Update firewalls

This commit is contained in:
albert 2024-08-12 09:06:47 +09:00
parent b3bf50bf88
commit 79e2f05ebb
Signed by: albert
GPG key ID: 3895DD267CA11BA9
2 changed files with 26 additions and 29 deletions


@ -1,4 +1,4 @@
{ ... }: {
{ pkgs, ... }: {
networking = {
firewall = {
enable = true;
@ -50,6 +50,8 @@
};
};
environment.systemPackages = [ pkgs.cacert ];
services.haproxy = {
enable = true;
config = ''
@ -57,23 +59,30 @@
timeout connect 10s
timeout client 30s
timeout server 30s
maxconn 30000
maxconn 3000
log global
frontend http
mode http
bind :80
option forwardfor
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
http-request redirect scheme https unless { ssl_fc }
default_backend backend_http
backend backend_http
mode http
option forwardfor
option forwarded
server warsaw-ovh-01 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
frontend tcp
mode tcp
bind :42420
bind :25565
bind :4443
bind :443
option forwardfor
default_backend backend_tcp
backend backend_tcp
mode tcp
server warsaw-ovh-01 10.100.0.2
frontend mail
mode tcp
@ -84,24 +93,9 @@
bind :993
bind :4190
default_backend backend_mail
backend backend_mail
mode tcp
option forwarded
option forwardfor if-none
server mailserver-wg 10.100.1.3
backend backend_tcp
mode tcp
option forwarded
option forwardfor if-none
server warsaw-ovh-01 10.100.0.2
backend backend_http
mode http
option forwarded
option forwardfor if-none
server warsaw-ovh-01 10.100.0.2
'';
};
}
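Review bot: In the `@ -57,23 +59,30 @@` hunk port 443 appears under two frontends — `bind :443 ssl crt …` in `frontend http` and a plain `bind :443` in `frontend tcp` — and the rendered page does not make clear whether the second one is removed; if it survives on the new side, HAProxy (which binds with SO_REUSEPORT by default on Linux) would have the kernel spread incoming 443 connections between TLS termination and raw TCP passthrough, so only a share of clients would go through the new `verify required` re-encrypted path to 10.100.0.2:443. Please confirm that line is dropped so `frontend tcp` keeps only `bind :42420` and `bind :25565` (its `option forwardfor` is also ignored in `mode tcp` and only produces a startup warning). The `maxconn 30000` → `maxconn 3000` change is a tenfold cut in the connection ceiling inside a commit titled "Update firewalls"; if it is deliberate, a comment such as `# maxconn lowered to 3000 on purpose: bounds memory per proxy process` would keep it from being reverted as a typo. On the `backend_http` server line, `sni req.hdr(Host)` makes the backend certificate hostname check follow the client-supplied Host header (port suffix included), whereas `sni ssl_fc_sni` or an explicit `verifyhost <name>` on that server line pins it to the name the frontend actually terminated. The haproxy `config` string and the surrounding Nix module continue outside this hunk.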


@ -1,4 +1,4 @@
{ ... }: {
{ pkgs, ... }: {
networking = {
firewall = {
enable = true;
@ -50,6 +50,8 @@
};
};
environment.systemPackages = [ pkgs.cacert ];
services.haproxy = {
enable = true;
config = ''
@ -65,11 +67,12 @@
bind :80
bind :443 ssl crt /Storage/Data/Docker/sysctl.io/letsencrypt/external/*.sysctl.io/combined.pem
http-request redirect scheme https unless { ssl_fc }
option forwardfor
default_backend backend_http
backend backend_http
mode http
server framework-server 10.100.0.2:443 ssl verify required ca-file @system-ca
option forwardfor
option forwarded
server framework-server 10.100.0.2:443 ssl verify required ca-file ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt sni req.hdr(Host)
frontend tcp
mode tcp