nixos/modules/services/networking/tailscale-auth.nix

   1 {
   2   config,
   3   lib,
   4   pkgs,
   5   ...
   6 }:
   7
   8 let
   9   inherit (lib)
  10     getExe
  11     maintainers
  12     mkEnableOption
  13     mkPackageOption
  14     mkIf
  15     mkOption
  16     types
  17     ;
  18   cfg = config.services.tailscaleAuth;
  19 in
  20 {
  21   options.services.tailscaleAuth = {
  22     enable = mkEnableOption "tailscale.nginx-auth, to authenticate users via tailscale";
  23
  24     package = mkPackageOption pkgs "tailscale-nginx-auth" { };
  25
  26     user = mkOption {
  27       type = types.str;
  28       default = "tailscale-nginx-auth";
  29       description = "User which runs tailscale-nginx-auth";
  30     };
  31
  32     group = mkOption {
  33       type = types.str;
  34       default = "tailscale-nginx-auth";
  35       description = "Group which runs tailscale-nginx-auth";
  36     };
  37
  38     socketPath = mkOption {
  39       default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
  40       type = types.path;
  41       description = ''
  42         Path of the socket listening to authorization requests.
  43       '';
  44     };
  45   };
  46
  47   config = mkIf cfg.enable {
  48     services.tailscale.enable = true;
  49
  50     users.users.${cfg.user} = {
  51       isSystemUser = true;
  52       inherit (cfg) group;
  53     };
  54     users.groups.${cfg.group} = { };
  55
  56     systemd.sockets.tailscale-nginx-auth = {
  57       description = "Tailscale NGINX Authentication socket";
  58       partOf = [ "tailscale-nginx-auth.service" ];
  59       wantedBy = [ "sockets.target" ];
  60       listenStreams = [ cfg.socketPath ];
  61       socketConfig = {
  62         SocketMode = "0660";
  63         SocketUser = cfg.user;
  64         SocketGroup = cfg.group;
  65       };
  66     };
  67
  68     systemd.services.tailscale-nginx-auth = {
  69       description = "Tailscale NGINX Authentication service";
  70       requires = [ "tailscale-nginx-auth.socket" ];
  71
  72       serviceConfig = {
  73         ExecStart = getExe cfg.package;
  74         RuntimeDirectory = "tailscale-nginx-auth";
  75         User = cfg.user;
  76         Group = cfg.group;
  77
  78         BindPaths = [ "/run/tailscale/tailscaled.sock" ];
  79
  80         CapabilityBoundingSet = "";
  81         DeviceAllow = "";
  82         LockPersonality = true;
  83         MemoryDenyWriteExecute = true;
  84         PrivateDevices = true;
  85         PrivateUsers = true;
  86         ProtectClock = true;
  87         ProtectControlGroups = true;
  88         ProtectHome = true;
  89         ProtectHostname = true;
  90         ProtectKernelLogs = true;
  91         ProtectKernelModules = true;
  92         ProtectKernelTunables = true;
  93         RestrictNamespaces = true;
  94         RestrictAddressFamilies = [ "AF_UNIX" ];
  95         RestrictRealtime = true;
  96         RestrictSUIDSGID = true;
  97
  98         SystemCallArchitectures = "native";
  99         SystemCallErrorNumber = "EPERM";
 100         SystemCallFilter = [
 101           "@system-service"
 102           "~@cpu-emulation"
 103           "~@debug"
 104           "~@keyring"
 105           "~@memlock"
 106           "~@obsolete"
 107           "~@privileged"
 108           "~@setuid"
 109         ];
 110       };
 111     };
 112   };
 113
 114   meta.maintainers = with maintainers; [
 115     dan-theriault
 116     phaer
 117   ];
 118 }