Fix infinite recursion in modules/stats.nix <-> nixos-modules, remove nginx tcp fast open code moved to nixos-modules

2023-09-10 14:11:43 +02:00 · 2023-09-10 14:11:43 +02:00 · a88e1e00c8
parent 525edf5bc5
commit a88e1e00c8
4 changed files with 33 additions and 55 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -21,9 +21,6 @@
      # reset 60 seconds after a kernel panic
      "kernel.panic" = 60;
      "net.ipv4.tcp_congestion_control" = "bbr";
-      # enable tcp fastopen for outgoing and incoming connections
-      # used by haproxy and nginx
-      "net.ipv4.tcp_fastopen" = 3;
    };
    # recommend to turn off, only on by default for backwards compatibility
    zfs.forceImportRoot = false;
@ -200,21 +197,6 @@
        proxy_set_header X-Real-IP       $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
      '';
-      virtualHosts."_".listen = let
-        extraParameters = [
-          "reuseport"
-
-          # net.core.somaxconn is set to 4096
-          # see https://www.nginx.com/blog/tuning-nginx/#:~:text=to%20a%20value-,greater%20than%20512,-%2C%20change%20the%20backlog
-          "backlog=1024"
-
-          "deferred"
-          "fastopen=256" # requires nginx to be compiled with -DTCP_FASTOPEN=23
-        ];
-      in lib.mkDefault [
-        { addr = "[::]"; port = 80; inherit extraParameters; }
-        { addr = "[::]"; port = 443; ssl = true; inherit extraParameters; }
-      ];
    };

    openssh = {
--- a/flake.lock
+++ b/flake.lock
@ -362,11 +362,11 @@
    },
    "nixos": {
      "locked": {
-        "lastModified": 1694342461,
-        "narHash": "sha256-/0NhpfW6cSd3k39QhQoSchKt3UGG2n/o4qmg75h/8cY=",
+        "lastModified": 1694346869,
+        "narHash": "sha256-3rom5sUg5Euqiq3XdnxISy++iRafclsIT191KriTQv0=",
        "owner": "SuperSandro2000",
        "repo": "nixpkgs",
-        "rev": "607451c9283d51c259662d37d50e9a7984a08579",
+        "rev": "c6c94ddf0a33eae72051a4fe4543609c9de1eff9",
        "type": "github"
      },
      "original": {
@ -398,11 +398,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694293408,
-        "narHash": "sha256-5Mka4G5nYSlOALiBGv3kMTS7XWCFE6DFz8xdl+tYcrw=",
+        "lastModified": 1694347645,
+        "narHash": "sha256-4REU1NpRvtD8CO/UZ3sAP5mE7C9HmP5RjO2XFIHT2Gk=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "0274bc775d2496ce95aec10b4cbb786ee0737dfb",
+        "rev": "7adbab67fd91b05095b46221b3772b1e8cd01d0b",
        "type": "github"
      },
      "original": {
@ -452,11 +452,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694252381,
-        "narHash": "sha256-TkwNC+30EMjselnwg3OCZ29gNLqqkPskeQVC8s9Khaw=",
+        "lastModified": 1694342626,
+        "narHash": "sha256-wbNZq57MUGVXBVyPD0+JFGAIW7a0NUYMCM6dOHCWG50=",
        "owner": "astro",
        "repo": "nix-openwrt-imagebuilder",
-        "rev": "2239e2b0b4d4af0bec3edc379449ed8aec1f32fc",
+        "rev": "cceaa22c6e7f027569ec29c466e63d7fbb7b3356",
        "type": "github"
      },
      "original": {
--- a/modules/stats.nix
+++ b/modules/stats.nix
@ -1,11 +1,10 @@
-{ config, lib, libC, pkgs, ... }:
+{ config, lib, libC, ... }:

 let
  cfg = config.c3d2.hq.statistics;

-  isMetal =
-    !config.boot.isContainer &&
-    !(config ? microvm);
+  isMetal = !config.boot.isContainer && !(config ? microvm);
+  supportsNodeExporter = config.nixpkgs.system != "riscv64-linux";

  nginxStatusPort = 9100;
 in
@ -57,9 +56,24 @@ in
        };
      };

-      nginx = lib.mkMerge [
-        (lib.mkIf config.services.nginx.enable {
-          virtualHosts.localhost = {
+      nginx = {
+        # nginx only needs to be explicitly enabled when proxing node_exporter
+        enable = lib.mkIf supportsNodeExporter true;
+
+        virtualHosts = {
+          # only required when proxying node_exporter
+          "_" = lib.mkIf supportsNodeExporter {
+            listen = [
+              { addr = "0.0.0.0"; port = nginxStatusPort; }
+              { addr = "[::]"; port = nginxStatusPort; }
+            ];
+            locations."/metrics" = {
+              proxyPass = "http://127.0.0.1:${toString config.services.prometheus.exporters.node.port}/metrics";
+              extraConfig = libC.hqNetworkOnly;
+            };
+          };
+
+          localhost = lib.mkIf cfg.enable {
            listen = [
              { addr = "127.0.0.1"; port = nginxStatusPort; }
              { addr = "[::1]"; port = nginxStatusPort; }
@ -73,24 +87,10 @@ in
              deny all;
            '';
          };
-        })
+        };
+      };

-        (lib.mkIf (pkgs.system != "riscv64-linux") {
-          enable = true;
-          virtualHosts."_" = {
-            listen = [
-              { addr = "0.0.0.0"; port = nginxStatusPort; }
-              { addr = "[::]"; port = nginxStatusPort; }
-            ];
-            locations."/metrics" = {
-              proxyPass = "http://127.0.0.1:${toString config.services.prometheus.exporters.node.port}/metrics";
-              extraConfig = libC.hqNetworkOnly;
-            };
-          };
-        })
-      ];
-
-      prometheus.exporters.node = lib.mkIf (pkgs.system != "riscv64-linux") {
+      prometheus.exporters.node = lib.mkIf supportsNodeExporter {
        enable = true;
        enabledCollectors = [ "ethtool" "systemd" ];
        listenAddress = "127.0.0.1";
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -92,10 +92,6 @@ with final; {

  mlat-client = python3Packages.callPackage ./mlat-client.nix { };

-  nginx = prev.nginx.override {
-    configureFlags = [ "-DTCP_FASTOPEN=23" ];
-  };
-
  nixVersions = prev.nixVersions // {
    stable = prev.nixVersions.stable.overrideAttrs (oldAttrs: {
      patches = oldAttrs.patches or [ ] ++ [