depot/third_party/nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix
Default email 587713944a Project import generated by Copybara.
GitOrigin-RevId: 6143fc5eeb9c4f00163267708e26191d1e918932
2024-04-21 17:54:59 +02:00

98 lines
3.4 KiB
Nix

{ config, lib, pkgs, ... }:
let
inherit (lib)
genAttrs
maintainers
mkAliasOptionModule
mkEnableOption
mkIf
mkOption
types
;
cfg = config.services.nginx.tailscaleAuth;
cfgAuth = config.services.tailscaleAuth;
in
{
imports = [
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "package" ] [ "services" "tailscaleAuth" "package" ])
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "user" ] [ "services" "tailscaleAuth" "user" ])
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "group" ] [ "services" "tailscaleAuth" "group" ])
(mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "socketPath" ] [ "services" "tailscaleAuth" "socketPath" ])
];
options.services.nginx.tailscaleAuth = {
enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale.";
expectedTailnet = mkOption {
default = "";
type = types.nullOr types.str;
example = "tailnet012345.ts.net";
description = ''
If you want to prevent node sharing from allowing users to access services
across tailnets, declare your expected tailnets domain here.
'';
};
virtualHosts = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of nginx virtual hosts to put behind tailscale.nginx-auth
'';
};
};
config = mkIf cfg.enable {
services.tailscaleAuth.enable = true;
services.nginx.enable = true;
users.users.${config.services.nginx.user}.extraGroups = [ cfgAuth.group ];
systemd.services.tailscale-nginx-auth = {
after = [ "nginx.service" ];
wants = [ "nginx.service" ];
};
services.nginx.virtualHosts = genAttrs
cfg.virtualHosts
(vhost: {
locations."/auth" = {
extraConfig = ''
internal;
proxy_pass http://unix:${cfgAuth.socketPath};
proxy_pass_request_body off;
# Upstream uses $http_host here, but we are using gixy to check nginx configurations
# gixy wants us to use $host: https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md
proxy_set_header Host $host;
proxy_set_header Remote-Addr $remote_addr;
proxy_set_header Remote-Port $remote_port;
proxy_set_header Original-URI $request_uri;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
locations."/".extraConfig = ''
auth_request /auth;
auth_request_set $auth_user $upstream_http_tailscale_user;
auth_request_set $auth_name $upstream_http_tailscale_name;
auth_request_set $auth_login $upstream_http_tailscale_login;
auth_request_set $auth_tailnet $upstream_http_tailscale_tailnet;
auth_request_set $auth_profile_picture $upstream_http_tailscale_profile_picture;
proxy_set_header X-Webauth-User "$auth_user";
proxy_set_header X-Webauth-Name "$auth_name";
proxy_set_header X-Webauth-Login "$auth_login";
proxy_set_header X-Webauth-Tailnet "$auth_tailnet";
proxy_set_header X-Webauth-Profile-Picture "$auth_profile_picture";
${lib.optionalString (cfg.expectedTailnet != "") ''proxy_set_header Expected-Tailnet "${cfg.expectedTailnet}";''}
'';
});
};
meta.maintainers = with maintainers; [ phaer ];
}