From 1d19f0821d428cd193ca3f2bd5be82741399efad Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Mon, 24 Jun 2024 11:40:44 -0700
Subject: [PATCH] refactor(nginx): proxied xvars defaults
---
 modules/nixos/nginx/proxied.nix | 46 ++++++++++++++++++++++++------
 modules/nixos/nginx/proxy.nix | 4 +--
 modules/nixos/nginx/xvars.nix | 50 ++++++++++++++++++++-------------
 3 files changed, 70 insertions(+), 30 deletions(-)
diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix
index 086f6a61..1ee52f4f 100644
--- a/modules/nixos/nginx/proxied.nix
+++ b/modules/nixos/nginx/proxied.nix
@@ -1,4 +1,5 @@
 let
+ xInit = true;
 xCloudflared = {virtualHost}: let
 host = if virtualHost.proxied.cloudflared.host == virtualHost.serverName
 then "$server_name"
@@ -29,6 +30,23 @@ let
 ${xvars.init "forwarded_server" "$http_x_forwarded_server"}
 }
 '';
+ xDefaults = {cfg}: let
+ defaults = {
+ ${toString true} = {
+ remote_addr = "$proxied_remote_addr_x";
+ host = "$proxied_host_x";
+ forwarded_server = "$proxied_forwarded_server_x";
+ };
+ "cloudflared" = {
+ remote_addr = "$proxied_remote_addr_cf";
+ host = "$proxied_host_cf";
+ };
+ };
+ in {
+ forwarded_for = "$proxy_add_x_forwarded_for";
+ scheme = "$proxied_scheme";
+ https = "$proxied_https";
+ } // defaults.${cfg.enable};
 locationModule = {
 config,
 virtualHost,
@@ -37,7 +55,7 @@ let
 lib,
 ...
 }: let
- inherit (gensokyo-zone.lib) mkJustBefore mkAlmostOptionDefault;
+ inherit (gensokyo-zone.lib) mkJustBefore mkAlmostOptionDefault mapAlmostOptionDefaults;
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkMerge mkOptionDefault;
 cfg = config.proxied;
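Review bot: `defaults.${cfg.enable}` at the end of `xDefaults` uses the raw option value as a dynamic attribute name although the key was written as `${toString true}`; when `cfg.enable` is the boolean `true`, Nix rejects a non-string in an attribute path, so the non-cloudflared branch can only fail at evaluation time. Apply the same coercion on the lookup, `} // defaults.${toString cfg.enable};`, and consider a fallback (`or defaults.${toString true}`) so any other value the `enable` option admits does not throw an attribute-missing error. This has not surfaced because `xInit = true` is hard-coded and both call sites guard the new `defaults` with `!xInit`, which leaves `xDefaults` unreachable and untested; a comment such as `# xInit = true keeps the legacy $x_* init block; false switches to xvars.defaults (not yet exercised)` would make that explicit. The `let` enclosing `xCloudflared` and `xDefaults` continues past the hunk.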
@@ -75,12 +93,15 @@ let
 X-Accel-Buffering = mkOptionDefault true;
 };
 };
- xvars.enable = mkIf cfg.enabled true;
+ xvars = mkIf cfg.enabled {
+ enable = mkIf xInit true;
+ defaults = mkIf (!xInit && cfg.enable != virtualHost.proxied.enable) (mapAlmostOptionDefaults (xDefaults {inherit cfg;}));
+ };
 extraConfig = mkMerge [
 (mkIf (cfg.enable == "cloudflared" && virtualHost.proxied.enable != "cloudflared") (
 mkJustBefore (xCloudflared {inherit virtualHost;})
 ))
- (mkIf emitVars (
+ (mkIf (xInit && emitVars) (
 mkJustBefore (xHeadersProxied {inherit xvars;})
 ))
 ];
@@ -94,7 +115,7 @@ let
 lib,
 ...
 }: let
- inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged;
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapAlmostOptionDefaults orderJustBefore unmerged;
 inherit (lib.options) mkOption;
 inherit (lib.modules) mkIf mkMerge mkOrder mkDefault;
 inherit (nixosConfig.services) nginx;
@@ -115,6 +136,10 @@ let
 type = str;
 default = config.serverName;
 };
+ originHost = mkOption {
+ type = str;
+ default = config.serverName;
+ };
 ingressSettings = mkOption {
 type = unmerged.types.attrs;
 };
@@ -143,7 +168,7 @@ let
 else "http";
 in
 mkIf (cfg.enable == "cloudflared") {
- ingressSettings.${config.serverName} = {
+ ingressSettings.${cfg.cloudflared.host} = {
 service = "${scheme}://localhost:${toString listen.port}";
 originRequest = let
 noTLSVerify =
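Review bot: The new `originHost` option carries no `description`, and keying the ingress rule on `cfg.cloudflared.host` instead of `config.serverName` changes what `host` means — it is now the public hostname the ingress rule matches, while `originHost` (default `serverName`) is the Host header the origin receives — so existing configurations that set `host` may behave differently after this commit. Document both: `description = "Host header cloudflared sends to the nginx origin; defaults to serverName so the request reaches this vhost";` on `originHost`, and update the `host` description (outside the hunk) to say it is the hostname matched by the ingress rule. If `originHost` is set to a name nginx does not serve under this vhost's `serverName`, the request presumably lands on a different server block, which is worth stating in the option text. The `cloudflared` option set and the `mkIf (cfg.enable == "cloudflared")` block both continue outside the hunk.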
@@ -151,18 +176,21 @@ let
 then "noTLSVerify"
 else null;
 httpHostHeader =
- if cfg.cloudflared.host != config.serverName
+ if cfg.cloudflared.host != cfg.cloudflared.originHost
 then "httpHostHeader"
 else null;
 in {
 ${noTLSVerify} = true;
- ${httpHostHeader} = cfg.cloudflared.host;
+ ${httpHostHeader} = cfg.cloudflared.originHost;
 };
 };
 getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
 };
 };
- xvars.enable = mkIf cfg.enabled true;
+ xvars = mkIf cfg.enabled {
+ enable = mkIf xInit true;
+ defaults = mkIf (!xInit) (mapAlmostOptionDefaults (xDefaults {inherit cfg;}));
+ };
 local.denyGlobal = mkIf listenProxied (mkDefault true);
 listen' = mkIf listenProxied {
 proxied = {
@@ -181,7 +209,7 @@ let
 (mkIf (cfg.enable == "cloudflared") (
 mkOrder orderJustBefore (xCloudflared {virtualHost = config;})
 ))
- (mkIf (cfg.enabled && config.xvars.enable) (
+ (mkIf (xInit && cfg.enabled && config.xvars.enable) (
 mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
 ))
 ];
diff --git a/modules/nixos/nginx/proxy.nix b/modules/nixos/nginx/proxy.nix
index e303a426..0e40636f 100644
--- a/modules/nixos/nginx/proxy.nix
+++ b/modules/nixos/nginx/proxy.nix
@@ -374,12 +374,12 @@ let
 in {
 xvars = {
 parseReferer = mkIf (anyLocations needsReferer) true;
- defaults = mkIf (anyLocations (loc: loc.proxy.enabled)) (mkOptionDefault (mapOptionDefaults rec {
+ defaults = mkIf (anyLocations (loc: loc.proxy.enabled)) (mapOptionDefaults rec {
 proxy_scheme = null;
 proxy_host = "$proxy_host";
 proxy_port = "$proxy_port";
 proxy_hostport = "${proxy_host}:${proxy_port}";
- }));
+ });
 };
 proxy = mkIf (cfg.copyFromVhost != null) confCopy;
 };
diff --git a/modules/nixos/nginx/xvars.nix b/modules/nixos/nginx/xvars.nix
index 964efa88..2a01caac 100644
--- a/modules/nixos/nginx/xvars.nix
+++ b/modules/nixos/nginx/xvars.nix
@@ -2,12 +2,20 @@ let
 locationModule = {
 config,
 virtualHost,
+ gensokyo-zone,
 lib,
 ...
 }: let
+ inherit (gensokyo-zone.lib) mkJustBefore;
 inherit (lib.options) mkEnableOption mkOption;
- inherit (lib.attrsets) mapAttrs;
+ inherit (lib.modules) mkIf;
+ inherit (lib.attrsets) mapAttrs mapAttrsToList filterAttrs;
+ inherit (lib.strings) concatStringsSep;
 cfg = config.xvars;
+ defaultValues = filterAttrs (name: value: value != null && value != virtualHost.xvars.defaults.${name} or null) cfg.defaults;
+ defaults = concatStringsSep "\n" (mapAttrsToList (
+ name: value: "set $x_${name} ${virtualHost.xvars.lib.escapeString value};"
+ ) defaultValues);
 in {
 options.xvars = with lib.types; {
 enable = mkEnableOption "$x_variables";
@@ -34,6 +42,7 @@ let
 get = xvars.get // get;
 };
 };
+ extraConfig = mkIf (cfg.enable && defaultValues != {}) (mkJustBefore defaults);
 _module.args.xvars = config.xvars.lib;
 };
 };
@@ -45,9 +54,9 @@ let
 lib,
 ...
 }: let
- inherit (gensokyo-zone.lib) mkJustBefore;
+ inherit (gensokyo-zone.lib) mkJustBefore mapOptionDefaults;
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+ inherit (lib.modules) mkIf mkMerge;
 inherit (lib.attrsets) attrValues filterAttrs mapAttrs mapAttrsToList;
 inherit (lib.lists) any;
 inherit (lib.strings) concatStringsSep hasPrefix hasInfix;
@@ -73,15 +82,6 @@ let
 parseReferer = mkEnableOption "$x_referer_{scheme,host,path}";
 defaults = mkOption {
 type = attrsOf (nullOr str);
- default = rec {
- scheme = "$scheme";
- forwarded_for = remote_addr;
- remote_addr = "$remote_addr";
- forwarded_server = host;
- host = "$host";
- referer = "$http_referer";
- https = "$https";
- };
 };
 lib = mkOption {
 type = attrs;
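Review bot: With its `default` removed, the vhost `defaults` option (`type = attrsOf (nullOr str)`) now has neither a default nor a `description`, so a reader must find the `mkMerge` in the config section to learn where the values come from and that a `null` entry emits no `set` directive. Add `description = "Initial value for each nginx $x_<name> variable, emitted as a set directive; null emits nothing";` on the option. The location-level `defaultValues` filter in the first hunk additionally drops any value equal to `virtualHost.xvars.defaults.${name}`, relying on the server-level `set` to already apply; a one-line comment there, `# only emit set directives that differ from the vhost defaults`, would record that intent. The location module's `options.xvars` and the vhost `defaults`/`lib` option declarations continue outside these hunks.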
@@ -99,9 +99,10 @@ let
 };
 };
 config = let
+ defaultValues = filterAttrs (_: value: value != null) cfg.defaults;
 defaults = concatStringsSep "\n" (mapAttrsToList (
 name: value: "set $x_${name} ${escapeString value};"
- ) (filterAttrs (_: value: value != null) cfg.defaults));
+ ) defaultValues);
 parseReferer = ''
 set $hack_referer $http_referer;
 if ($hack_referer ~ "^(https?)://([^/]+)(/.*)$") {
@@ -116,11 +117,22 @@ let
 (mkIf (anyLocations (loc: loc.xvars.enable)) true)
 (mkIf cfg.parseReferer true)
 ];
- defaults = mkIf cfg.parseReferer (mkOptionDefault {
- referer_scheme = null;
- referer_host = null;
- referer_path = null;
- });
+ defaults = mkMerge [
+ (mapOptionDefaults rec {
+ scheme = "$scheme";
+ forwarded_for = remote_addr;
+ remote_addr = "$remote_addr";
+ forwarded_server = host;
+ host = "$host";
+ referer = "$http_referer";
+ https = "$https";
+ })
+ (mkIf cfg.parseReferer (mapOptionDefaults {
+ referer_scheme = null;
+ referer_host = null;
+ referer_path = null;
+ }))
+ ];
 lib = {
 get = mapAttrs (name: default:
 if cfg.enable
@@ -132,7 +144,7 @@ let
 };
 };
 extraConfig = mkMerge [
- (mkIf cfg.enable (mkJustBefore defaults))
+ (mkIf (cfg.enable && defaultValues != {}) (mkJustBefore defaults))
 (mkIf (cfg.enable && cfg.parseReferer) (mkJustBefore parseReferer))
 ];
 _module.args.xvars = config.xvars.lib;
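Review bot: The relocated defaults encode a trust decision that is easy to undo by accident: `forwarded_for = remote_addr` seeds `$x_forwarded_for` from `$remote_addr` alone rather than `$proxy_add_x_forwarded_for`, so a client-supplied X-Forwarded-For header is discarded unless another module (the proxied module in this patch does, via `xDefaults`) deliberately overrides the default for hosts behind a trusted proxy. That rationale should sit on the line itself, e.g. `forwarded_for = remote_addr; # not $proxy_add_x_forwarded_for: client-sent X-Forwarded-For is untrusted here; proxied.nix overrides this behind known proxies`. Without it, a later "fix" to append the incoming chain would presumably let any direct client spoof the forwarded address that upstreams see. The `config = let` block these defaults belong to starts before the hunk and continues after it.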