nixpkgs/nixos/modules/services/networking/haproxy.nix

{ config, lib, pkgs, ... }:

let
  cfg = config.services.haproxy;

  haproxyCfg = pkgs.writeText "haproxy.conf" ''
    global
      # needed for hot-reload to work without dropping packets in multi-worker mode
      stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level user

    ${cfg.config}
  '';

in
with lib;
{
  options = {
    services.haproxy = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable HAProxy, the reliable, high performance TCP/HTTP
          load balancer.
        '';
      };

      user = mkOption {
        type = types.str;
        default = "haproxy";
        description = "User account under which haproxy runs.";
      };

      group = mkOption {
        type = types.str;
        default = "haproxy";
        description = "Group account under which haproxy runs.";
      };

      config = mkOption {
        type = types.nullOr types.lines;
        default = null;
        description = ''
          Contents of the HAProxy configuration file,
          <filename>haproxy.conf</filename>.
        '';
      };
    };
  };

  config = mkIf cfg.enable {

    assertions = [{
      assertion = cfg.config != null;
      message = "You must provide services.haproxy.config.";
    }];

    # configuration file indirection is needed to support reloading
    environment.etc."haproxy.cfg".source = haproxyCfg;

    systemd.services.haproxy = {
      description = "HAProxy";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        Type = "notify";
        ExecStartPre = [
          # when the master process receives USR2, it reloads itself using exec(argv[0]),
          # so we create a symlink there and update it before reloading
          "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy"
          # when running the config test, don't be quiet so we can see what goes wrong
          "/run/haproxy/haproxy -c -f ${haproxyCfg}"
        ];
        ExecStart = "/run/haproxy/haproxy -Ws -f /etc/haproxy.cfg -p /run/haproxy/haproxy.pid";
        # support reloading
        ExecReload = [
          "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}"
          "${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy"
          "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"
        ];
        KillMode = "mixed";
        SuccessExitStatus = "143";
        Restart = "always";
        RuntimeDirectory = "haproxy";
        # upstream hardening options
        NoNewPrivileges = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        SystemCallFilter= "~@cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap @sync";
        # needed in case we bind to port < 1024
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      };
    };

    users.users = optionalAttrs (cfg.user == "haproxy") {
      haproxy = {
        group = cfg.group;
        isSystemUser = true;
      };
    };

    users.groups = optionalAttrs (cfg.group == "haproxy") {
      haproxy = {};
    };
  };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
nixos/haproxy: support hot-reload without dropping packets 2019-11-08 13:47:13 +08:00
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`let`
			`cfg = config.services.haproxy;`
nixos/haproxy: support hot-reload without dropping packets 2019-11-08 13:47:13 +08:00
			`haproxyCfg = pkgs.writeText "haproxy.conf" ''`
			`global`
			`# needed for hot-reload to work without dropping packets in multi-worker mode`
			`stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level user`

			`${cfg.config}`
			`'';`

nixos: haproxy module 2013-10-29 15:55:25 +01:00			`in`
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`{`
			`options = {`
			`services.haproxy = {`

			`enable = mkOption {`
nixos/haproxy: small cleanup * Add option types * Rewrite option descriptions * /var/run/haproxy.pid => /run/haproxy.pid (canonical location) 2015-02-21 13:23:48 +01:00			`type = types.bool;`
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`default = false;`
nixos/haproxy: small cleanup * Add option types * Rewrite option descriptions * /var/run/haproxy.pid => /run/haproxy.pid (canonical location) 2015-02-21 13:23:48 +01:00			`description = ''`
			`Whether to enable HAProxy, the reliable, high performance TCP/HTTP`
			`load balancer.`
			`'';`
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`};`

nixos/haproxy: Revive the haproxy user and group Running haproxy with "DynamicUser = true" doesn't really work, since it prohibits specifying a TLS certificate bundle with limited permissions. This revives the haproxy user and group, but makes them dynamically allocated by NixOS, rather than statically allocated. It also adds options to specify which user and group haproxy runs as. 2020-03-11 19:52:37 +01:00			`user = mkOption {`
			`type = types.str;`
			`default = "haproxy";`
			`description = "User account under which haproxy runs.";`
			`};`

			`group = mkOption {`
			`type = types.str;`
			`default = "haproxy";`
			`description = "Group account under which haproxy runs.";`
			`};`

nixos: haproxy module 2013-10-29 15:55:25 +01:00			`config = mkOption {`
nixos/haproxy: remove broken default 'config' HAProxy fails to start with the default 'config'. Better disable it and assert that the user provides a suitable 'config'. (AFAICS, there cannot really be a default config file for HAProxy.) 2015-02-22 12:30:14 +01:00			`type = types.nullOr types.lines;`
			`default = null;`
nixos/haproxy: small cleanup * Add option types * Rewrite option descriptions * /var/run/haproxy.pid => /run/haproxy.pid (canonical location) 2015-02-21 13:23:48 +01:00			`description = ''`
			`Contents of the HAProxy configuration file,`
			`<filename>haproxy.conf</filename>.`
			`'';`
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`};`
			`};`
			`};`

