author | Cameron Nemo <cnemo@tutanota.com> | 2021-08-27 19:28:27 -0700 |
---|---|---|
committer | Cameron Nemo <cnemo@tutanota.com> | 2022-04-07 14:43:53 +0000 |
commit | 1b4b16e1bdc75fe881494b9341c482e9c63174bf (patch) | |
tree | 6b0d16c6c220b68c58bc48c318ed76d6e6423eb0 | |
parent | 666a90e29d6261fd17fab0481ac21c64cd857834 (diff) |
nixos/envoy: init
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 7 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2205.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/envoy.nix | 84 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/envoy.nix | 33 | ||||
-rw-r--r-- | pkgs/servers/http/envoy/default.nix | 5 |
7 files changed, 131 insertions, 2 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index b4a33777851ee..3e4bd867d1b73 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1527,6 +1527,13 @@
 </listitem>
 <listitem>
 <para>
+ A new module was added for the Envoy reverse proxy, providing
+ the options <literal>services.envoy.enable</literal> and
+ <literal>services.envoy.settings</literal>.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
 The option <literal>services.duplicati.dataDir</literal> has been added to allow changing the location of duplicati’s files.
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 560d80514d6a8..97d7ed3eabed3 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -541,6 +541,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
+- A new module was added for the Envoy reverse proxy, providing the options `services.envoy.enable` and `services.envoy.settings`.
+
 - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.
 - The options `boot.extraModprobeConfig` and `boot.blacklistedKernelModules` now also take effect in the initrd by copying the file `/etc/modprobe.d/nixos.conf` into the initrd.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c4958c36ea004..ce6ceb1bfb9c3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -753,6 +753,7 @@
 ./services/networking/ncdns.nix
 ./services/networking/nomad.nix
 ./services/networking/ejabberd.nix
+ ./services/networking/envoy.nix
 ./services/networking/epmd.nix
 ./services/networking/ergo.nix
 ./services/networking/ergochat.nix
diff --git a/nixos/modules/services/networking/envoy.nix b/nixos/modules/services/networking/envoy.nix
new file mode 100644
index 0000000000000..b7f859c73d9dd
--- /dev/null
+++ b/nixos/modules/services/networking/envoy.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.envoy;
+ format = pkgs.formats.json { };
+ conf = format.generate "envoy.json" cfg.settings;
+ validateConfig = file:
+ pkgs.runCommand "validate-envoy-conf" { } ''
+ ${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}"
+ cp "${file}" "$out"
+ '';
+
+in
+
+{
+ options.services.envoy = {
+ enable = mkEnableOption "Envoy reverse proxy";
+
+ settings = mkOption {
+ type = format.type;
+ default = { };
+ example = literalExpression ''
+ {
+ admin = {
+ access_log_path = "/dev/null";
+ address = {
+ socket_address = {
+ protocol = "TCP";
+ address = "127.0.0.1";
+ port_value = 9901;
+ };
+ };
+ };
+ static_resources = {
+ listeners = [];
+ clusters = [];
+ };
+ }
+ '';
+ description = ''
+ Specify the configuration for Envoy in Nix.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.envoy ];
+ systemd.services.envoy = {
+ description = "Envoy reverse proxy";
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}";
+ DynamicUser = true;
+ Restart = "no";
+ CacheDirectory = "envoy";
+ LogsDirectory = "envoy";
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP";
+ SystemCallArchitectures = "native";
+ LockPersonality = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "ptraceable";
+ ProtectHostname = true;
+ ProtectSystem = "strict";
+ UMask = "0066";
+ SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation";
+ };
+ };
+ };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ffccb6b446602..9f0ecf74763fa 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -142,6 +142,7 @@ in
 engelsystem = handleTest ./engelsystem.nix {};
 enlightenment = handleTest ./enlightenment.nix {};
 env = handleTest ./env.nix {};
+ envoy = handleTest ./envoy.nix {};
 ergo = handleTest ./ergo.nix {};
 ergochat = handleTest ./ergochat.nix {};
 etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; };
diff --git a/nixos/tests/envoy.nix b/nixos/tests/envoy.nix
new file mode 100644
index 0000000000000..9d2c32ce102f2
--- /dev/null
+++ b/nixos/tests/envoy.nix
@@ -0,0 +1,33 @@
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
+ name = "envoy";
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ cameronnemo ];
+ };
+
+ nodes.machine = { pkgs, ... }: {
+ services.envoy.enable = true;
+ services.envoy.settings = {
+ admin = {
+ access_log_path = "/dev/null";
+ address = {
+ socket_address = {
+ protocol = "TCP";
+ address = "127.0.0.1";
+ port_value = 9901;
+ };
+ };
+ };
+ static_resources = {
+ listeners = [];
+ clusters = [];
+ };
+ };
+ };
+
+ testScript = ''
+ machine.start()
+ machine.wait_for_unit("envoy.service")
+ machine.wait_for_open_port(9901)
+ machine.wait_until_succeeds("curl -fsS localhost:9901/ready")
+ '';
+})
diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix
index 0c5038898ea3f..64565a57ff948 100644
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -127,8 +127,9 @@ buildBazelPackage rec {
 ];
 passthru.tests = {
- # No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
- inherit (nixosTests) pomerium;
+ envoy = nixosTests.envoy;
+ # tested as a core component of Pomerium
+ pomerium = nixosTests.pomerium;
 };
 meta = with lib; { |
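Review bot: `settings` is rendered with `format.generate "envoy.json"` and copied again by `validateConfig`, so everything in it lands in the world-readable Nix store (and in any binary cache the system closure is pushed to), yet the option description only says "Specify the configuration for Envoy in Nix." and gives no hint that TLS private keys or upstream credentials inlined there become readable by every local user. The description should state this and point users at supplying such material by path out of band, e.g. `description = '' Envoy configuration, rendered to a JSON file in the world-readable Nix store; do not inline private keys or credentials, reference them by file path instead. '';`. A related caveat worth a comment on `validateConfig`: it runs `envoy --mode validate` inside the build sandbox, so if validation tries to open files the config references by path, those paths will not exist at build time — this should be confirmed against the test before recommending file references. The admin block in `example` binds to 127.0.0.1, which is the right default to show, but since the admin interface is unauthenticated the description could also say that exposing it on a non-loopback address is a security decision, not a convenience one.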
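Review bot: The test in nixos/tests/envoy.nix only probes the admin endpoint on loopback port 9901 with empty `static_resources`, so the module's privileged-port path (`AmbientCapabilities = "CAP_NET_BIND_SERVICE"` together with `PrivateUsers = false`) and the `RestrictAddressFamilies`/`SystemCallFilter` sandbox under a real listener are never exercised, and a regression in that hardening block would still pass. It would be worth adding a minimal TCP listener on port 80 to `settings.static_resources.listeners` and asserting it comes up with `machine.wait_for_open_port(80)`, which is the cheapest way to pin the capability and seccomp settings to observed behaviour. If the listener is given a file-backed TLS context, the same test also settles whether `validateConfig` can cope with paths that only exist at runtime.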