Make nginx use the haproxy protocol for mail
Mail listens for haproxy PROXY protocol messages, which carry extra information
about where the query came from (similar to X-Forwarded-For headers in HTTP).
Unfortunately, we were forwarding it raw TCP data from nginx instead.
This commit uses ProxyStream (introduced in helpers commit
Ia15a18380624375ec4eb5d87d802df1e31f3c82d) to add haproxy proxying.
Finally, this commit removes an extraneous email vhost (ignored since helpers
commit I1e3dc3db735c0ccea5a6b7407cda8338ff7cf1e8)
Change-Id: Ia6142f249b911e11fef1a6476fcef4002d88b86d
diff --git a/modules/nginx-routes.nix b/modules/nginx-routes.nix
index 889a17c..a5ff7a5 100644
--- a/modules/nginx-routes.nix
+++ b/modules/nginx-routes.nix
@@ -37,9 +37,7 @@
"smtp.coded.codes"
"smtp.clicks.codes"
"smtp.hopescaramels.com"
- ] (ReverseProxy "localhost:1080"))
- (Hosts [ "mail.clicks.codes" "mail.coded.codes" "mail.hopescaramels.com" ]
- (ReverseProxy "localhost:1080"))
+ ] (ReverseProxy "127.0.0.1:1080"))
(Host "matrix.coded.codes" (Directory "${builtins.toString
(pkgs.schildichat-web.override {
conf = {
@@ -91,12 +89,12 @@
])
];
clicks.nginx.streams = with helpers.nginx; [
- (Stream 143 "localhost:1143" "tcp") # imap
- (Stream 993 "localhost:1993" "tcp") # imap
- (Stream 110 "localhost:1110" "tcp") # pop3
- (Stream 995 "localhost:1995" "tcp") # pop3
- (Stream 25 "localhost:1025" "tcp") # smtp
- (Stream 465 "localhost:1465" "tcp") # smtp
- (Stream 587 "localhost:1587" "tcp") # smtp
+ (ProxyStream 143 "127.0.0.1:1143" "tcp") # imap
+ (ProxyStream 993 "127.0.0.1:1993" "tcp") # imap
+ (ProxyStream 110 "127.0.0.1:1110" "tcp") # pop3
+ (ProxyStream 995 "127.0.0.1:1995" "tcp") # pop3
+ (ProxyStream 25 "127.0.0.1:1025" "tcp") # smtp
+ (ProxyStream 465 "127.0.0.1:1465" "tcp") # smtp
+ (ProxyStream 587 "127.0.0.1:1587" "tcp") # smtp
];
}
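Review bot: The seven `ProxyStream` entries make the mail backends on 127.0.0.1 take the client address from the PROXY header, and nothing in this hunk records that those backend ports must be reachable by nginx only. A listener that parses PROXY headers believes whatever source address it is given, so IP-based relay rules, rate limits and ban lists on the mail server depend on the backends being bound to loopback and, where the server supports it, on a trusted-proxy list limited to 127.0.0.1. The backend configuration is not visible here, so this should be confirmed. I would add a comment above the list, e.g. `# backends parse PROXY protocol: keep them bound to 127.0.0.1 and accept PROXY headers from nginx only`. The trailing comments could also tell the TLS ports apart (`# imaps`, `# pop3s`, `# smtps`, `# submission`), since 143/993 and 110/995 currently carry the same label.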
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 08ae0cf..7515dcb 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -124,6 +124,7 @@
internal = lib.mkOption { type = str; };
external = lib.mkOption { type = port; };
protocol = lib.mkOption { type = strMatching "^(tcp|udp)$"; };
+ haproxy = lib.mkOption { type = bool; };
};
});
example = lib.literalExpression ''
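Review bot: The new `haproxy` option has no `default` and no `description`, so a stream written as a plain attribute set without the helper would fail evaluation on an undefined option, and the name does not say which direction it applies to. `Stream` and `ProxyStream` come from the helpers repo and presumably set it, but that is not visible here. I would write `haproxy = lib.mkOption { type = bool; default = false; description = "Send a PROXY protocol header to the internal server."; };` so the header is opt-in and documented. The submodule's options block starts above this hunk.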
@@ -157,7 +158,8 @@
listen ${builtins.toString stream.external}${
lib.optionalString (stream.protocol == "udp") " udp"
};
- proxy_pass ${builtins.toString stream.internal};
+ proxy_pass ${stream.internal};
+ ${if stream.haproxy then "proxy_protocol on;" else ""}
}
'') config.clicks.nginx.streams);
};
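Review bot: The added line spells the conditional as `if … then … else ""`, while the `listen` line just above already uses `lib.optionalString`; `${lib.optionalString stream.haproxy "proxy_protocol on;"}` does the same and matches it. Separately, `stream.internal` is declared as a plain `str` and is interpolated straight into `proxy_pass`, so a value containing `;` or a newline would add directives to the generated nginx config. A `strMatching` host:port pattern on the option, as `protocol` already has, would reject that at evaluation time. The enclosing function begins outside the hunk.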