···
+
cfg = config.services.pangolin;
+
format = pkgs.formats.yaml { };
+
finalSettings = lib.attrsets.recursiveUpdate pangolinConf cfg.settings;
+
cfgFile = format.generate "config.yml" finalSettings;
+
# override the type to allow for optionality
+
nullOrOpt = t: lib.types.nullOr t // { _optional = true; };
+
gerbil-wg0-fix-script = pkgs.writeShellApplication {
+
name = "gerbil-wg0-fix-script";
+
runtimeInputs = with pkgs; [
+
# will not work if the interface is renamed
+
# https://github.com/fosrl/newt/issues/37#issuecomment-3193385911
+
if [ ! -f /var/lib/pangolin/config/wg0 ]; then
+
touch /var/lib/pangolin/config/wg0
+
systemctl restart gerbil --no-block
+
app.dashboard_url = "https://${cfg.dashboardDomain}";
+
base_domain = cfg.baseDomain;
+
prefer_wildcard_cert = false;
+
integration_port = 3004;
+
# needs to be set, otherwise this fails silently
+
# see https://github.com/fosrl/newt/issues/37
+
internal_hostname = "localhost";
+
gerbil.base_endpoint = cfg.dashboardDomain;
+
flags.enable_integration_api = false;
+
enable = lib.mkEnableOption "Pangolin reverse proxy server";
+
package = lib.mkPackageOption pkgs "fosrl-pangolin" { };
+
settings = lib.mkOption {
+
Additional attributes to be merged with the configuration options and written to Pangolin's `config.yml` file.
+
prefer_wildcard_cert = true;
+
openFirewall = lib.mkEnableOption "opening TCP ports 80 and 443, and UDP port 51820 in the firewall for the Pangolin service(s)";
+
baseDomain = lib.mkOption {
+
type = with lib.types; nullOr str;
+
Your base fully qualified domain name (without any subdomains).
+
example = "example.com";
+
dashboardDomain = lib.mkOption {
+
default = if (isNull cfg.baseDomain) then "" else "pangolin.${cfg.baseDomain}";
+
defaultText = "pangolin.\${config.services.pangolin.baseDomain}";
+
The domain where the application will be hosted. This is used for many things, including generating links. You can run Pangolin on a subdomain or root domain. Do not prefix with `http` or `https`.
+
example = "auth.example.com";
+
letsEncryptEmail = lib.mkOption {
+
type = with lib.types; nullOr str;
+
default = config.security.acme.defaults.email;
+
defaultText = lib.literalExpression "config.security.acme.defaults.email";
+
An email address for SSL certificate registration with Let's Encrypt. This should be an email you have access to.
+
# this assumes that all domains are hosted by the same provider
+
dnsProvider = lib.mkOption {
+
type = nullOrOpt lib.types.str;
+
The DNS provider Traefik will request wildcard certificates from. See the [Traefik Documentation](https://doc.traefik.io/traefik/https/acme/#providers) for more information.
+
# provide path to file to keep secrets out of the nix store
+
environmentFile = lib.mkOption {
+
type = with lib.types; nullOr path;
+
Path to a file containing sensitive environment variables for Pangolin. See the [Pangolin Documentation](https://docs.fossorial.io/Pangolin/Configuration/config) for more information.
+
These will overwrite anything defined in the config.
+
The file should contain environment-variable assignments like:
+
SERVER_SECRET=1234567890abc
+
example = "/etc/nixos/secrets/pangolin.env";
+
dataDir = lib.mkOption {
+
default = "/var/lib/pangolin";
+
example = "/srv/pangolin";
+
description = "Path to variable state data directory for Pangolin.";
+
Specifies the port to listen on for Gerbil.
+
environmentFile = lib.mkOption {
+
type = nullOrOpt lib.types.path;
+
Path to a file containing sensitive environment variables for Gerbil. See the [Gerbil Documentation](https://docs.fossorial.io/Pangolin/Configuration/config) for more information.
