fix(nginx): proxied listen

modules/nixos/nftables.nix

@@ -111,7 +111,7 @@
           };
         conditions = mkOption {
           type = types.listOf types.str;
-          default = "iifname ${name}";
+          default = [ "iifname ${name}" ];
         };
       };
     };

modules/nixos/nginx/proxied.nix

@@ -1,11 +1,4 @@
-{
-  lib,
-  inputs,
-  ...
-}: let
-  inherit (inputs.self.lib.lib) mkJustBefore mkAlmostOptionDefault orderJustBefore;
-  inherit (lib.options) mkOption;
-  inherit (lib.modules) mkIf mkMerge mkOrder mkDefault mkOptionDefault;
+let
   xHeadersProxied = { xvars }: ''
     ${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"}
     if ($http_x_forwarded_proto) {
@@ -25,7 +18,10 @@
       ${xvars.init "forwarded_server" "$http_x_forwarded_server"}
     }
   '';
-  locationModule = { config, virtualHost, xvars, ... }: let
+  locationModule = { config, virtualHost, xvars, gensokyo-zone, lib, ... }: let
+    inherit (gensokyo-zone.lib) mkJustBefore mkAlmostOptionDefault;
+    inherit (lib.options) mkOption;
+    inherit (lib.modules) mkIf mkMerge mkOptionDefault;
     cfg = config.proxied;
   in {
     options = with lib.types; {
@@ -69,7 +65,11 @@
       ];
     };
   };
-  hostModule = { config, xvars, ... }: let
+  hostModule = { config, nixosConfig, xvars, gensokyo-zone, lib, ... }: let
+    inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged;
+    inherit (lib.options) mkOption;
+    inherit (lib.modules) mkIf mkOrder mkDefault;
+    inherit (nixosConfig.services) nginx;
     cfg = config.proxied;
   in {
     options = with lib.types; {
@@ -82,6 +82,14 @@
           type = bool;
           default = cfg.enable != false;
         };
+        cloudflared = {
+          ingressSettings = mkOption {
+            type = unmerged.types.attrs;
+          };
+          getIngress = mkOption {
+            type = functionTo unspecified;
+          };
+        };
       };
       locations = mkOption {
         type = attrsOf (submoduleWith {
@@ -91,18 +99,83 @@
       };
     };
 
-    config = {
+    config = let
+      listenProxied = cfg.enabled;
+    in {
+      proxied = {
+        cloudflared = let
+          listen = config.listen'.proxied;
+          scheme = if listen.ssl then "https" else "http";
+        in mkIf (cfg.enable == "cloudflared") {
+          ingressSettings.${config.serverName} = {
+            service = "${scheme}://localhost:${toString listen.port}";
+            originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;
+          };
+          getIngress = {}: unmerged.mergeAttrs cfg.cloudflared.ingressSettings;
+        };
+      };
       xvars.enable = mkIf cfg.enabled true;
-      local.denyGlobal = mkIf (cfg.enable == "cloudflared") (mkDefault true);
+      local.denyGlobal = mkIf listenProxied (mkDefault true);
+      listen' = mkIf listenProxied {
+        proxied = {
+          addr = "[::]";
+          port = mkAlmostOptionDefault nginx.proxied.listenPort;
+        };
+      };
       extraConfig = mkIf (cfg.enabled && config.xvars.enable) (
         mkOrder (orderJustBefore + 25) (xHeadersProxied { inherit xvars; })
       );
     };
   };
 in {
-  options = with lib.types; {
-    services.nginx.virtualHosts = mkOption {
+  config,
+  system,
+  lib,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkOptionDefault;
+  inherit (lib.attrsets) attrValues;
+  inherit (lib.lists) any;
+  inherit (config.services) nginx;
+  cfg = nginx.proxied;
+in {
+  options.services.nginx = with lib.types; {
+    proxied = {
+      enabled = mkOption {
+        type = bool;
+      };
+      listenPort = mkOption {
+        type = port;
+        default = 9080;
+      };
+    };
+    virtualHosts = mkOption {
       type = attrsOf (submodule [hostModule]);
     };
   };
+  config = {
+    services.nginx = let
+      hasProxiedHosts = any (virtualHost: virtualHost.enable && virtualHost.proxied.enabled) (attrValues nginx.virtualHosts);
+    in {
+      proxied = {
+        enabled = mkOptionDefault hasProxiedHosts;
+      };
+      upstreams' = {
+        nginx'proxied = mkIf cfg.enabled {
+          servers.local = {
+            accessService = {
+              system = system.name;
+              name = "nginx";
+              port = "proxied";
+            };
+          };
+        };
+      };
+      # TODO: virtualHosts.fallback'proxied.reuseport = true;
+    };
+    networking.firewall.interfaces.lan = mkIf nginx.enable {
+      allowedTCPPorts = mkIf cfg.enabled [ cfg.listenPort ];
+    };
+  };
 }

