Home

tailproxy @f7fbbe8cd6463a86b309415aaaf645627b2e799d - refs - log -
-
https://git.jolheiser.com/tailproxy.git
Tailscale reverse proxy
tailproxy / nix / module.nix
- raw
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
{
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.services.tailproxy;
  pkg = pkgs.callPackage ./pkg.nix { inherit pkgs; };
  instanceOptions =
    { name, config, ... }:
    let
      inherit (lib) mkEnableOption mkOption types;
    in
    {
      options = {
        enable = mkEnableOption "Enable tailproxy for ${name}";

        package = mkOption {
          type = types.package;
          description = "tailproxy package to use";
          default = pkg;
        };

        hostname = mkOption {
          type = types.str;
          description = "Tailscale hostname";
        };

        authKey = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = "Tailscale auth key";
        };

        funnel = mkOption {
          type = types.bool;
          default = false;
          description = "Expose on Tailscale funnel";
        };

        dataDir = mkOption {
          type = types.str;
          description = "tsnet data directory";
          default = "/var/lib/tailproxy-${name}";
        };

        port = mkOption {
          type = types.int;
          description = "Port to proxy";
        };

        user = mkOption {
          type = types.str;
          default = "tailproxy";
          description = "User account under which tailproxy runs";
        };

        group = mkOption {
          type = types.str;
          default = "tailproxy";
          description = "Group account under which tailproxy runs";
        };
      };
    };
in
{
  options = {
    services.tailproxy = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule instanceOptions);
      default = { };
      description = "Attribute set of tailproxy instances";
    };
  };
  config = lib.mkIf (cfg != { }) {
    systemd.services = lib.mapAttrs' (
      name: instanceCfg:
      lib.nameValuePair "tailproxy-${name}" {
        description = "tailproxy-${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          ExecStart =
            let
              args =
                lib.optionals (instanceCfg.authKey != null) [
                  "--auth-key=${instanceCfg.authKey}"
                ]
                ++ [
                  (lib.optionalString instanceCfg.funnel "--funnel")
                  "--hostname=${instanceCfg.hostname}"
                  "--port=${builtins.toString instanceCfg.port}"
                  "--data-dir=${instanceCfg.dataDir}"
                ];
            in
            "${instanceCfg.package}/bin/tailproxy ${lib.concatStringsSep " " args}";
          User = instanceCfg.user;
          Restart = "on-failure";
        };
      }
    ) (lib.filterAttrs (name: instanceCfg: instanceCfg.enable) cfg);

    users.users = lib.mapAttrs' (
      name: instanceCfg:
      lib.nameValuePair instanceCfg.user {
        isSystemUser = true;
        group = instanceCfg.user;
        home = instanceCfg.dataDir;
        createHome = true;
      }
    ) (lib.filterAttrs (name: instanceCfg: instanceCfg.enable) cfg);

    users.groups = lib.mapAttrs' (name: instanceCfg: lib.nameValuePair instanceCfg.user { }) (
      lib.filterAttrs (name: instanceCfg: instanceCfg.enable) cfg
    );
  };
}