WIP: envoy configuration

Author: jfroche

nix/systemConfigs.nix

@@ -1,9 +1,14 @@
  { self, inputs, ... }:
  let
    mkModules = system: [
+     self.systemModules.envoy
      ({
        services.nginx.enable = true;
        nixpkgs.hostPlatform = system;
++      supabase.services.envoy = {
++        enable = true;
++        enableTLS = true;
++      };
      })
    ];
 

nix/systemModules/default.nix

@@ -5,7 +5,7 @@
   imports = [ ./tests ];
   flake = {
     systemModules = {
-      envoy = ./envoy.nix;
+      envoy = ./envoy;
     };
   };
 }

nix/systemModules/envoy.nix

@@ -0,0 +1,19 @@
+[
+  {
+    name = "envoy.access_loggers.stdout";
+    filter = {
+      status_code_filter = {
+        comparison = {
+          op = "GE";
+          value = {
+            default_value = 400;
+            runtime_key = "unused";
+          };
+        };
+      };
+    };
+    typed_config = {
+      "@type" = "type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog";
+    };
+  }
+]

nix/systemModules/envoy/access_log.nix

@@ -0,0 +1,125 @@
+{
+  config = {
+    name = "admin_api";
+    load_assignment = {
+      cluster_name = "admin_api";
+      endpoints = [
+        {
+          lb_endpoints = [
+            {
+              endpoint = {
+                address = {
+                  socket_address = {
+                    address = "127.0.0.1";
+                    port_value = 8085;
+                  };
+                };
+              };
+            }
+          ];
+        }
+      ];
+    };
+    circuit_breakers = {
+      thresholds = [
+        {
+          priority = "DEFAULT";
+          max_connections = 10000;
+          max_pending_requests = 10000;
+          max_requests = 10000;
+          retry_budget = {
+            budget_percent = {
+              value = 100;
+            };
+            min_retry_concurrency = 100;
+          };
+        }
+      ];
+    };
+  };
+  routes = [
+    {
+      match = {
+        prefix = "/admin/v1/";
+      };
+      request_headers_to_remove = [ "sb-opk" ];
+      route = {
+        cluster = "admin_api";
+        prefix_rewrite = "/";
+        timeout = "600s";
+      };
+    }
+    {
+      match = {
+        prefix = "/customer/v1/privileged/";
+      };
+      request_headers_to_remove = [ "sb-opk" ];
+      route = {
+        cluster = "admin_api";
+        prefix_rewrite = "/privileged/";
+      };
+      typed_per_filter_config = {
+        "envoy.filters.http.rbac" = {
+          "@type" = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute";
+          rbac = {
+            rules = {
+              action = "DENY";
+              policies = {
+                basic_auth = {
+                  permissions = [ { any = true; } ];
+                  principals = [
+                    {
+                      header = {
+                        name = "authorization";
+                        invert_match = true;
+                        string_match = {
+                          exact = "Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5";
+                        };
+                        treat_missing_header_as_empty = true;
+                      };
+                    }
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+    }
+    {
+      match = {
+        prefix = "/metrics/aggregated";
+      };
+      request_headers_to_remove = [ "sb-opk" ];
+      route = {
+        cluster = "admin_api";
+        prefix_rewrite = "/supabase-internal/metrics";
+      };
+      typed_per_filter_config = {
+        "envoy.filters.http.rbac" = {
+          "@type" = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute";
+          rbac = {
+            rules = {
+              action = "DENY";
+              policies = {
+                not_private_ip = {
+                  permissions = [ { any = true; } ];
+                  principals = [
+                    {
+                      not_id = {
+                        direct_remote_ip = {
+                          address_prefix = "10.0.0.0";
+                          prefix_len = 8;
+                        };
+                      };
+                    }
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+    }
+  ];
+}

nix/systemModules/envoy/admin_api.nix

@@ -0,0 +1,125 @@
+{
+  lib,
+  nixosModulesPath,
+  self,
+  system,
+  config,
+  ...
+}:
+let
+  cfg = config.supabase.services.envoy;
+  services = [ (import ./admin_api.nix) ];
+  mkFilters = services: [
+    {
+      name = "envoy.filters.network.http_connection_manager";
+      typed_config = {
+        "@type" =
+          "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager";
+        access_log = import ./access_log.nix;
+        generate_request_id = false;
+        http_filters = import ./http_filters.nix;
+        local_reply_config = import ./local_reply_config.nix;
+        merge_slashes = true;
+        route_config = import ./route_config.nix {
+          inherit services;
+        };
+        stat_prefix = "ingress_http";
+      };
+    }
+  ];
+  filters = mkFilters services;
+in
+{
+  imports = map (path: nixosModulesPath + path) [
+    "/services/networking/envoy.nix"
+  ];
+
+  options = {
+    supabase.services.envoy = {
+      enable = lib.mkEnableOption "Envoy proxy";
+      enableTLS = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = ''
+          Whether to enable TLS support in Envoy.
+          If enabled, you must provide the TLS certificate and key files.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.envoy = {
+      enable = true;
+      package = self.packages.${system}.envoy-bin;
+      # We don't validate the config at build time if TLS is enabled,
+      # because it requires the TLS certificate and key files to be present.
+      requireValidConfig = !cfg.enableTLS;
+      settings = {
+        node = {
+          cluster = "cluster_0";
+          id = "node_0";
+        };
+        stats_config = {
+          stats_matcher = {
+            reject_all = true;
+          };
+        };
+        static_resources = {
+          clusters = map (cluster: cluster.config) services;
+          listeners = [
+            {
+              name = "http_listener";
+              address = {
+                socket_address = {
+                  address = "::";
+                  port_value = 80;
+                  ipv4_compat = true;
+                };
+              };
+              filter_chains = {
+                inherit filters;
+              };
+            }
+            (lib.mkIf cfg.enableTLS {
+              name = "https_listener";
+              address = {
+                socket_address = {
+                  address = "::";
+                  port_value = 443;
+                  ipv4_compat = true;
+                };
+              };
+              filter_chains = {
+                inherit filters;
+                transport_socket = {
+                  name = "envoy.transport_sockets.tls";
+                  typed_config = {
+                    "@type" = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext";
+                    common_tls_context = {
+                      tls_certificates = [
+                        {
+                          certificate_chain = {
+                            filename = "/etc/envoy/fullChain.pem";
+                          };
+                          private_key = {
+                            filename = "/etc/envoy/privKey.pem";
+                          };
+                        }
+                      ];
+                    };
+                  };
+                };
+              };
+            })
+          ];
+        };
+      };
+    };
+    systemd.services.envoy = {
+      wantedBy = lib.mkForce [
+        "system-manager.target"
+      ];
+    };
+  };
+}