mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-10 04:49:19 -08:00
229 lines
7.6 KiB
Nix
229 lines
7.6 KiB
Nix
let
|
|
sslModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
|
|
inherit (lib.options) mkOption;
|
|
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
|
|
inherit (nixosConfig.services) nginx;
|
|
cfg = config.ssl;
|
|
in {
|
|
options = with lib.types; {
|
|
ssl = {
|
|
enable = mkOption {
|
|
type = bool;
|
|
};
|
|
force = mkOption {
|
|
# TODO: "force-nonlocal"? exceptions for tailscale?
|
|
type = enum [ false true "only" "reject" ];
|
|
default = false;
|
|
};
|
|
forced = mkOption {
|
|
type = bool;
|
|
readOnly = true;
|
|
};
|
|
cert = {
|
|
name = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
};
|
|
keyPath = mkOption {
|
|
type = nullOr path;
|
|
default = null;
|
|
};
|
|
path = mkOption {
|
|
type = nullOr path;
|
|
default = null;
|
|
};
|
|
copyFromVhost = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
};
|
|
copyFromStreamServer = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
};
|
|
};
|
|
};
|
|
proxy.ssl = {
|
|
enabled = mkOption {
|
|
type = bool;
|
|
};
|
|
};
|
|
};
|
|
config = {
|
|
ssl = {
|
|
enable = mkOptionDefault (cfg.cert.name != null || cfg.cert.keyPath != null);
|
|
forced = mkOptionDefault (cfg.force != false && cfg.force != "reject");
|
|
cert = let
|
|
mkCopyCert = copyCert: {
|
|
name = mkDefault copyCert.name;
|
|
keyPath = mkDefault copyCert.keyPath;
|
|
path = mkDefault copyCert.path;
|
|
};
|
|
copyCertVhost = mkCopyCert nginx.virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert;
|
|
copyCertStreamServer = mkCopyCert nginx.stream.servers.${cfg.cert.copyFromStreamServer}.ssl.cert;
|
|
in mkMerge [
|
|
(mkIf (cfg.cert.copyFromStreamServer != null) copyCertStreamServer)
|
|
(mkIf (cfg.cert.copyFromVhost != null) copyCertVhost)
|
|
];
|
|
};
|
|
};
|
|
};
|
|
sslProxyModule = { config, lib, ... }: let
|
|
inherit (lib.options) mkOption mkEnableOption;
|
|
inherit (lib.modules) mkIf mkMerge mkAfter;
|
|
inherit (config) proxy;
|
|
cfg = proxy.ssl;
|
|
in {
|
|
options.proxy.ssl = with lib.types; {
|
|
enable = mkOption {
|
|
type = bool;
|
|
};
|
|
verify = mkEnableOption "proxy_ssl_verify";
|
|
sni = mkEnableOption "proxy_ssl_server_name" // {
|
|
default = cfg.host != null;
|
|
};
|
|
host = mkOption {
|
|
type = nullOr str;
|
|
default = null;
|
|
example = "xvars.get.proxy_host";
|
|
description = "proxy_ssl_name";
|
|
# $upstream_last_server_name is commercial-only :<
|
|
};
|
|
};
|
|
config = {
|
|
extraConfig = mkIf (proxy.enable && cfg.enable) (mkMerge [
|
|
(mkIf cfg.verify "proxy_ssl_verify on;")
|
|
(mkIf cfg.sni "proxy_ssl_server_name on;")
|
|
(mkIf (cfg.host != null) (mkAfter "proxy_ssl_name ${cfg.host};"))
|
|
]);
|
|
};
|
|
};
|
|
streamServerModule = { config, nixosConfig, gensokyo-zone, lib, ... }: let
|
|
inherit (gensokyo-zone.lib) mkAlmostDefault;
|
|
inherit (lib.options) mkEnableOption;
|
|
inherit (lib.modules) mkIf mkMerge mkOptionDefault;
|
|
cfg = config.ssl;
|
|
in {
|
|
imports = [ sslModule sslProxyModule ];
|
|
options = with lib.types; {
|
|
ssl = {
|
|
kTLS = mkEnableOption "kTLS support" // {
|
|
default = true;
|
|
};
|
|
};
|
|
};
|
|
config = let
|
|
inherit (config) proxy;
|
|
cert = nixosConfig.security.acme.certs.${cfg.cert.name};
|
|
conf.ssl.cert = {
|
|
path = mkIf (cfg.cert.name != null) (mkAlmostDefault "${cert.directory}/fullchain.pem");
|
|
keyPath = mkIf (cfg.cert.name != null) (mkAlmostDefault "${cert.directory}/key.pem");
|
|
};
|
|
conf.proxy.ssl.enable = mkOptionDefault false;
|
|
#confSsl.listen.ssl = { ssl = true; };
|
|
confSsl.extraConfig = mkMerge [
