refactor(idp): use nginx stream options

2026-02-09 04:19:19 -08:00 · 2024-04-15 11:24:59 -07:00 · 2024-04-15 11:24:59 -07:00 · ed3fff4c4f
commit ed3fff4c4f
parent 871b1c5b2d
2 changed files with 106 additions and 86 deletions
--- a/modules/nixos/nginx/stream.nix
+++ b/modules/nixos/nginx/stream.nix
@ -121,6 +121,9 @@
        type = lines;
        internal = true;
      };
+      ssl = {
+        preread.enable = mkEnableOption "ngx_stream_ssl_preread_module";
+      };
      proxy = {
        upstream = mkOption {
          type = nullOr str;
@ -143,7 +146,10 @@
        proxyUpstream = cfg.upstreams.${config.proxy.upstream};
      in mkMerge [
        config.extraConfig
-        (mkIf (config.proxy.upstream != null && proxyUpstream.ssl.enable) ''
+        (mkIf config.ssl.preread.enable ''
+          ssl_preread on;
+        '')
+        (mkIf (config.proxy.upstream != null && !config.ssl.preread.enable && proxyUpstream.ssl.enable) ''
          proxy_ssl on;
          proxy_ssl_verify off;
        '')
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@ -120,32 +120,91 @@ in {
        (mkIf config.systemd.network.enable [ "127.0.0.53" ])
      ]);
      defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
-      stream = {
-        upstreams = {
-          freeipa.servers.access = let
-            system = config.lib.access.systemForService "freeipa";
-            inherit (system.exports.services) freeipa;
-          in {
-            addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
-            port = mkOptionDefault freeipa.ports.default.port;
+      stream = let
+        prereadConf = {
+          upstreams = {
+            freeipa.servers.access = let
+              system = config.lib.access.systemForService "freeipa";
+              inherit (system.exports.services) freeipa;
+            in {
+              addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
+              port = mkOptionDefault freeipa.ports.default.port;
+            };
+            samba_access.servers.access = let
+              system = config.lib.access.systemForService "samba";
+              inherit (system.exports.services) samba;
+            in {
+              addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
+              port = mkOptionDefault samba.ports.default.port;
+            };
+            ldaps_access.servers.access = {
+              addr = mkDefault "localhost";
+              port = mkOptionDefault nginx.stream.servers.ldap.listen.ldaps.port;
+            };
+            nginx.servers.access = {
+              addr = mkDefault "localhost";
+              port = mkOptionDefault nginx.defaultSSLListenPort;
+            };
          };
-          samba_access.servers.access = let
-            system = config.lib.access.systemForService "samba";
-            inherit (system.exports.services) samba;
-          in {
-            addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
-            port = mkOptionDefault samba.ports.default.port;
-          };
-          ldaps_access.servers.access = {
-            addr = mkDefault "localhost";
-            port = mkOptionDefault nginx.stream.servers.ldap.listen.ldaps.port;
-          };
-          nginx.servers.access = {
-            addr = mkDefault "localhost";
-            port = mkOptionDefault nginx.defaultSSLListenPort;
+          servers = {
+            preread'https = {
+              listen = {
+                https.port = 443;
+              };
+              ssl.preread.enable = true;
+              proxy.url = "$https_upstream";
+            };
+            preread'ldap = {
+              listen = {
+                ldaps.port = 636;
+              };
+              ssl.preread.enable = true;
+              proxy.url = "$ldap_upstream";
+            };
          };
        };
-        servers = {
+        kerberosConf = let
+          system = config.lib.access.systemForService "kerberos";
+          inherit (system.exports.services) kerberos;
+        in {
+          upstreams = let
+            addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
+            mkKrb5Upstream = portName: {
+              enable = mkDefault kerberos.ports.${portName}.enable;
+              servers.access = {
+                port = mkOptionDefault kerberos.ports.${portName}.port;
+                inherit addr;
+              };
+            };
+          in {
+            krb5 = mkKrb5Upstream "default";
+            kadmin = mkKrb5Upstream "kadmin";
+            kpasswd = mkKrb5Upstream "kpasswd";
+            kticket5 = mkKrb5Upstream "ticket4";
+          };
+          servers = let
+            mkKrb5Server = tcpPort: udpPort: { name, ... }: {
+              listen = {
+                tcp = mkIf (tcpPort != null) {
+                  enable = mkDefault kerberos.ports.${tcpPort}.enable;
