From aa847e484403bbba1572cee70c77854ce976ad5f Mon Sep 17 00:00:00 2001
From: Jason Volk <jason@zemos.net>
Date: Tue, 10 Mar 2026 01:09:36 +0000
Subject: [PATCH] Flatten conditional branches; eliminate unwrap().

Signed-off-by: Jason Volk <jason@zemos.net>
---
 src/router/serve.rs       | 83 +++++++++++++++++++--------------------
 src/router/serve/plain.rs | 13 +++---
 src/router/serve/tls.rs   | 34 +++++++---------
 3 files changed, 64 insertions(+), 66 deletions(-)

diff --git a/src/router/serve.rs b/src/router/serve.rs
index 2bd1240c..63b569f0 100644
--- a/src/router/serve.rs
+++ b/src/router/serve.rs
@@ -3,8 +3,6 @@ mod plain;
 mod tls;
 mod unix;
 
-#[cfg(all(feature = "systemd", target_os = "linux"))]
-use std::os::fd::FromRawFd;
 use std::{
 	net::{SocketAddr, TcpListener},
 	sync::{Arc, atomic::Ordering},
@@ -34,55 +32,32 @@ pub(super) async fn serve(services: Arc<Services>, handle: ServerHandle) -> Resu
 			.await?;
 	}
 
-	let mut listen_addrs: Vec<SocketAddr> = vec![];
+	let systemd_listeners: Vec<_> = systemd_listeners().collect();
+	let systemd_listeners_is_empty = systemd_listeners.is_empty();
+	let (listeners, addrs): (Vec<_>, Vec<_>) = config
+		.get_bind_addrs()
+		.into_iter()
+		.filter(|_| systemd_listeners_is_empty)
+		.map(|addr| {
+			let listener = TcpListener::bind(addr)
+				.expect("Failed to bind configured TcpListener to {addr:?}");
 
-	#[cfg(all(feature = "systemd", target_os = "linux"))]
-	let mut listeners: Vec<TcpListener> = if let Ok(fds) = sd_notify::listen_fds() {
-		fds.filter_map(|fd| {
-			// SAFETY: systemd should already take care of providing
-			// the correct TCP socket, so we just use it via raw fd
-			let listener = unsafe { TcpListener::from_raw_fd(fd) };
+			(listener, addr)
+		})
+		.chain(systemd_listeners)
+		.inspect(|(listener, _)| {
 			listener
 				.set_nonblocking(true)
 				.expect("Failed to set non-blocking");
-			if let Ok(addr) = listener.local_addr() {
-				listen_addrs.push(addr);
-				Some(listener)
-			} else {
-				None
-			}
 		})
-		.collect()
-	} else {
-		vec![]
-	};
-
-	#[cfg(not(all(feature = "systemd", target_os = "linux")))]
-	let mut listeners: Vec<TcpListener> = vec![];
-
-	let addrs = config.get_bind_addrs();
-
-	if !addrs.is_empty() && listeners.is_empty() {
-		listeners = addrs
-			.clone()
-			.into_iter()
-			.map(|addr| {
-				let listener = TcpListener::bind(addr).expect("Failed to bind {addr:?}");
-				listener
-					.set_nonblocking(true)
-					.expect("Failed to set non-blocking");
-				listen_addrs.push(addr);
-				listener
-			})
-			.collect();
-	}
+		.unzip();
 
 	#[cfg_attr(not(feature = "direct_tls"), expect(clippy::redundant_else))]
 	if config.tls.certs.is_some() {
 		#[cfg(feature = "direct_tls")]
 		{
 			services.globals.init_rustls_provider()?;
-			tls::serve(server, &app, &handle.handle_ip, &mut join_set, &listen_addrs, &listeners)
+			tls::serve(server, &app, &handle.handle_ip, &mut join_set, &listeners, &addrs)
 				.await?;
 		}
 
@@ -92,7 +67,7 @@ pub(super) async fn serve(services: Arc<Services>, handle: ServerHandle) -> Resu
 			"tuwunel was not built with direct TLS support (\"direct_tls\")"
 		));
 	} else {
-		plain::serve(server, &app, &handle.handle_ip, &mut join_set, &listen_addrs, &listeners);
+		plain::serve(server, &app, &handle.handle_ip, &mut join_set, &listeners, &addrs)?;
 	}
 
 	assert!(!join_set.is_empty(), "at least one listener should be installed");
@@ -114,10 +89,34 @@ pub(super) async fn serve(services: Arc<Services>, handle: ServerHandle) -> Resu
 			.requests_panic
 			.load(Ordering::Acquire),
 		handle_active,
-		"Stopped listening on {listen_addrs:?}",
+		"Stopped listening on {addrs:?}",
 	);
 
 	debug_assert_eq!(0, handle_active, "active request handles still pending");
 
