frontend: Add routing for gerrit.baserock.org

We allow through SSH on port 29418 and HTTP on port 80.

A downside of using HAProxy for this is that SSH traffic to port 29418
will be accepted for openid.baserock.org too. So gerrit.baserock.org
should not go through HAProxy after all. I will change this later.

1 files changed, 24 insertions, 3 deletions

diff --git a/frontend/haproxy.cfg b/frontend/haproxy.cfg
index 2ac0b850..865ed992 100644
--- a/frontend/haproxy.cfg
+++ b/frontend/haproxy.cfg
@@ -32,10 +32,31 @@ frontend http-in
     # See <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7>
     # for more documentation than you ever dreamed of.
 
+    acl host_gerrit hdr(host) -m beg -i gerrit
+    use_backend baserock_gerrit_http if host_gerrit
+
     acl host_openid hdr(host) -m beg -i openid
-    use_backend baserock_openid_provider if host_openid
+    use_backend baserock_openid_provider_http if host_openid
+
+frontend ssh-in:
+    # FIXME: it'd be better if we could limit traffic on port 29418 to
+    # gerrit.baserock.org. There's no way of knowing from an SSH request
+    # which subdomain the user tried to connect to, so for now they can
+    # clone repos from 'ssh://openid.baserock.org:29418' and such like.
+    # For this reason it's probably worth pointing gerrit.baserock.org to
+    # a different floating IP that serves only the gerrit instance.
+    mode tcp
+    bind *:29418
+    default_backend baserock_gerrit_ssh
 
 # Entries here locate each server backend.
 
-backend baserock_openid_provider
-    server baserock_openid_provider IP
+backend baserock_gerrit_http
+    server baserock_gerrit 192.168.222.69:8080
+
+backend baserock_gerrit_ssh
+    mode tcp
+    server baserock_gerrit 192.168.222.69:29418
+
+backend baserock_openid_provider_http
+    server baserock_openid_provider 192.168.222.67