From 3cf6c4ddb3e92f4a459b6664daa3fff4825c81f7 Mon Sep 17 00:00:00 2001 From: Dan Theriault Date: Wed, 6 Mar 2024 23:15:44 -0500 Subject: nixos/tailscale-auth: init module This additional module allows the tailscale auth proxy to be configured independently of nginx. The tailscale auth proxy works with both caddy and traefik. All prior nginx/tailscale-auth options are retained as aliases. --- nixos/modules/module-list.nix | 1 + .../modules/services/networking/tailscale-auth.nix | 104 +++++++++++++++++++++ .../services/web-servers/nginx/tailscale-auth.nix | 100 ++++---------------- 3 files changed, 125 insertions(+), 80 deletions(-) create mode 100644 nixos/modules/services/networking/tailscale-auth.nix (limited to 'nixos')
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index dda647ac19942..0d7434d2bb3bd 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1164,6 +1164,7 @@
 ./services/networking/syncthing-relay.nix
 ./services/networking/syncthing.nix
 ./services/networking/tailscale.nix
+ ./services/networking/tailscale-auth.nix
 ./services/networking/tayga.nix
 ./services/networking/tcpcrypt.nix
 ./services/networking/teamspeak3.nix
diff --git a/nixos/modules/services/networking/tailscale-auth.nix b/nixos/modules/services/networking/tailscale-auth.nix
new file mode 100644
index 0000000000000..c3a515212e782
--- /dev/null
+++ b/nixos/modules/services/networking/tailscale-auth.nix
@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib)
+ getExe
+ maintainers
+ mkEnableOption
+ mkPackageOption
+ mkIf
+ mkOption
+ types
+ ;
+ cfg = config.services.tailscaleAuth;
+in
+{
+ options.services.tailscaleAuth = {
+ enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate users via tailscale.";
+
+ package = mkPackageOption pkgs "tailscale-nginx-auth" {};
+
+ user = mkOption {
+ type = types.str;
+ default = "tailscale-nginx-auth";
+ description = "User which runs tailscale-nginx-auth";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "tailscale-nginx-auth";
+ description = "Group which runs tailscale-nginx-auth";
+ };
+
+ socketPath = mkOption {
+ default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
+ type = types.path;
+ description = ''
+ Path of the socket listening to authorization requests.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.tailscale.enable = true;
+
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ inherit (cfg) group;
+ };
+ users.groups.${cfg.group} = { };
+
+ systemd.sockets.tailscale-nginx-auth = {
+ description = "Tailscale NGINX Authentication socket";
+ partOf = [ "tailscale-nginx-auth.service" ];
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ cfg.socketPath ];
+ socketConfig = {
+ SocketMode = "0660";
+ SocketUser = cfg.user;
+ SocketGroup = cfg.group;
+ };
+ };
+
+ systemd.services.tailscale-nginx-auth = {
+ description = "Tailscale NGINX Authentication service";
+ requires = [ "tailscale-nginx-auth.socket" ];
+
+ serviceConfig = {
+ ExecStart = getExe cfg.package;
+ RuntimeDirectory = "tailscale-nginx-auth";
+ User = cfg.user;
+ Group = cfg.group;
+
+ BindPaths = [ "/run/tailscale/tailscaled.sock" ];
+
+ CapabilityBoundingSet = "";
+ DeviceAllow = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictAddressFamilies = [ "AF_UNIX" ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ SystemCallArchitectures = "native";
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [
+ "@system-service"
+ "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
+ ];
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ dan-theriault phaer ];
+}
diff --git a/nixos/modules/services/web-servers/nginx/tailscale-auth.nix b/nixos/modules/services/web-servers/nginx/tailscale-auth.nix
index 79d02c40de0c3..ca272268f5724 100644
--- a/nixos/modules/services/web-servers/nginx/tailscale-auth.nix
+++ b/nixos/modules/services/web-servers/nginx/tailscale-auth.nix
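Review bot: The serviceConfig block carries a long hardening list but leaves `ProtectSystem` unset, so the unit keeps a writable view of the root filesystem beyond whatever DAC denies to `cfg.user`; `ProtectSystem = "strict";` (RuntimeDirectory stays writable) together with `ProtectProc = "invisible";` would close that, unless tailscale-nginx-auth needs a write path not visible in this hunk. The `enable` option is declared as `mkEnableOption "Enable tailscale.nginx-auth, ..."`, and mkEnableOption already prefixes "Whether to enable", so the rendered text reads "Whether to enable Enable ..."; `enable = mkEnableOption "tailscale.nginx-auth, to authenticate users via tailscale";` fixes it. The socket is created 0660 as `cfg.user:cfg.group`, and only the nginx module (elsewhere in this commit) adds a consumer to that group, so the socketPath description should spell out what the commit message leaves implicit for caddy/traefik users: "Any proxy that talks to this socket must run as a member of `group`; the default lives inside the unit's RuntimeDirectory, so a custom path must be in a directory that exists and is accessible to `user`."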
@@ -1,28 +1,29 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+ inherit (lib)
+ genAttrs
+ maintainers
+ mkAliasOptionModule
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
 cfg = config.services.nginx.tailscaleAuth;
+ cfgAuth = config.services.tailscaleAuth;
 in
 {
+ imports = [
+ (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "package" ] [ "services" "tailscaleAuth" "package" ])
+ (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "user" ] [ "services" "tailscaleAuth" "user" ])
+ (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "group" ] [ "services" "tailscaleAuth" "group" ])
+ (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "socketPath" ] [ "services" "tailscaleAuth" "socketPath" ])
+ ];
+
 options.services.nginx.tailscaleAuth = {
 enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale.";
 
- package = lib.mkPackageOptionMD pkgs "tailscale-nginx-auth" {};
-
- user = mkOption {
- type = types.str;
- default = "tailscale-nginx-auth";
- description = "User which runs tailscale-nginx-auth";
- };
-
- group = mkOption {
- type = types.str;
- default = "tailscale-nginx-auth";
- description = "Group which runs tailscale-nginx-auth";
- };
-
 expectedTailnet = mkOption {
 default = "";
 type = types.nullOr types.str;
@@ -33,14 +34,6 @@ in
 '';
 };
 
- socketPath = mkOption {
- default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
- type = types.path;
- description = ''
- Path of the socket listening to nginx authorization requests.
- '';
- };
-
 virtualHosts = mkOption {
 type = types.listOf types.str;
 default = [];
@@ -51,67 +44,14 @@ in
 };
 
 config = mkIf cfg.enable {
- services.tailscale.enable = true;
+ services.tailscaleAuth.enable = true;
 services.nginx.enable = true;
 
- users.users.${cfg.user} = {
- isSystemUser = true;
- inherit (cfg) group;
- };
- users.groups.${cfg.group} = { };
- users.users.${config.services.nginx.user}.extraGroups = [ cfg.group ];
 
- systemd.sockets.tailscale-nginx-auth = {
- description = "Tailscale NGINX Authentication socket";
- partOf = [ "tailscale-nginx-auth.service" ];
- wantedBy = [ "sockets.target" ];
- listenStreams = [ cfg.socketPath ];
- socketConfig = {
- SocketMode = "0660";
- SocketUser = cfg.user;
- SocketGroup = cfg.group;
- };
- };
-
+ users.users.${config.services.nginx.user}.extraGroups = [ cfgAuth.group ];
 systemd.services.tailscale-nginx-auth = {
- description = "Tailscale NGINX Authentication service";
 after = [ "nginx.service" ];
 wants = [ "nginx.service" ];
- requires = [ "tailscale-nginx-auth.socket" ];
-
- serviceConfig = {
- ExecStart = "${lib.getExe cfg.package}";
- RuntimeDirectory = "tailscale-nginx-auth";
- User = cfg.user;
- Group = cfg.group;
-
- BindPaths = [ "/run/tailscale/tailscaled.sock" ];
-
- CapabilityBoundingSet = "";
- DeviceAllow = "";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- PrivateDevices = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- RestrictNamespaces = true;
- RestrictAddressFamilies = [ "AF_UNIX" ];
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
-
- SystemCallArchitectures = "native";
- SystemCallErrorNumber = "EPERM";
- SystemCallFilter = [
- "@system-service"
- "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
- ];
- };
 };
 
 services.nginx.virtualHosts = genAttrs
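Review bot: The surviving `users.users.${config.services.nginx.user}.extraGroups = [ cfgAuth.group ];` line and the trimmed `systemd.services.tailscale-nginx-auth` stanza now depend entirely on definitions in services.tailscaleAuth, and nothing in this file says so; a reader cannot tell from here where the socket, the user or the unit's ExecStart come from, or that the group membership is the only thing granting nginx access to the 0660 socket. A short comment above the extraGroups line would carry that: `# Socket, user and sandboxing live in services.tailscaleAuth; nginx only needs membership in its group (the socket is 0660) and start ordering against the unit.` The enclosing `config = mkIf cfg.enable { ... }` block continues past the end of this hunk.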
@@ -121,7 +61,7 @@ in
 extraConfig = ''
 internal;
 
- proxy_pass http://unix:${cfg.socketPath};
+ proxy_pass http://unix:${cfgAuth.socketPath};
 proxy_pass_request_body off;
 
 # Upstream uses $http_host here, but we are using gixy to check nginx configurations
-- cgit 1.4.1