path: root/nixos/modules/services/web-servers/nginx/default.nix
authorIzorkin <izorkin@elven.pw>2023-03-27 11:27:49 +0300
committerIzorkin <izorkin@elven.pw>2023-04-01 13:09:49 +0300
commit77d6fd36cfd50d2dd8363e18cc545628ca71055b (patch)
tree1bab094a0939cbd58888186c7dc7c05d722d331c /nixos/modules/services/web-servers/nginx/default.nix
parent9f2a1d98aa8af850eb27e4f37ba6286c7a598721 (diff)
nixos/nginx: update quic configuration
Diffstat (limited to 'nixos/modules/services/web-servers/nginx/default.nix')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix28
1 files changed, 22 insertions, 6 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 064c86a9a7e2..577e9f94da8b 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -311,12 +311,15 @@ let
             else defaultListen;
 
         listenString = { addr, port, ssl, extraParameters ? [], ... }:
-          (if ssl && vhost.http3 then "
-          # UDP listener for **QUIC+HTTP/3
-          listen ${addr}:${toString port} http3 "
+          # UDP listener for QUIC transport protocol.
+          (if ssl && vhost.quic then "
+            listen ${addr}:${toString port} quic "
           + optionalString vhost.default "default_server "
           + optionalString vhost.reuseport "reuseport "
-          + optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+          + optionalString (extraParameters != []) (concatStringsSep " " (
+            let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];
+                isCompatibleParameter = param: !(any (p: p == param) inCompatibleParameters);
+            in filter isCompatibleParameter extraParameters))
           + ";" else "")
           + "
 
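Review bot: The filter added on the `let inCompatibleParameters = ...` line is sound, but its name reads as two words and the membership test is spelled out by hand; the conventional form would be `let incompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];` with `isCompatibleParameter = param: !(elem param incompatibleParameters);`. A one-line comment on why these three are dropped would also help, since the reason (presumably that nginx does not accept them on a `quic` listener, TLS being implied by QUIC) is stated nowhere in the hunk, e.g. `# ssl/proxy_protocol/http2 belong to the TCP listen socket and are not valid on the quic listener`. The listenString body continues past the end of the hunk: the `+ "` on the last context line opens the TCP listen string.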
@@ -363,6 +366,10 @@ let
         server {
           ${concatMapStringsSep "\n" listenString hostListen}
           server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
+          ${optionalString (hasSSL && vhost.quic) ''
+            http3 ${if vhost.http3 then "on" else "off"};
+            http3_hq ${if vhost.http3_hq then "on" else "off"};
+          ''}
           ${acmeLocation}
           ${optionalString (vhost.root != null) "root ${vhost.root};"}
           ${optionalString (vhost.globalRedirect != null) ''
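Review bot: The `http3_hq` directive emitted on the added lines is not self-explanatory in generated config; nginx documents it as enabling the HTTP/0.9-style negotiation used in QUIC interoperability tests, so a Nix comment above the `${optionalString (hasSSL && vhost.quic) ''` line such as `# http3_hq enables the hq-interop protocol used by QUIC interoperability tests, not normal HTTP/3` would save the next reader a lookup. Note also that when `vhost.quic` is set but both `http3` and `http3_hq` are off, the UDP listener from listenString is still opened with nothing to negotiate over it; whether that deserves an assertion depends on the option defaults, which are outside this file.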
@@ -384,9 +391,10 @@ let
             ssl_conf_command Options KTLS;
           ''}
 
-          ${optionalString (hasSSL && vhost.http3) ''
+          ${optionalString (hasSSL && vhost.quic && vhost.http3)
             # Advertise that HTTP/3 is available
-            add_header Alt-Svc 'h3=":443"; ma=86400' always;
+          ''
+            add_header Alt-Svc 'h3=":$server_port"; ma=86400';
           ''}
 
           ${mkBasicAuth vhostName vhost}
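Review bot: The new `add_header Alt-Svc 'h3=":$server_port"; ma=86400';` drops the `always` parameter that the removed line carried, so nginx attaches the header only to responses in its default status set (200/201/204/206 and the 3xx redirects) and no longer to e.g. 404 or 500 responses, which is a behaviour change the commit title does not mention. If that is unintended, keep `add_header Alt-Svc 'h3=":$server_port"; ma=86400' always;`; if it is intended, a sentence in the commit message would help. The `# Advertise that HTTP/3 is available` comment now sits between the condition and the opening `''`, which is valid Nix but reads as if it were part of the generated config; placing it above the `${optionalString` line would be clearer.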
@@ -1027,6 +1035,14 @@ in
           services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
         '';
       }
+
+      {
+        assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
+        message = ''
+          services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package,
+          which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
+        '';
+      }
     ] ++ map (name: mkCertOwnershipAssertion {
       inherit (cfg) group user;
       cert = config.security.acme.certs.${name};
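Review bot: The assertion message on the added lines names the option as `services.nginx.service.virtualHosts.<name>.quic`, but the option path used by the preceding assertion is `services.nginx.virtualHosts.<name>...`, so the `.service` segment looks like a typo; change it to `services.nginx.virtualHosts.<name>.quic requires using nginxQuic package,`. The guard `cfg.package.pname != "nginxQuic"` keys on the package name alone, so a QUIC-capable build under another pname (an overridden or custom package) is rejected while a pname-matching package with QUIC removed passes; that is probably acceptable, but worth stating with a comment such as `# only pkgs.nginxQuic (matched by pname) is known to support the quic listen parameter`.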