From e4cc002f6f1f38b3d4e756fd2ff0cc3afd7cbdfa Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sat, 12 Oct 2024 11:54:46 +0200
Subject: [PATCH] feat(nginx): Use proxy_protocol for sni redirection

WARNING: This alone does not work, we need to set the real ip based on http://nginx.org/en/docs/stream/ngx_stream_realip_module.html Which is not feasible right now without causing an infinite loop during eval
---
 machines/compute01/pages.nix | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/machines/compute01/pages.nix b/machines/compute01/pages.nix
index 1375e9b..10a432d 100644
--- a/machines/compute01/pages.nix
+++ b/machines/compute01/pages.nix
@@ -69,19 +69,33 @@ in
     };
     services.nginx = {
+      defaultListen = [
+        {
+          addr = "127.0.0.1";
+          port = 8446;
+          ssl = true;
+          proxyProtocol = true;
+        }
+        {
+          addr = "0.0.0.0";
+          ssl = false;
+        }
+      ];
       streamConfig = ''
         map $ssl_preread_server_name $sni_upstream {
-          hostnames;
           default 127.0.0.1:8010;
-          ${lib.concatMapStringsSep "\n" (vhost: " ${vhost} 127.0.0.1:8446;") (
-            lib.attrNames config.services.nginx.virtualHosts
-          )}
+          ${
+            lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
+              lib.attrNames config.services.nginx.virtualHosts
+            )
+          }
         }
         server {
           listen 443;
           ssl_preread on;
           proxy_pass $sni_upstream;
+          proxy_protocol on;
         }
       '';