Enable proxyProtocol for drone and gitea

config/default.nix

@@ -159,26 +159,25 @@
       gnome-initial-setup.enable = false;
     };
 
-    # nginx = {
+    nginx = {
-    #   appendHttpConfig = ''
+      appendHttpConfig = ''
-    #     log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
+        log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
-    #                              '"$request" $status $body_bytes_sent '
+                                 '"$request" $status $body_bytes_sent '
-    #                              '"$http_referer" "$http_user_agent"';
+                                 '"$http_referer" "$http_user_agent"';
 
-    #     access_log /var/log/nginx/access.log proxyCombined;
+        access_log /var/log/nginx/access.log proxyCombined;
-    #   '';
+      '';
-    #   commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
+      commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
-    #     # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+        # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
-    #     set_real_ip_from ${hosts4.public-access-proxy};
+        set_real_ip_from ${hosts4.public-access-proxy};
-    #     set_real_ip_from ${hosts6.up4.public-access-proxy};
+        set_real_ip_from ${hosts6.up4.public-access-proxy};
 
-    #     real_ip_header proxy_protocol;
+        real_ip_header proxy_protocol;
 
-    #     proxy_set_header X-Real-IP       $proxy_protocol_addr;
+        proxy_set_header X-Real-IP       $proxy_protocol_addr;
-    #     proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
-    #   '';
+      '';
-    #   defaultExtraParameters = [ "proxy_protocol" ];
+    };
-    # };
 
     openssh = {
       # Required for deployment and sops

flake.nix

@@ -225,6 +225,9 @@
 
       inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;
 
+      libC = {
+        inherit (import ./lib/nginx.nix {}) defaultListen;
+      };
 
       overlayList = [
         self.overlays
@@ -243,7 +246,7 @@
         modules = [
           (_: {
             _module.args = {
-              inherit hostRegistry nixos zentralwerk;
+              inherit hostRegistry libC nixos zentralwerk;
             };
 
             nixpkgs.overlays = overlayList;

hosts/drone/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, libC, pkgs, ... }:
 
 let
   hostname = "drone.hq.c3d2.de";
@@ -16,6 +16,7 @@ in
       virtualHosts.${hostname} = {
         forceSSL = true;
         enableACME = true;
+        listen = libC.defaultListen;
         locations."/".proxyPass = "http://localhost:8080";
       };
     };

hosts/gitea/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, libS, ... }:
+{ config, pkgs, lib, libC, libS, ... }:
 
 {
   c3d2.deployment.server = "server10";
@@ -112,6 +112,7 @@
       virtualHosts."gitea.c3d2.de" = {
         forceSSL = true;
         enableACME = true;
+        listen = libC.defaultListen;
         locations."/".proxyPass = "http://localhost:3000";
       };
     };

hosts/public-access-proxy/default.nix

@@ -70,6 +70,7 @@
     } {
       hostNames = [ "gitea.c3d2.de" ];
       proxyTo.host = hostRegistry.gitea.ip4;
+      proxyProtocol = true;
     } {
       hostNames = [ "grafana.hq.c3d2.de" ];
       proxyTo.host = hostRegistry.grafana.ip4;
@@ -140,6 +141,7 @@
     } {
       hostNames = [ "drone.hq.c3d2.de" ];
       proxyTo.host = hostRegistry.drone.ip4;
+      proxyProtocol = true;
     } {
       hostNames = [ "home-assistant.hq.c3d2.de" ];
       proxyTo.host = hostRegistry.home-assistant.ip4;

hosts/public-access-proxy/proxy.nix

@@ -49,6 +49,20 @@ in
                     Port to forward http to.
                   '';
                 };
+                proxyHttpPort = lib.mkOption {
+                  type = lib.types.port;
+                  default = 8080;
+                  description = ''
+                    Port to forward http to when using the proxy protocol.
+                  '';
+                };
+                proxyHttpsPort = lib.mkOption {
+                  type = lib.types.port;
+                  default = 8443;
+                  description = ''
+                    Port to forward http to when using the proxy protocol.
+                  '';
+                };
               };
             };
             description = ''
@@ -106,8 +120,10 @@ in
           ${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
               lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
                 lib.concatMapStrings (hostname: ''
+
                   use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
-                  server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
+                    server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} check ${lib.optionalString proxyProtocol "backup"}
+                   ${lib.optionalString proxyProtocol "server ${canonicalize hostname}-proxy-http ${proxyTo.host}:${toString proxyTo.proxyHttpPort} check send-proxy-v2"}
                 '') hostNames
               )
             ) cfg.proxyHosts
@@ -127,7 +143,8 @@ in
         ${lib.concatMapStrings ({ proxyTo, proxyProtocol, ...  }: ''
         
           backend ${canonicalize proxyTo.host}-https
-            server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
+            server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} check ${lib.optionalString proxyProtocol "backup"}
+            ${lib.optionalString proxyProtocol "server ${canonicalize proxyTo.host}-proxy-https ${proxyTo.host}:${toString proxyTo.proxyHttpsPort} check send-proxy-v2"}
         '') cfg.proxyHosts}
       '';
     };