feat(nginx): reuseport

modules/nixos/nginx/proxied.nix

@@ -118,7 +118,7 @@ let
       local.denyGlobal = mkIf listenProxied (mkDefault true);
       listen' = mkIf listenProxied {
         proxied = {
-          addr = "[::]";
+          addr = mkAlmostOptionDefault nginx.proxied.listenAddr;
           port = mkAlmostOptionDefault nginx.proxied.listenPort;
         };
       };
@@ -130,10 +130,12 @@ let
 in {
   config,
   system,
+  gensokyo-zone,
   lib,
   ...
 }: let
-  inherit (lib.options) mkOption;
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.options) mkOption mkEnableOption;
   inherit (lib.modules) mkIf mkOptionDefault;
   inherit (lib.attrsets) attrValues;
   inherit (lib.lists) any;
@@ -142,8 +144,10 @@ in {
 in {
   options.services.nginx = with lib.types; {
     proxied = {
-      enabled = mkOption {
-        type = bool;
+      enable = mkEnableOption "proxy";
+      listenAddr = mkOption {
+        type = str;
+        default = "[::]";
       };
       listenPort = mkOption {
         type = port;
@@ -156,13 +160,11 @@ in {
   };
   config = {
     services.nginx = let
+      warnEnable = lib.warnIf (cfg.enable != hasProxiedHosts) "services.nginx.proxied.enable expected to be set";
       hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts);
     in {
-      proxied = {
-        enabled = mkOptionDefault hasProxiedHosts;
-      };
       upstreams' = {
-        nginx'proxied = mkIf cfg.enabled {
+        nginx'proxied = mkIf (warnEnable cfg.enable) {
           servers.local = {
             accessService = {
               system = system.name;
@@ -172,10 +174,23 @@ in {
           };
         };
       };
-      # TODO: virtualHosts.fallback'proxied.reuseport = true;
+      virtualHosts = {
+        fallback'proxied = mkIf cfg.enable {
+          serverName = null;
+          reuseport = mkAlmostOptionDefault true;
+          default = mkAlmostOptionDefault true;
+          listen'.proxied = {
+            addr = mkAlmostOptionDefault cfg.listenAddr;
+            port = mkAlmostOptionDefault cfg.listenPort;
+          };
+          locations."/".extraConfig = mkAlmostOptionDefault ''
+            return 502;
+          '';
+        };
+      };
     };
     networking.firewall.interfaces.lan = mkIf nginx.enable {
-      allowedTCPPorts = mkIf cfg.enabled [ cfg.listenPort ];
+      allowedTCPPorts = mkIf cfg.enable [ cfg.listenPort ];
     };
   };
 }

modules/system/exports/nginx.nix

@@ -12,7 +12,7 @@ in {
       message = "ports mismatch";
     };
     assertProxied = nixosConfig: cfg: {
-      assertion = config.ports.proxied.enable == cfg.proxied.enabled;
+      assertion = config.ports.proxied.enable == cfg.proxied.enable;
       message = "proxied mismatch";
     };
     assertProxiedPort = nixosConfig: cfg: {

nixos/access/barcodebuddy.nix

@@ -8,7 +8,10 @@
   name.shortServer = mkDefault "bbuddy";
   serverName = "@bbuddy_internal";
 in {
-  config.services.nginx.vouch.enable = true;
+  config.services.nginx = {
+    vouch.enable = true;
+    proxied.enable = true;
+  };
   config.services.nginx.virtualHosts = {
     barcodebuddy'php = mkIf barcodebuddy.enable {
       inherit serverName;

nixos/access/grocy.nix

@@ -49,6 +49,7 @@ in {
   config.services.nginx = {
     lua.http.enable = true;
     vouch.enable = true;
+    proxied.enable = true;
     virtualHosts = {
       grocy'php = mkIf grocy.enable {
         inherit serverName;

nixos/access/invidious.nix

@@ -9,9 +9,9 @@
   inherit (config.services) nginx;
   cfg = config.services.invidious;
   upstreamName = "invidious'access";
-  upstreamNginx = "invidious'access'nginx";
 in {
   config.services.nginx = {
+    proxied.enable = true;
     upstreams' = {
       ${upstreamName}.servers = {
         local = {
@@ -26,15 +26,6 @@ in {
           };
         };
       };
-      ${upstreamNginx} = {
-        enable = mkDefault nginx.virtualHosts.invidious'int.enable;
-        host = mkDefault nginx.virtualHosts.invidious'int.serverName;
-        servers.local = {
-          accessService = {
-            inherit (nginx.upstreams'.nginx'proxied.servers.local.accessService) system name id port;
-          };
-        };
-      };
     };
     virtualHosts = let
       invidiousDomains =
@@ -66,7 +57,10 @@ in {
       invidious = {
         # lua can't handle HTTP 2.0 requests, so layer it behind another proxy...
         inherit name extraConfig;
-        proxy.upstream = upstreamNginx;
+        proxy = mkIf nginx.virtualHosts.invidious'int.enable {
+          upstream = "nginx'proxied";
+          host = mkDefault nginx.virtualHosts.invidious'int.serverName;
+        };
         locations."/" = { xvars, virtualHost, ... }: {
           proxy.enable = true;
           extraConfig = ''

nixos/access/vouch.nix

@@ -8,6 +8,7 @@
   cfg = config.services.vouch-proxy;
 in {
   config.services.nginx = {
+    proxied.enable = true;
     upstreams'.vouch'access.servers.access = {
       accessService = {
         inherit (nginx.upstreams'.vouch'auth.servers.service.accessService) system name id port;

nixos/nginx.nix

@@ -37,6 +37,7 @@ in {
     virtualHosts.fallback = {
       serverName = null;
       default = mkDefault true;
+      reuseport = mkDefault true;
       locations."/".extraConfig = mkDefault ''
         return 404;
       '';

systems/hakurei/nixos.nix

@@ -213,6 +213,7 @@ in {
   };
 
   services.nginx = {
+    proxied.enable = true;
     vouch.enable = true;
     upstreams' = {
       vouch'auth.servers.local.enable = false;

systems/tei/nixos.nix

@@ -24,6 +24,7 @@
   ];
 
   services.nginx = {
+    proxied.enable = true;
     virtualHosts = {
       zigbee2mqtt.proxied.enable = "cloudflared";
       grocy.proxied.enable = "cloudflared";

systems/utsuho/nixos.nix

@@ -29,6 +29,7 @@ in {
   };
 
   services.nginx = {
+    proxied.enable = true;
     virtualHosts = {
       unifi.proxied.enable = "cloudflared";
     };