http
- option forwarded
- option forwardfor if-none
- server warsaw-ovh-01 10.100.0.2
 '';
 };
 }
diff --git a/nixos/hosts/osaka-linode-01/firewall.nix b/nixos/hosts/osaka-linode-01/firewall.nix
index bcb87994..78a4a619 100644
--- a/nixos/hosts/osaka-linode-01/firewall.nix
+++ b/nixos/hosts/osaka-linode-01/firewall.nix
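Review bot: `environment.systemPackages = [ pkgs.cacert ];` in the `@@ -50,6 +50,8 @@` hunk is not what makes the CA bundle reachable for HAProxy; the config string in the next hunk interpolates `${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` directly, and that store-path reference already pulls cacert into the system closure. Putting the package in the system profile only adds the bundle under `/run/current-system/sw`, which nothing in this change reads, so the line is redundant as far as the visible config goes. Either drop it or annotate it, e.g. `# cacert is referenced by store path in the haproxy config below; this only exposes it on the profile`, so the next reader does not take it as a prerequisite. The same addition appears at the same place in osaka-linode-01's hunk.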
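Review bot: In `backend backend_http`, `sni req.hdr(Host)` sends the client-supplied Host header as upstream SNI, and with `verify required` but no `verifyhost` HAProxy, as I read its docs, checks the upstream certificate's name against that SNI, so which name gets verified is chosen per request by the client, a Host carrying a `:port` suffix makes the handshake fail, and a request with no usable Host likely ends up with no hostname check at all. Pin the check in the config rather than in the request: at minimum `sni ssl_fc_sni`, which comes from the already-terminated TLS session and never carries a port, and preferably an explicit `verifyhost`, e.g. `server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni ssl_fc_sni verifyhost <upstream-cert-name>` (placeholder name). The same server line is added to osaka-linode-01's backend_http in the next file and should change with it. Since this commit moves :443 out of `frontend tcp` into TLS termination, a one-line comment on `backend backend_tcp` stating that :42420/:25565/:4443 are still relayed without TLS to 10.100.0.2 (the 10.100.x addressing and the `mailserver-wg` name suggest a WireGuard link, but that is not visible in this file) would document the remaining trust assumption.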
@@ -1,4 +1,4 @@
-{ ... }: {
+{ pkgs, ... }: {
 networking = {
 firewall = {
 enable = true;
@@ -50,6 +50,8 @@
 };
 };
+ environment.systemPackages = [ pkgs.cacert ];
+
 services.haproxy = {
 enable = true;
 config = ''
@@ -65,11 +67,12 @@
 bind :80
 bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
 http-request redirect scheme https unless { ssl_fc }
- option forwardfor
 default_backend backend_http
 backend backend_http
 mode http
- server framework-server 10.100.0.2:443 ssl verify required ca-file @system-ca
+ option forwardfor
+ option forwarded
+ server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
 frontend tcp
 mode tcp