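{
  pkgs,
  lib,
  config,
  ...
}:
# NixOS module for the tailpolicy service (Tailscale policy editor on a tailnet).
#
# Defines `services.tailpolicy.*` options and, when enabled, a dedicated
# system user/group plus a systemd unit that runs the tailpolicy binary with
# the configured flags.
let
  cfg = config.services.tailpolicy;
  pkg = pkgs.callPackage ./pkg.nix { inherit pkgs; };

  # Credential names systemd exposes under $CREDENTIALS_DIRECTORY at runtime.
  authKeyCred = "auth-key";
  oauthSecretCred = "oauth-secret";

  # Build one "--flag=value" command-line argument for a secret.
  #
  # When `file` is set, the value is read at service start from the
  # systemd-provided credential, so the secret never enters the world-readable
  # Nix store (neither via the unit file nor via the wrapper script).
  # Otherwise the literal option value is shell-escaped into the argument.
  # The binary only exposes a flag interface here, so in both cases the value
  # is still visible on the process command line; a file-based option is the
  # least-exposure choice this interface allows.
  secretArg =
    flag: value: file: credName:
    if file != null then
      "${flag}=\"$(cat \"$CREDENTIALS_DIRECTORY/${credName}\")\""
    else
      lib.escapeShellArg "${flag}=${value}";
in
{
  options =
    let
      inherit (lib) mkEnableOption mkOption types;
    in
    {
      services.tailpolicy = {
        enable = mkEnableOption "Enable tailpolicy";

        package = mkOption {
          type = types.package;
          description = "tailpolicy package to use";
          default = pkg;
        };

        repo-url = mkOption {
          type = types.str;
          description = "Repo URL for the Tailscale policy";
        };
        repo-location = mkOption {
          type = types.str;
          description = "Repo location to perform git operations against";
        };
        hostname = mkOption {
          type = types.str;
          description = "Tailnet hostname";
          default = "policy";
        };
        data-dir = mkOption {
          type = types.str;
          description = "tsnet data directory (relative paths resolve against /var/lib/tailpolicy)";
          default = ".tsnet";
        };

        auth-key = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            tsnet auth key given directly as a string. The value is copied into
            the Nix store, which is world-readable; prefer `auth-key-file`.
            Exactly one of `auth-key` and `auth-key-file` must be set.
          '';
        };
        auth-key-file = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Absolute path to a file containing the tsnet auth key. The file is
            loaded through systemd `LoadCredential` and read at service start,
            so it never enters the Nix store and only needs to be readable by
            root. Exactly one of `auth-key` and `auth-key-file` must be set.
          '';
        };
        oauth-id = mkOption {
          type = types.str;
          description = "Tailscale oauth ID";
        };
        oauth-secret = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Tailscale oauth secret given directly as a string. The value is
            copied into the Nix store, which is world-readable; prefer
            `oauth-secret-file`. Exactly one of `oauth-secret` and
            `oauth-secret-file` must be set.
          '';
        };
        oauth-secret-file = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = ''
            Absolute path to a file containing the Tailscale oauth secret. The
            file is loaded through systemd `LoadCredential` and read at service
            start, so it never enters the Nix store and only needs to be
            readable by root. Exactly one of `oauth-secret` and
            `oauth-secret-file` must be set.
          '';
        };

        user = mkOption {
          type = types.str;
          default = "tailpolicy";
          description = "User account under which tailpolicy runs";
        };

        group = mkOption {
          type = types.str;
          default = "tailpolicy";
          description = "Group account under which tailpolicy runs";
        };
      };
    };

  config = lib.mkIf cfg.enable {
    # Fail evaluation early instead of producing a unit with an empty secret.
    assertions = [
      {
        assertion = (cfg.auth-key != null) != (cfg.auth-key-file != null);
        message = "services.tailpolicy: exactly one of auth-key and auth-key-file must be set";
      }
      {
        assertion = (cfg.oauth-secret != null) != (cfg.oauth-secret-file != null);
        message = "services.tailpolicy: exactly one of oauth-secret and oauth-secret-file must be set";
      }
    ];

    users.users.${cfg.user} = {
      home = "/var/lib/tailpolicy";
      createHome = true;
      group = cfg.group;
      isSystemUser = true;
      description = "user for tailpolicy service";
    };
    users.groups.${cfg.group} = { };

    systemd.services.tailpolicy = {
      script =
        let
          # Every user-supplied value is shell-escaped so that spaces or shell
          # metacharacters in a URL or path cannot split or alter the command.
          args = [
            (lib.escapeShellArg "--repo-url=${cfg.repo-url}")
            (lib.escapeShellArg "--repo-location=${cfg.repo-location}")
            (lib.escapeShellArg "--hostname=${cfg.hostname}")
            (lib.escapeShellArg "--data-dir=${cfg.data-dir}")
            (secretArg "--auth-key" cfg.auth-key cfg.auth-key-file authKeyCred)
            (lib.escapeShellArg "--oauth-id=${cfg.oauth-id}")
            (secretArg "--oauth-secret" cfg.oauth-secret cfg.oauth-secret-file oauthSecretCred)
          ];
        in
        # `exec` replaces the wrapper shell so systemd signals and restarts
        # act on the tailpolicy process itself.
        "exec ${cfg.package}/bin/tailpolicy ${lib.concatStringsSep " " args}";
      # The service needs working connectivity to join the tailnet, not just
      # a configured network stack.
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      path = [ cfg.package ];
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        Restart = "always";
        RestartSec = "15";
        WorkingDirectory = "/var/lib/tailpolicy";
        # systemd reads the secret files as root and hands them to the
        # unprivileged service via $CREDENTIALS_DIRECTORY.
        LoadCredential =
          lib.optional (cfg.auth-key-file != null) "${authKeyCred}:${cfg.auth-key-file}"
          ++ lib.optional (cfg.oauth-secret-file != null) "${oauthSecretCred}:${cfg.oauth-secret-file}";
        # Conservative hardening that does not restrict where the repo or
        # data directory may live.
        NoNewPrivileges = true;
        PrivateTmp = true;
      };
    };
  };
}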