+
These will overwrite anything defined in the config.
+
example = "/etc/nixos/secrets/gerbil.env";
+
config = lib.mkIf cfg.enable {
+
(lib.mapAttrsToList (name: value: {
+
# check if the value is optional by looking at the type
+
assertion = (value == null) -> options.services.pangolin."${name}".type._optional or false;
+
message = "services.pangolin.${name} must be provided when Pangolin is enabled.";
+
# wildcards implies (dnsProvider and traefikEnvironmentFile)
+
(finalSettings.traefik.prefer_wildcard_cert or finalSettings.domains.domain1.prefer_wildcard_cert)
+
-> (cfg.dnsProvider != "" && config.services.traefik.environmentFiles != [ ]);
+
message = "services.pangolin.dnsProvider and services.traefik.environmentFile must be provided when prefer_wildcard_cert is true.";
+
networking.firewall = lib.mkIf cfg.openFirewall {
+
allowedUDPPorts = [ 51820 ];
+
description = "Pangolin service user";
+
packages = [ cfg.package ];
+
description = "Gerbil service user";
+
# make tunnels declarative by calling API
+
tmpfiles.settings."10-fossorial-paths" = {
+
"${cfg.dataDir}/config".d = {
+
"${cfg.dataDir}/config/letsencrypt".d = {
+
description = "Pangolin reverse proxy tunneling service";
+
wantedBy = [ "multi-user.target" ];
+
requires = [ "network.target" ];
+
after = [ "network.target" ];
+
mkdir -p ${cfg.dataDir}/config
+
cp -f ${cfgFile} ${cfg.dataDir}/config/config.yml
+
WorkingDirectory = cfg.dataDir;
+
EnvironmentFile = cfg.environmentFile;
+
ProtectSystem = "full";
+
PrivateTmp = "disconnected";
+
ProtectKernelTunables = true;
+
ProtectKernelModules = true;
+
ProtectKernelLogs = true;
+
ProtectControlGroups = true;
+
LockPersonality = true;
+
RestrictRealtime = true;
+
ProtectProc = "noaccess";
+
ProtectHostname = true;
+
NoNewPrivileges = true;
+
RestrictSUIDSGID = true;
+
RestrictAddressFamilies = [
+
CapabilityBoundingSet = [
+
"~@cpu-emulation:EPERM"
+
ExecStart = lib.getExe cfg.package;
+
description = "Gerbil Service";
+
wantedBy = [ "multi-user.target" ];
+
after = [ "pangolin.service" ];
+
requires = [ "pangolin.service" ];
+
before = [ "traefik.service" ];
+
requiredBy = [ "traefik.service" ];
+
# restarting gerbil restarts traefik
+
upholds = [ "traefik.service" ];
+
# provide default to use correct port without envfile
+
LISTEN = "localhost:" + toString config.services.gerbil.port;
+
WorkingDirectory = cfg.dataDir;
+
EnvironmentFile = cfg.environmentFile;
+
ReadWritePaths = "${cfg.dataDir}/config";
+
AmbientCapabilities = [
+
CapabilityBoundingSet = [
+
ProtectSystem = "full";
+
PrivateTmp = "disconnected";
+
ProtectKernelTunables = true;
+
ProtectKernelModules = true;
+
ProtectKernelLogs = true;
+
ProtectControlGroups = true;
+
LockPersonality = true;
+
RestrictRealtime = true;
+
ProtectProc = "noaccess";
+
ProtectHostname = true;
+
NoNewPrivileges = true;
+
RestrictSUIDSGID = true;
+
MemoryDenyWriteExecute = true;
+
RestrictAddressFamilies = [
+
"~@cpu-emulation:EPERM"
+
ExecStart = utils.escapeSystemdExecArgs [
+
(lib.getExe pkgs.fosrl-gerbil)
+
"--reachableAt=http://localhost:${toString config.services.gerbil.port}"
+
"--generateAndSaveKeyTo=${toString cfg.dataDir}/config/key"
+
"--remoteConfig=http://localhost:${toString finalSettings.server.internal_port}/api/v1/gerbil/get-config"
+
# will not work if the interface is renamed
+
# https://github.com/fosrl/newt/issues/37#issuecomment-3193385911
+
ExecStartPost = lib.getExe gerbil-wg0-fix-script;
+
wantedBy = [ "multi-user.target" ];
+
after = [ "gerbil.service" ];
+
requires = [ "gerbil.service" ];
+
partOf = [ "gerbil.service" ];
+
dataDir = "${cfg.dataDir}/config/traefik";
+
staticConfigOptions = {
+
endpoint = "http://localhost:${toString finalSettings.server.internal_port}/api/v1/traefik-config";