modules/nixos/nginx/vouch.nix

@@ -297,22 +297,23 @@ in {
       };
       vouch'proxy = {
         enable = vouch.enable && vouch.doubleProxy.enable;
+        # TODO: need exported hosts options for this to detect the correct host/port/etc
         servers = {
           lan = { upstream, ... }: {
             enable = mkAlmostOptionDefault (!upstream.servers.int.enable);
             addr = mkAlmostOptionDefault "login.local.${networking.domain}";
-            port = mkOptionDefault null;
+            port = mkOptionDefault 9080;
             ssl.enable = mkAlmostOptionDefault true;
           };
           int = { upstream, ... }: {
             enable = mkAlmostOptionDefault system.network.networks.int.enable or false;
             addr = mkAlmostOptionDefault "login.int.${networking.domain}";
-            port = mkOptionDefault null;
+            port = mkOptionDefault 9080;
           };
           tail = { upstream, ... }: {
             enable = mkAlmostOptionDefault (tailscale.enable && !upstream.servers.lan.enable && !upstream.servers.int.enable);
             addr = mkAlmostOptionDefault "login.tail.${networking.domain}";
-            port = mkOptionDefault null;
+            port = mkOptionDefault 9080;
           };
         };
       };

modules/nixos/postgres.nix

@@ -93,7 +93,7 @@ in {
     local = mkIf cfg.enable {
       allowedTCPPorts = mkIf (any (user: user.authentication.local.allow) cfg.ensureUsers) [cfg.settings.port];
     };
-    int = mkIf cfg.enable {
+    lan = mkIf cfg.enable {
       allowedTCPPorts = mkIf (any (user: user.authentication.int.allow) cfg.ensureUsers) [cfg.settings.port];
     };
   };

modules/system/exports/nginx.nix

@@ -11,12 +11,22 @@ in {
       assertion = config.ports.http.port == cfg.defaultHTTPListenPort && config.ports.https.port == cfg.defaultSSLListenPort;
       message = "ports mismatch";
     };
+    assertProxied = nixosConfig: cfg: {
+      assertion = config.ports.proxied.enable == cfg.proxied.enabled;
+      message = "proxied mismatch";
+    };
+    assertProxiedPort = nixosConfig: cfg: {
+      assertion = !config.ports.proxied.enable || config.ports.proxied.port == cfg.proxied.listenPort;
+      message = "proxied.port mismatch";
+    };
   in {
     nixos = {
       serviceAttr = "nginx";
-      assertions = mkIf config.enable [
-        (mkAssertion assertPorts)
-      ];
+      assertions = mkIf config.enable (map mkAssertion [
+        assertPorts
+        assertProxied
+        assertProxiedPort
+      ]);
     };
     defaults.port.listen = mkAlmostOptionDefault "lan";
     ports = mapAttrs (_: mapAlmostOptionDefaults) {
@@ -29,6 +39,12 @@ in {
         port = 443;
         protocol = "https";
       };
+      proxied = {
+        enable = false;
+        port = 9080;
+        protocol = "http";
+        listen = "lan";
+      };
     };
   };
 }