add nginx httpProxy
This commit is contained in:
parent
77cff8e03f
commit
c87bc53a24
@ -320,11 +320,14 @@
|
||||
externalIp = "74.211.99.69";
|
||||
map =
|
||||
{
|
||||
default = "443";
|
||||
"ng01.mirism.one" = "7411";
|
||||
"beta.mirism.one" = "9114";
|
||||
};
|
||||
proxyPorts = [ 443 7411 9114 ];
|
||||
proxyPorts = [ 7411 9114 ];
|
||||
};
|
||||
httpProxy =
|
||||
{
|
||||
"nix-store.chn.moe" = { upstream = "http://127.0.0.1:5000"; rewriteHttps = true; };
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -95,6 +95,18 @@ inputs:
|
||||
map = mkOption { type = types.attrsOf types.nonEmptyStr; };
|
||||
proxyPorts = mkOption { type = types.listOf types.ints.unsigned; };
|
||||
};
|
||||
httpProxy = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = false; };
|
||||
# setHeaders = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
|
||||
# addPin = mkOption { type = types.bool; default = false; };
|
||||
# detectPin = mkOption { type = types.bool; default = false; };
|
||||
}; });
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
};
|
||||
config =
|
||||
@ -102,7 +114,7 @@ inputs:
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.localLib) stripeTabs attrsToList;
|
||||
inherit (inputs.config.nixos) services;
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString elemAt genList length;
|
||||
inherit (builtins) map listToAttrs concatStringsSep toString elemAt genList length attrNames;
|
||||
in mkMerge
|
||||
[
|
||||
(
|
||||
@ -795,6 +807,7 @@ inputs:
|
||||
${concatStringsSep "\n" (map
|
||||
(x: '' "${x.name}" 127.0.0.1:${x.value};'')
|
||||
(attrsToList services.nginx.transparentProxy.map))}
|
||||
default 127.0.0.1:443;
|
||||
}
|
||||
server
|
||||
{
|
||||
@ -807,6 +820,12 @@ inputs:
|
||||
proxy_buffer_size 128k;
|
||||
}
|
||||
'';
|
||||
recommendedZstdSettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedBrotliSettings = true;
|
||||
};
|
||||
systemd.services =
|
||||
{
|
||||
@ -835,7 +854,7 @@ inputs:
|
||||
)
|
||||
+ concatStringsSep "\n" (map
|
||||
(port: ''${ipset} add nginx_proxy_port ${toString port}'')
|
||||
services.nginx.transparentProxy.proxyPorts)
|
||||
(services.nginx.transparentProxy.proxyPorts ++ [ 443 ]) )
|
||||
);
|
||||
stop = inputs.pkgs.writeShellScript "nginx-proxy.stop" (stripeTabs
|
||||
''
|
||||
@ -872,5 +891,36 @@ inputs:
|
||||
networking.firewall.allowedTCPPorts = [ 443 ];
|
||||
}
|
||||
)
|
||||
(
|
||||
mkIf (services.nginx.httpProxy != {})
|
||||
{
|
||||
services.nginx.virtualHosts = listToAttrs (map
|
||||
(site:
|
||||
{
|
||||
inherit (site) name;
|
||||
value =
|
||||
{
|
||||
serverName = site.name;
|
||||
listen = [{ addr = "127.0.0.1"; port = 443; ssl = true; }];
|
||||
useACMEHost = site.name;
|
||||
locations."/".proxyPass = site.value.upstream;
|
||||
forceSSL = site.value.rewriteHttps;
|
||||
};
|
||||
})
|
||||
(attrsToList services.nginx.httpProxy));
|
||||
nixos.services =
|
||||
{
|
||||
nginx.transparentProxy.enable = true;
|
||||
acme =
|
||||
{
|
||||
enable = true;
|
||||
certs = attrNames services.nginx.httpProxy;
|
||||
};
|
||||
};
|
||||
security.acme.certs = listToAttrs (map
|
||||
(cert: { name = cert; value.group = inputs.config.services.nginx.group; })
|
||||
(attrNames services.nginx.httpProxy));
|
||||
}
|
||||
)
|
||||
];
|
||||
}
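Review bot: `forceSSL = site.value.rewriteHttps;` (L287) has no usable plain-HTTP path in this commit: the vhost's only `listen` entry is `127.0.0.1:443 ssl` (L278), the firewall opens 443 alone (L239), and the transparent proxy's ipset is only fed `proxyPorts ++ [ 443 ]` (L224), so nothing routes port 80 to this server. If the nixpkgs nginx module builds the `forceSSL` redirect server from its default listen addresses rather than from the vhost's explicit `listen` — which I believe it does — setting `rewriteHttps = true` would also create a wildcard-bound port-80 listener that nothing in this change intends; either wire port 80 through the transparent proxy and add `{ addr = "127.0.0.1"; port = 80; }` to `listen`, or document the option as inert, e.g. `# rewriteHttps only takes effect once port 80 is routed through the transparent proxy`. Separately, the loopback:443 endpoint is now spelled out three times (`default 127.0.0.1:443;` at L158, `[ 443 ]` at L224, the `listen` entry at L278); hoisting it into one `let` binding would keep the stream map, the ipset and the vhost from drifting apart. The virtualHosts expression is complete within this hunk; the surrounding `mkMerge` list starts outside it.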
|
||||
|