nginxMainline: enable ktls support

[Izorkin]

Motivation for this change

Activate TLS encryption in kernel space for nginx Mainline.
This PR is required - #146983

Example nginx configuration:

  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
    virtualHosts."test.local" = {
      addSSL = true;
      forceSSL = false;
      enableACME = false;
      sslCertificate    = "/var/lib/cert/default.crt";
      sslCertificateKey = "/var/lib/cert/default.key";
      kTLS = true;
    };
  };

cc @ajs124 @Mic92

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 21.11 Release Notes (or backporting 21.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[Izorkin]

Updated PR.

[Izorkin]

Fixed nginx-variants tests.

[Izorkin]

Small fix.

[dasJ]

This does currently not fail the eval when I enable ktls and I'm not using the mainline package, or am I wrong here?

[Izorkin]

An error will occur at startup with these parameters:

  services.nginx = {
    enable = true;
    package = pkgs.nginxStable;
    virtualHosts."test.local" = {
      addSSL = true;
      forceSSL = false;
      enableACME = false;
      sslCertificate    = "/var/lib/cert/default.crt";
      sslCertificateKey = "/var/lib/cert/default.key";
      kTLS = true;
    };
  };

The eval is not affected by.

[dasJ]

Yeah sorry I think I was unclear with my statement there. I'd prefer if enabling ktls failed the eval instead of nginx starting because this can hint the user that something will break if they try to activate this option with their current choice of the nginx package.

[Izorkin]

I could not find a method to check the vhost.kTLS parameter.
Example error:

error: value is a string while a set was expected

       at /home/user/works/src/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix:939:35:

          938|
          939|     boot.kernelModules = optional vhost.kTLS [ "tls" ];
             |                                   ^
          940|
(use '--show-trace' to show detailed location information)

[Izorkin]

@dasJ added check for nginx version + kTLS.

[Izorkin]

cc @dasJ @ajs124 @Mic92

[Izorkin]

@ofborg eval

[Izorkin]

cc @ajs124 @dasJ @Mic92

[ajs124]

The diff LGTM, but I haven't done any real testing, so I'll not merge this right now. If anyone else does that testing, feel free to merge.

[7c6f434c]

It also looks like it should only break (if wrong) the new stuff if it is enabled, not the old stuff

[ncfavier]

2f66ac0 broke my config (see below). hasSSL means that you have SSL enabled, which is precisely what you don't want when using rejectSSL.

{
  services.nginx.virtualHosts.default = {
    default = true;
    rejectSSL = true;
    extraConfig = "return 444;";
  };
}

[lopsided98]

This breaks nginx on platforms without valgrind support (armv6l-linux in my case) because tengine transitively depends on valgrind. Even though tengine is not actually used by default, just evaluating it for the cfg.package != pkgs.tengine check triggers the unsupported platform error.