author | Ryan Lahfa <masterancpp@gmail.com> | 2023-09-27 18:53:43 +0200 |
committer | GitHub <noreply@github.com> | 2023-09-27 18:53:43 +0200 |
commit | c22ca8e82097dc7650053c85509d9369ce8726bf (patch) | |
tree | 66529afd570908fab27993b182fbee44d0e00ea0 /nixos | |
parent | e909050efda76765c3075436da3f8e07f9b9e70e (diff) | |
parent | 64fe8c929292b56436fa587641a4e589e2ee67ff (diff) | |
Merge pull request #254440 from Izorkin/add-nginx-bpf
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 7a7fb4061eea..62e0a8940e2c 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -146,6 +146,10 @@ let
       error_log ${cfg.logError};
       daemon off;
 
+      ${optionalString cfg.enableQuicBPF ''
+        quic_bpf on;
+      ''}
+
       ${cfg.config}
 
       ${optionalString (cfg.eventsConfig != "" || cfg.config == "") ''
@@ -783,6 +787,19 @@ in
         '';
       };
 
+      enableQuicBPF = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc ''
+          Enables routing of QUIC packets using eBPF. When enabled, this allows
+          to support QUIC connection migration. The directive is only supported
+          on Linux 5.7+.
+          Note that enabling this option will make nginx run with extended
+          capabilities that are usually limited to processes running as root
+          namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`.
+        '';
+      };
+
       user = mkOption {
         type = types.str;
         default = "nginx";
@@ -1126,6 +1143,14 @@ in
       }
 
       {
+        assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF);
+        message = ''
+          services.nginx.enableQuicBPF requires using nginxQuic package,
+          which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
+        '';
+      }
+
+      {
         assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
         message = ''
           services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic package,
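Review bot: The `enableQuicBPF` description in the `@@ -783,6 +787,19 @@` hunk understates what the option relaxes: besides granting `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`, the same commit also lets the `bpf` system call through the service's seccomp filter, and an operator reading only the option text would not learn that. It also reads awkwardly ("this allows to support", and a missing comma before "namely"). I would rewrite the security paragraph to say that enabling the option adds `CAP_SYS_ADMIN` and `CAP_NET_ADMIN` to the nginx service and permits the `bpf` syscall in its sandbox, note that `CAP_SYS_ADMIN` is close to root-equivalent for a compromised worker, and point to the `services.nginx.package = pkgs.nginxQuic;` requirement so the option text is self-contained. The surrounding `options` attribute set starts and ends outside this hunk.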
@@ -1224,8 +1249,8 @@ in
         # New file permissions
         UMask = "0027"; # 0640 / 0750
         # Capabilities
-        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
-        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
         # Security
         NoNewPrivileges = true;
         # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
@@ -1250,6 +1275,7 @@ in
         # System Call Filtering
         SystemCallArchitectures = "native";
         SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
+          ++ optional cfg.enableQuicBPF [ "bpf" ]
           ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
       };
     };
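Review bot: Granting `CAP_SYS_ADMIN` to both `AmbientCapabilities` and `CapabilityBoundingSet` in the `@@ -1224,8 +1249,8 @@` hunk hands the unprivileged nginx workers a capability that is widely treated as root-equivalent, which is a large step up from the `CAP_NET_BIND_SERVICE`/`CAP_SYS_RESOURCE` baseline the rest of this hardening block was built around. Since Linux 5.8 the kernel splits BPF program and map loading into `CAP_BPF` (with `CAP_NET_ADMIN` still needed for the reuseport attach), so if the supported baseline can be raised from 5.7 to 5.8 the grant could presumably be narrowed to `[ "CAP_BPF" "CAP_NET_ADMIN" ]` — this should be verified against nginx's `quic_bpf` implementation before changing it. At minimum I would put a comment on the two added lines, e.g. `# quic_bpf loads a SO_REUSEPORT eBPF program; CAP_SYS_ADMIN is root-equivalent, consider CAP_BPF on >= 5.8`, so the next reader knows the widening is deliberate and what would let it be tightened. The enclosing `serviceConfig` attribute set starts before this hunk.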
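Review bot: The added `++ optional cfg.enableQuicBPF [ "bpf" ]` in the `@@ -1250,6 +1275,7 @@` hunk uses `optional` with a list argument, so when enabled it appends a nested list (`[ [ "bpf" ] ]`) to `SystemCallFilter`, unlike the sibling lines that use `optionals` with a list; whether that is flattened correctly depends on how the systemd unit generator stringifies the value, and it is at best accidental. The fix is one line: `++ optionals cfg.enableQuicBPF [ "bpf" ]`. Separately, `bpf` is a member of the `@privileged` group denied on the preceding line, so the change relies on a later positive entry re-adding a syscall that an earlier `~` entry removed; I would add a comment such as `# re-allow bpf (part of @privileged) for quic_bpf` and confirm with a running service that the resulting filter does admit `bpf()`. The `serviceConfig` set closes at the end of this hunk but begins before it.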