+
# TODO to change this once #437073 is merged.
+
experimental.plugins.badger = {
+
moduleName = "github.com/fosrl/badger";
+
certificatesResolvers.letsencrypt.acme =
+
if finalSettings.domains.domain1.prefer_wildcard_cert then
+
# see https://doc.traefik.io/traefik/https/acme/#providers
+
dnsChallenge.provider = cfg.dnsProvider;
+
httpChallenge.entryPoint = "web";
+
email = cfg.letsEncryptEmail;
+
storage = "${cfg.dataDir}/config/letsencrypt/acme.json";
+
caServer = "https://acme-v02.api.letsencrypt.org/directory";
+
transport.respondingTimeouts.readTimeout = "30m";
+
http.tls.certResolver = "letsencrypt";
+
dynamicConfigOptions = {
+
middlewares.redirect-to-https.redirectScheme.scheme = "https";
+
# HTTP to HTTPS redirect router
+
main-app-router-redirect = {
+
rule = "Host(`${cfg.dashboardDomain}`)";
+
service = "next-service";
+
entryPoints = [ "web" ];
+
middlewares = [ "redirect-to-https" ];
+
# Next.js router (handles everything except API and WebSocket paths)
+
rule = "Host(`${cfg.dashboardDomain}`) && !PathPrefix(`/api/v1`)";
+
service = "next-service";
+
entryPoints = [ "websecure" ];
+
lib.optionalAttrs (finalSettings.domains.domain1.prefer_wildcard_cert) {
+
{ main = cfg.baseDomain; }
+
{ sans = "*.${cfg.baseDomain}"; }
+
certResolver = "letsencrypt";
+
# API router (handles /api/v1 paths)
+
rule = "Host(`${cfg.dashboardDomain}`) && PathPrefix(`/api/v1`)";
+
service = "api-service";
+
entryPoints = [ "websecure" ];
+
tls.certResolver = "letsencrypt";
+
rule = "Host(`${cfg.dashboardDomain}`)";
+
service = "api-service";
+
entryPoints = [ "websecure" ];
+
tls.certResolver = "letsencrypt";
+
# Integration API router
+
int-api-router-redirect = lib.mkIf (finalSettings.flags.enable_integration_api) {
+
rule = "Host(`api.${cfg.baseDomain}`)";
+
service = "int-api-service";
+
entryPoints = [ "web" ];
+
middlewares = [ "redirect-to-https" ];
+
int-api-router = lib.mkIf (finalSettings.flags.enable_integration_api) {
+
rule = "Host(`api.${cfg.baseDomain}`)";
+
service = "int-api-service";
+
entryPoints = [ "websecure" ];
+
tls.certResolver = "letsencrypt";
+
next-service.loadBalancer.servers = [
+
{ url = "http://localhost:${toString finalSettings.server.next_port}"; }
+
api-service.loadBalancer.servers = [
+
{ url = "http://localhost:${toString finalSettings.server.external_port}"; }
+
# Integration API server
+
int-api-service.loadBalancer.servers = lib.mkIf (finalSettings.flags.enable_integration_api) [
+
{ url = "http://localhost:${toString finalSettings.server.integration_port}"; }
+
meta.maintainers = with lib.maintainers; [
pyrox.dev