infra/common/raito-proxy-aware-nginx.nix

# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf concatStringsSep;
  cfg = config.bagel.raito.v6-proxy-awareness;
  #                      outside of raito infra    inside of raito infra
  allowedUpstreams = [ "2001:bc8:38ee::1/128"     "2001:bc8:38ee:99::1/128" ];
in
  {
    options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";
    config = mkIf cfg.enable {
      services.nginx = {
        # IPv6-only server
        defaultListen = [
          { addr = "[::0]"; proxyProtocol = true; port = 444; ssl = true; }
          { addr = "[::0]"; port = 443; ssl = true; }
          { addr = "[::0]"; port = 80; ssl = false; }
          # Private networking
          { addr = "127.0.0.1"; port = 80; ssl = false; }
          { addr = "[::1]"; port = 80; ssl = false; }
        ];

        appendHttpConfig = ''
          # Kurisu nodes
          ${concatStringsSep "\n" (map (up: "set_real_ip_from ${up};") allowedUpstreams)}
          real_ip_header proxy_protocol;
        '';
      };

      # Move to nftables if firewall is enabled.
      networking.nftables.enable = true;
      networking.firewall.extraInputRules = ''
        ${concatStringsSep "\n" (map (up: "ip6 saddr ${up} tcp dport 444 accept") allowedUpstreams)}
      '';
    };
  }
meta01: init Includes: - Raito VM module - Raito proxy aware NGINX module - Base server module - Sysadmin module - New SSH keys - Netbox module Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-07-01 17:11:01 +00:00			`# This enables an IPv6-only server which is proxied by kurisu.lahfa.xyz to have proper IPv4 logs via PROXY protocol.`
			`{ config, lib, ... }:`
			`let`
fix(sniproxy): outside/inside of infra, the ingress IPs are different In my infrastructure, the source node is 99::1, outside of my infra, it's ::1. All of this machinery was never really meant to be used on this scale, so oopsie. We should build our own sniproxy at some point. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-08-30 17:01:44 +00:00			`inherit (lib) mkEnableOption mkIf concatStringsSep;`
meta01: init Includes: - Raito VM module - Raito proxy aware NGINX module - Base server module - Sysadmin module - New SSH keys - Netbox module Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-07-01 17:11:01 +00:00			`cfg = config.bagel.raito.v6-proxy-awareness;`
fix(sniproxy): outside/inside of infra, the ingress IPs are different In my infrastructure, the source node is 99::1, outside of my infra, it's ::1. All of this machinery was never really meant to be used on this scale, so oopsie. We should build our own sniproxy at some point. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-08-30 17:01:44 +00:00			`# outside of raito infra inside of raito infra`
			`allowedUpstreams = [ "2001:bc8:38ee::1/128" "2001:bc8:38ee:99::1/128" ];`
meta01: init Includes: - Raito VM module - Raito proxy aware NGINX module - Base server module - Sysadmin module - New SSH keys - Netbox module Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-07-01 17:11:01 +00:00			`in`
			`{`
			`options.bagel.raito.v6-proxy-awareness.enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";`
			`config = mkIf cfg.enable {`
			`services.nginx = {`
			`# IPv6-only server`
			`defaultListen = [`
			`{ addr = "[::0]"; proxyProtocol = true; port = 444; ssl = true; }`
			`{ addr = "[::0]"; port = 443; ssl = true; }`
			`{ addr = "[::0]"; port = 80; ssl = false; }`
			`# Private networking`
			`{ addr = "127.0.0.1"; port = 80; ssl = false; }`
			`{ addr = "[::1]"; port = 80; ssl = false; }`
			`];`

			`appendHttpConfig = ''`
fix(sniproxy): outside/inside of infra, the ingress IPs are different In my infrastructure, the source node is 99::1, outside of my infra, it's ::1. All of this machinery was never really meant to be used on this scale, so oopsie. We should build our own sniproxy at some point. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-08-30 17:01:44 +00:00			`# Kurisu nodes`
			`${concatStringsSep "\n" (map (up: "set_real_ip_from ${up};") allowedUpstreams)}`
meta01: init Includes: - Raito VM module - Raito proxy aware NGINX module - Base server module - Sysadmin module - New SSH keys - Netbox module Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-07-01 17:11:01 +00:00			`real_ip_header proxy_protocol;`
			`'';`
			`};`

			`# Move to nftables if firewall is enabled.`
			`networking.nftables.enable = true;`
			`networking.firewall.extraInputRules = ''`
fix(sniproxy): outside/inside of infra, the ingress IPs are different In my infrastructure, the source node is 99::1, outside of my infra, it's ::1. All of this machinery was never really meant to be used on this scale, so oopsie. We should build our own sniproxy at some point. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-08-30 17:01:44 +00:00			`${concatStringsSep "\n" (map (up: "ip6 saddr ${up} tcp dport 444 accept") allowedUpstreams)}`
meta01: init Includes: - Raito VM module - Raito proxy aware NGINX module - Base server module - Sysadmin module - New SSH keys - Netbox module Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-07-01 17:11:01 +00:00			`'';`
			`};`
			`}`