diff --git a/modules/nixos/nginx/proxy.nix b/modules/nixos/nginx/proxy.nix
index a6e8055e..c4741ed6 100644
--- a/modules/nixos/nginx/proxy.nix
+++ b/modules/nixos/nginx/proxy.nix
@@ -51,6 +51,7 @@ let
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkBefore mkOptionDefault;
 inherit (lib.attrsets) filterAttrs mapAttrsToList;
+ inherit (lib.lists) optional;
 inherit (lib.strings) hasPrefix removeSuffix optionalString concatStringsSep;
 inherit (lib.trivial) mapNullable;
 inherit (nixosConfig.services) nginx;
@@ -125,7 +126,8 @@ let
 upstream = nginx.upstreams'.${cfg.upstream};
 upstreamServer = upstream.servers.${upstream.defaultServerName};
 dynamicUpstream = hasPrefix "$" cfg.upstream;
- hasUpstream = cfg.upstream != null && !dynamicUpstream && upstream.defaultServerName != null;
+ hasUpstream = cfg.upstream != null && !dynamicUpstream;
+ hasUpstreamServer = upstream.defaultServerName != null;
 recommendedHeaders = {
 Host = if cfg.host == null then xvars.get.proxy_hostport else cfg.host;
 Referer = xvars.get.referer;
@@ -139,6 +141,7 @@ let
 http = 80;
 https = 443;
 }.${cfg.parsed.scheme} or (throw "unsupported proxy_scheme ${toString cfg.parsed.scheme}");
+ upstreamHost = coalesce ([ upstream.host ] ++ optional hasUpstreamServer upstreamServer.addr);
 port = coalesce [ cfg.parsed.port schemePort ];
 hostport = cfg.parsed.host + optionalString (port != schemePort) ":${toString port}";
 initProxyVars = let
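Review bot: `hasUpstreamServer = upstream.defaultServerName != null;` in the second hunk is no longer guarded by `hasUpstream`, so forcing it when `cfg.upstream` is null or dynamic (`$...`) would evaluate `nginx.upstreams'.${cfg.upstream}` and fail; it only works today because every visible use sits behind `hasUpstream` (the `&&` chain in the `port` default and the `if hasUpstream` around `upstreamHost`). Making the dependency explicit removes that ordering requirement for future callers: `hasUpstreamServer = hasUpstream && upstream.defaultServerName != null;`. The enclosing `let` starts before this hunk.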
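Review bot: `upstreamHost = coalesce ([ upstream.host ] ++ optional hasUpstreamServer upstreamServer.addr);` in the third hunk silently changes precedence for every proxy location — an explicitly configured `upstream.host` now wins over the default server's `addr`, which previously was the only source — and nothing says so at the definition. When `upstream.host` is null and there is no default server the list is `[ null ]`, and what `coalesce` (defined outside this hunk) does with that is not visible here. Suggest `# an explicit upstream.host overrides the default server's addr; may coalesce to null for server-less upstreams` above the line, and confirm the `[ null ]` case yields null rather than an evaluation error.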
@@ -239,11 +242,11 @@ let
 mapNullable (_: url.path) config.proxyPass
 );
 host = mkOptionDefault (
- if hasUpstream then assert url.host == upstream.name; upstreamServer.addr
+ if hasUpstream then assert url.host == upstream.name; upstreamHost
 else mapNullable (_: url.host) config.proxyPass
 );
 port = mkOptionDefault (
- if hasUpstream && url.port == null then assert url.host == upstream.name; upstreamServer.port
+ if hasUpstream && hasUpstreamServer && url.port == null then assert url.host == upstream.name; upstreamServer.port
 else mapNullable (_: url.port) config.proxyPass
 );
 };
diff --git a/modules/nixos/nginx/upstream.nix b/modules/nixos/nginx/upstream.nix
index 38f6d6fc..72d5926d 100644
--- a/modules/nixos/nginx/upstream.nix
+++ b/modules/nixos/nginx/upstream.nix
@@ -149,6 +149,10 @@ let
 servers = mkOption {
 type = attrsOf upstreamServer;
 };
+ host = mkOption {
+ type = nullOr str;
+ default = null;
+ };
 ssl = {
 enable = mkEnableOption "ssl upstream";
 host = mkOption {
@@ -276,6 +280,7 @@ let
 enable = mkAlmostOptionDefault (if hasUpstream then proxyUpstream.ssl.enable else false);
 host = mkIf hasUpstream (mkAlmostOptionDefault proxyUpstream.ssl.host);
 };
+ host = mkIf (hasUpstream && proxyUpstream.host != null) (mkAlmostOptionDefault proxyUpstream.host);
 };
 };
 };
diff --git a/modules/nixos/nginx/vouch.nix b/modules/nixos/nginx/vouch.nix
index 7da00d14..866658c4 100644
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@@ -261,7 +261,7 @@ in {
 then "localhost"
 else listen;
 in {
- # TODO: serviceAccess.exportedId = "login";
+ # TODO: accessService.exportedId = "login";
 enable = mkAlmostOptionDefault vouch-proxy.enable;
 port = mkIf vouch-proxy.enable (mkOptionDefault port);
 addr = mkIf vouch-proxy.enable (mkAlmostOptionDefault host);
diff --git a/nixos/access/freeipa.nix b/nixos/access/freeipa.nix
index 22da8d88..3c027a65 100644
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
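Review bot: The new `host` option in upstream.nix (`host = mkOption { type = nullOr str; default = null; };`) carries no `description`, yet through proxy.nix in this same commit it becomes the default `proxy.host` of every location targeting the upstream and, via `recommendedHeaders.Host`, appears to end up as the `Host` header sent upstream. Add something like `description = "Host name presented to this upstream; becomes the default proxy.host of locations that use it and takes precedence over the default server's addr.";` so readers do not mistake it for an address. Since the value is presumably spliced verbatim into generated nginx directives, a narrower type than `str` (one that rejects whitespace and `;`) would be a cheap defensive check, though the value is operator-supplied rather than untrusted input.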
@@ -23,7 +23,6 @@ let
 proxy = {
 enable = true;
 upstream = "freeipa";
- host = mkDefault config.proxy.ssl.host;
 headers = {
 rewriteReferer.enable = true;
 set = {
@@ -83,6 +82,7 @@ in {
 # TODO: ssl.preread.enable = mkDefault true;
 upstreams'.freeipa = {config, ...}: {
 ssl.host = mkDefault (access.systemFor config.servers.access.accessService.system).access.fqdn;
+ host = mkDefault config.ssl.host;
 servers.access = {
 accessService = {
 name = "freeipa";
@@ -209,9 +209,10 @@ in {
 name.shortServer = mkDefault "idp-ca";
 locations."/" = mkMerge [
 locations."/"
- {
- proxy.ssl.host = virtualHosts.freeipa'ca.serverName;
- }
+ ({config, virtualHost, ...}: {
+ proxy.ssl.host = virtualHost.serverName;
+ proxy.host = config.proxy.ssl.host;
+ })
 ];
 ssl = {
 force = mkDefault virtualHosts.freeipa.ssl.force;
diff --git a/nixos/access/invidious.nix b/nixos/access/invidious.nix
index 53f88dec..d9e8a2e9 100644
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
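Review bot: `proxy.host = config.proxy.ssl.host;` in the `freeipa'ca` location is set at normal priority, whereas the `host = mkDefault config.proxy.ssl.host;` it effectively replaces (removed in the first hunk of this file, in what appears to be the shared `proxy` attrset merged into `locations."/"`) was a default; a later per-host `proxy.host` written with `mkDefault` now silently loses, and one at normal priority becomes a definition conflict. Unless the CA vhost must never be overridden, `proxy.host = mkDefault config.proxy.ssl.host;` keeps the previous behaviour. A one-line comment on why this vhost presents its own `serverName` as both TLS name and `Host`, rather than the upstream-level `host` (the IPA fqdn set in the second hunk), would also help, since that reason is not visible here; the enclosing vhost definition continues past the hunk.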
@@ -5,28 +5,39 @@ }: let inherit (lib.modules) mkIf mkMerge mkBefore mkDefault; inherit (lib.strings) replaceStrings concatStringsSep concatMapStringsSep escapeRegex; - inherit (config.services.nginx) virtualHosts; + inherit (config.services) nginx; cfg = config.services.invidious; upstreamName = "invidious'access"; + upstreamNginx = "invidious'access'nginx"; in { config.services.nginx = { - upstreams'.${upstreamName}.servers = { - local = { - enable = mkDefault cfg.enable; - addr = mkDefault "localhost"; - port = mkIf cfg.enable (mkDefault cfg.port); + upstreams' = { + ${upstreamName}.servers = { + local = { + enable = mkDefault cfg.enable; + addr = mkDefault "localhost"; + port = mkIf cfg.enable (mkDefault cfg.port); + }; + service = { upstream, ... }: { + enable = mkIf upstream.servers.local.enable (mkDefault false); + accessService = { + name = "invidious"; + }; + }; }; - service = { upstream, ... }: { - enable = mkIf upstream.servers.local.enable (mkDefault false); - accessService = { - name = "invidious"; + ${upstreamNginx} = { + enable = mkDefault nginx.virtualHosts.invidious'int.enable; + host = mkDefault nginx.virtualHosts.invidious'int.serverName; + servers.local = { + addr = mkDefault "localhost"; + port = nginx.defaultHTTPListenPort; }; }; }; virtualHosts = let invidiousDomains = - virtualHosts.invidious.allServerNames - ++ virtualHosts.invidious'local.allServerNames; + nginx.virtualHosts.invidious.allServerNames + ++ nginx.virtualHosts.invidious'local.allServerNames; contentSecurityPolicy' = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none'"; contentSecurityPolicy = replaceStrings ["'self'"] ["'self' ${concatStringsSep " " invidiousDomains}"] contentSecurityPolicy'; extraConfig = mkBefore '' 
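Review bot: In the new `${upstreamNginx}` upstream, `port = nginx.defaultHTTPListenPort;` is the only attribute set at normal priority while `enable`, `host` and `servers.local.addr` all use `mkDefault`; for consistency and so a host can redirect the loopback hop, `port = mkDefault nginx.defaultHTTPListenPort;`. This hop is plain HTTP to `localhost` on that port with `Host` fixed to `invidious'int`'s `serverName`, so the public vhost's TLS now ends one nginx earlier; whether that listener is bound to loopback only and whether `invidious'int` trusts forwarded scheme/client headers only from 127.0.0.1 is not visible here, so a comment such as `# loopback-only HTTP/1.1 hop to the invidious'int vhost; TLS terminates on the public vhost` on the upstream would record the assumption. One closing `};` between the `service` block and `${upstreamNginx}` also appears to be missing from the hunk as rendered, so the brace structure could not be fully checked.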
@@ -44,26 +55,23 @@ in {
 };
 headers.set.content-security-policy = contentSecurityPolicy;
 extraConfig = ''
- proxy_cookie_domain ${virtualHosts.invidious.serverName} ${xvars.get.host};
+ proxy_cookie_domain ${nginx.virtualHosts.invidious.serverName} ${xvars.get.host};
 '';
 };
 name.shortServer = mkDefault "yt";
- localDomains = virtualHosts.invidious'local.allServerNames;
+ localDomains = nginx.virtualHosts.invidious'local.allServerNames;
 in {
 invidious = {
 # lua can't handle HTTP 2.0 requests, so layer it behind another proxy...
 inherit name extraConfig;
- proxy = {
- url = mkDefault "http://localhost:${toString config.services.nginx.defaultHTTPListenPort}";
- host = mkDefault virtualHosts.invidious'int.serverName;
- };
- locations."/" = { xvars, ... }: {
+ proxy.upstream = upstreamNginx;
+ locations."/" = { xvars, virtualHost, ... }: {
 proxy.enable = true;
 extraConfig = ''
 proxy_http_version 1.1;
 set $invidious_req_check ${xvars.get.scheme}:$request_uri;
 if ($invidious_req_check = "http:/") {
- return ${toString virtualHosts.invidious.redirectCode} https://${xvars.get.host}$request_uri;
+ return ${toString virtualHost.redirectCode} https://${xvars.get.host}$request_uri;
 }
 '';
 };
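Review bot: `proxy.upstream = upstreamNginx;` replaces a `proxy.url` and `proxy.host` that were both `mkDefault`, so the public vhost's upstream is now pinned at normal priority and can only be changed with `mkForce`; if that is not intended, `proxy.upstream = mkDefault upstreamNginx;` preserves the old override behaviour (`mkDefault` is already inherited at the top of the file). The `http:/` redirect check below is unchanged by this commit, but with a second nginx hop in the path it is worth a comment stating that `xvars.get.scheme` here is the external client scheme, since its definition lives outside this file and a wrong value would either loop or skip the https redirect.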