kookie
/
nomicon
1
0
Fork 0
Code Issues Projects Releases 1 Activity

nixos/envoy: init

Browse Source
main
Cameron Nemo 3 years ago
parent 666a90e29d
commit 1b4b16e1bd
7 changed files with 131 additions and 2 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 7
      nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
  2. 2
      nixos/doc/manual/release-notes/rl-2205.section.md
  3. 1
      nixos/modules/module-list.nix
  4. 84
      nixos/modules/services/networking/envoy.nix
  5. 1
      nixos/tests/all-tests.nix
  6. 33
      nixos/tests/envoy.nix
  7. 5
      pkgs/servers/http/envoy/default.nix

7
nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
Unescape View File

@ -1525,6 +1525,13 @@
configuration.
</para>
</listitem>
<listitem>
<para>
A new module was added for the Envoy reverse proxy, providing
the options <literal>services.envoy.enable</literal> and
<literal>services.envoy.settings</literal>.
</para>
</listitem>
<listitem>
<para>
The option <literal>services.duplicati.dataDir</literal> has

2
nixos/doc/manual/release-notes/rl-2205.section.md
Unescape View File

@ -541,6 +541,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
- A new module was added for the Envoy reverse proxy, providing the options `services.envoy.enable` and `services.envoy.settings`.
- The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.
- The options `boot.extraModprobeConfig` and `boot.blacklistedKernelModules` now also take effect in the initrd by copying the file `/etc/modprobe.d/nixos.conf` into the initrd.

1
nixos/modules/module-list.nix
Unescape View File

@ -753,6 +753,7 @@
./services/networking/ncdns.nix
./services/networking/nomad.nix
./services/networking/ejabberd.nix
./services/networking/envoy.nix
./services/networking/epmd.nix
./services/networking/ergo.nix
./services/networking/ergochat.nix

84
nixos/modules/services/networking/envoy.nix
Unescape View File

@ -0,0 +1,84 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.envoy;
format = pkgs.formats.json { };
conf = format.generate "envoy.json" cfg.settings;
validateConfig = file:
pkgs.runCommand "validate-envoy-conf" { } ''
${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}"
cp "${file}" "$out"
'';
in
{
options.services.envoy = {
enable = mkEnableOption "Envoy reverse proxy";
settings = mkOption {
type = format.type;
default = { };
example = literalExpression ''
{
admin = {
access_log_path = "/dev/null";
address = {
socket_address = {
protocol = "TCP";
address = "127.0.0.1";
port_value = 9901;
};
};
};
static_resources = {
listeners = [];
clusters = [];
};
}
'';
description = ''
Specify the configuration for Envoy in Nix.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.envoy ];
systemd.services.envoy = {
description = "Envoy reverse proxy";
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}";
DynamicUser = true;
Restart = "no";
CacheDirectory = "envoy";
LogsDirectory = "envoy";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP";
SystemCallArchitectures = "native";
LockPersonality = true;
RestrictNamespaces = true;
RestrictRealtime = true;
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "ptraceable";
ProtectHostname = true;
ProtectSystem = "strict";
UMask = "0066";
SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation";
};
};
};
}

1
nixos/tests/all-tests.nix
Unescape View File

@ -142,6 +142,7 @@ in
engelsystem = handleTest ./engelsystem.nix {};
enlightenment = handleTest ./enlightenment.nix {};
env = handleTest ./env.nix {};
envoy = handleTest ./envoy.nix {};
ergo = handleTest ./ergo.nix {};
ergochat = handleTest ./ergochat.nix {};
etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; };

33
nixos/tests/envoy.nix
Unescape View File

@ -0,0 +1,33 @@
import ./make-test-python.nix ({ pkgs, lib, ...} : {
name = "envoy";
meta = with pkgs.lib.maintainers; {
maintainers = [ cameronnemo ];
};
nodes.machine = { pkgs, ... }: {
services.envoy.enable = true;
services.envoy.settings = {
admin = {
access_log_path = "/dev/null";
address = {
socket_address = {
protocol = "TCP";
address = "127.0.0.1";
port_value = 9901;
};
};
};
static_resources = {
listeners = [];
clusters = [];
};
};
};
testScript = ''
machine.start()
machine.wait_for_unit("envoy.service")
machine.wait_for_open_port(9901)
machine.wait_until_succeeds("curl -fsS localhost:9901/ready")
'';
})

5
pkgs/servers/http/envoy/default.nix
Unescape View File

@ -127,8 +127,9 @@ buildBazelPackage rec {
];
passthru.tests = {
# No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
inherit (nixosTests) pomerium;
envoy = nixosTests.envoy;
# tested as a core component of Pomerium
pomerium = nixosTests.pomerium;
};
meta = with lib; {

Write Preview
Loading…
Cancel
Save