diff --git a/modules/nixos/nginx/local.nix b/modules/nixos/nginx/local.nix
index e5cb871d..6e745713 100644
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@@ -3,13 +3,53 @@
 lib,
 ...
 }: let
- inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkBefore mkOptionDefault;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
 inherit (lib.strings) concatMapStringsSep optionalString;
 inherit (lib.lists) optionals;
 inherit (config.services) tailscale;
 inherit (config.networking.access) cidrForNetwork localaddrs;
- localModule = {config, ...}: {
+ mkAddrVar = remoteAddr: varPrefix: ''
+ set ${varPrefix}tailscale 0; '' + optionalString tailscale.enable ''
+ if (${remoteAddr} ~ "^fd7a:115c:a1e0:(:|ab12:)") {
+ set ${varPrefix}tailscale 1;
+ }
+ if (${remoteAddr} ~ "^100\.(6[4-9]|([7-9]|1[01])[0-9]|12[0-7])\.[0-9]+\.[0-9]+") {
+ set ${varPrefix}tailscale 1;
+ }
+ '' + ''
+ set ${varPrefix}lan 0;
+ if (${remoteAddr} ~ "^10\.1\.1\.[0-9]+") {
+ set ${varPrefix}lan 1;
+ }
+ if (${remoteAddr} ~ "^fd0a::") {
+ set ${varPrefix}lan 1;
+ }
+ if (${remoteAddr} ~ "^fe80::") {
+ set ${varPrefix}lan 1;
+ }
+ set ${varPrefix}localhost 0;
+ if (${remoteAddr} = "::1") {
+ set ${varPrefix}localhost 1;
+ }
+ if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") {
+ set ${varPrefix}localhost 1;
+ }
+ set ${varPrefix}client 0;
+ if (${varPrefix}tailscale) {
+ set ${varPrefix}client 1;
+ }
+ if (${varPrefix}lan) {
+ set ${varPrefix}client 1;
+ }
+ if (${varPrefix}localhost) {
+ set ${varPrefix}client 1;
+ }
+ '';
+ localModule = {config, ...}: let
+ cfg = config.local;
+ in {
 options.local = with lib.types; {
 enable = mkOption {
 type = bool;
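Review bot: The localhost test in mkAddrVar, `if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") {`, is the only pattern without a leading `^`, and none of the IPv4 patterns are end-anchored, so the address classes are decided by prefix or substring match rather than by the whole value; `if (${remoteAddr} ~ "^127\.0\.0\.[0-9]+$") {` (with a matching `$` on the 10.1.1.x and 100.64/10 patterns) makes the match exact. For the socket peer in `$remote_addr` this is mostly cosmetic, but the same template is instantiated later for `$x_remote_addr`, whose value may not be a canonical address, so the looser patterns widen what the `$x_local_*` classes accept. Because every test here is a CIDR test, an nginx `geo` block in http context would express them without regexes or `if`, though that would move the emission out of the per-vhost extraConfig this module controls. A short comment above mkAddrVar naming the four variables it defines (`tailscale`, `lan`, `localhost`, `client`) and stating that `client` is the union of the other three would help readers of the generated config.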
@@ -24,13 +64,19 @@
 type = bool;
 defaultText = literalExpression "config.local.denyGlobal";
 };
+ vars.enable = mkEnableOption "local vars";
 emitDenyGlobal = mkOption {
 internal = true;
 type = bool;
- default = config.local.denyGlobal;
+ default = cfg.denyGlobal;
+ };
+ emitVars = mkOption {
+ internal = true;
+ type = bool;
+ default = cfg.vars.enable;
 };
 };
- config = mkIf config.local.emitDenyGlobal {
+ config = {
 extraConfig = let
 mkAllow = cidr: "allow ${cidr};";
 allowAddresses =
@@ -42,18 +88,24 @@
 + optionalString localaddrs.enable ''
 include ${localaddrs.stateDir}/*.nginx.conf;
 '';
- in
- mkBefore ''
+ allowDirectives = ''
 ${allows}
 deny all;
 '';
+ in mkMerge [
+ (mkIf cfg.emitDenyGlobal (mkBefore allowDirectives))
+ (mkIf cfg.emitVars (mkBefore (mkAddrVar "$remote_addr" "$local_")))
+ (mkIf cfg.emitVars (mkBefore (mkAddrVar "$x_remote_addr" "$x_local_")))
+ ];
 };
 };
 locationModule = {
 config,
 virtualHost,
 ...
- }: {
+ }: let
+ cfg = config.local;
+ in {
 imports = [
 localModule
 ];
@@ -62,10 +114,13 @@
 enable = mkOptionDefault virtualHost.local.enable;
 denyGlobal = mkOptionDefault virtualHost.local.denyGlobal;
 trusted = mkOptionDefault virtualHost.local.trusted;
- emitDenyGlobal = config.local.denyGlobal && !virtualHost.local.emitDenyGlobal;
+ emitDenyGlobal = cfg.denyGlobal && !virtualHost.local.emitDenyGlobal;
+ emitVars = cfg.vars.enable && !virtualHost.local.vars.enable;
 };
 };
- hostModule = {config, ...}: {
+ hostModule = {config, ...}: let
+ cfg = config.local;
+ in {
 imports = [localModule];
 options = with lib.types; {
@@ -82,8 +137,8 @@
 config.local = {
 enable = mkOptionDefault false;
- denyGlobal = mkOptionDefault config.local.enable;
- trusted = mkOptionDefault config.local.denyGlobal;
+ denyGlobal = mkOptionDefault cfg.enable;
+ trusted = mkOptionDefault cfg.denyGlobal;
 };
 };
 in {
diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix
index 07697afa..b2ee2fc7 100644
--- a/modules/nixos/nginx/proxied.nix
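Review bot: The new `vars.enable = mkEnableOption "local vars";` renders as "Whether to enable local vars." and says nothing about what is emitted or where; since enabling it injects nginx `set`/`if` directives at the top of the vhost's or location's extraConfig, the description should name them, e.g. `vars.enable = mkEnableOption "emitting the $local_* and $x_local_* address-class variables (tailscale, lan, localhost, client) into extraConfig";`. The internal `emitVars` option mirrors `emitDenyGlobal` but, like it, carries no `description`; a one-liner on each saying that a location clears it when its parent vhost already emits the same directives would document the dedup rule that the location module appears to implement. The `config = {` line now defines extraConfig unconditionally and relies on the per-entry `mkIf` guards that follow in the next hunk, which is fine, but a comment noting that the former `mkIf cfg.emitDenyGlobal` wrapper moved inside would spare readers a diff lookup.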
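Review bot: The second instantiation, `(mkIf cfg.emitVars (mkBefore (mkAddrVar "$x_remote_addr" "$x_local_")))`, classifies a variable that nothing in this file defines; if `$x_remote_addr` is populated elsewhere from a forwarded header, then `$x_local_lan`, `$x_local_localhost` and `$x_local_client` are chosen by whoever sends that header, and any `allow`/`deny` or `if` that later keys on them is only safe where the header is overwritten by a trusted proxy (nginx's `set_real_ip_from` / `real_ip_header` with the upstream CIDRs is the usual guard). On a vhost where `$x_remote_addr` is never set, nginx should warn about an uninitialized variable on each request and the `$x_local_*` classes stay 0, which fails closed but is noisy. A comment on that line stating where `$x_remote_addr` comes from and that the `$x_local_*` classes are only as trustworthy as that source would make the trust boundary visible; the two `mkIf cfg.emitVars` entries could also be a single entry concatenating both templates. The enclosing localModule definition starts before this hunk.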
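Review bot: `emitVars = cfg.vars.enable && !virtualHost.local.vars.enable;` suppresses the location's emission based on the vhost's requested `vars.enable`, whereas the line above it, `emitDenyGlobal = cfg.denyGlobal && !virtualHost.local.emitDenyGlobal;`, keys on the vhost's effective emit flag; the parallel form is `emitVars = cfg.vars.enable && !virtualHost.local.emitVars;`, which also respects a vhost that overrides `emitVars`. The two agree today because localModule defaults `emitVars` to `vars.enable`, so this is a consistency point rather than a behaviour change. A comment such as `# a location does not repeat directives its vhost already emits at server scope` above the two emit* lines would document the rule, since `set` variables defined at server level are already visible inside the location. The `config.local` attribute set these lines belong to starts before the hunk.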
+++ b/modules/nixos/nginx/proxied.nix
@@ -90,7 +90,6 @@
 type = enum [ true false "nixpkgs" ];
 };
 };
- force = mkEnableOption "redirect to SSL";
 };
 config = let
 emitVars = cfg.enabled && !virtualHost.proxied.enabled;