nixpkgs

nordic-dev.net/nixpkgs

Fork 0

mirror of https://github.com/NixOS/nixpkgs.git synced 2025-01-16 18:03:59 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Silvan Mosberger	4f0dadbf38	treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build `a08b3a4d19`.tar.gz \ --argstr baseRev `b32a094368` result/bin/apply-formatting $NIXPKGS_PATH	2024-12-10 20:26:33 +01:00
Raito Bezarius	72cfcbebd6	nixos/tests/nginx-proxyprotocol: add raitobezarius as a maintainer I added this feature, I will maintain it.	2023-07-21 21:13:28 +02:00
Raito Bezarius	69bb0f94de	nixos/nginx: first-class PROXY protocol support PROXY protocol is a convenient way to carry information about the originating address/port of a TCP connection across multiple layers of proxies/NAT, etc. Currently, it is possible to make use of it in NGINX's NixOS module, but is painful when we want to enable it "globally". Technically, this is achieved by reworking the defaultListen options and the objective is to have a coherent way to specify default listeners in the current API design. See `mkDefaultListenVhost` and `defaultListen` for the details. It adds a safeguard against running a NGINX with no HTTP listeners (e.g. only PROXY listeners) while asking for ACME certificates over HTTP-01. An interesting usecase of PROXY protocol is to enable seamless IPv4 to IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is demonstrated how to achieve this in the tests, using sniproxy. Finally, the tests covers: - NGINX `defaultListen` mechanisms are not broken by these changes; - NGINX PROXY protocol listeners are working in a final usecase (sniproxy); - uses snakeoil TLS certs from ACME setup with wildcard certificates; In the future, it is desirable to spoof-attack NGINX in this scenario to ascertain that `set_real_ip_from` and all the layers are working as intended and preventing any user from setting their origin IP address to any arbitrary, opening up the NixOS module to bad™ vulnerabilities. For now, it is quite hard to achieve while being minimalistic about the tests dependencies.	2023-05-26 19:48:26 +02:00

Silvan Mosberger

4f0dadbf38

treewide: format all inactive Nix files

After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build a08b3a4d19.tar.gz \
      --argstr baseRev b32a094368
    result/bin/apply-formatting $NIXPKGS_PATH

2024-12-10 20:26:33 +01:00

Raito Bezarius

72cfcbebd6

nixos/tests/nginx-proxyprotocol: add raitobezarius as a maintainer

I added this feature, I will maintain it.

2023-07-21 21:13:28 +02:00

Raito Bezarius

69bb0f94de

nixos/nginx: first-class PROXY protocol support

PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.

Currently, it is possible to make use of it in NGINX's NixOS module, but
is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.

It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.

An interesting usecase of PROXY protocol is to enable seamless IPv4 to
IPv6 proxy with origin IPv4 address for IPv6-only NGINX servers, it is
demonstrated how to achieve this in the tests, using sniproxy.

Finally, the tests covers:

- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
  (sniproxy);
- uses snakeoil TLS certs from ACME setup with wildcard certificates;

In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary, opening up the NixOS module to bad™ vulnerabilities.

For now, it is quite hard to achieve while being minimalistic about the
tests dependencies.

2023-05-26 19:48:26 +02:00

3 Commits