chore(nginx): local vars

This commit is contained in:
arcnmx 2024-03-21 14:31:09 -07:00
parent 5aac27ca51
commit b7d63fc296
2 changed files with 67 additions and 13 deletions


@ -3,13 +3,53 @@
lib,
...
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkBefore mkOptionDefault;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
inherit (lib.strings) concatMapStringsSep optionalString;
inherit (lib.lists) optionals;
inherit (config.services) tailscale;
inherit (config.networking.access) cidrForNetwork localaddrs;
localModule = {config, ...}: {
mkAddrVar = remoteAddr: varPrefix: ''
set ${varPrefix}tailscale 0;
'' + optionalString tailscale.enable ''
if (${remoteAddr} ~ "^fd7a:115c:a1e0:(:|ab12:)") {
set ${varPrefix}tailscale 1;
}
if (${remoteAddr} ~ "^100\.(6[4-9]|([7-9]|1[01])[0-9]|12[0-7])\.[0-9]+\.[0-9]+") {
set ${varPrefix}tailscale 1;
}
'' + ''
set ${varPrefix}lan 0;
if (${remoteAddr} ~ "^10\.1\.1\.[0-9]+") {
set ${varPrefix}lan 1;
}
if (${remoteAddr} ~ "^fd0a::") {
set ${varPrefix}lan 1;
}
if (${remoteAddr} ~ "^fe80::") {
set ${varPrefix}lan 1;
}
set ${varPrefix}localhost 0;
if (${remoteAddr} = "::1") {
set ${varPrefix}localhost 1;
}
if (${remoteAddr} ~ "127\.0\.0\.[0-9]+") {
set ${varPrefix}localhost 1;
}
set ${varPrefix}client 0;
if (${varPrefix}tailscale) {
set ${varPrefix}client 1;
}
if (${varPrefix}lan) {
set ${varPrefix}client 1;
}
if (${varPrefix}localhost) {
set ${varPrefix}client 1;
}
'';
localModule = {config, ...}: let
cfg = config.local;
in {
options.local = with lib.types; {
enable = mkOption {
type = bool;
@ -24,13 +64,19 @@
type = bool;
defaultText = literalExpression "config.local.denyGlobal";
};
vars.enable = mkEnableOption "local vars";
emitDenyGlobal = mkOption {
internal = true;
type = bool;
default = config.local.denyGlobal;
default = cfg.denyGlobal;
};
emitVars = mkOption {
internal = true;
type = bool;
default = cfg.vars.enable;
};
};
config = mkIf config.local.emitDenyGlobal {
config = {
extraConfig = let
mkAllow = cidr: "allow ${cidr};";
allowAddresses =
@ -42,18 +88,24 @@
+ optionalString localaddrs.enable ''
include ${localaddrs.stateDir}/*.nginx.conf;
'';
in
mkBefore ''
allowDirectives = ''
${allows}
deny all;
'';
in mkMerge [
(mkIf cfg.emitDenyGlobal (mkBefore allowDirectives))
(mkIf cfg.emitVars (mkBefore (mkAddrVar "$remote_addr" "$local_")))
(mkIf cfg.emitVars (mkBefore (mkAddrVar "$x_remote_addr" "$x_local_")))
];
};
};
locationModule = {
config,
virtualHost,
...
}: {
}: let
cfg = config.local;
in {
imports = [
localModule
];
@ -62,10 +114,13 @@
enable = mkOptionDefault virtualHost.local.enable;
denyGlobal = mkOptionDefault virtualHost.local.denyGlobal;
trusted = mkOptionDefault virtualHost.local.trusted;
emitDenyGlobal = config.local.denyGlobal && !virtualHost.local.emitDenyGlobal;
emitDenyGlobal = cfg.denyGlobal && !virtualHost.local.emitDenyGlobal;
emitVars = cfg.vars.enable && !virtualHost.local.vars.enable;
};
};
hostModule = {config, ...}: {
hostModule = {config, ...}: let
cfg = config.local;
in {
imports = [localModule];
options = with lib.types; {
@ -82,8 +137,8 @@
config.local = {
enable = mkOptionDefault false;
denyGlobal = mkOptionDefault config.local.enable;
trusted = mkOptionDefault config.local.denyGlobal;
denyGlobal = mkOptionDefault cfg.enable;
trusted = mkOptionDefault cfg.denyGlobal;
};
};
in {
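Review bot: In the first hunk (`@ -3,13 +3,53 @@`) the loopback test `if (${remoteAddr} ~ "127\.0\.0\.[0-9]+")` is the only pattern in mkAddrVar without a leading `^`, so it is a substring match rather than a prefix match like the tailscale, lan and other localhost checks; it should read `if (${remoteAddr} ~ "^127\.0\.0\.[0-9]+") {`. This matters because the same snippet is emitted a second time for `$x_remote_addr` (hunk `@ -42,18 +88,24 @@`), whose definition is outside this diff; if that variable is derived from a client-supplied header, an unanchored match lets a value that merely contains `127.0.0.x` set `$x_local_localhost` and `$x_local_client` to 1. A short header comment on mkAddrVar would also help, e.g. `# Emit nginx set/if directives that classify remoteAddr into <varPrefix>{tailscale,lan,localhost,client} flags ("0"/"1"); the caller is responsible for the trustworthiness of remoteAddr.` The `$x_remote_addr` source and how the two mkBefore fragments order relative to each other are not visible here and would be worth confirming.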


@ -90,7 +90,6 @@
type = enum [ true false "nixpkgs" ];
};
};
force = mkEnableOption "redirect to SSL";
};
config = let
emitVars = cfg.enabled && !virtualHost.proxied.enabled;