nixos/nginx: allow enabling QUIC packet routing using eBPF
This commit is contained in:
parent
d0120f0ed6
commit
64fe8c9292
|
@ -146,6 +146,10 @@ let
|
|||
error_log ${cfg.logError};
|
||||
daemon off;
|
||||
|
||||
${optionalString cfg.enableQuicBPF ''
|
||||
quic_bpf on;
|
||||
''}
|
||||
|
||||
${cfg.config}
|
||||
|
||||
${optionalString (cfg.eventsConfig != "" || cfg.config == "") ''
|
||||
|
@ -783,6 +787,19 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
enableQuicBPF = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = lib.mdDoc ''
|
||||
Enables routing of QUIC packets using eBPF. When enabled, this allows
|
||||
to support QUIC connection migration. The directive is only supported
|
||||
on Linux 5.7+.
|
||||
Note that enabling this option will make nginx run with extended
|
||||
capabilities that are usually limited to processes running as root
|
||||
namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`.
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "nginx";
|
||||
|
@ -1125,6 +1142,14 @@ in
|
|||
'';
|
||||
}
|
||||
|
||||
{
|
||||
assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF);
|
||||
message = ''
|
||||
services.nginx.enableQuicBPF requires using nginxQuic package,
|
||||
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
|
||||
'';
|
||||
}
|
||||
|
||||
{
|
||||
assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
|
||||
message = ''
|
||||
|
@ -1224,8 +1249,8 @@ in
|
|||
# New file permissions
|
||||
UMask = "0027"; # 0640 / 0750
|
||||
# Capabilities
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
|
||||
# Security
|
||||
NoNewPrivileges = true;
|
||||
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
|
||||
|
@ -1250,6 +1275,7 @@ in
|
|||
# System Call Filtering
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
|
||||
++ optional cfg.enableQuicBPF [ "bpf" ]
|
||||
++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
|
||||
};
|
||||
};
|
||||
|
|
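Review bot: `++ optional cfg.enableQuicBPF [ "bpf" ]` in the SystemCallFilter hunk (@@ -1250) hands a list to `optional`, which wraps its argument in a list, so the result is the nested `[ [ "bpf" ] ]` rather than the flat entry that the `optionals … [ "~@ipc" ]` on the next line produces; whether the systemd unit serializer flattens that or rejects it is not visible here, so it should read `++ optional cfg.enableQuicBPF "bpf"` (or `optionals cfg.enableQuicBPF [ "bpf" ]`) to be correct either way. The entry is also a deliberate hole worth documenting: `bpf` belongs to systemd's `@privileged` group, which the first element denies, and per systemd.exec(5) a later non-negated entry is subtracted from that deny list, so a comment such as `# bpf is in @privileged; re-allow it for quic_bpf` would make the intent clear. The matching ambient `CAP_SYS_ADMIN`/`CAP_NET_ADMIN` grant in the capabilities hunk (@@ -1224) is the broad one; on kernels that provide `CAP_BPF` it may be worth checking whether `CAP_BPF` plus `CAP_NET_ADMIN` suffices for nginx's program load, bearing in mind the option text only promises Linux 5.7+. The enclosing serviceConfig attribute set starts before the hunk.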