From 0405f0270c15bb288489b584fc29bac0a196573a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Wed, 29 Jan 2025 00:23:43 +0100 Subject: [PATCH] nixos/tailscale-derper: drop nginx upstream to improve reliability When I initially tested this, the upstream seemed a good idea and worked as expected but it no longer does and disconnects clients every 60 seconds indicated by the following line in tailscaled on the client: magicsock: [0xc00444a640] derp.Recv(derp-901): derp.Recv: EOF By connecting directly things work more reliable and there are no connection resets every 60 seconds anymore.
---
 nixos/modules/services/networking/tailscale-derper.nix | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/nixos/modules/services/networking/tailscale-derper.nix b/nixos/modules/services/networking/tailscale-derper.nix
index 9549cc5c6640..43a898465ef2 100644
--- a/nixos/modules/services/networking/tailscale-derper.nix
+++ b/nixos/modules/services/networking/tailscale-derper.nix
@@ -68,16 +68,10 @@ in
 services = {
 nginx = {
 enable = true;
- upstreams.tailscale-derper = {
- servers."127.0.0.1:${toString cfg.port}" = { };
- extraConfig = ''
- keepalive 64;
- '';
- };
 virtualHosts."${cfg.domain}" = {
 addSSL = true; # this cannot be forceSSL as derper sends some information over port 80, too.
 locations."/" = {
- proxyPass = "http://tailscale-derper";
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
 proxyWebsockets = true;
 extraConfig = ''
 keepalive_timeout 0;
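Review bot: The new `proxyPass = "http://127.0.0.1:${toString cfg.port}";` line has no comment recording why the upstream block was removed, so a later cleanup could reintroduce it to regain the keepalive pool. I would add `# proxy to derper directly: going through an nginx upstream with keepalive reset client connections every 60 seconds` above it. Because nginx terminates TLS here and forwards to a plain-HTTP backend, it is also worth confirming that derper listens only on loopback for `cfg.port`; the listen address is not visible in this hunk, so this is a question rather than a finding. The `locations."/"` attribute set and its `extraConfig` string continue past the end of the hunk.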