# NixOS module for tailscale-nginx-auth: a socket-activated daemon that
# authenticates users via tailscale on behalf of NGINX. NGINX reaches it over
# a unix socket, and the daemon in turn talks to the local tailscaled over
# /run/tailscale/tailscaled.sock; nothing here listens on a network interface.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.tailscaleAuth;
  inherit (lib) types;
in
{
  options = {
    services.tailscaleAuth = {
      enable = lib.mkEnableOption "tailscale.nginx-auth, to authenticate users via tailscale";

      package = lib.mkPackageOption pkgs "tailscale-nginx-auth" { };

      # Dedicated unprivileged identity for the daemon; the socket is owned by
      # the same user/group (see SocketUser/SocketGroup below).
      user = lib.mkOption {
        type = types.str;
        default = "tailscale-nginx-auth";
        description = "User which runs tailscale-nginx-auth";
      };

      group = lib.mkOption {
        type = types.str;
        default = "tailscale-nginx-auth";
        description = "Group which runs tailscale-nginx-auth";
      };

      # Default lives under the unit's RuntimeDirectory, so the directory is
      # created (and cleaned up) by systemd rather than by the daemon.
      socketPath = lib.mkOption {
        default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
        type = types.path;
        description = ''
          Path of the socket listening to authorization requests.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # The daemon cannot do anything without a running tailscaled.
    services.tailscale.enable = true;

    users = {
      users.${cfg.user} = {
        isSystemUser = true;
        group = cfg.group;
      };
      groups.${cfg.group} = { };
    };

    systemd = {
      sockets.tailscale-nginx-auth = {
        description = "Tailscale NGINX Authentication socket";
        partOf = [ "tailscale-nginx-auth.service" ];
        wantedBy = [ "sockets.target" ];
        listenStreams = [ cfg.socketPath ];
        # 0660 means only cfg.user and members of cfg.group may connect.
        # NOTE(review): this module does not add the nginx user to cfg.group;
        # the consuming configuration has to grant that membership itself.
        socketConfig = {
          SocketMode = "0660";
          SocketUser = cfg.user;
          SocketGroup = cfg.group;
        };
      };

      services.tailscale-nginx-auth = {
        description = "Tailscale NGINX Authentication service";
        requires = [ "tailscale-nginx-auth.socket" ];

        serviceConfig = {
          ExecStart = lib.getExe cfg.package;
          RuntimeDirectory = "tailscale-nginx-auth";
          User = cfg.user;
          Group = cfg.group;

          # The only path the daemon needs besides its own runtime directory:
          # the tailscaled control socket, bound into the service's namespace.
          BindPaths = [ "/run/tailscale/tailscaled.sock" ];

          # Sandboxing. The process keeps no capabilities, sees no devices,
          # and may only use unix-domain sockets, which covers both the
          # activation socket and tailscaled.sock.
          # NOTE(review): ProtectSystem/ProtectProc are not set here; consider
          # `ProtectSystem = "strict"` once it is confirmed the daemon writes
          # only under its RuntimeDirectory.
          CapabilityBoundingSet = "";
          DeviceAllow = "";
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          RestrictNamespaces = true;
          RestrictAddressFamilies = [ "AF_UNIX" ];
          RestrictRealtime = true;
          RestrictSUIDSGID = true;

          # Syscall filter: allow the @system-service set minus the groups
          # below. Filtered calls fail with EPERM rather than killing the
          # process, so a stray call surfaces as an error in the daemon's log
          # instead of a SIGSYS crash.
          SystemCallArchitectures = "native";
          SystemCallErrorNumber = "EPERM";
          SystemCallFilter = [
            "@system-service"
            "~@cpu-emulation"
            "~@debug"
            "~@keyring"
            "~@memlock"
            "~@obsolete"
            "~@privileged"
            "~@setuid"
          ];
        };
      };
    };
  };

  meta.maintainers = [
    lib.maintainers.dan-theriault
    lib.maintainers.phaer
  ];
}