refactor(idp): use nginx stream options
This commit is contained in:
parent
871b1c5b2d
commit
ed3fff4c4f
2 changed files with 106 additions and 86 deletions
|
|
@ -121,6 +121,9 @@
|
||||||
type = lines;
|
type = lines;
|
||||||
internal = true;
|
internal = true;
|
||||||
};
|
};
|
||||||
|
ssl = {
|
||||||
|
preread.enable = mkEnableOption "ngx_stream_ssl_preread_module";
|
||||||
|
};
|
||||||
proxy = {
|
proxy = {
|
||||||
upstream = mkOption {
|
upstream = mkOption {
|
||||||
type = nullOr str;
|
type = nullOr str;
|
||||||
|
|
@ -143,7 +146,10 @@
|
||||||
proxyUpstream = cfg.upstreams.${config.proxy.upstream};
|
proxyUpstream = cfg.upstreams.${config.proxy.upstream};
|
||||||
in mkMerge [
|
in mkMerge [
|
||||||
config.extraConfig
|
config.extraConfig
|
||||||
(mkIf (config.proxy.upstream != null && proxyUpstream.ssl.enable) ''
|
(mkIf config.ssl.preread.enable ''
|
||||||
|
ssl_preread on;
|
||||||
|
'')
|
||||||
|
(mkIf (config.proxy.upstream != null && !config.ssl.preread.enable && proxyUpstream.ssl.enable) ''
|
||||||
proxy_ssl on;
|
proxy_ssl on;
|
||||||
proxy_ssl_verify off;
|
proxy_ssl_verify off;
|
||||||
'')
|
'')
|
||||||
|
|
|
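Review bot: The new condition `(mkIf (config.proxy.upstream != null && !config.ssl.preread.enable && proxyUpstream.ssl.enable) ''` encodes that SSL preread and upstream re-encryption are mutually exclusive, but nothing in the hunk says why; a comment such as `# ssl_preread needs the client's TLS stream left unterminated, so a preread server passes it through as-is and must not add proxy_ssl on top` would keep a later edit from "fixing" the exclusion. The same applies to the option in the first hunk, where `mkEnableOption "ngx_stream_ssl_preread_module"` yields only a module name as description; a sentence noting that upstream selection then rests on the unauthenticated SNI/ALPN values taken from the client's ClientHello would be worth adding there. The re-encrypt branch still carries `proxy_ssl_verify off;`, so that hop is encrypted but not authenticated; this predates the commit, but documenting it next to the new option avoids the impression that the preread/proxy_ssl split changes it. The `let ... in mkMerge [` expression this hunk edits starts before the hunk.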
||||||
|
|
@ -120,32 +120,91 @@ in {
|
||||||
(mkIf config.systemd.network.enable [ "127.0.0.53" ])
|
(mkIf config.systemd.network.enable [ "127.0.0.53" ])
|
||||||
]);
|
]);
|
||||||
defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
|
defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
|
||||||
stream = {
|
stream = let
|
||||||
upstreams = {
|
prereadConf = {
|
||||||
freeipa.servers.access = let
|
upstreams = {
|
||||||
system = config.lib.access.systemForService "freeipa";
|
freeipa.servers.access = let
|
||||||
inherit (system.exports.services) freeipa;
|
system = config.lib.access.systemForService "freeipa";
|
||||||
in {
|
inherit (system.exports.services) freeipa;
|
||||||
addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
|
in {
|
||||||
port = mkOptionDefault freeipa.ports.default.port;
|
addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
|
||||||
|
port = mkOptionDefault freeipa.ports.default.port;
|
||||||
|
};
|
||||||
|
samba_access.servers.access = let
|
||||||
|
system = config.lib.access.systemForService "samba";
|
||||||
|
inherit (system.exports.services) samba;
|
||||||
|
in {
|
||||||
|
addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
|
||||||
|
port = mkOptionDefault samba.ports.default.port;
|
||||||
|
};
|
||||||
|
ldaps_access.servers.access = {
|
||||||
|
addr = mkDefault "localhost";
|
||||||
|
port = mkOptionDefault nginx.stream.servers.ldap.listen.ldaps.port;
|
||||||
|
};
|
||||||
|
nginx.servers.access = {
|
||||||
|
addr = mkDefault "localhost";
|
||||||
|
port = mkOptionDefault nginx.defaultSSLListenPort;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
samba_access.servers.access = let
|
servers = {
|
||||||
system = config.lib.access.systemForService "samba";
|
preread'https = {
|
||||||
inherit (system.exports.services) samba;
|
listen = {
|
||||||
in {
|
https.port = 443;
|
||||||
addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
|
};
|
||||||
port = mkOptionDefault samba.ports.default.port;
|
ssl.preread.enable = true;
|
||||||
};
|
proxy.url = "$https_upstream";
|
||||||
ldaps_access.servers.access = {
|
};
|
||||||
addr = mkDefault "localhost";
|
preread'ldap = {
|
||||||
port = mkOptionDefault nginx.stream.servers.ldap.listen.ldaps.port;
|
listen = {
|
||||||
};
|
ldaps.port = 636;
|
||||||
nginx.servers.access = {
|
};
|
||||||
addr = mkDefault "localhost";
|
ssl.preread.enable = true;
|
||||||
port = mkOptionDefault nginx.defaultSSLListenPort;
|
proxy.url = "$ldap_upstream";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
servers = {
|
kerberosConf = let
|
||||||
|
system = config.lib.access.systemForService "kerberos";
|
||||||
|
inherit (system.exports.services) kerberos;
|
||||||
|
in {
|
||||||
|
upstreams = let
|
||||||
|
addr = mkDefault (config.lib.access.getAddressFor system.name "lan");
|
||||||
|
mkKrb5Upstream = portName: {
|
||||||
|
enable = mkDefault kerberos.ports.${portName}.enable;
|
||||||
|
servers.access = {
|
||||||
|
port = mkOptionDefault kerberos.ports.${portName}.port;
|
||||||
|
inherit addr;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
krb5 = mkKrb5Upstream "default";
|
||||||
|
kadmin = mkKrb5Upstream "kadmin";
|
||||||
|
kpasswd = mkKrb5Upstream "kpasswd";
|
||||||
|
kticket5 = mkKrb5Upstream "ticket4";
|
||||||
|
};
|
||||||
|
servers = let
|
||||||
|
mkKrb5Server = tcpPort: udpPort: { name, ... }: {
|
||||||
|
listen = {
|
||||||
|
tcp = mkIf (tcpPort != null) {
|
||||||
|
enable = mkDefault kerberos.ports.${tcpPort}.enable;
|
||||||
|
port = mkOptionDefault kerberos.ports.${tcpPort}.port;
|
||||||
|
};
|
||||||
|
udp = mkIf (udpPort != null) {
|
||||||
|
enable = mkDefault kerberos.ports.${udpPort}.enable;
|
||||||
|
port = mkOptionDefault kerberos.ports.${udpPort}.port;
|
||||||
|
extraParameters = [ "udp" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
proxy.upstream = name;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
krb5 = mkKrb5Server "default" "udp";
|
||||||
|
kadmin = mkKrb5Server "kadmin" null;
|
||||||
|
kpasswd = mkKrb5Server "kpasswd" "kpasswd-udp";
|
||||||
|
kticket4 = mkKrb5Server null "ticket4";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
conf.servers = {
|
||||||
ldap = {
|
ldap = {
|
||||||
listen = {
|
listen = {
|
||||||
ldaps.port = mkIf access.preread.enable (mkDefault access.preread.ldapPort);
|
ldaps.port = mkIf access.preread.enable (mkDefault access.preread.ldapPort);
|
||||||
|
|
@ -154,82 +213,37 @@ in {
|
||||||
ssl.cert.copyFromVhost = mkDefault "freeipa";
|
ssl.cert.copyFromVhost = mkDefault "freeipa";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
in mkMerge [
|
||||||
|
conf
|
||||||
|
(mkIf access.preread.enable prereadConf)
|
||||||
|
(mkIf access.kerberos.enable kerberosConf)
|
||||||
|
];
|
||||||
streamConfig = let
|
streamConfig = let
|
||||||
upstreams = {
|
inherit (nginx.stream) upstreams;
|
||||||
freeipa = "freeipa";
|
|
||||||
ldap = "ldaps_access";
|
|
||||||
ldap_freeipa = "ldaps";
|
|
||||||
samba = "samba_access";
|
|
||||||
nginx = "nginx";
|
|
||||||
};
|
|
||||||
preread = ''
|
preread = ''
|
||||||
map $ssl_preread_server_name $ssl_server_name {
|
map $ssl_preread_server_name $ssl_server_name {
|
||||||
hostnames;
|
hostnames;
|
||||||
${virtualHosts.freeipa.serverName} ${upstreams.freeipa};
|
${virtualHosts.freeipa.serverName} ${upstreams.freeipa.name};
|
||||||
${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa};
|
${virtualHosts.freeipa'ca.serverName} ${upstreams.freeipa.name};
|
||||||
${nginx.access.ldap.domain} ${upstreams.ldap};
|
${nginx.access.ldap.domain} ${upstreams.ldaps_access.name};
|
||||||
${nginx.access.ldap.localDomain} ${upstreams.ldap};
|
${nginx.access.ldap.localDomain} ${upstreams.ldaps_access.name};
|
||||||
${nginx.access.ldap.intDomain} ${upstreams.ldap};
|
${nginx.access.ldap.intDomain} ${upstreams.ldaps_access.name};
|
||||||
${nginx.access.ldap.tailDomain} ${upstreams.ldap};
|
${nginx.access.ldap.tailDomain} ${upstreams.ldaps_access.name};
|
||||||
default ${upstreams.nginx};
|
default ${upstreams.nginx.name};
|
||||||
}
|
}
|
||||||
map $ssl_preread_alpn_protocols $https_upstream {
|
map $ssl_preread_alpn_protocols $https_upstream {
|
||||||
~\bsmb\b ${upstreams.samba};
|
~\bsmb\b ${upstreams.samba_access.name};
|
||||||
# XXX: if only there were an ldap protocol id...
|
# XXX: if only there were an ldap protocol id...
|
||||||
default $ssl_server_name;
|
default $ssl_server_name;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:443;
|
|
||||||
listen [::]:443;
|
|
||||||
ssl_preread on;
|
|
||||||
proxy_pass $https_upstream;
|
|
||||||
}
|
|
||||||
|
|
||||||
map $ssl_preread_server_name $ldap_upstream {
|
map $ssl_preread_server_name $ldap_upstream {
|
||||||
hostnames;
|
hostnames;
|
||||||
${virtualHosts.freeipa.serverName} ${upstreams.ldap_freeipa};
|
${virtualHosts.freeipa.serverName} ${upstreams.ldaps.name};
|
||||||
default ${upstreams.ldap};
|
default ${upstreams.ldaps_access.name};
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:636;
|
|
||||||
listen [::]:636;
|
|
||||||
ssl_preread on;
|
|
||||||
proxy_pass $ldap_upstream;
|
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
kerberos = ''
|
in mkIf access.preread.enable preread;
|
||||||
server {
|
|
||||||
listen 0.0.0.0:${toString access.kerberos.ports.ticket};
|
|
||||||
listen [::]:${toString access.kerberos.ports.ticket};
|
|
||||||
listen 0.0.0.0:${toString access.kerberos.ports.ticket} udp;
|
|
||||||
listen [::]:${toString access.kerberos.ports.ticket} udp;
|
|
||||||
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket};
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:${toString access.kerberos.ports.ticket4} udp;
|
|
||||||
listen [::]:${toString access.kerberos.ports.ticket4} udp;
|
|
||||||
proxy_pass ${access.host}:${toString access.kerberos.ports.ticket4};
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd};
|
|
||||||
listen [::]:${toString access.kerberos.ports.kpasswd};
|
|
||||||
listen 0.0.0.0:${toString access.kerberos.ports.kpasswd} udp;
|
|
||||||
listen [::]:${toString access.kerberos.ports.kpasswd} udp;
|
|
||||||
proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 0.0.0.0:${toString access.kerberos.ports.kadmin};
|
|
||||||
listen [::]:${toString access.kerberos.ports.kadmin};
|
|
||||||
proxy_pass ${access.host}:${toString access.kerberos.ports.kadmin};
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
in mkMerge [
|
|
||||||
(mkIf access.preread.enable preread)
|
|
||||||
(mkIf access.kerberos.enable kerberos)
|
|
||||||
];
|
|
||||||
virtualHosts = let
|
virtualHosts = let
|
||||||
name.shortServer = mkDefault "freeipa";
|
name.shortServer = mkDefault "freeipa";
|
||||||
in {
|
in {
|
||||||
|
|
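Review bot: The Kerberos upstream and server names do not line up in the first hunk of this file: `kticket5 = mkKrb5Upstream "ticket4";` defines an upstream called kticket5, while `kticket4 = mkKrb5Server null "ticket4";` produces a server whose `proxy.upstream = name;` resolves to "kticket4". The stream module in the other file of this commit looks the server's upstream up as `cfg.upstreams.${config.proxy.upstream}`, so with `access.kerberos.enable` set I would expect evaluation to fail on a missing kticket4 attribute; renaming the upstream to `kticket4 = mkKrb5Upstream "ticket4";` matches the other three pairs (krb5, kadmin, kpasswd). Separately, the removed text listened explicitly on `0.0.0.0:443`/`[::]:443` and `:636`, whereas `preread'https` and `preread'ldap` now only set `listen.https.port = 443` and `ldaps.port = 636`; which addresses the stream module binds by default is not visible here, so it is worth confirming that the preread listeners still bind only where intended. Both hunks sit inside the `stream = let ... in mkMerge [ ... ]` binding, whose closing lines are in the second hunk.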
|
||||||