lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

kusakabe: updates for XMPP

Browse source
This commit is contained in:
Luke Granger-Brown 2020-10-15 13:24:37 +00:00
parent 4a3aa3d7d8
commit d5d4d6eb33
1 changed files with 48 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
ops/nixos/kusakabe/default.nix
View file

@ -97,8 +97,18 @@ in {
# PostgreSQL
5432
# XMPP
5222 5223 5269 5347 5280 5281
# TURN
3478
];
allowedTCPPorts = [
80 443 6443
5222 5223 5269 5280 5281
3478
];
allowedTCPPorts = [ 80 443 6443 ];
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -195,7 +205,32 @@ in {
# LB
services.haproxy = {
enable = true;
config = ''
config = (let
backends = { okd1 = "137.74.77.21"; okd2 = "137.74.77.22"; okd3 = "137.74.77.23"; };
services = {
k8sapi = { port = 6443; backendPort = 6443; sendProxy = false; backends = backends; };
machineconfig = { port = 22623; backendPort = 22623; sendProxy = false; backends = backends; };
https = { port = 443; backendPort = 443; sendProxy = true; backends = backends; };
http = { port = 80; backendPort = 80; sendProxy = true; backends = backends; };
xmpp-c2s = { port = 5222; backendPort = 32732; sendProxy = false; backends = backends; };
xmpp-c2s-legacyssl = { port = 5223; backendPort = 31778; sendProxy = false; backends = backends; };
xmpp-s2s = { port = 5269; backendPort = 32131; sendProxy = false; backends = backends; };
xmpp-extcomp = { port = 5347; backendPort = 31856; sendProxy = false; backends = backends; };
xmpp-http = { port = 5280; backendPort = 30389; sendProxy = false; backends = backends; };
xmpp-https = { port = 5281; backendPort = 30952; sendProxy = false; backends = backends; };
};
backendToLine = backendPort: suffix: backendName: backendAddr: "server ${backendName} ${backendAddr}:${toString backendPort} ${suffix}";
backendsToLine = backendPort: suffix: backends: lib.mapAttrsToList (backendToLine backendPort suffix) backends;
serviceToFragment = serviceName: service: ''
frontend ${serviceName}
bind 137.74.77.17:${toString service.port}
default_backend ${serviceName}-backend
backend ${serviceName}-backend
balance roundrobin
${lib.concatStringsSep "\n " (backendsToLine service.backendPort "check ${if service.sendProxy then "send-proxy-v2" else ""}" service.backends)}
'';
in ''
global
maxconn 50000
nbthread 4
@ -208,51 +243,11 @@ in {
timeout connect 10s
timeout client 1m
timeout server 1m
timeout tunnel 24h
timeout client-fin 30s
frontend k8sapi
bind 137.74.77.17:6443
default_backend k8sapi-backend
backend k8sapi-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:6443 check
server okd2 137.74.77.22:6443 check
server okd3 137.74.77.23:6443 check
frontend machineconfig
bind 137.74.77.17:22623
default_backend machineconfig-backend
backend machineconfig-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:22623 check
server okd2 137.74.77.22:22623 check
server okd3 137.74.77.23:22623 check
frontend https
bind 137.74.77.17:443
default_backend https-backend
backend https-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:443 check send-proxy-v2
server okd2 137.74.77.22:443 check send-proxy-v2
server okd3 137.74.77.23:443 check send-proxy-v2
frontend http
bind 137.74.77.17:80
default_backend http-backend
backend http-backend
balance roundrobin
mode tcp
server okd1 137.74.77.21:80 check send-proxy-v2
server okd2 137.74.77.22:80 check send-proxy-v2
server okd3 137.74.77.23:80 check send-proxy-v2
'';
${lib.concatStringsSep "\n\n" (lib.mapAttrsToList serviceToFragment services)}
'');
};
virtualisation.libvirtd = {
@ -280,5 +275,12 @@ in {
};
services.postgresqlBackup.enable = true;
services.coturn = {
enable = true;
use-auth-secret = true;
realm = "turn.lukegb.com";
static-auth-secret = machineSecrets.turnSecret;
};
system.stateVersion = "20.03";
}