talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge pull request #254440 from Izorkin/add-nginx-bpf

Browse Source
This commit is contained in:
Ryan Lahfa
2023-09-27 18:53:43 +02:00
committed by GitHub
parent e909050efd 64fe8c9292
commit c22ca8e820
1 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
nixos/modules/services/web-servers/nginx/default.nix
View File

@@ -146,6 +146,10 @@ let
error_log ${cfg.logError}; error_log ${cfg.logError};
daemon off; daemon off;
${optionalString cfg.enableQuicBPF ''
quic_bpf on;
''}
${cfg.config} ${cfg.config}
${optionalString (cfg.eventsConfig != "" || cfg.config == "") '' ${optionalString (cfg.eventsConfig != "" || cfg.config == "") ''
@@ -783,6 +787,19 @@ in
''; '';
}; };
enableQuicBPF = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
Enables routing of QUIC packets using eBPF. When enabled, this allows
to support QUIC connection migration. The directive is only supported
on Linux 5.7+.
Note that enabling this option will make nginx run with extended
capabilities that are usually limited to processes running as root
namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`.
'';
};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
default = "nginx"; default = "nginx";
@@ -1125,6 +1142,14 @@ in
''; '';
} }
{
assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF);
message = ''
services.nginx.enableQuicBPF requires using nginxQuic package,
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
'';
}
{ {
assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts); assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts);
message = '' message = ''
@@ -1224,8 +1249,8 @@ in
# New file permissions # New file permissions
UMask = "0027"; # 0640 / 0750 UMask = "0027"; # 0640 / 0750
# Capabilities # Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ];
# Security # Security
NoNewPrivileges = true; NoNewPrivileges = true;
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
@@ -1250,6 +1275,7 @@ in
# System Call Filtering # System Call Filtering
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optional cfg.enableQuicBPF [ "bpf" ]
++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
}; };
}; };