 	Ok(())
 }
+
+#[cfg(all(feature = "systemd", target_os = "linux"))]
+fn systemd_listeners() -> impl Iterator<Item = (TcpListener, SocketAddr)> {
+	sd_notify::listen_fds()
+		.into_iter()
+		.flatten()
+		.filter_map(|fd| {
+			use std::os::fd::FromRawFd;
+
+			debug_assert!(fd >= 3, "fdno probably not a listener socket");
+			// SAFETY: systemd should already take care of providing
+			// the correct TCP socket, so we just use it via raw fd
+			let listener = unsafe { TcpListener::from_raw_fd(fd) };
+
+			let Ok(addr) = listener.local_addr() else {
+				return None;
+			};
+
+			Some((listener, addr))
+		})
+}
+
+#[cfg(any(not(feature = "systemd"), not(target_os = "linux")))]
+fn systemd_listeners() -> impl Iterator<Item = (TcpListener, SocketAddr)> { std::iter::empty() }
diff --git a/src/router/serve/plain.rs b/src/router/serve/plain.rs
index 9826d0f5..91ffc10b 100644
--- a/src/router/serve/plain.rs
+++ b/src/router/serve/plain.rs
@@ -6,26 +6,29 @@ use std::{
 use axum::Router;
 use axum_server::Handle;
 use tokio::task::JoinSet;
-use tuwunel_core::{Server, info};
+use tuwunel_core::{Result, Server, info};
 
 pub(super) fn serve(
 	server: &Arc<Server>,
 	router: &Router,
 	handle: &Handle<SocketAddr>,
 	join_set: &mut JoinSet<Result<(), std::io::Error>>,
+	listeners: &[TcpListener],
 	addrs: &[SocketAddr],
-	listeners: &Vec<TcpListener>,
-) {
+) -> Result {
 	let router = router
 		.clone()
 		.into_make_service_with_connect_info::<SocketAddr>();
+
 	for listener in listeners {
-		let acceptor = axum_server::from_tcp(listener.try_clone().unwrap())
-			.unwrap()
+		let acceptor = axum_server::from_tcp(listener.try_clone()?)?
 			.handle(handle.clone())
 			.serve(router.clone());
+
 		join_set.spawn_on(acceptor, server.runtime());
 	}
 
 	info!("Listening on {addrs:?}");
+
+	Ok(())
 }
diff --git a/src/router/serve/tls.rs b/src/router/serve/tls.rs
index d11e7d5e..bd599a0e 100644
--- a/src/router/serve/tls.rs
+++ b/src/router/serve/tls.rs
@@ -14,8 +14,8 @@ pub(super) async fn serve(
 	app: &Router,
 	handle: &Handle<SocketAddr>,
 	join_set: &mut JoinSet<core::result::Result<(), std::io::Error>>,
+	listeners: &[TcpListener],
 	addrs: &[SocketAddr],
-	listeners: &Vec<TcpListener>,
 ) -> Result {
 	let tls = &server.config.tls;
 	let certs = tls.certs.as_ref().unwrap();
@@ -35,17 +35,15 @@ pub(super) async fn serve(
 		.into_make_service_with_connect_info::<SocketAddr>();
 	if tls.dual_protocol {
 		for listener in listeners {
-			join_set.spawn_on(
-				axum_server_dual_protocol::from_tcp_dual_protocol(
-					listener.try_clone().unwrap(),
-					conf.clone(),
-				)
-				.unwrap()
-				.set_upgrade(false)
-				.handle(handle.clone())
-				.serve(app.clone()),
-				server.runtime(),
-			);
+			let acceptor = axum_server_dual_protocol::from_tcp_dual_protocol(
+				listener.try_clone()?,
+				conf.clone(),
+			)?
+			.set_upgrade(false)
+			.handle(handle.clone())
+			.serve(app.clone());
+
+			join_set.spawn_on(acceptor, server.runtime());
 		}
 
 		warn!(
@@ -54,13 +52,11 @@ pub(super) async fn serve(
 		);
 	} else {
 		for listener in listeners {
-			join_set.spawn_on(
-				axum_server::from_tcp_rustls(listener.try_clone().unwrap(), conf.clone())
-					.unwrap()
-					.handle(handle.clone())
-					.serve(app.clone()),
-				server.runtime(),
-			);
+			let acceptor = axum_server::from_tcp_rustls(listener.try_clone()?, conf.clone())?
+				.handle(handle.clone())
+				.serve(app.clone());
+
+			join_set.spawn_on(acceptor, server.runtime());
 		}
 
 		info!("Listening on {addrs:?} with TLS certificate {certs}");