|
|
(mkIf (cfg.cert.path != null) "ssl_certificate ${cfg.cert.path};")
|
|
(mkIf (cfg.cert.keyPath != null) "ssl_certificate_key ${cfg.cert.keyPath};")
|
|
(mkIf cfg.kTLS "ssl_conf_command Options KTLS;")
|
|
];
|
|
confProxy.extraConfig = mkIf proxy.ssl.enable "proxy_ssl on;";
|
|
in mkMerge [
|
|
conf
|
|
(mkIf cfg.enable confSsl)
|
|
(mkIf proxy.enable confProxy)
|
|
];
|
|
};
|
|
in {
|
|
config,
|
|
gensokyo-zone,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
|
|
inherit (lib.options) mkOption mkEnableOption;
|
|
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
|
|
inherit (lib.attrsets) mapAttrsToList;
|
|
inherit (lib.trivial) warnIf;
|
|
inherit (lib.strings) hasPrefix;
|
|
inherit (config.services) nginx;
|
|
forceRedirectConfig = { virtualHost, xvars }: ''
|
|
if (${xvars.get.scheme} = http) {
|
|
return ${toString virtualHost.redirectCode} https://${xvars.get.host}$request_uri;
|
|
}
|
|
'';
|
|
locationModule = { config, virtualHost, xvars, ... }: let
|
|
cfg = config.ssl;
|
|
emitForce = cfg.force && !virtualHost.ssl.forced;
|
|
in {
|
|
imports = [ sslProxyModule ];
|
|
options.ssl = {
|
|
force = mkEnableOption "redirect to SSL";
|
|
};
|
|
config = {
|
|
proxy.ssl.enable = mkOptionDefault (hasPrefix "https://" config.proxyPass);
|
|
xvars.enable = mkIf emitForce true;
|
|
extraConfig = mkIf emitForce (forceRedirectConfig { inherit xvars virtualHost; });
|
|
};
|
|
};
|
|
hostModule = { config, xvars, ... }: let
|
|
cfg = config.ssl;
|
|
emitForce = cfg.forced && config.proxied.enabled;
|
|
in {
|
|
imports = [ sslModule ];
|
|
options = with lib.types; {
|
|
ssl = {
|
|
cert = {
|
|
enable = mkEnableOption "ssl cert via name.shortServer";
|
|
};
|
|
};
|
|
locations = mkOption {
|
|
type = attrsOf (submoduleWith {
|
|
modules = [ locationModule ];
|
|
shorthandOnlyDefinesConfig = true;
|
|
});
|
|
};
|
|
};
|
|
config = {
|
|
ssl = {
|
|
cert = let
|
|
certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
|
|
mkAlmostOptionDefault config.name.shortServer
|
|
));
|
|
in certConfig;
|
|
};
|
|
addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true);
|
|
forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true);
|
|
onlySSL = mkIf (cfg.enable && cfg.force == "only" && !emitForce) (mkDefault true);
|
|
rejectSSL = mkIf (cfg.force == "reject") (mkDefault true);
|
|
useACMEHost = mkAlmostOptionDefault cfg.cert.name;
|
|
sslCertificate = mkIf (cfg.cert.path != null) (mkAlmostOptionDefault cfg.cert.path);
|
|
sslCertificateKey = mkIf (cfg.cert.keyPath != null) (mkAlmostOptionDefault cfg.cert.keyPath);
|
|
kTLS = mkAlmostOptionDefault true;
|
|
|
|
xvars.enable = mkIf emitForce true;
|
|
extraConfig = mkIf emitForce (forceRedirectConfig { virtualHost = config; inherit xvars; });
|
|
};
|
|
};
|
|
in {
|
|
options.services.nginx = with lib.types; {
|
|
virtualHosts = mkOption {
|
|
type = attrsOf (submoduleWith {
|
|
modules = [ hostModule ];
|
|
shorthandOnlyDefinesConfig = true;
|
|
});
|
|
};
|
|
stream.servers = mkOption {
|
|
type = attrsOf (submoduleWith {
|
|
modules = [ streamServerModule ];
|
|
shorthandOnlyDefinesConfig = false;
|
|
});
|
|
};
|
|
};
|
|
config.systemd.services.nginx = let
|
|
mapStreamServer = server: mkIf (server.enable && server.ssl.enable && server.ssl.cert.name != null) {
|
|
wants = [ "acme-finished-${server.ssl.cert.name}.target" ];
|
|
after = [ "acme-selfsigned-${server.ssl.cert.name}.service" ];
|
|
before = [ "acme-${server.ssl.cert.name}.service" ];
|
|
};
|
|
streamServerCerts = mapAttrsToList (_: mapStreamServer) nginx.stream.servers;
|
|
in mkIf nginx.enable (mkMerge streamServerCerts);
|
|
}
|