From b17af83d2a6850ea1a102c8980d350fec6e529ff Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 30 Apr 2024 14:52:23 -0700
Subject: [PATCH] feat(nginx): reuseport
---
 modules/nixos/nginx/proxied.nix | 35 +++++++++++++++++++++++---------
 modules/system/exports/nginx.nix | 2 +-
 nixos/access/barcodebuddy.nix | 5 ++++-
 nixos/access/grocy.nix | 1 +
 nixos/access/invidious.nix | 16 +++++----------
 nixos/access/vouch.nix | 1 +
 nixos/nginx.nix | 1 +
 systems/hakurei/nixos.nix | 1 +
 systems/tei/nixos.nix | 1 +
 systems/utsuho/nixos.nix | 1 +
 10 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix
index 06ccb0d4..5d0e9281 100644
--- a/modules/nixos/nginx/proxied.nix
+++ b/modules/nixos/nginx/proxied.nix
@@ -118,7 +118,7 @@ let local.denyGlobal = mkIf listenProxied (mkDefault true); listen' = mkIf listenProxied { proxied = { - addr = "[::]"; + addr = mkAlmostOptionDefault nginx.proxied.listenAddr; port = mkAlmostOptionDefault nginx.proxied.listenPort; }; };
@@ -130,10 +130,12 @@ let in { config, system, + gensokyo-zone, lib, ... }: let - inherit (lib.options) mkOption; + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; + inherit (lib.options) mkOption mkEnableOption; inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.attrsets) attrValues; inherit (lib.lists) any;
@@ -142,8 +144,10 @@ in { in { options.services.nginx = with lib.types; { proxied = { - enabled = mkOption { - type = bool; + enable = mkEnableOption "proxy"; + listenAddr = mkOption { + type = str; + default = "[::]"; }; listenPort = mkOption { type = port; 
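Review bot: `listenAddr` is declared without a `description`, and `mkEnableOption "proxy"` renders as the generic "Whether to enable proxy.", which does not say which listener it controls; since the default `[::]` binds every interface, the option text should also say what limits its exposure. Suggested: `description = "Bind address of the proxied listener; the default binds all interfaces, and the firewall only opens listenPort on the lan interface (see networking.firewall.interfaces.lan in this module)."` and `enable = mkEnableOption "the proxied nginx listener and its nginx'proxied upstream";`. The firewall rule referred to is the `networking.firewall.interfaces.lan` block changed later in this file's diff. The `options.services.nginx` attrset continues past the end of the hunk.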
@@ -156,13 +160,11 @@ in { }; config = { services.nginx = let + warnEnable = lib.warnIf (cfg.enable != hasProxiedHosts) "services.nginx.proxied.enable expected to be set"; hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts); in { - proxied = { - enabled = mkOptionDefault hasProxiedHosts; - }; upstreams' = { - nginx'proxied = mkIf cfg.enabled { + nginx'proxied = mkIf (warnEnable cfg.enable) { servers.local = { accessService = { system = system.name;
@@ -172,10 +174,23 @@ in { }; }; }; - # TODO: virtualHosts.fallback'proxied.reuseport = true; + virtualHosts = { + fallback'proxied = mkIf cfg.enable { + serverName = null; + reuseport = mkAlmostOptionDefault true; + default = mkAlmostOptionDefault true; + listen'.proxied = { + addr = mkAlmostOptionDefault cfg.listenAddr; + port = mkAlmostOptionDefault cfg.listenPort; + }; + locations."/".extraConfig = mkAlmostOptionDefault '' + return 502; + ''; + }; + }; }; networking.firewall.interfaces.lan = mkIf nginx.enable { - allowedTCPPorts = mkIf cfg.enabled [ cfg.listenPort ]; + allowedTCPPorts = mkIf cfg.enable [ cfg.listenPort ]; }; }; }
diff --git a/modules/system/exports/nginx.nix b/modules/system/exports/nginx.nix
index c6893066..e3a668b3 100644
--- a/modules/system/exports/nginx.nix
+++ b/modules/system/exports/nginx.nix
@@ -12,7 +12,7 @@ in { message = "ports mismatch"; }; assertProxied = nixosConfig: cfg: { - assertion = config.ports.proxied.enable == cfg.proxied.enabled; + assertion = config.ports.proxied.enable == cfg.proxied.enable; message = "proxied mismatch"; }; assertProxiedPort = nixosConfig: cfg: {
diff --git a/nixos/access/barcodebuddy.nix b/nixos/access/barcodebuddy.nix
index 3caa222c..36db7703 100644
--- a/nixos/access/barcodebuddy.nix
+++ b/nixos/access/barcodebuddy.nix
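Review bot: The message in `warnEnable` describes only one direction of the mismatch, while `cfg.enable != hasProxiedHosts` also fires when `proxied.enable` is true and no virtualHost is proxied, and a warning is now the only signal: a host that declares a proxied virtualHost but omits `proxied.enable = true` still builds, with the `nginx'proxied` upstream omitted and, per the firewall lines in the next hunk, `listenPort` left closed on the lan interface. Consider an `assertions` entry in the spirit of `assertProxied` in modules/system/exports/nginx.nix, or at least a message naming both states, e.g. `"services.nginx.proxied.enable = ${lib.boolToString cfg.enable} does not match the presence of proxied virtualHosts"`. As far as I can tell `lib.warnIf` is only forced when the `nginx'proxied` condition is evaluated, so the warning depends on that attribute being consulted. The `let` binding starts in this hunk but the `services.nginx` attrset continues into the next.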
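Review bot: `reuseport = mkAlmostOptionDefault true` on `fallback'proxied` deserves a comment, because as far as I know nginx accepts socket-level listen options such as `reuseport` only once per address:port pair and rejects the configuration with "duplicate listen options" when another virtualHost on the same proxied address and port also sets it; the `reuseport = mkDefault true` added to `virtualHosts.fallback` in nixos/nginx.nix carries the same caveat. Suggested comment above the line: `# reuseport may appear on only one listen per addr:port; keep it on the default server only`. It would also help to state why the catch-all proxied server answers `502` rather than the `404` the plain fallback returns, since this is the response any request with an unknown Host receives on the proxied listener. The enclosing `services.nginx` attrset starts in the previous hunk.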
@@ -8,7 +8,10 @@ name.shortServer = mkDefault "bbuddy"; serverName = "@bbuddy_internal"; in { - config.services.nginx.vouch.enable = true; + config.services.nginx = { + vouch.enable = true; + proxied.enable = true; + }; config.services.nginx.virtualHosts = { barcodebuddy'php = mkIf barcodebuddy.enable { inherit serverName;
diff --git a/nixos/access/grocy.nix b/nixos/access/grocy.nix
index fa84e334..0e3a05ef 100644
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
@@ -49,6 +49,7 @@ in { config.services.nginx = { lua.http.enable = true; vouch.enable = true; + proxied.enable = true; virtualHosts = { grocy'php = mkIf grocy.enable { inherit serverName;
diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix
index f368cc5d..14037793 100644
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@@ -9,9 +9,9 @@ inherit (config.services) nginx; cfg = config.services.invidious; upstreamName = "invidious'access"; - upstreamNginx = "invidious'access'nginx"; in { config.services.nginx = { + proxied.enable = true; upstreams' = { ${upstreamName}.servers = { local = {
@@ -26,15 +26,6 @@ in { }; }; }; - ${upstreamNginx} = { - enable = mkDefault nginx.virtualHosts.invidious'int.enable; - host = mkDefault nginx.virtualHosts.invidious'int.serverName; - servers.local = { - accessService = { - inherit (nginx.upstreams'.nginx'proxied.servers.local.accessService) system name id port; - }; - }; - }; }; virtualHosts = let invidiousDomains =
@@ -66,7 +57,10 @@ in { invidious = { # lua can't handle HTTP 2.0 requests, so layer it behind another proxy... inherit name extraConfig; - proxy.upstream = upstreamNginx; + proxy = mkIf nginx.virtualHosts.invidious'int.enable { + upstream = "nginx'proxied"; + host = mkDefault nginx.virtualHosts.invidious'int.serverName; + }; locations."/" = { xvars, virtualHost, ... }: { proxy.enable = true; extraConfig = ''
diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix
index ed929baf..0ad0a366 100644
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@@ -8,6 +8,7 @@ cfg = config.services.vouch-proxy; in { config.services.nginx = { + proxied.enable = true; upstreams'.vouch'access.servers.access = { accessService = { inherit (nginx.upstreams'.vouch'auth.servers.service.accessService) system name id port;
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index 4c14855f..f4464461 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@@ -37,6 +37,7 @@ in { virtualHosts.fallback = { serverName = null; default = mkDefault true; + reuseport = mkDefault true; locations."/".extraConfig = mkDefault '' return 404; '';
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 3b77a4c6..3bef3928 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -213,6 +213,7 @@ in { }; services.nginx = { + proxied.enable = true; vouch.enable = true; upstreams' = { vouch'auth.servers.local.enable = false;
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 0035b240..e06850d4 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -24,6 +24,7 @@ ]; services.nginx = { + proxied.enable = true; virtualHosts = { zigbee2mqtt.proxied.enable = "cloudflared"; grocy.proxied.enable = "cloudflared";
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
index f61d766e..3cdd3d42 100644
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@@ -29,6 +29,7 @@ in { }; services.nginx = { + proxied.enable = true; virtualHosts = { unifi.proxied.enable = "cloudflared"; };