From 5560deef4cd6b2d8b764d06cc5fd8fefc47fec6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Thu, 14 Mar 2024 18:41:02 +0100 Subject: [PATCH] Enable proxyProtocol not together with old proxy method --- hosts/public-access-proxy/default.nix | 17 +++++++++++++++++ hosts/public-access-proxy/proxy.nix | 14 +++++++++----- lib/nginx.nix | 19 +++++++++---------- 3 files changed, 35 insertions(+), 15 deletions(-) diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix index d11b7a93..17625398 100644 --- a/hosts/public-access-proxy/default.nix +++ b/hosts/public-access-proxy/default.nix @@ -15,6 +15,7 @@ proxyHosts = [ { hostNames = [ "auth.c3d2.de" ]; proxyTo.host = hostRegistry.auth.ip4; + proxyProtocol = true; } { hostNames = [ "jabber.c3d2.de" ]; proxyTo = { @@ -78,6 +79,8 @@ "nix-cache.hq.c3d2.de" ]; proxyTo.host = hostRegistry.hydra.ip4; + # TODO: enable in hydra + # proxyProtocol = true; } { hostNames = [ "zentralwerk.org" @@ -87,18 +90,23 @@ } { hostNames = [ "mate.c3d2.de" "matemat.c3d2.de" "matemat.hq.c3d2.de" ]; proxyTo.host = hostRegistry.matemat.ip4; + proxyProtocol = true; } { hostNames = [ "element.c3d2.de" "matrix.c3d2.de" ]; proxyTo.host = hostRegistry.matrix.ip4; + # TODO: enable in matrix + # proxyProtocol = true; } { hostNames = [ "mobilizon.c3d2.de" ]; proxyTo.host = hostRegistry.mobilizon.ip4; } { hostNames = [ "drkkr.hq.c3d2.de" ]; proxyTo.host = hostRegistry.pulsebert.ip4; + # TODO: enable in pipebert + # proxyProtocol = true; } { hostNames = [ "scrape.hq.c3d2.de" ]; proxyTo.host = hostRegistry.scrape.ip4; 
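Review bot: Setting `proxyProtocol = true;` on the auth.c3d2.de entry now yields a backend with a single `send-proxy-v2` server on proxyHttpPort and no plain-HTTP server behind it, because the proxy.nix hunks in this commit drop the old `backup` server; if the auth host is not yet accepting PROXY protocol on that port, the vhost stops serving instead of degrading. The same ordering constraint applies to the matemat and wiki entries flipped in the later default.nix hunks. It is worth recording next to the flag, e.g. `proxyProtocol = true; # upstream must accept PROXY v2 on proxyHttpPort/proxyHttpsPort before this is enabled`, so the next person flipping one of the TODO entries deploys the upstream side first.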
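Review bot: The comment `# TODO: enable in pipebert` is attached to the drkkr.hq.c3d2.de entry whose target is `hostRegistry.pulsebert.ip4`, so the TODO names a host that does not match the entry it annotates. Unless pipebert is a separate machine that fronts pulsebert, this looks like a typo and should read `# TODO: enable in pulsebert`. The other TODO comments in this hunk agree with their `hostRegistry` names, so only this one stands out.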
@@ -119,12 +127,15 @@ } { hostNames = [ "wiki.c3d2.de" ]; proxyTo.host = hostRegistry.mediawiki.ip4; + proxyProtocol = true; } { hostNames = [ "owncast.c3d2.de" ]; proxyTo.host = hostRegistry.owncast.ip4; } { hostNames = [ "c3d2.social" ]; proxyTo.host = hostRegistry.mastodon.ip4; + # TODO: enable in mastodon + # proxyProtocol = true; } { hostNames = [ "relay.fedi.buzz" ]; proxyTo.host = zentralwerk.lib.config.site.net.serv.hosts4.buzzrelay; @@ -135,12 +146,18 @@ } { hostNames = [ "home-assistant.hq.c3d2.de" ]; proxyTo.host = hostRegistry.home-assistant.ip4; + # TODO: enable in home-assistant + # proxyProtocol = true; } { hostNames = [ "pretalx.c3d2.de" "talks.datenspuren.de" ]; proxyTo.host = hostRegistry.pretalx.ip4; + # TODO: enable in pretalx + # proxyProtocol = true; } { hostNames = [ "vaultwarden.c3d2.de" ]; proxyTo.host = hostRegistry.vaultwarden.ip4; + # TODO: enable in vaultwarden + # proxyProtocol = true; } ]; }; diff --git a/hosts/public-access-proxy/proxy.nix b/hosts/public-access-proxy/proxy.nix index c045365e..2090b6a5 100644 --- a/hosts/public-access-proxy/proxy.nix +++ b/hosts/public-access-proxy/proxy.nix @@ -73,7 +73,7 @@ in proxyProtocol = lib.mkOption { type = lib.types.bool; - default = true; + default = false; description = "Whether to use proxy protocol to connect to the server."; }; @@ -137,8 +137,10 @@ in lib.concatMapStrings (hostname: '' use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} } - server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} check ${lib.optionalString proxyProtocol "backup"} - ${lib.optionalString proxyProtocol "server ${canonicalize hostname}-proxy-http ${proxyTo.host}:${toString proxyTo.proxyHttpPort} check send-proxy-v2"} + server ${canonicalize hostname}-http ${proxyTo.host}:${ + if proxyProtocol then "${toString proxyTo.proxyHttpPort} check send-proxy-v2" + else "${toString proxyTo.httpPort} check" + } '') hostNames ) ) cfg.proxyHosts 
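Review bot: The option description `Whether to use proxy protocol to connect to the server.` no longer matches what the flag does: after this commit it selects proxyHttpPort/proxyHttpsPort with `send-proxy-v2` in place of the plain ports, with no fallback server, and its default flips to false. Suggest `description = "Whether to connect to the server with PROXY protocol v2 on proxyHttpPort/proxyHttpsPort instead of httpPort/httpsPort. The backend must accept PROXY protocol on those ports; there is no fallback to the plain ports.";` so that consumers of the option see the exclusive behaviour and the default change. The enclosing options set begins and ends outside the hunk.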
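Review bot: Putting both the port and the server options into one `if` inside `${ … }` splits the `server` line across three lines and forces the two branches to keep `check` in sync by hand, which is easy to get wrong on the next edit; the https backend hunk in this file has the same shape. A flatter form keeps the line readable while preserving the exact output: `server ${canonicalize hostname}-http ${proxyTo.host}:${toString (if proxyProtocol then proxyTo.proxyHttpPort else proxyTo.httpPort)} check${lib.optionalString proxyProtocol " send-proxy-v2"}`. A short comment on the proxyProtocol branch would also help, e.g. `# send-proxy-v2 forwards the client address in a PROXY header; the upstream listener should accept PROXY protocol only from this proxy`, since the upstream takes the header's address on trust. The enclosing expression over cfg.proxyHosts begins before the hunk.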
@@ -159,8 +161,10 @@ in ${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: '' backend ${canonicalize proxyTo.host}-https - server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} check ${lib.optionalString proxyProtocol "backup"} - ${lib.optionalString proxyProtocol "server ${canonicalize proxyTo.host}-proxy-https ${proxyTo.host}:${toString proxyTo.proxyHttpsPort} check send-proxy-v2"} + server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${ + if proxyProtocol then "${toString proxyTo.proxyHttpsPort} check send-proxy-v2" + else "${toString proxyTo.httpsPort} check" + } '') cfg.proxyHosts} ''; }; diff --git a/lib/nginx.nix b/lib/nginx.nix index 73ef6e78..98704717 100644 --- a/lib/nginx.nix +++ b/lib/nginx.nix @@ -3,16 +3,15 @@ _: { defaultListen = let listen = [ - # breaks satisfy any - # { - # addr = "[::]"; - # port = 80; - # } - # { - # addr = "[::]"; - # port = 443; - # ssl = true; - # } + { + addr = "[::]"; + port = 80; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } { addr = "[::]"; port = 8080;