			`config = mkIf cfg.enable {`

nixos/haproxy: remove broken default 'config' HAProxy fails to start with the default 'config'. Better disable it and assert that the user provides a suitable 'config'. (AFAICS, there cannot really be a default config file for HAProxy.) 2015-02-22 12:30:14 +01:00			`assertions = [{`
			`assertion = cfg.config != null;`
			`message = "You must provide services.haproxy.config.";`
			`}];`

nixos/haproxy: add reloading support, use upstream service hardening Refactor the systemd service definition for the haproxy reverse proxy, using the upstream systemd service definition. This allows the service to be reloaded on changes, preserving existing server state, and adds some hardening options. 2020-05-20 09:29:27 +02:00			`# configuration file indirection is needed to support reloading`
			`environment.etc."haproxy.cfg".source = haproxyCfg;`

nixos: haproxy module 2013-10-29 15:55:25 +01:00			`systemd.services.haproxy = {`
			`description = "HAProxy";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
nixos/haproxy: Revive the haproxy user and group Running haproxy with "DynamicUser = true" doesn't really work, since it prohibits specifying a TLS certificate bundle with limited permissions. This revives the haproxy user and group, but makes them dynamically allocated by NixOS, rather than statically allocated. It also adds options to specify which user and group haproxy runs as. 2020-03-11 19:52:37 +01:00			`User = cfg.user;`
			`Group = cfg.group;`
nixos/haproxy: support hot-reload without dropping packets 2019-11-08 13:47:13 +08:00			`Type = "notify";`
nixos/haproxy: add reloading support, use upstream service hardening Refactor the systemd service definition for the haproxy reverse proxy, using the upstream systemd service definition. This allows the service to be reloaded on changes, preserving existing server state, and adds some hardening options. 2020-05-20 09:29:27 +02:00			`ExecStartPre = [`
			`# when the master process receives USR2, it reloads itself using exec(argv[0]),`
			`# so we create a symlink there and update it before reloading`
			`"${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy"`
			`# when running the config test, don't be quiet so we can see what goes wrong`
			`"/run/haproxy/haproxy -c -f ${haproxyCfg}"`
			`];`
			`ExecStart = "/run/haproxy/haproxy -Ws -f /etc/haproxy.cfg -p /run/haproxy/haproxy.pid";`
			`# support reloading`
			`ExecReload = [`
			`"${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}"`
			`"${pkgs.coreutils}/bin/ln -sf ${pkgs.haproxy}/sbin/haproxy /run/haproxy/haproxy"`
			`"${pkgs.coreutils}/bin/kill -USR2 $MAINPID"`
			`];`
			`KillMode = "mixed";`
			`SuccessExitStatus = "143";`
			`Restart = "always";`
nixos/haproxy: support hot-reload without dropping packets 2019-11-08 13:47:13 +08:00			`RuntimeDirectory = "haproxy";`
nixos/haproxy: add reloading support, use upstream service hardening Refactor the systemd service definition for the haproxy reverse proxy, using the upstream systemd service definition. This allows the service to be reloaded on changes, preserving existing server state, and adds some hardening options. 2020-05-20 09:29:27 +02:00			`# upstream hardening options`
			`NoNewPrivileges = true;`
			`ProtectHome = true;`
			`ProtectSystem = "strict";`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectControlGroups = true;`
			`SystemCallFilter= "~@cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap @sync";`
nixos/haproxy: support hot-reload without dropping packets 2019-11-08 13:47:13 +08:00			`# needed in case we bind to port < 1024`
			`AmbientCapabilities = "CAP_NET_BIND_SERVICE";`
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`};`
			`};`
nixos/haproxy: Revive the haproxy user and group Running haproxy with "DynamicUser = true" doesn't really work, since it prohibits specifying a TLS certificate bundle with limited permissions. This revives the haproxy user and group, but makes them dynamically allocated by NixOS, rather than statically allocated. It also adds options to specify which user and group haproxy runs as. 2020-03-11 19:52:37 +01:00
			`users.users = optionalAttrs (cfg.user == "haproxy") {`
			`haproxy = {`
			`group = cfg.group;`
			`isSystemUser = true;`
			`};`
			`};`

			`users.groups = optionalAttrs (cfg.group == "haproxy") {`
			`haproxy = {};`
			`};`
nixos: haproxy module 2013-10-29 15:55:25 +01:00			`};`
			`}`