# Lets an IPv6-only NGINX server that is fronted by kurisu.lahfa.xyz log the
# real client IPv4 addresses: the fronting proxy hands over the original
# connection details with the PROXY protocol on a dedicated port (444).
{ config, lib, ... }:
let
  awareness = config.bagel.raito.v6-proxy-awareness;

  # The only peers allowed to speak PROXY protocol to this host.
  # A PROXY header carries a client address asserted by whoever sent it, so
  # this one list drives both what NGINX believes (set_real_ip_from) and what
  # the firewall lets reach port 444 at all — keep both derived from it.
  # (outside of raito infra / inside of raito infra)
  allowedUpstreams = [
    "2001:bc8:38ee::1/128"
    "2001:bc8:38ee:99::1/128"
  ];

  # Builds one nginx listen entry; `extra` merges further listen attributes in.
  listenOn = addr: port: ssl: extra: { inherit addr port ssl; } // extra;

  # One nginx directive per trusted upstream: only these senders may override
  # $remote_addr through the PROXY header.
  realIpDirectives =
    lib.concatMapStringsSep "\n" (peer: "set_real_ip_from ${peer};") allowedUpstreams;

  # One nftables input rule per trusted upstream for the PROXY-protocol port.
  proxyPortRules =
    lib.concatMapStringsSep "\n" (peer: "ip6 saddr ${peer} tcp dport 444 accept") allowedUpstreams;
in
{
  options.bagel.raito.v6-proxy-awareness.enable =
    lib.mkEnableOption "the kurisu.lahfa.xyz's sniproxy awareness for NGINX";

  config = lib.mkIf awareness.enable {
    services.nginx = {
      # IPv6-only server: 444 is the PROXY-protocol listener used by the
      # fronting proxy, 443/80 are the ordinary public listeners.
      defaultListen = [
        (listenOn "[::0]" 444 true { proxyProtocol = true; })
        (listenOn "[::0]" 443 true { })
        (listenOn "[::0]" 80 false { })
        # Private networking
        (listenOn "127.0.0.1" 80 false { })
        (listenOn "[::1]" 80 false { })
      ];

      appendHttpConfig = ''
        # Kurisu nodes
        ${realIpDirectives}
        real_ip_header proxy_protocol;
      '';
    };

    # networking.firewall.extraInputRules is only honoured by the nftables
    # backend, so the firewall is moved to nftables. Port 444 is opened solely
    # for the allowed upstreams; no other peer gets to inject PROXY headers.
    networking.nftables.enable = true;
    networking.firewall.extraInputRules = ''
      ${proxyPortRules}
    '';
  };
}