Merge pull request #293954 from Dan-Theriault/refactor-tailscale-auth
commit
f417891699
@ -1166,6 +1166,7 @@
|
|||||||
./services/networking/syncthing-relay.nix
|
./services/networking/syncthing-relay.nix
|
||||||
./services/networking/syncthing.nix
|
./services/networking/syncthing.nix
|
||||||
./services/networking/tailscale.nix
|
./services/networking/tailscale.nix
|
||||||
|
./services/networking/tailscale-auth.nix
|
||||||
./services/networking/tayga.nix
|
./services/networking/tayga.nix
|
||||||
./services/networking/tcpcrypt.nix
|
./services/networking/tcpcrypt.nix
|
||||||
./services/networking/teamspeak3.nix
|
./services/networking/teamspeak3.nix
|
||||||
|
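--- /dev/null
+++ b/nixos/modules/services/networking/tailscale-auth.nix
@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib)
+    getExe
+    maintainers
+    mkEnableOption
+    mkPackageOption
+    mkIf
+    mkOption
+    types
+  ;
+  cfg = config.services.tailscaleAuth;
+in
+{
+  options.services.tailscaleAuth = {
+    enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate users via tailscale.";
+
+    package = mkPackageOption pkgs "tailscale-nginx-auth" {};
+
+    user = mkOption {
+      type = types.str;
+      default = "tailscale-nginx-auth";
+      description = "User which runs tailscale-nginx-auth";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "tailscale-nginx-auth";
+      description = "Group which runs tailscale-nginx-auth";
+    };
+
+    socketPath = mkOption {
+      default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
+      type = types.path;
+      description = ''
+        Path of the socket listening to authorization requests.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.tailscale.enable = true;
+
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      inherit (cfg) group;
+    };
+    users.groups.${cfg.group} = { };
+
+    systemd.sockets.tailscale-nginx-auth = {
+      description = "Tailscale NGINX Authentication socket";
+      partOf = [ "tailscale-nginx-auth.service" ];
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ cfg.socketPath ];
+      socketConfig = {
+        SocketMode = "0660";
+        SocketUser = cfg.user;
+        SocketGroup = cfg.group;
+      };
+    };
+
+    systemd.services.tailscale-nginx-auth = {
+      description = "Tailscale NGINX Authentication service";
+      requires = [ "tailscale-nginx-auth.socket" ];
+
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        RuntimeDirectory = "tailscale-nginx-auth";
+        User = cfg.user;
+        Group = cfg.group;
+
+        BindPaths = [ "/run/tailscale/tailscaled.sock" ];
+
+        CapabilityBoundingSet = "";
+        DeviceAllow = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictAddressFamilies = [ "AF_UNIX" ];
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [
+          "@system-service"
+          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
+        ];
+      };
+    };
+  };
+
+  meta.maintainers = with maintainers; [ dan-theriault phaer ];
+}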
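Review bot: The `enable` option text in the new module is passed to `mkEnableOption`, which already prefixes "Whether to enable", so the rendered description reads "Whether to enable Enable tailscale.nginx-auth, …" with a doubled verb and a stray trailing period; write `enable = mkEnableOption "tailscale.nginx-auth, to authenticate users via tailscale";`. The `group` and `socketPath` descriptions should also state the access contract the socket unit establishes: the socket is created with `SocketMode = "0660"` owned by `user`:`group`, so only members of `group` can submit authorization requests, and anything proxying to `socketPath` has to be added to that group (as the nginx module does); e.g. `description = "Group which runs tailscale-nginx-auth; members may connect to the authorization socket";`. The hardening block is otherwise thorough, but it sets no `ProtectSystem`; unless the binary needs to write outside `RuntimeDirectory`, which I cannot tell from here, `ProtectSystem = "strict";` next to `ProtectHome` would make the filesystem read-only for the service as well.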
@ -1,28 +1,29 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
let
|
||||||
|
inherit (lib)
|
||||||
|
genAttrs
|
||||||
|
maintainers
|
||||||
|
mkAliasOptionModule
|
||||||
|
mkEnableOption
|
||||||
|
mkIf
|
||||||
|
mkOption
|
||||||
|
types
|
||||||
|
;
|
||||||
cfg = config.services.nginx.tailscaleAuth;
|
cfg = config.services.nginx.tailscaleAuth;
|
||||||
|
cfgAuth = config.services.tailscaleAuth;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
imports = [
|
||||||
|
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "package" ] [ "services" "tailscaleAuth" "package" ])
|
||||||
|
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "user" ] [ "services" "tailscaleAuth" "user" ])
|
||||||
|
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "group" ] [ "services" "tailscaleAuth" "group" ])
|
||||||
|
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "socketPath" ] [ "services" "tailscaleAuth" "socketPath" ])
|
||||||
|
];
|
||||||
|
|
||||||
options.services.nginx.tailscaleAuth = {
|
options.services.nginx.tailscaleAuth = {
|
||||||
enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale.";
|
enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale.";
|
||||||
|
|
||||||
package = lib.mkPackageOptionMD pkgs "tailscale-nginx-auth" {};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "tailscale-nginx-auth";
|
|
||||||
description = "User which runs tailscale-nginx-auth";
|
|
||||||
};
|
|
||||||
|
|
||||||
group = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "tailscale-nginx-auth";
|
|
||||||
description = "Group which runs tailscale-nginx-auth";
|
|
||||||
};
|
|
||||||
|
|
||||||
expectedTailnet = mkOption {
|
expectedTailnet = mkOption {
|
||||||
default = "";
|
default = "";
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
@ -33,14 +34,6 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
socketPath = mkOption {
|
|
||||||
default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
|
|
||||||
type = types.path;
|
|
||||||
description = ''
|
|
||||||
Path of the socket listening to nginx authorization requests.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualHosts = mkOption {
|
virtualHosts = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [];
|
default = [];
|
||||||
@ -51,67 +44,14 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.tailscale.enable = true;
|
services.tailscaleAuth.enable = true;
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
|
|
||||||
users.users.${cfg.user} = {
|
users.users.${config.services.nginx.user}.extraGroups = [ cfgAuth.group ];
|
||||||
isSystemUser = true;
|
|
||||||
inherit (cfg) group;
|
|
||||||
};
|
|
||||||
users.groups.${cfg.group} = { };
|
|
||||||
users.users.${config.services.nginx.user}.extraGroups = [ cfg.group ];
|
|
||||||
systemd.sockets.tailscale-nginx-auth = {
|
|
||||||
description = "Tailscale NGINX Authentication socket";
|
|
||||||
partOf = [ "tailscale-nginx-auth.service" ];
|
|
||||||
wantedBy = [ "sockets.target" ];
|
|
||||||
listenStreams = [ cfg.socketPath ];
|
|
||||||
socketConfig = {
|
|
||||||
SocketMode = "0660";
|
|
||||||
SocketUser = cfg.user;
|
|
||||||
SocketGroup = cfg.group;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
systemd.services.tailscale-nginx-auth = {
|
systemd.services.tailscale-nginx-auth = {
|
||||||
description = "Tailscale NGINX Authentication service";
|
|
||||||
after = [ "nginx.service" ];
|
after = [ "nginx.service" ];
|
||||||
wants = [ "nginx.service" ];
|
wants = [ "nginx.service" ];
|
||||||
requires = [ "tailscale-nginx-auth.socket" ];
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${lib.getExe cfg.package}";
|
|
||||||
RuntimeDirectory = "tailscale-nginx-auth";
|
|
||||||
User = cfg.user;
|
|
||||||
Group = cfg.group;
|
|
||||||
|
|
||||||
BindPaths = [ "/run/tailscale/tailscaled.sock" ];
|
|
||||||
|
|
||||||
CapabilityBoundingSet = "";
|
|
||||||
DeviceAllow = "";
|
|
||||||
LockPersonality = true;
|
|
||||||
MemoryDenyWriteExecute = true;
|
|
||||||
PrivateDevices = true;
|
|
||||||
PrivateUsers = true;
|
|
||||||
ProtectClock = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictAddressFamilies = [ "AF_UNIX" ];
|
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
SystemCallErrorNumber = "EPERM";
|
|
||||||
SystemCallFilter = [
|
|
||||||
"@system-service"
|
|
||||||
"~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts = genAttrs
|
services.nginx.virtualHosts = genAttrs
|
||||||
@ -121,7 +61,7 @@ in
|
|||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
internal;
|
internal;
|
||||||
|
|
||||||
proxy_pass http://unix:${cfg.socketPath};
|
proxy_pass http://unix:${cfgAuth.socketPath};
|
||||||
proxy_pass_request_body off;
|
proxy_pass_request_body off;
|
||||||
|
|
||||||
# Upstream uses $http_host here, but we are using gixy to check nginx configurations
|
# Upstream uses $http_host here, but we are using gixy to check nginx configurations
|
||||||
|