infra/common/raito-proxy-aware-nginx.nix


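# Make an IPv6-only host that sits behind kurisu.lahfa.xyz's sniproxy log the
# real client address: the proxy forwards TCP on a dedicated port using the
# PROXY protocol, and NGINX rewrites $remote_addr from that header only when
# the connection actually originates from the proxy.
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.bagel.raito.v6-proxy-awareness;
in
{
  options.bagel.raito.v6-proxy-awareness = {
    enable = mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";

    # Single source of truth for the trusted proxy: the same value feeds both
    # the firewall rule and set_real_ip_from, so the two cannot drift apart.
    allowedUpstream = mkOption {
      type = types.str;
      default = "2001:bc8:38ee:99::1/128";
      description = "IPv6 address/prefix (CIDR) of the proxy whose PROXY-protocol headers are trusted.";
    };
  };

  config = mkIf cfg.enable {
    services.nginx = {
      # IPv6-only server
      defaultListen = [
        # PROXY-protocol entry point. Only cfg.allowedUpstream may reach it
        # (see the nftables rule below); TLS is still terminated locally.
        {
          addr = "[::0]";
          proxyProtocol = true;
          port = 444;
          ssl = true;
        }
        # Direct (non-proxied) IPv6 listeners.
        {
          addr = "[::0]";
          port = 443;
          ssl = true;
        }
        {
          addr = "[::0]";
          port = 80;
          ssl = false;
        }
        # Private networking
        {
          addr = "127.0.0.1";
          port = 80;
          ssl = false;
        }
        {
          addr = "[::1]";
          port = 80;
          ssl = false;
        }
      ];
      appendHttpConfig = ''
        # Kurisu node: the realip module only honours the PROXY header for
        # connections coming from this address; any other peer keeps its
        # own socket address as $remote_addr.
        set_real_ip_from ${cfg.allowedUpstream};
        real_ip_header proxy_protocol;
      '';
    };

    # extraInputRules is only honoured by the nftables backend, so switch the
    # firewall to it. Port 444 is deliberately not in allowedTCPPorts: it is
    # opened for the proxy alone.
    networking.nftables.enable = true;
    networking.firewall.extraInputRules = ''
      ip6 saddr ${cfg.allowedUpstream} tcp dport 444 accept
    '';
  };
}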