From 244d691b37244b2fcd59bd45280f2bad11d82f51 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Sun, 7 Jul 2024 15:13:10 -0500
Subject: [PATCH] Added haproxy module and enabled it for telperion as a talos k8s lb
---
 nixos/hosts/telperion/config/haproxy.nix | 48 +++++++++++++++++++
 nixos/hosts/telperion/default.nix | 5 ++
 nixos/modules/nixos/services/default.nix | 1 +
 .../nixos/services/haproxy/default.nix | 38 +++++++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 nixos/hosts/telperion/config/haproxy.nix
 create mode 100644 nixos/modules/nixos/services/haproxy/default.nix
diff --git a/nixos/hosts/telperion/config/haproxy.nix b/nixos/hosts/telperion/config/haproxy.nix
new file mode 100644
index 0000000..374a192
--- /dev/null
+++ b/nixos/hosts/telperion/config/haproxy.nix
@@ -0,0 +1,48 @@
+{ ... }:
+''
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ daemon
+
+defaults
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http-server-close
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 20s
+ timeout connect 10s
+ timeout client 1h
+ timeout server 1h
+ timeout http-keep-alive 10s
+ timeout check 10s
+
+frontend k8s_apiserver
+ bind *:6443
+ mode tcp
+ option tcplog
+ default_backend k8s_controlplane
+
+frontend talos_apiserver
+ bind *:50000
+ mode tcp
+ option tcplog
+ default_backend talos_controlplane
+
+backend k8s_controlplane
+ option httpchk GET /healthz
+ http-check expect status 200
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server worker1 10.1.1.61:6443 check
+
+backend talos_controlplane
+ option httpchk GET /healthz
+ http-check expect status 200
+ mode tcp
+''
\ No newline at end of file
diff --git a/nixos/hosts/telperion/default.nix b/nixos/hosts/telperion/default.nix
index 942f7bd..a1164f1 100644
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
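Review bot: `backend talos_controlplane` at the end of the config declares no `server` line, so connections accepted on `frontend talos_apiserver` (`bind *:50000`, and the firewall is opened for 50000 in the host config) have nowhere to be forwarded and HAProxy will simply drop them; either add the control-plane endpoint, e.g. `server cp1 <CONTROLPLANE_IP>:50000 check` (placeholder address), or leave the frontend and the 50000 firewall entry out until one exists. In `backend k8s_controlplane` the plaintext `option httpchk GET /healthz` is sent to port 6443, which the Kubernetes API serves over TLS, so as written the HTTP check cannot succeed unless the server line carries `check-ssl` (e.g. `server cp1 10.1.1.61:6443 check check-ssl verify none`); `option ssl-hello-chk` on the same backend is a different check type, and I believe HAProxy lets the last `option …-chk` win, which would silently reduce the check to a TLS hello. The server name `worker1` for an entry in a control-plane backend is also misleading and is worth renaming, since it is what shows up in logs and stats.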
@@ -77,6 +77,11 @@
 enable = true;
 extraConfig = import ./config/bind.nix { inherit config; };
 };
+ haproxy = {
+ enable = true;
+ config = import ./config/haproxy.nix { inherit config; };
+ tcpPorts = [ 6443 50000 ];
+ };
 };
 };
 }
diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix
index ee69ac6..ad07e7d 100644
--- a/nixos/modules/nixos/services/default.nix
+++ b/nixos/modules/nixos/services/default.nix
@@ -3,6 +3,7 @@
 ./bind
 ./cockpit
 ./forgejo
+ ./haproxy
 ./nginx
 ./onepassword-connect
 ./podman
diff --git a/nixos/modules/nixos/services/haproxy/default.nix b/nixos/modules/nixos/services/haproxy/default.nix
new file mode 100644
index 0000000..2145b23
--- /dev/null
+++ b/nixos/modules/nixos/services/haproxy/default.nix
@@ -0,0 +1,38 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+ cfg = config.mySystem.services.haproxy;
+ serviceUser = "named";
+in
+{
+ options.mySystem.services.haproxy = {
+ enable = mkEnableOption "haproxy";
+ package = mkPackageOption pkgs "haproxy" { };
+ config = mkOption {
+ type = types.str;
+ };
+ tcpPorts = mkOption {
+ type = types.listOf types.int;
+ default = [ ];
+ };
+ udpPorts = mkOption {
+ type = types.listOf types.int;
+ default = [ ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Open firewall for specified ports.
+ networking.firewall = {
+ allowedTCPPorts = cfg.tcpPorts;
+ allowedUDPPorts = cfg.udpPorts;
+ };
+
+ # Enable haproxy service with custom configuration
+ services.haproxy = {
+ enable = true;
+ inherit (cfg) package;
+ config = cfg.config;
+ };
+ };
+}
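Review bot: `tcpPorts = [ 6443 50000 ];` repeats the `bind *:6443` / `bind *:50000` lines inside ./config/haproxy.nix with nothing tying the two together, so the firewall allow-list and the actual listeners can drift apart silently (a port listed here without a bind is an open port with no listener; a bind without an entry here is unreachable). A comment on that line such as `# must match the bind lines in ./config/haproxy.nix` would make the dependency visible to whoever edits either file next. The `{ inherit config; }` argument passed to the import is currently ignored by haproxy.nix (`{ ... }:`), which is harmless but worth knowing. The enclosing attribute set starts before this hunk.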
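Review bot: `serviceUser = "named";` in the `let` block is never referenced, and "named" is the BIND user, so it reads as copy-paste residue from the bind module and should be deleted before someone wires it into a `User=` and runs HAProxy under the DNS server's account. The port options use `types.listOf types.int`, which accepts any integer; `types.listOf types.port` rejects out-of-range values at evaluation time, which matters here because whatever is listed is opened in `networking.firewall` unconditionally. None of the three `mkOption`s has a `description`, so the firewall side effect of `tcpPorts`/`udpPorts` is invisible in generated option docs; `types.lines` for `config` would additionally let several modules contribute fragments instead of the last `types.str` definition conflicting. The `config = mkIf cfg.enable { … }` body below the options is unchanged in the rewrite.
```nix
let
  cfg = config.mySystem.services.haproxy;
in
{
  options.mySystem.services.haproxy = {
    enable = mkEnableOption "haproxy";
    package = mkPackageOption pkgs "haproxy" { };
    config = mkOption {
      type = types.lines;
      description = "HAProxy configuration, passed verbatim to services.haproxy.config.";
    };
    tcpPorts = mkOption {
      type = types.listOf types.port;
      default = [ ];
      description = "TCP ports opened in networking.firewall; keep in sync with the bind lines in config.";
    };
    udpPorts = mkOption {
      type = types.listOf types.port;
      default = [ ];
      description = "UDP ports opened in networking.firewall.";
    };
  };
  # … unchanged: config = mkIf cfg.enable { networking.firewall …; services.haproxy … } …
```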