# NixOS module for tailscale-nginx-auth: a socket-activated helper that a
# reverse proxy queries (over a Unix socket) to authenticate requests against
# the Tailscale identity of the caller. The module wires up the user/group,
# the listening socket, and a hardened systemd service.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    getExe
    maintainers
    mkEnableOption
    mkPackageOption
    mkIf
    mkOption
    types
    ;
  cfg = config.services.tailscaleAuth;
in
{
  options.services.tailscaleAuth = {
    enable = mkEnableOption "tailscale.nginx-auth, to authenticate users via tailscale";

    package = mkPackageOption pkgs "tailscale-nginx-auth" { };

    # The service runs as this user; it is also the owner of the socket.
    user = mkOption {
      type = types.str;
      default = "tailscale-nginx-auth";
      description = "User which runs tailscale-nginx-auth";
    };

    # Group owning the socket. Because the socket is created with mode 0660
    # (see socketConfig below), any consumer other than cfg.user — e.g. the
    # reverse proxy's own user — must be a member of this group to connect.
    # This module does not add any such member itself; the caller must.
    group = mkOption {
      type = types.str;
      default = "tailscale-nginx-auth";
      description = "Group which runs tailscale-nginx-auth";
    };

    # NOTE(review): the default lives inside the service's RuntimeDirectory
    # (/run/tailscale-nginx-auth). An overriding value pointing elsewhere is
    # not given a parent directory by this module — confirm the directory
    # exists (or is created by the socket unit) before relying on it.
    socketPath = mkOption {
      default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
      type = types.path;
      description = ''
        Path of the socket listening to authorization requests.
      '';
    };
  };

  config = mkIf cfg.enable {
    # The auth helper talks to the local tailscaled, so enabling this module
    # unconditionally enables the Tailscale service as well.
    services.tailscale.enable = true;

    users.users.${cfg.user} = {
      isSystemUser = true;
      inherit (cfg) group;
    };
    users.groups.${cfg.group} = { };

    # Socket activation: systemd holds the listening socket and starts the
    # service on first connection. Ownership/mode restrict who may connect.
    systemd.sockets.tailscale-nginx-auth = {
      description = "Tailscale NGINX Authentication socket";
      # Stopping/restarting the service propagates to the socket as well.
      partOf = [ "tailscale-nginx-auth.service" ];
      wantedBy = [ "sockets.target" ];
      listenStreams = [ cfg.socketPath ];
      socketConfig = {
        # rw for owner and group only; no access for other users on the host.
        SocketMode = "0660";
        SocketUser = cfg.user;
        SocketGroup = cfg.group;
      };
    };

    systemd.services.tailscale-nginx-auth = {
      description = "Tailscale NGINX Authentication service";
      requires = [ "tailscale-nginx-auth.socket" ];
      # Ordering only: no `wants`/`requires` on tailscaled here; the
      # services.tailscale.enable above is what guarantees it is present.
      after = [ "tailscaled.service" ];

      serviceConfig = {
        ExecStart = getExe cfg.package;
        # /run/tailscale-nginx-auth, created for the service and, by systemd's
        # default, removed when the unit is stopped (the default socketPath
        # lives inside it).
        RuntimeDirectory = "tailscale-nginx-auth";
        User = cfg.user;
        Group = cfg.group;

        # Bind-mount the tailscaled control socket into the service's mount
        # namespace — presumably the only path the helper needs in order to
        # query tailscaled for the caller's identity; TODO confirm.
        BindPaths = [ "/run/tailscale/tailscaled.sock" ];

        # Sandboxing. Together these drop every capability, deny device access,
        # forbid writable+executable memory, and hide host state (home dirs,
        # hostname, kernel logs/modules/tunables, cgroups, clock) from the
        # process. Most of these also imply NoNewPrivileges for a non-root
        # service.
        CapabilityBoundingSet = "";
        DeviceAllow = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        # Runs inside a user namespace, so even uid 0 inside is unprivileged.
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        # Only Unix-domain sockets may be created: the helper is reachable
        # solely via its activation socket and speaks to tailscaled over a
        # local socket, so it has no reason to open TCP/UDP sockets itself.
        RestrictAddressFamilies = [ "AF_UNIX" ];
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        # Syscall filter: allow the generic system-service set, then remove
        # groups an auth helper has no use for. Blocked calls fail with EPERM
        # rather than killing the process, so a stray call surfaces as an
        # error the daemon can log instead of a SIGSYS.
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [
          "@system-service"
          "~@cpu-emulation"
          "~@debug"
          "~@keyring"
          "~@memlock"
          "~@obsolete"
          "~@privileged"
          "~@setuid"
        ];

        Restart = "on-failure";
      };
    };
  };

  meta.maintainers = with maintainers; [
    dan-theriault
    phaer
  ];
}