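# NixOS module for tailscale.nginx-auth: a socket-activated helper that lets a
# reverse proxy (NGINX) authenticate requests against the local Tailscale node.
{ config, lib, pkgs, ... }:

let
  inherit (lib)
    getExe
    maintainers
    mkEnableOption
    mkPackageOption
    mkIf
    mkOption
    types
    ;
  cfg = config.services.tailscaleAuth;
in
{
  options.services.tailscaleAuth = {
    # mkEnableOption prefixes "Whether to enable " to its argument, so the text
    # must not itself start with "Enable" (it used to render as
    # "Whether to enable Enable tailscale.nginx-auth, ...").
    enable = mkEnableOption "tailscale.nginx-auth, to authenticate users via tailscale.";

    package = mkPackageOption pkgs "tailscale-nginx-auth" {};

    user = mkOption {
      type = types.str;
      default = "tailscale-nginx-auth";
      description = "User which runs tailscale-nginx-auth";
    };

    group = mkOption {
      type = types.str;
      default = "tailscale-nginx-auth";
      description = "Group which runs tailscale-nginx-auth";
    };

    socketPath = mkOption {
      default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
      type = types.path;
      description = ''
        Path of the socket listening to authorization requests.
      '';
    };
  };

  config = mkIf cfg.enable {
    # The helper is only useful next to a running tailscaled on this host.
    services.tailscale.enable = true;

    # Dedicated unprivileged identity, shared by the socket and the service.
    users.users.${cfg.user} = {
      isSystemUser = true;
      inherit (cfg) group;
    };
    users.groups.${cfg.group} = { };

    # Socket activation: systemd owns the listening socket; the service unit is
    # not wanted by any target and is only started when a client connects.
    systemd.sockets.tailscale-nginx-auth = {
      description = "Tailscale NGINX Authentication socket";
      partOf = [ "tailscale-nginx-auth.service" ];
      wantedBy = [ "sockets.target" ];
      listenStreams = [ cfg.socketPath ];
      socketConfig = {
        # 0660 with this owner/group means only cfg.user and members of
        # cfg.group can connect. Nothing here adds the reverse proxy's user to
        # cfg.group; the deployer has to do that for the proxy to reach the socket.
        SocketMode = "0660";
        SocketUser = cfg.user;
        SocketGroup = cfg.group;
      };
    };

    systemd.services.tailscale-nginx-auth = {
      description = "Tailscale NGINX Authentication service";
      requires = [ "tailscale-nginx-auth.socket" ];
      # BindPaths below needs /run/tailscale/tailscaled.sock to exist when the
      # unit starts; ordering after the daemon keeps an early first connection
      # (e.g. at boot) from failing on a missing bind source.
      after = [ "tailscaled.service" ];

      serviceConfig = {
        ExecStart = getExe cfg.package;
        RuntimeDirectory = "tailscale-nginx-auth";
        User = cfg.user;
        Group = cfg.group;

        # The one host path exposed into the sandbox: the local tailscaled
        # socket (presumably used to look up the connecting peer -- confirm
        # against the tailscale-nginx-auth source).
        BindPaths = [ "/run/tailscale/tailscaled.sock" ];

        # Sandboxing: no capabilities, no device access, no new namespaces,
        # and only AF_UNIX sockets (the listener plus the tailscaled socket).
        CapabilityBoundingSet = "";
        DeviceAllow = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictAddressFamilies = [ "AF_UNIX" ];
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        # NOTE(review): ProtectSystem is not set, so the sandbox does not make
        # /usr, /etc or / read-only; the unprivileged user is the only barrier
        # there. ProtectSystem = "strict" looks applicable since the only
        # writable location needed is the declared RuntimeDirectory -- verify
        # against the service before enabling it.

        SystemCallArchitectures = "native";
        # Filtered syscalls fail with EPERM instead of killing the process.
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [
          "@system-service"
          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
        ];
      };
    };
  };

  meta.maintainers = with maintainers; [ dan-theriault phaer ];
}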