+                  port = mkOptionDefault kerberos.ports.${tcpPort}.port;
+                };
+                udp = mkIf (udpPort != null) {
+                  enable = mkDefault kerberos.ports.${udpPort}.enable;
+                  port = mkOptionDefault kerberos.ports.${udpPort}.port;
+                  extraParameters = [ "udp" ];
+                };
+              };
+              proxy.upstream = name;
+            };
+          in {
+            krb5 = mkKrb5Server "default" "udp";
+            kadmin = mkKrb5Server "kadmin" null;
+            kpasswd = mkKrb5Server "kpasswd" "kpasswd-udp";
+            kticket4 = mkKrb5Server null "ticket4";
+          };
+        };
+        conf.servers = {
          ldap = {
            listen = {
              ldaps.port = mkIf access.preread.enable (mkDefault access.preread.ldapPort);
@ -154,82 +213,37 @@ in {
            ssl.cert.copyFromVhost = mkDefault "freeipa";
          };
        };
-      };
+      in mkMerge [
+        conf
+        (mkIf access.preread.enable prereadConf)
+        (mkIf access.kerberos.enable kerberosConf)
+      ];
      streamConfig = let
-        upstreams = {
-          freeipa = "freeipa";
-          ldap = "ldaps_access";
-          ldap_freeipa = "ldaps";
-          samba = "samba_access";
-          nginx = "nginx";
-        };
+        inherit (nginx.stream) upstreams;
        preread = ''
          map $ssl_preread_server_name $ssl_server_name {
            hostnames;
-            ${virtualHosts.freeipa.serverName} ${upstreams.freeipa};
-            ${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa};
-            ${nginx.access.ldap.domain} ${upstreams.ldap};
-            ${nginx.access.ldap.localDomain} ${upstreams.ldap};
-            ${nginx.access.ldap.intDomain} ${upstreams.ldap};
-            ${nginx.access.ldap.tailDomain} ${upstreams.ldap};
-            default ${upstreams.nginx};
+            ${virtualHosts.freeipa.serverName} ${upstreams.freeipa.name};
+            ${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa.name};
+            ${nginx.access.ldap.domain} ${upstreams.ldaps_access.name};
+            ${nginx.access.ldap.localDomain} ${upstreams.ldaps_access.name};
+            ${nginx.access.ldap.intDomain} ${upstreams.ldaps_access.name};
+            ${nginx.access.ldap.tailDomain} ${upstreams.ldaps_access.name};
+            default ${upstreams.nginx.name};
          }
          map $ssl_preread_alpn_protocols $https_upstream {
-            ~\bsmb\b ${upstreams.samba};
+            ~\bsmb\b ${upstreams.samba_access.name};
            # XXX: if only there were an ldap protocol id...
            default $ssl_server_name;
          }

-          server {
-            listen 0.0.0.0:443;
-            listen [::]:443;
-            ssl_preread on;
-            proxy_pass $https_upstream;
-          }
-
          map $ssl_preread_server_name $ldap_upstream {
            hostnames;
-            ${virtualHosts.freeipa.serverName} ${upstreams.ldap_freeipa};
-            default ${upstreams.ldap};
-          }
-
-          server {
-            listen 0.0.0.0:636;
-            listen [::]:636;
-            ssl_preread on;
-            proxy_pass $ldap_upstream;
+            ${virtualHosts.freeipa.serverName} ${upstreams.ldaps.name};
+            default ${upstreams.ldaps_access.name};
          }
        '';
-        kerberos = ''
-          server {
-            listen 0.0.0.0:${toString access.kerberos.ports.ticket};
-            listen [::]:${toString access.kerberos.ports.ticket};
-            listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
-            listen [::]:${toString access.kerberos.ports.ticket} udp;
-            proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
-          }
-          server {
-            listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
-            listen [::]:${toString access.kerberos.ports.ticket4} udp;
-            proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
-          }
-          server {
-            listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
-            listen [::]:${toString access.kerberos.ports.kpasswd};
-            listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
-            listen [::]:${toString access.kerberos.ports.kpasswd} udp;
-            proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
-          }
-          server {
-            listen 0.0.0.0:${toString access.kerberos.ports.kadmin};
-            listen [::]:${toString access.kerberos.ports.kadmin};
-            proxy_pass ${access.host}:${toString access.kerberos.ports.kadmin};
-          }
-        '';
-      in mkMerge [
-        (mkIf access.preread.enable preread)
-        (mkIf access.kerberos.enable kerberos)
-      ];
+      in mkIf access.preread.enable preread;
      virtualHosts = let
        name.shortServer = mkDefault "freeipa";
      in {