Add nginx reverse proxy configuration
This commit is contained in:
parent
86a8837305
commit
bf2aefd507
40
module.nix
40
module.nix
@ -1,7 +1,7 @@
|
||||
flake: { config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mapAttrsToList mkEnableOption mkMerge mkOption types;
|
||||
inherit (lib) filterAttrs foldl imap1 mapAttrsToList mkEnableOption mkIf mkMerge mkOption types;
|
||||
intakeCfg = config.services.intake;
|
||||
in {
|
||||
options = {
|
||||
@ -9,13 +9,19 @@ in {
|
||||
listen.addr = mkOption {
|
||||
type = types.str;
|
||||
default = "0.0.0.0";
|
||||
description = "Listen address for the nginx entry point.";
|
||||
description = "The listen address for the entry point to intake services. This endpoint will redirect to a local port based on the request's HTTP Basic Auth credentials.";
|
||||
};
|
||||
|
||||
listen.port = mkOption {
|
||||
type = types.port;
|
||||
default = 80;
|
||||
description = "Listen port for the nginx entry point.";
|
||||
default = 8032;
|
||||
description = "The listen port for the entry point to intake services. This endpoint will redirect to a local port based on the request's HTTP Basic Auth credentials.";
|
||||
};
|
||||
|
||||
internalPortStart = mkOption {
|
||||
type = types.port;
|
||||
default = 24130;
|
||||
description = "The first port to use for internal service endpoints. A number of ports will be continguously allocated equal to the number of users with enabled intake services.";
|
||||
};
|
||||
|
||||
users = mkOption {
|
||||
@ -41,11 +47,18 @@ in {
|
||||
# Define the intake package and a python environment to run it from
|
||||
intake = flake.packages.${pkgs.stdenv.hostPlatform.system}.default;
|
||||
pythonEnv = pkgs.python38.withPackages (pypkgs: [ intake ]);
|
||||
|
||||
# Assign each user an internal port for their personal intake instance
|
||||
enabledUsers = filterAttrs (userName: userCfg: userCfg.enable) intakeCfg.users;
|
||||
enabledUserNames = mapAttrsToList (userName: userCfg: userName) enabledUsers;
|
||||
userPortList = imap1 (i: userName: { ${userName} = i + intakeCfg.internalPortStart; }) enabledUserNames;
|
||||
userPort = foldl (acc: val: acc // val) {} userPortList;
|
||||
in {
|
||||
# Define a user service for each configured user
|
||||
systemd.services =
|
||||
let
|
||||
runScript = userName: pkgs.writeShellScript "intake-run.sh" ''
|
||||
${pythonEnv}/bin/intake run -d /home/${userName}/.local/share/intake
|
||||
${pythonEnv}/bin/intake run -d /home/${userName}/.local/share/intake --port ${toString userPort.${userName}}
|
||||
'';
|
||||
# systemd service definition for a single user, given `services.intake.users.userName` = `userCfg`
|
||||
userServiceConfig = userName: userCfg: {
|
||||
@ -63,5 +76,22 @@ in {
|
||||
};
|
||||
};
|
||||
in mkMerge (mapAttrsToList userServiceConfig intakeCfg.users);
|
||||
|
||||
# Define an nginx reverse proxy to request auth
|
||||
services.nginx = mkIf (enabledUsers != {}) {
|
||||
enable = true;
|
||||
virtualHosts."intake" = mkIf (enabledUsers != {}) {
|
||||
listen = [ intakeCfg.listen ];
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:$target_port";
|
||||
basicAuth = { alpha = "alpha"; beta = "beta"; };
|
||||
};
|
||||
extraConfig = foldl (acc: val: acc + val) "" (mapAttrsToList (userName: port: ''
|
||||
if ($remote_user = "${userName}") {
|
||||
set $target_port ${toString port};
|
||||
}
|
||||
'') userPort);
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -11,41 +11,7 @@ flake: { pkgs, ... }:
|
||||
|
||||
services.intake.users.alpha.enable = true;
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts = {
|
||||
alpha-fsid = {
|
||||
listen = [ { addr = "localhost"; port = 8030; } ];
|
||||
locations."/".tryFiles = "/dev/null @dummy";
|
||||
locations."@dummy" = {
|
||||
proxyPass = "http://127.0.0.1:5000";
|
||||
};
|
||||
};
|
||||
beta-fsid = {
|
||||
listen = [ { addr = "localhost"; port = 8031; } ];
|
||||
locations."/".tryFiles = "/dev/null @dummy";
|
||||
locations."@dummy" = {
|
||||
return = "200 'youve reached beta'";
|
||||
extraConfig = ''
|
||||
add_header Content-Type text/plain always;
|
||||
'';
|
||||
};
|
||||
};
|
||||
redirector = {
|
||||
listen = [ { addr = "localhost"; port = 8032; } ];
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:$target_port";
|
||||
basicAuth = { alpha = "alpha"; beta = "beta"; };
|
||||
};
|
||||
extraConfig = ''
|
||||
if ($remote_user ~ "alpha|^$") {
|
||||
set $target_port 8030;
|
||||
}
|
||||
if ($remote_user = "beta") {
|
||||
set $target_port 8031;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
services.intake.users.beta.enable = true;
|
||||
|
||||
users.users.alpha = {
|
||||
isNormalUser = true;
|
||||
|
Loading…
Reference in New Issue
Block a user