kusakabe: updates for XMPP

Luke Granger-Brown 2020-10-15 13:24:37 +00:00
parent 4a3aa3d7d8
commit d5d4d6eb33


@ -97,8 +97,18 @@ in {
# PostgreSQL # PostgreSQL
5432 5432
# XMPP
5222 5223 5269 5347 5280 5281
# TURN
3478
];
allowedTCPPorts = [
80 443 6443
5222 5223 5269 5280 5281
3478
]; ];
allowedTCPPorts = [ 80 443 6443 ];
}; };
}; };
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -195,7 +205,32 @@ in {
# LB # LB
services.haproxy = { services.haproxy = {
enable = true; enable = true;
config = '' config = (let
backends = { okd1 = "137.74.77.21"; okd2 = "137.74.77.22"; okd3 = "137.74.77.23"; };
services = {
k8sapi = { port = 6443; backendPort = 6443; sendProxy = false; backends = backends; };
machineconfig = { port = 22623; backendPort = 22623; sendProxy = false; backends = backends; };
https = { port = 443; backendPort = 443; sendProxy = true; backends = backends; };
http = { port = 80; backendPort = 80; sendProxy = true; backends = backends; };
xmpp-c2s = { port = 5222; backendPort = 32732; sendProxy = false; backends = backends; };
xmpp-c2s-legacyssl = { port = 5223; backendPort = 31778; sendProxy = false; backends = backends; };
xmpp-s2s = { port = 5269; backendPort = 32131; sendProxy = false; backends = backends; };
xmpp-extcomp = { port = 5347; backendPort = 31856; sendProxy = false; backends = backends; };
xmpp-http = { port = 5280; backendPort = 30389; sendProxy = false; backends = backends; };
xmpp-https = { port = 5281; backendPort = 30952; sendProxy = false; backends = backends; };
};
backendToLine = backendPort: suffix: backendName: backendAddr: "server ${backendName} ${backendAddr}:${toString backendPort} ${suffix}";
backendsToLine = backendPort: suffix: backends: lib.mapAttrsToList (backendToLine backendPort suffix) backends;
serviceToFragment = serviceName: service: ''
frontend ${serviceName}
bind 137.74.77.17:${toString service.port}
default_backend ${serviceName}-backend
backend ${serviceName}-backend
balance roundrobin
${lib.concatStringsSep "\n " (backendsToLine service.backendPort "check ${if service.sendProxy then "send-proxy-v2" else ""}" service.backends)}
'';
in ''
global global
maxconn 50000 maxconn 50000
nbthread 4 nbthread 4
@ -208,51 +243,11 @@ in {
timeout connect 10s timeout connect 10s
timeout client 1m timeout client 1m
timeout server 1m timeout server 1m
timeout tunnel 24h
timeout client-fin 30s
frontend k8sapi ${lib.concatStringsSep "\n\n" (lib.mapAttrsToList serviceToFragment services)}
bind 137.74.77.17:6443 '');
default_backend k8sapi-backend
backend k8sapi-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:6443 check
server okd2 137.74.77.22:6443 check
server okd3 137.74.77.23:6443 check
frontend machineconfig
bind 137.74.77.17:22623
default_backend machineconfig-backend
backend machineconfig-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:22623 check
server okd2 137.74.77.22:22623 check
server okd3 137.74.77.23:22623 check
frontend https
bind 137.74.77.17:443
default_backend https-backend
backend https-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:443 check send-proxy-v2
server okd2 137.74.77.22:443 check send-proxy-v2
server okd3 137.74.77.23:443 check send-proxy-v2
frontend http
bind 137.74.77.17:80
default_backend http-backend
backend http-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:80 check send-proxy-v2
server okd2 137.74.77.22:80 check send-proxy-v2
server okd3 137.74.77.23:80 check send-proxy-v2
'';
}; };
virtualisation.libvirtd = { virtualisation.libvirtd = {
@ -280,5 +275,12 @@ in {
}; };
services.postgresqlBackup.enable = true; services.postgresqlBackup.enable = true;
services.coturn = {
enable = true;
use-auth-secret = true;
realm = "turn.lukegb.com";
static-auth-secret = machineSecrets.turnSecret;
};
system.stateVersion = "20.03"; system.stateVersion = "20.03";
} }
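Review bot: In the last hunk, `static-auth-secret = machineSecrets.turnSecret;` passes the TURN shared secret to the coturn module as a Nix value; if `machineSecrets.turnSecret` is a plain string, the generated turnserver.conf (and therefore the secret) ends up in the world-readable Nix store, so a file-based option such as `static-auth-secret-file`, where the module version in use offers it, would keep it out of the store. The visible firewall changes in the first hunk open 3478/TCP only, while TURN also needs 3478/UDP and coturn's relay port range, which may be opened elsewhere in the file. In the HAProxy rewrite, `serviceToFragment` drops the per-backend `mode tcp` that every removed backend carried; the `defaults` section starts before the third hunk, so this is fine only if it sets `mode tcp` there — worth a comment on `serviceToFragment` such as `# relies on defaults: mode tcp`. Note also that `xmpp-extcomp` (5347, the external-component protocol, which authenticates with a shared secret) is bound on the same public address as the other frontends while the second `allowedTCPPorts` list omits 5347; if that list is the public interface the bind is unreachable, which looks intended but deserves a comment so the asymmetry is not "fixed" later.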