diff --git a/ops/nixos/kusakabe/default.nix b/ops/nixos/kusakabe/default.nix
index f693d3dd0b..e62ede407c 100644
--- a/ops/nixos/kusakabe/default.nix
+++ b/ops/nixos/kusakabe/default.nix
@@ -97,8 +97,18 @@ in {
 # PostgreSQL
 5432
+
+ # XMPP
+ 5222 5223 5269 5347 5280 5281
+
+ # TURN
+ 3478
+ ];
+ allowedTCPPorts = [
+ 80 443 6443
+ 5222 5223 5269 5280 5281
+ 3478
 ];
- allowedTCPPorts = [ 80 443 6443 ];
 };
 };
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
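Review bot: The `# XMPP` line added under allowedUDPPorts opens `5222 5223 5269 5347 5280 5281` over UDP, but c2s, s2s and BOSH/WebSocket XMPP are TCP-only (the haproxy frontends in this same commit bind them as TCP), so these entries widen the firewall for no service — drop that line and keep only `3478` under UDP. 5347 deserves a second look: it is the XMPP external-component port, whose XEP-0114 handshake is a plaintext shared-secret digest, and it is (correctly) absent from allowedTCPPorts; keep it that way rather than mirroring the UDP list later. If coturn is meant to relay media, the relay port range it allocates from (coturn's default is UDP 49152-65535 unless min-port/max-port are set) also has to be allowed here, which I can't see from this hunk. The enclosing `networking.firewall` attribute set starts outside the hunk.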
@@ -195,7 +205,32 @@ in {
 # LB
 services.haproxy = {
 enable = true;
- config = ''
+ config = (let
+ backends = { okd1 = "137.74.77.21"; okd2 = "137.74.77.22"; okd3 = "137.74.77.23"; };
+ services = {
+ k8sapi = { port = 6443; backendPort = 6443; sendProxy = false; backends = backends; };
+ machineconfig = { port = 22623; backendPort = 22623; sendProxy = false; backends = backends; };
+ https = { port = 443; backendPort = 443; sendProxy = true; backends = backends; };
+ http = { port = 80; backendPort = 80; sendProxy = true; backends = backends; };
+ xmpp-c2s = { port = 5222; backendPort = 32732; sendProxy = false; backends = backends; };
+ xmpp-c2s-legacyssl = { port = 5223; backendPort = 31778; sendProxy = false; backends = backends; };
+ xmpp-s2s = { port = 5269; backendPort = 32131; sendProxy = false; backends = backends; };
+ xmpp-extcomp = { port = 5347; backendPort = 31856; sendProxy = false; backends = backends; };
+ xmpp-http = { port = 5280; backendPort = 30389; sendProxy = false; backends = backends; };
+ xmpp-https = { port = 5281; backendPort = 30952; sendProxy = false; backends = backends; };
+ };
+ backendToLine = backendPort: suffix: backendName: backendAddr: "server ${backendName} ${backendAddr}:${toString backendPort} ${suffix}";
+ backendsToLine = backendPort: suffix: backends: lib.mapAttrsToList (backendToLine backendPort suffix) backends;
+ serviceToFragment = serviceName: service: ''
+ frontend ${serviceName}
+ bind 137.74.77.17:${toString service.port}
+ default_backend ${serviceName}-backend
+
+ backend ${serviceName}-backend
+ balance roundrobin
+ ${lib.concatStringsSep "\n " (backendsToLine service.backendPort "check ${if service.sendProxy then "send-proxy-v2" else ""}" service.backends)}
+ '';
+ in ''
 global
 maxconn 50000
 nbthread 4
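Review bot: `xmpp-extcomp = { port = 5347; ... }` publishes the XMPP external-component port on the public LB address through the generated `bind 137.74.77.17:5347` line; component connections authenticate with a shared secret and, unlike c2s/s2s, have no business being reachable from the internet, so either drop the entry or give the service record an explicit bind address on an internal interface (e.g. a `bindAddr` field that `serviceToFragment` uses and that defaults to 137.74.77.17). Today the port is only unreachable because the firewall hunk happens to allow 5347 on UDP instead of TCP — that accidental mismatch is not a control to rely on. Separately, the old per-backend `mode tcp` lines are gone and `serviceToFragment` never emits one; unless the `defaults` section (not in this hunk) carries `mode tcp`, haproxy falls back to `mode http` and will mangle the Kubernetes API, XMPP streams and the PROXY-protocol backends, so add `mode tcp` after `balance roundrobin` in the generated backend fragment. The `services.haproxy` attribute set continues past the end of the hunk.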
@@ -208,51 +243,11 @@ in {
 timeout connect 10s
 timeout client 1m
 timeout server 1m
+ timeout tunnel 24h
+ timeout client-fin 30s
- frontend k8sapi
- bind 137.74.77.17:6443
- default_backend k8sapi-backend
-
- backend k8sapi-backend
- balance roundrobin
- mode tcp
- server okd1 137.74.77.21:6443 check
- server okd2 137.74.77.22:6443 check
- server okd3 137.74.77.23:6443 check
-
- frontend machineconfig
- bind 137.74.77.17:22623
- default_backend machineconfig-backend
-
- backend machineconfig-backend
- balance roundrobin
- mode tcp
- server okd1 137.74.77.21:22623 check
- server okd2 137.74.77.22:22623 check
- server okd3 137.74.77.23:22623 check
-
- frontend https
- bind 137.74.77.17:443
- default_backend https-backend
-
- backend https-backend
- balance roundrobin
- mode tcp
- server okd1 137.74.77.21:443 check send-proxy-v2
- server okd2 137.74.77.22:443 check send-proxy-v2
- server okd3 137.74.77.23:443 check send-proxy-v2
-
- frontend http
- bind 137.74.77.17:80
- default_backend http-backend
-
- backend http-backend
- balance roundrobin
- mode tcp
- server okd1 137.74.77.21:80 check send-proxy-v2
- server okd2 137.74.77.22:80 check send-proxy-v2
- server okd3 137.74.77.23:80 check send-proxy-v2
- '';
+ ${lib.concatStringsSep "\n\n" (lib.mapAttrsToList serviceToFragment services)}
+ '');
 };
 };
 virtualisation.libvirtd = {
@@ -280,5 +275,12 @@ in {
 };
 services.postgresqlBackup.enable = true;
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ realm = "turn.lukegb.com";
+ static-auth-secret = machineSecrets.turnSecret;
+ };
+
 system.stateVersion = "20.03";
 }
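Review bot: `timeout tunnel 24h` is added next to `timeout client 1m` / `timeout server 1m`, i.e. in the section that holds the global timeouts (its `defaults` header is above the hunk), and per the haproxy docs a tunnel timeout in TCP mode takes over as soon as no analyser remains attached, superseding the client and server timeouts — so every frontend in this file, including the Kubernetes API, machineconfig and 80/443, now lets an idle client pin a frontend slot and a backend connection for a day, which makes the `maxconn 50000` budget in `global` cheap to exhaust from a single host. Keep the long idle timeout only where XMPP streams need it: emit `timeout tunnel 24h` from `serviceToFragment` for the xmpp-* services (e.g. an optional `tunnelTimeout` attribute on the service record) and leave the 1m limits in defaults. `timeout client-fin 30s` is fine as it stands. The `config` string and the `services.haproxy` set both begin outside this hunk.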
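Review bot: `static-auth-secret = machineSecrets.turnSecret;` hands the TURN shared secret over as a plain module option, and the NixOS coturn module renders its options into a turnserver.conf under /nix/store, which is world-readable, so the secret that gates every relay allocation becomes readable by any local user (unless `machineSecrets` already resolves to some indirection I can't see here). If the nixpkgs revision in use offers `static-auth-secret-file`, point it at a root-only file instead; otherwise feed the secret in via `extraConfig` from a file read at activation rather than at evaluation. Separately, coturn by default relays to whatever peer address an authenticated client asks for, including this host's own backends on 137.74.77.21-23, loopback and the libvirt networks configured further down, so the block should also refuse private, loopback, link-local and multicast peers; the rewritten block is below. The enclosing `in {` set and the end of the module are outside this hunk.
```nix
  services.coturn = {
    # … unchanged: enable / use-auth-secret / realm …
    # Prefer the *-file form so the secret stays out of the store; confirm the option exists in this nixpkgs.
    static-auth-secret-file = "/run/keys/turn-secret";
    extraConfig = ''
      no-multicast-peers
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
    '';
  };
```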