nixos/nginx: allow enabling QUIC packet routing using eBPF

This commit is contained in:
Izorkin 2023-09-10 20:44:28 +03:00
parent d0120f0ed6
commit 64fe8c9292
No known key found for this signature in database
GPG key ID: 1436C1B3F3679F09


@ -146,6 +146,10 @@ let
error_log ${cfg.logError};
daemon off;
${optionalString cfg.enableQuicBPF ''
quic_bpf on;
''}
${cfg.config}
${optionalString (cfg.eventsConfig != "" || cfg.config == "") ''
@ -783,6 +787,19 @@ in
'';
};
enableQuicBPF = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
Enables routing of QUIC packets using eBPF. When enabled, this allows
to support QUIC connection migration. The directive is only supported
on Linux 5.7+.
Note that enabling this option will make nginx run with extended
capabilities that are usually limited to processes running as root
namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`.
'';
};
user = mkOption {
type = types.str;
default = "nginx";
@ -1125,6 +1142,14 @@ in
'';
}
{
assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF);
message = ''
services.nginx.enableQuicBPF requires using nginxQuic package,
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
'';
}
{
assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
message = ''
@ -1224,8 +1249,8 @@ in
# New file permissions
UMask = "0027"; # 0640 / 0750
# Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
# Security
NoNewPrivileges = true;
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
@ -1250,6 +1275,7 @@ in
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optional cfg.enableQuicBPF [ "bpf" ]
++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
};
};
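Review bot: The new `++ optional cfg.enableQuicBPF [ "bpf" ]` in the last hunk wraps a list in `optional`, which yields the nested list `[ [ "bpf" ] ]` rather than `[ "bpf" ]`, and is inconsistent with the `optionals` used for the capability lists in the `AmbientCapabilities`/`CapabilityBoundingSet` hunk; it should read `++ optionals cfg.enableQuicBPF [ "bpf" ]` (or `++ optional cfg.enableQuicBPF "bpf"`). Separately, `bpf` is part of the `@privileged` group that the preceding line already denies, so whether this positive entry actually re-allows the syscall depends on how systemd merges a later allow entry into an earlier deny list; that should be confirmed on a running unit with `enableQuicBPF = true` rather than assumed. If it does not, the option would grant `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` while nginx still cannot make the `bpf` call, so the extra capabilities would be pure attack surface with no benefit. The `serviceConfig` attribute set continues outside the hunk.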