Added haproxy module and enabled it for telperion as a talos k8s lb

2024-07-07 15:13:10 -05:00 · 2024-07-07 15:13:10 -05:00 · 244d691b37
commit 244d691b37
parent ecd2ad3b0f
4 changed files with 92 additions and 0 deletions
--- a/nixos/hosts/telperion/config/haproxy.nix
+++ b/nixos/hosts/telperion/config/haproxy.nix
@ -0,0 +1,48 @@
+{ ... }:
+''
+global
+  log /dev/log local0
+  log /dev/log local1 notice
+  daemon
+
+defaults
+  mode http
+  log global
+  option httplog
+  option dontlognull
+  option http-server-close
+  option redispatch
+  retries 3
+  timeout http-request 10s
+  timeout queue 20s
+  timeout connect 10s
+  timeout client 1h
+  timeout server 1h
+  timeout http-keep-alive 10s
+  timeout check 10s
+
+frontend k8s_apiserver
+  bind *:6443
+  mode tcp
+  option tcplog
+  default_backend k8s_controlplane
+
+frontend talos_apiserver
+  bind *:50000
+  mode tcp
+  option tcplog
+  default_backend talos_controlplane
+
+backend k8s_controlplane
+  option httpchk GET /healthz
+  http-check expect status 200
+  mode tcp
+  option ssl-hello-chk
+  balance roundrobin
+  server worker1 10.1.1.61:6443 check
+
+backend talos_controlplane
+  option httpchk GET /healthz
+  http-check expect status 200
+  mode tcp
+''
--- a/nixos/hosts/telperion/default.nix
+++ b/nixos/hosts/telperion/default.nix
@ -77,6 +77,11 @@
        enable = true;
        extraConfig = import ./config/bind.nix { inherit config; };
      };
+      haproxy = {
+        enable = true;
+        config = import ./config/haproxy.nix { inherit config; };
+        tcpPorts = [ 6443 50000 ];
+      };
    };
  };
 }
--- a/nixos/modules/nixos/services/default.nix
+++ b/nixos/modules/nixos/services/default.nix
@ -3,6 +3,7 @@
    ./bind
    ./cockpit
    ./forgejo
+    ./haproxy
    ./nginx
    ./onepassword-connect
    ./podman
--- a/nixos/modules/nixos/services/haproxy/default.nix
+++ b/nixos/modules/nixos/services/haproxy/default.nix
@ -0,0 +1,38 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.mySystem.services.haproxy;
+  serviceUser = "named";
+in
+{
+  options.mySystem.services.haproxy = {
+    enable = mkEnableOption "haproxy";
+    package = mkPackageOption pkgs "haproxy" { };
+    config = mkOption {
+      type = types.str;
+    };
+    tcpPorts = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    udpPorts = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Open firewall for specified ports.
+    networking.firewall = {
+      allowedTCPPorts = cfg.tcpPorts;
+      allowedUDPPorts = cfg.udpPorts;
+    };
+
+    # Enable haproxy service with custom configuration
+    services.haproxy = {
+      enable = true;
+      inherit (cfg) package;
+      config = cfg.config;
+    };
+  };
+}