diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index b4a33777851..3e4bd867d1b 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1525,6 +1525,13 @@
configuration.
+
+
+ A new module was added for the Envoy reverse proxy, providing
+ the options services.envoy.enable and
+ services.envoy.settings.
+
+
The option services.duplicati.dataDir has
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 560d80514d6..97d7ed3eabe 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -541,6 +541,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
+- A new module was added for the Envoy reverse proxy, providing the options `services.envoy.enable` and `services.envoy.settings`.
+
- The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.
- The options `boot.extraModprobeConfig` and `boot.blacklistedKernelModules` now also take effect in the initrd by copying the file `/etc/modprobe.d/nixos.conf` into the initrd.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c4958c36ea0..ce6ceb1bfb9 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -753,6 +753,7 @@
./services/networking/ncdns.nix
./services/networking/nomad.nix
./services/networking/ejabberd.nix
+ ./services/networking/envoy.nix
./services/networking/epmd.nix
./services/networking/ergo.nix
./services/networking/ergochat.nix
diff --git a/nixos/modules/services/networking/envoy.nix b/nixos/modules/services/networking/envoy.nix
new file mode 100644
index 00000000000..b7f859c73d9
--- /dev/null
+++ b/nixos/modules/services/networking/envoy.nix
@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.envoy;
+ format = pkgs.formats.json { };
+ conf = format.generate "envoy.json" cfg.settings;
+ validateConfig = file:
+ pkgs.runCommand "validate-envoy-conf" { } ''
+ ${pkgs.envoy}/bin/envoy --log-level error --mode validate -c "${file}"
+ cp "${file}" "$out"
+ '';
+
+in
+
+{
+ options.services.envoy = {
+ enable = mkEnableOption "Envoy reverse proxy";
+
+ settings = mkOption {
+ type = format.type;
+ default = { };
+ example = literalExpression ''
+ {
+ admin = {
+ access_log_path = "/dev/null";
+ address = {
+ socket_address = {
+ protocol = "TCP";
+ address = "127.0.0.1";
+ port_value = 9901;
+ };
+ };
+ };
+ static_resources = {
+ listeners = [];
+ clusters = [];
+ };
+ }
+ '';
+ description = ''
+ Specify the configuration for Envoy in Nix.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.envoy ];
+ systemd.services.envoy = {
+ description = "Envoy reverse proxy";
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.envoy}/bin/envoy -c ${validateConfig conf}";
+ DynamicUser = true;
+ Restart = "no";
+ CacheDirectory = "envoy";
+ LogsDirectory = "envoy";
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_XDP";
+ SystemCallArchitectures = "native";
+ LockPersonality = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "ptraceable";
+ ProtectHostname = true;
+ ProtectSystem = "strict";
+ UMask = "0066";
+ SystemCallFilter = "~@clock @module @mount @reboot @swap @obsolete @cpu-emulation";
+ };
+ };
+ };
+}
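Review bot: The `settings` option's `description = ''` block does not warn that the rendered configuration lands in the world-readable Nix store: `format.generate "envoy.json" cfg.settings` in the `let` block writes it there, and `ExecStart` references that path, so any TLS private key or credential inlined under `services.envoy.settings` becomes readable by every local user. I would extend the description to `Specify the configuration for Envoy in Nix. The generated file is stored in the world-readable Nix store, so reference secrets (TLS keys, credentials) by file path instead of inlining them.`. Separately, `UMask = "0066"` still leaves the execute/search bit for group and other on anything Envoy creates under its cache and log directories; `UMask = "0077"` would be the usual hardening choice unless something is known to depend on traversal. `Restart = "no"` also looks deliberate but undocumented for a long-running proxy; a short comment on why the unit should not be restarted would help the next reader.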
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ffccb6b4466..9f0ecf74763 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -142,6 +142,7 @@ in
engelsystem = handleTest ./engelsystem.nix {};
enlightenment = handleTest ./enlightenment.nix {};
env = handleTest ./env.nix {};
+ envoy = handleTest ./envoy.nix {};
ergo = handleTest ./ergo.nix {};
ergochat = handleTest ./ergochat.nix {};
etc = pkgs.callPackage ../modules/system/etc/test.nix { inherit evalMinimalConfig; };
diff --git a/nixos/tests/envoy.nix b/nixos/tests/envoy.nix
new file mode 100644
index 00000000000..9d2c32ce102
--- /dev/null
+++ b/nixos/tests/envoy.nix
@@ -0,0 +1,33 @@
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
+ name = "envoy";
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ cameronnemo ];
+ };
+
+ nodes.machine = { pkgs, ... }: {
+ services.envoy.enable = true;
+ services.envoy.settings = {
+ admin = {
+ access_log_path = "/dev/null";
+ address = {
+ socket_address = {
+ protocol = "TCP";
+ address = "127.0.0.1";
+ port_value = 9901;
+ };
+ };
+ };
+ static_resources = {
+ listeners = [];
+ clusters = [];
+ };
+ };
+ };
+
+ testScript = ''
+ machine.start()
+ machine.wait_for_unit("envoy.service")
+ machine.wait_for_open_port(9901)
+ machine.wait_until_succeeds("curl -fsS localhost:9901/ready")
+ '';
+})
diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix
index 0c5038898ea..64565a57ff9 100644
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -127,8 +127,9 @@ buildBazelPackage rec {
];
passthru.tests = {
- # No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
- inherit (nixosTests) pomerium;
+ envoy = nixosTests.envoy;
+ # tested as a core component of Pomerium
+ pomerium = nixosTests.pomerium;
};
meta = with lib; {