# NixOS module: HAProxy front door for tempest.dev.
# Public :443 is routed by SNI without terminating TLS; a local chain of
# loopback frontends then terminates TLS for IRC and splits IRC traffic
# from the web client on the same port.
{ config, pkgs, ...}: {
  services.haproxy.enable = true;
  services.haproxy.config = ''
    global
      # NOTE(review): logs go to a syslog listener on 127.0.0.1 (UDP 514 by default);
      # if nothing listens there these lines are silently dropped — confirm one is configured.
      log 127.0.0.1 local0 info
      maxconn 2000
      # NOTE(review): mode 666 makes the admin socket usable by every local user.
      # "level user" caps what they can do, but a 660 socket with a dedicated group
      # is the safer default unless an unprivileged client genuinely needs it.
      stats socket /run/haproxy/stats.sock mode 666 level user
      stats timeout 30s
      # from https://ssl-config.mozilla.org
      # TLS 1.2 cipher list / TLS 1.3 ciphersuites for listening sockets; SSLv3 and
      # TLS 1.0/1.1 disabled, session tickets off (forward secrecy per connection).
      ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      # Same policy for connections HAProxy opens towards TLS backends.
      ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
      # DH group for the DHE-* ciphers above; the file is installed via environment.etc below.
      ssl-dh-param-file /etc/dhparam

    defaults
      log global
      mode http
      option dontlognull
      retries 3
      option redispatch
      # Unit-less timeouts are milliseconds: connect = 50000 s (~13.9 h),
      # client/server = 10000 s (~2.8 h). The long client/server values keep idle
      # IRC sessions alive; NOTE(review): the connect value looks unintentionally
      # large for a TCP handshake to loopback — confirm it is meant to be this long.
      timeout connect 50000000
      timeout client 10000000
      timeout server 10000000
      option http-keep-alive
      balance roundrobin

    # Public entry point. TLS is NOT terminated here: the ClientHello SNI is read and
    # the encrypted stream is passed through to the matching backend.
    frontend tls-in
      bind 104.168.211.198:443 interface ens3
      mode tcp
      # Hold the connection up to 5s until a ClientHello (hello type 1) has arrived,
      # so the req.ssl_sni fetches below have data to inspect.
      tcp-request inspect-delay 5s
      tcp-request content accept if { req.ssl_hello_type 1 }
      # Any subdomain of irc.tempest.dev (suffix match) -> calico, still encrypted.
      acl sni_irc req.ssl_sni -i -m end .irc.tempest.dev
      use_backend calico if sni_irc
      # Exactly irc.tempest.dev -> local TLS-terminating IRC frontend.
      acl sni_irc_multi req.ssl_sni -i -m str irc.tempest.dev
      use_backend irc_tls if sni_irc_multi
      # Everything else is handed to the local HTTPS server unchanged.
      default_backend http-pass

    backend calico
      mode tcp
      # No PROXY header here: the receiver sees 127.0.0.1 as the client address.
      server calico 127.0.0.1:6697

    backend irc_tls
      mode tcp
      # PROXY v2 carries the original client address to the irc_tls frontend below.
      server irc_tls 127.0.0.1:6668 send-proxy-v2

    backend http-pass
      mode tcp
      # NOTE(review): whatever listens on 127.0.0.1:443 must be configured to accept
      # PROXY protocol v2, otherwise every non-IRC TLS connection fails — confirm.
      server local-http 127.0.0.1:443 send-proxy-v2

    # Loopback-only: terminates TLS for irc.tempest.dev with the ACME wildcard cert
    # and requires the PROXY header sent by backend irc_tls.
    frontend irc_tls
      bind 127.0.0.1:6668 interface lo accept-proxy ssl crt /var/lib/acme/wildcard-tempest.dev/combined.pem
      mode tcp
      default_backend irc_multi

    backend irc_multi
      mode tcp
      # Plaintext after termination; PROXY v2 again preserves the client address.
      server irc_multi 127.0.0.1:6666 send-proxy-v2

    # Loopback-only: demultiplexes the decrypted stream. A payload that starts with
    # an HTTP method is the web client; anything else is treated as raw IRC.
    frontend irc_multi
      bind 127.0.0.1:6666 interface lo accept-proxy
      mode tcp
      tcp-request inspect-delay 5s
      # NOTE(review): this accept has no condition, so the inspection phase ends at
      # its first evaluation; whether payload(0,10) below already sees client bytes
      # at that point should be confirmed — the usual guard is
      # "tcp-request content accept if { req.len gt 0 }".
      tcp-request content accept
      acl http_maybe payload(0,10) -m reg '^(GET|POST|OPTIONS|HEAD|PUT|DELETE|CONNECT|TRACE|PATCH) .*'
      use_backend the_lounge_httpwrap if http_maybe
      default_backend solanum

    # IRC daemon.
    backend solanum
      mode tcp
      server solanum 127.0.0.1:6667

    backend the_lounge_httpwrap
      mode tcp
      server the_lounge_httpwrap 127.0.0.1:9001 send-proxy-v2

    # Loopback-only: re-enters HTTP mode so client-address headers can be added.
    frontend the_lounge_httpwrap
      bind 127.0.0.1:9001 interface lo accept-proxy
      mode http
      use_backend the_lounge

    backend the_lounge
      mode http
      # Pass the client address on as Forwarded and X-Forwarded-For; the address
      # seen here is the one carried through the PROXY v2 hops above.
      option forwarded
      option forwardfor
      server the_lounge 127.0.0.1:9000
  '';

  environment.etc = {
    # Finite-field DH group referenced by ssl-dh-param-file above. Group parameters
    # are public data; NOTE(review): this looks like the RFC 7919 ffdhe2048 group
    # published at ssl-config.mozilla.org — verify against that source.
    dhparam = {
      text = ''
        -----BEGIN DH PARAMETERS-----
        MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
        +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
        87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
        YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
        7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
        ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
        -----END DH PARAMETERS-----
      '';
      # Readable only by the haproxy user that loads it.
      mode = "0400";
      user = "haproxy";
    };
  };
}