From f286ff4c72037274751224048cf7567aeef6fc75 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 23 Apr 2024 13:31:22 -0700
Subject: [PATCH] chore(nginx): move proxy logic out of stream.nix
---
 modules/nixos/nginx/preread.nix | 1 +
 modules/nixos/nginx/proxy.nix | 49 ++++++++++++++++++++++++++++++--
 modules/nixos/nginx/stream.nix | 21 +-------------
 modules/nixos/nginx/upstream.nix | 1 +
 4 files changed, 50 insertions(+), 22 deletions(-)
diff --git a/modules/nixos/nginx/preread.nix b/modules/nixos/nginx/preread.nix
index 3c572621..e76f4d73 100644
--- a/modules/nixos/nginx/preread.nix
+++ b/modules/nixos/nginx/preread.nix
@@ -38,6 +38,7 @@ let
 '';
 };
 proxy = mkIf cfg.enable {
+ enable = mkAlmostOptionDefault true;
 ssl.enable = false;
 upstream = mkAlmostOptionDefault cfg.upstream;
 };
diff --git a/modules/nixos/nginx/proxy.nix b/modules/nixos/nginx/proxy.nix
index 8240257b..79e886fa 100644
--- a/modules/nixos/nginx/proxy.nix
+++ b/modules/nixos/nginx/proxy.nix
@@ -1,4 +1,42 @@
 let
+ serverModule = {config, name, options, gensokyo-zone, lib, ...}: let
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkAfter;
+ cfg = config.proxy;
+ in {
+ options = with lib.types; {
+ proxy = {
+ enable = mkEnableOption "proxy_pass";
+ transparent.enable = mkEnableOption "proxy_bind transparent";
+ ssl = {
+ enable = mkEnableOption "ssl upstream";
+ verify = mkEnableOption "proxy_ssl_verify";
+ };
+ url = mkOption {
+ type = str;
+ };
+ };
+ };
+
+ config = let
+ warnProxy = lib.warnIf (!cfg.enable && options.proxy.url.isDefined) "nginx.stream.servers.${name}.proxy.url set without proxy.enable";
+ in {
+ streamConfig = warnProxy (mkMerge [
+ (mkIf cfg.transparent.enable ''
+ proxy_bind $remote_addr transparent;
+ '')
+ (mkIf cfg.ssl.enable
+ "proxy_ssl on;"
+ )
+ (mkIf (cfg.ssl.enable && cfg.ssl.verify)
+ "proxy_ssl_verify on;"
+ )
+ (mkIf cfg.enable (mkAfter
+ "proxy_pass ${cfg.url};"
+ ))
+ ]);
+ };
+ };
 locationModule = { config, nixosConfig, name, virtualHost, xvars, gensokyo-zone, lib, ... }: let
 inherit (gensokyo-zone.lib) mkJustBefore mkJustAfter mkAlmostOptionDefault mapOptionDefaults coalesce parseUrl;
 inherit (lib.options) mkOption mkEnableOption;
@@ -44,6 +82,7 @@ let
 type = nullOr str;
 default = null;
 example = "xvars.get.proxy_host";
+ # $upstream_last_server_name is commercial-only :<
 };
 };
 parsed = {
@@ -304,9 +343,15 @@ in {
 }: let
 inherit (lib.options) mkOption;
 in {
- options = with lib.types; {
- services.nginx.virtualHosts = mkOption {
+ options.services.nginx = with lib.types; {
+ virtualHosts = mkOption {
 type = attrsOf (submodule [hostModule]);
 };
+ stream.servers = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [serverModule];
+ shorthandOnlyDefinesConfig = false;
+ });
+ };
 };
 }
diff --git a/modules/nixos/nginx/stream.nix b/modules/nixos/nginx/stream.nix
index ff9a6659..94ac5394 100644
--- a/modules/nixos/nginx/stream.nix
+++ b/modules/nixos/nginx/stream.nix
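Review bot: In the new `serverModule` in proxy.nix (first hunk, `streamConfig`), `proxy.ssl.verify` only takes effect when `proxy.ssl.enable` is also set, so a server that sets `verify = true` alone evaluates cleanly and emits no `proxy_ssl_verify on;`. A warning in the style of `warnProxy` would surface that, for example `lib.warnIf (cfg.ssl.verify && !cfg.ssl.enable) "nginx.stream.servers.${name}.proxy.ssl.verify set without proxy.ssl.enable"`. `verify` also defaults to off, so an `ssl.enable` upstream is encrypted but not authenticated unless the user opts in, and nothing in this hunk sets `proxy_ssl_trusted_certificate`, which nginx needs for the check to succeed; the option descriptions should say both. The `proxy_bind` and `proxy_ssl` fragments are emitted even when `proxy.enable` is false, so gating the merged list on `mkIf cfg.enable` would keep them out of a server that has no `proxy_pass`.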
@@ -5,7 +5,7 @@
 ...
 }: let
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkMerge mkAfter mkOptionDefault;
+ inherit (lib.modules) mkIf mkMerge mkOptionDefault;
 inherit (lib.attrsets) mapAttrsToList;
 cfg = config.services.nginx.stream;
 serverModule = {config, ...}: {
@@ -25,30 +25,11 @@
 type = lines;
 internal = true;
 };
- proxy = {
- ssl = {
- enable = mkEnableOption "ssl upstream";
- verify = mkEnableOption "proxy_ssl_verify";
- };
- url = mkOption {
- type = nullOr str;
- default = null;
- };
- };
 };
 config = {
 streamConfig = mkMerge [
 config.extraConfig
- (mkIf config.proxy.ssl.enable
- "proxy_ssl on;"
- )
- (mkIf (config.proxy.ssl.enable && config.proxy.ssl.verify)
- "proxy_ssl_verify on;"
- )
- (mkIf (config.proxy.url != null) (mkAfter
- "proxy_pass ${config.proxy.url};"
- ))
 ];
 serverBlock = mkOptionDefault ''
 server {
diff --git a/modules/nixos/nginx/upstream.nix b/modules/nixos/nginx/upstream.nix
index ecabd71c..afeeae13 100644
--- a/modules/nixos/nginx/upstream.nix
+++ b/modules/nixos/nginx/upstream.nix
@@ -225,6 +225,7 @@ let
 else assert proxyUpstream.enable; proxyUpstream.name;
 in {
 proxy = {
+ enable = mkIf (config.proxy.upstream != null) true;
 url = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault proxyPass);
 ssl.enable = mkIf (hasUpstream && proxyUpstream.ssl.enable) (mkAlmostOptionDefault true);
 };
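Review bot: The added `enable = mkIf (config.proxy.upstream != null) true;` in upstream.nix is a plain-priority definition, unlike the `url` and `ssl.enable` lines beside it and the matching preread.nix line, which all go through `mkAlmostOptionDefault`. If that helper lowers priority the way its name suggests, a host that sets `proxy.enable = false` on a server with an upstream will hit a conflicting-definition error rather than overriding it, and will need `mkForce` to turn the proxy off. Consider `enable = mkIf (config.proxy.upstream != null) (mkAlmostOptionDefault true);`. The enclosing `let … in` block starts outside the hunk.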