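{
  description = "tsnet-proxy: proxy onto tsnet";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # `outputs` takes a `systems` argument; declare it here instead of relying
    # on the implicit flake-registry lookup so the dependency is visible in the
    # flake itself (the registry default for `systems` is nix-systems/default).
    systems.url = "github:nix-systems/default";
  };

  outputs = {
    self,
    nixpkgs,
    systems,
  }: let
    # Evaluate `f` once per system listed by the `systems` input, handing it the
    # system string, that system's nixpkgs package set and its `callPackage`.
    eachSystem = f:
      nixpkgs.lib.genAttrs (import systems) (system:
        f rec {
          inherit system;
          pkgs = nixpkgs.legacyPackages.${system};
          inherit (pkgs) callPackage;
        });
  in {
    # The proxy binary itself, built from ./default.nix.
    packages = eachSystem ({callPackage, ...}: {
      default = callPackage ./. {};
    });

    devShells = eachSystem ({callPackage, ...}: {
      default = callPackage ./shell.nix {};
    });

    # NixOS module: one systemd service per entry in `proxies`. Each service
    # mints an ephemeral, tagged Tailscale auth key at start-up (as root, from
    # the OAuth client credentials) and then runs the proxy as a dynamic user.
    nixosModules.default = {
      config,
      pkgs,
      lib,
      ...
    }: let
      cfg = config.services.bluepython508.tsnet-proxy;
      inherit (lib) mkOption types;
    in {
      options.services.bluepython508.tsnet-proxy = {
        clientId = mkOption {
          type = types.str;
          description = "Tailscale OAuth client ID, passed to get-authkey as TS_API_CLIENT_ID.";
        };
        clientSecretFile = mkOption {
          # Deliberately `str`, not `path`: a `path` value would be copied into the
          # world-readable Nix store. The file is read at service start, as root.
          type = types.str;
          description = ''
            Path to a file containing the Tailscale OAuth client secret. Its
            contents are passed to get-authkey as TS_API_CLIENT_SECRET.
          '';
        };
        tags = mkOption {
          type = types.listOf types.str;
          description = "ACL tags requested for the minted auth key (get-authkey -tags).";
        };
        proxies = mkOption {
          type = types.attrsOf (types.submodule {
            options = {
              enable = mkOption {
                type = types.bool;
                default = true;
                description = "Whether this proxy's systemd service is enabled.";
              };
              forwards = mkOption {
                type = types.listOf (types.submodule {
                  options = {
                    proto = mkOption {
                      type = types.enum ["udp" "tcp" "unix"];
                      description = "Protocol of this listener.";
                    };
                    port = mkOption {
                      type = types.port;
                      description = "Port of this listener.";
                    };
                    dest = mkOption {
                      type = types.str;
                      description = "Destination the listener is forwarded to.";
                    };
                  };
                });
                description = ''
                  Listeners for this node; each one is passed to tsnet-proxy as a
                  `proto:port:dest` argument.
                '';
              };
            };
          });
          description = ''
            Proxy nodes to run, keyed by the tsnet hostname each node joins the
            tailnet under.
          '';
        };
      };

      config.systemd.services = let
        # Build only tailscale's `cmd/get-authkey` helper, which exchanges the
        # OAuth client credentials for an auth key. postInstall is cleared because
        # nixpkgs' step appears to post-process binaries this subPackages set
        # does not build.
        get-authkey = pkgs.tailscale.overrideAttrs {
          subPackages = ["cmd/get-authkey"];
          postInstall = "";
        };

        # Turn one `proxies` entry into a systemd service attribute.
        mkService = hostname: {
          forwards,
          enable,
          ...
        }: let
          name = "tsnet-proxy-${hostname}";
          # `port` is an integer (types.port); interpolating it directly into a
          # string is an evaluation error, so it goes through toString.
          forwardArgs = map ({proto, port, dest}: "${proto}:${toString port}:${dest}") forwards;
        in {
          inherit name;
          value = {
            inherit enable;
            description = "tsnet-proxy node ${hostname}";
            wantedBy = ["multi-user.target"];
            # The key minted by ExecStartPre is handed to the proxy via TS_AUTHKEY;
            # hostname and forwards are config-controlled, but are escaped so odd
            # characters cannot break the command line.
            script = ''
              TS_AUTHKEY="$(cat "$RUNTIME_DIRECTORY/authkey")"
              export TS_AUTHKEY
              exec ${lib.getExe self.packages.${pkgs.system}.default} ${lib.escapeShellArg hostname} ${lib.escapeShellArgs forwardArgs}
            '';
            serviceConfig = {
              DynamicUser = true;
              RuntimeDirectory = name;
              # The auth key sits in this directory between ExecStartPre and
              # ExecStart; systemd's default mode is 0755, which would let any
              # local user read a 0644 key file. Keep it private to the service.
              RuntimeDirectoryMode = "0700";
              # The leading "!" runs this step with full privileges so it can read
              # the client secret; the main process still runs as the dynamic user.
              ExecStartPre = "!${pkgs.writeShellScript "get-authkey" ''
                set -euo pipefail
                # Root's default umask would create the key file 0644; make it 0600
                # before the redirect creates it.
                umask 077
                TS_API_CLIENT_ID=${lib.escapeShellArg cfg.clientId} \
                TS_API_CLIENT_SECRET="$(cat ${lib.escapeShellArg cfg.clientSecretFile})" \
                  ${get-authkey}/bin/get-authkey -ephemeral -tags ${lib.escapeShellArg (lib.concatStringsSep "," cfg.tags)} \
                  > "$RUNTIME_DIRECTORY/authkey"
                chown ${name}:${name} "$RUNTIME_DIRECTORY/authkey"
              ''}";
            };
          };
        };
      in
        lib.mapAttrs' mkService cfg.proxies;
    };
  };
}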