feat(nginx): upstream ssl.host

arcnmx 2024-04-27 11:07:00 -07:00
parent 41b2642acf
commit b1676079ef
2 changed files with 55 additions and 59 deletions


@ -151,6 +151,10 @@ let
}; };
ssl = { ssl = {
enable = mkEnableOption "ssl upstream"; enable = mkEnableOption "ssl upstream";
host = mkOption {
type = nullOr str;
default = null;
};
}; };
defaultServerName = mkOption { defaultServerName = mkOption {
type = nullOr str; type = nullOr str;
@ -227,7 +231,10 @@ let
proxy = { proxy = {
enable = mkIf (config.proxy.upstream != null) true; enable = mkIf (config.proxy.upstream != null) true;
url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault proxyPass); url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault proxyPass);
ssl.enable = mkIf (hasUpstream && proxyUpstream.ssl.enable) (mkAlmostOptionDefault true); ssl = mkIf (hasUpstream && proxyUpstream.ssl.enable) {
enable = mkAlmostOptionDefault true;
host = mkAlmostOptionDefault proxyUpstream.ssl.host;
};
}; };
}; };
}; };
@ -265,7 +272,10 @@ let
url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault
"${proxyScheme}://${proxyHost}" "${proxyScheme}://${proxyHost}"
); );
ssl.enable = mkAlmostOptionDefault (if hasUpstream then proxyUpstream.ssl.enable else false); ssl = {
enable = mkAlmostOptionDefault (if hasUpstream then proxyUpstream.ssl.enable else false);
host = mkIf hasUpstream (mkAlmostOptionDefault proxyUpstream.ssl.host);
};
}; };
}; };
}; };
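Review bot: The new `ssl.host` option in the `@ -151,6 +151,10` hunk has no `description`, so nothing tells a module user what string is expected, what `null` means, or which nginx directive it ends up in; the consuming code is outside this diff, so that cannot be read off the page either. I would add `description = "Server name used for the TLS connection to this upstream; null leaves it unset.";` next to `default = null;`, adjusted to whatever the option actually feeds (presumably `proxy_ssl_name`/`proxy_ssl_server_name`, which also sets the name checked by `proxy_ssl_verify` — worth confirming and stating, since a wrong default silently changes what certificate is accepted). The same hedge applies to the `@ -265,7 +272,10` hunk, where `host` is defined whenever `hasUpstream` holds even if upstream `ssl.enable` is false, unlike the `@ -227,7 +231,10` hunk which gates both under the ssl condition; a one-line comment saying that asymmetry is intended would help. All three hunks sit inside a `let` whose enclosing definition starts before the first hunk.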


@ -1,18 +1,19 @@
{ {
config, config,
meta, meta,
lib, access,
gensokyo-zone, gensokyo-zone,
lib,
... ...
}: }:
let let
inherit (gensokyo-zone.lib) mkAddress6 mapOptionDefaults; inherit (gensokyo-zone.lib) mapOptionDefaults;
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
inherit (config.services) tailscale; inherit (config.services) tailscale;
inherit (config.services) nginx; inherit (config.services) nginx;
inherit (nginx) virtualHosts; inherit (nginx) virtualHosts;
access = nginx.access.freeipa; cfg = nginx.access.freeipa;
inherit (nginx.access) ldap; inherit (nginx.access) ldap;
extraConfig = '' extraConfig = ''
ssl_verify_client optional_no_ca; ssl_verify_client optional_no_ca;
@ -21,9 +22,8 @@ let
"/" = { config, xvars, ... }: { "/" = { config, xvars, ... }: {
proxy = { proxy = {
enable = true; enable = true;
url = mkDefault access.proxyPass; upstream = "freeipa";
host = mkDefault virtualHosts.freeipa.serverName; host = mkDefault config.proxy.ssl.host;
ssl.host = mkDefault config.proxy.host;
headers = { headers = {
rewriteReferer.enable = true; rewriteReferer.enable = true;
set = { set = {
@ -36,10 +36,10 @@ let
fromScheme = xvars.get.proxy_scheme; fromScheme = xvars.get.proxy_scheme;
}; };
}; };
proxyPass = mkDefault access.proxyPass;
recommendedProxySettings = false; recommendedProxySettings = false;
}; };
}; };
ldapsPort = 636;
in { in {
imports = let imports = let
inherit (meta) nixos; inherit (meta) nixos;
@ -48,9 +48,6 @@ in {
]; ];
options.services.nginx.access.freeipa = with lib.types; { options.services.nginx.access.freeipa = with lib.types; {
host = mkOption {
type = str;
};
preread = { preread = {
ldapPort = mkOption { ldapPort = mkOption {
type = port; type = port;
@ -80,38 +77,27 @@ in {
}; };
}; };
}; };
proxyPass = mkOption {
type = str;
default = let
scheme = if access.port == 443 then "https" else "http";
in "${scheme}://${mkAddress6 access.host}:${toString access.port}";
};
port = mkOption {
type = port;
default = 443;
};
ldapPort = mkOption {
type = port;
default = 636;
};
}; };
config = { config = {
services.nginx = { services.nginx = {
# TODO: ssl.preread.enable = mkDefault true; # TODO: ssl.preread.enable = mkDefault true;
access.freeipa = { upstreams'.freeipa = {config, ...}: {
host = mkOptionDefault (config.lib.access.getAddressFor (config.lib.access.systemForService "freeipa").name "lan"); ssl.host = mkDefault (access.systemFor config.servers.access.accessService.system).access.fqdn;
servers.access = {
accessService = {
name = "freeipa";
};
};
}; };
stream = let stream = let
prereadConf = { prereadConf = {
upstreams = { upstreams = {
freeipa = { freeipa = let
ssl.enable = true; inherit (nginx.upstreams') freeipa;
servers.access = let in {
system = config.lib.access.systemForService "freeipa"; ssl.host = mkDefault freeipa.ssl.host;
inherit (system.exports.services) freeipa; servers.access.accessService = {
in { inherit (freeipa.servers.access.accessService) system name id port;
addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
port = mkOptionDefault freeipa.ports.default.port;
}; };
}; };
ldaps_access = { ldaps_access = {
@ -135,7 +121,7 @@ in {
}; };
preread'ldap = { preread'ldap = {
listen = { listen = {
ldaps.port = access.ldapPort; ldaps.port = ldapsPort;
}; };
ssl.preread = { ssl.preread = {
enable = true; enable = true;
@ -148,26 +134,28 @@ in {
}; };
}; };
kerberosConf = let kerberosConf = let
system = config.lib.access.systemForService "kerberos"; system = access.systemFor nginx.stream.upstreams.krb5.servers.access.accessService.system;
inherit (system.exports.services) kerberos; inherit (system.exports.services) kerberos;
in { in {
upstreams = let upstreams = let
addr = mkDefault (config.lib.access.getAddressFor system.name "lan"); mkKrb5Upstream = port: {config, ...}: {
mkKrb5Upstream = portName: { enable = mkDefault config.servers.access.enable;
enable = mkDefault kerberos.ports.${portName}.enable;
servers.access = { servers.access = {
port = mkOptionDefault kerberos.ports.${portName}.port; accessService = {
inherit addr; name = "kerberos";
inherit port;
};
}; };
}; };
in { in {
krb5 = mkKrb5Upstream "default"; krb5 = mkKrb5Upstream "default";
kadmin = mkKrb5Upstream "kadmin"; kadmin = mkKrb5Upstream "kadmin";
kpasswd = mkKrb5Upstream "kpasswd"; kpasswd = mkKrb5Upstream "kpasswd";
kticket5 = mkKrb5Upstream "ticket4"; kticket4 = mkKrb5Upstream "ticket4";
}; };
servers = let servers = let
mkKrb5Server = tcpPort: udpPort: { name, ... }: { mkKrb5Server = tcpPort: udpPort: { name, ... }: {
enable = mkDefault nginx.stream.upstreams.${name}.enable;
listen = { listen = {
tcp = mkIf (tcpPort != null) { tcp = mkIf (tcpPort != null) {
enable = mkDefault kerberos.ports.${tcpPort}.enable; enable = mkDefault kerberos.ports.${tcpPort}.enable;
@ -192,7 +180,7 @@ in {
conf.servers = { conf.servers = {
ldap = { ldap = {
listen = { listen = {
ldaps.port = mkIf nginx.ssl.preread.enable (mkDefault access.preread.ldapPort); ldaps.port = mkIf nginx.ssl.preread.enable (mkDefault cfg.preread.ldapPort);
}; };
ssl.cert.copyFromVhost = mkDefault "freeipa"; ssl.cert.copyFromVhost = mkDefault "freeipa";
}; };
@ -200,7 +188,7 @@ in {
in mkMerge [ in mkMerge [
conf conf
(mkIf nginx.ssl.preread.enable prereadConf) (mkIf nginx.ssl.preread.enable prereadConf)
(mkIf access.kerberos.enable kerberosConf) (mkIf cfg.kerberos.enable kerberosConf)
]; ];
virtualHosts = let virtualHosts = let
name.shortServer = mkDefault "ipa"; name.shortServer = mkDefault "ipa";
@ -222,7 +210,7 @@ in {
locations."/" = mkMerge [ locations."/" = mkMerge [
locations."/" locations."/"
{ {
proxy.host = virtualHosts.freeipa'ca.serverName; proxy.ssl.host = virtualHosts.freeipa'ca.serverName;
} }
]; ];
ssl = { ssl = {
@ -258,22 +246,20 @@ in {
}; };
}; };
networking.firewall = { networking.firewall = let
inherit (nginx.stream.servers) krb5 kadmin kpasswd kticket4;
in {
allowedTCPPorts = mkMerge [ allowedTCPPorts = mkMerge [
(mkIf access.kerberos.enable [ (mkIf cfg.kerberos.enable (map (server:
access.kerberos.ports.ticket mkIf (server.enable && server.listen.tcp.enable) server.listen.tcp.port
access.kerberos.ports.kpasswd ) [ krb5 kticket4 kpasswd kadmin ]))
access.kerberos.ports.kadmin
])
(mkIf nginx.ssl.preread.enable [ (mkIf nginx.ssl.preread.enable [
access.ldapPort ldapsPort
]) ])
]; ];
allowedUDPPorts = mkIf access.kerberos.enable [ allowedUDPPorts = mkIf cfg.kerberos.enable (map (server:
access.kerberos.ports.ticket mkIf (server.enable && server.listen.udp.enable) server.listen.udp.port
access.kerberos.ports.ticket4 ) [ krb5 kticket4 kpasswd ]);
access.kerberos.ports.kpasswd
];
}; };
}; };
} }
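Review bot: In the `@ -21,9 +22,8` hunk the `"/"` location defines `host = mkDefault config.proxy.ssl.host;` and `ssl.host = mkDefault config.proxy.host;`, so each option's highest-priority definition refers to the other; both are priority 1000, which outranks the `mkAlmostOptionDefault` the upstream module contributes, so unless some definition of `proxy.host` at normal priority exists outside this diff the evaluation recurses infinitely. If such a definition does exist (the vhost's `serverName`, judging by the old `host = mkDefault virtualHosts.freeipa.serverName;`), the effect is that `ssl.host` becomes the frontend server name rather than the backend fqdn set in `upstreams'.freeipa` at `ssl.host = mkDefault (access.systemFor ...).access.fqdn`, and that backend default is never used by this location; whether that matters depends on whether `ssl.host` drives certificate-name verification, which is not visible here. I would break the apparent cycle by giving one side a lower priority, e.g. `ssl.host = mkOptionDefault config.proxy.host;`, and add a comment above the pair stating which name is meant to win and why. The `ldapsPort = 636;` let binding replaces the former `access.ldapPort` option, so the port is no longer overridable; a comment saying that is deliberate would save the next reader a search. The enclosing `"/"` location attribute set continues outside the hunk.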