|
| 1 | +{ |
| 2 | + description = "tsidp - A simple OIDC / OAuth Identity Provider (IdP) server for your tailnet."; |
| 3 | + |
| 4 | + inputs = { |
| 5 | + nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; |
| 6 | + systems.url = "github:nix-systems/default"; |
| 7 | + }; |
| 8 | + |
| 9 | + outputs = { |
| 10 | + self, |
| 11 | + nixpkgs, |
| 12 | + systems, |
| 13 | + }: let |
| 14 | + go125Version = "1.24.7"; |
| 15 | + goHash = "sha256-Ko9Q2w+IgDYHxQ1+qINNy3vUg8a0KKkeNg/fhiS0ZGQ="; |
| 16 | + eachSystem = f: |
| 17 | + nixpkgs.lib.genAttrs (import systems) (system: |
| 18 | + f (import nixpkgs { |
| 19 | + system = system; |
| 20 | + overlays = [ |
| 21 | + (final: prev: { |
| 22 | + go_1_24 = prev.go_1_24.overrideAttrs { |
| 23 | + version = go125Version; |
| 24 | + src = prev.fetchurl { |
| 25 | + url = "https://go.dev/dl/go${go125Version}.src.tar.gz"; |
| 26 | + hash = goHash; |
| 27 | + }; |
| 28 | + }; |
| 29 | + }) |
| 30 | + ]; |
| 31 | + })); |
| 32 | + in { |
| 33 | + formatter = eachSystem (pkgs: pkgs.nixpkgs-fmt); |
| 34 | + |
| 35 | + packages = eachSystem (pkgs: { |
| 36 | + default = pkgs.buildGo124Module { |
| 37 | + pname = "tsidp"; |
| 38 | + version = |
| 39 | + if (self ? shortRev) |
| 40 | + then self.shortRev |
| 41 | + else "dev"; |
| 42 | + src = pkgs.nix-gitignore.gitignoreSource [] ./.; |
| 43 | + ldflags = let |
| 44 | + tsVersion = with builtins; |
| 45 | + head (match ".*tailscale.com v([0-9]+\.[0-9]+\.[0-9]+-?[a-zA-Z]?).*" (readFile ./go.mod)); |
| 46 | + in [ |
| 47 | + "-w" |
| 48 | + "-s" |
| 49 | + "-X tailscale.com/version.longStamp=${tsVersion}" |
| 50 | + "-X tailscale.com/version.shortStamp=${tsVersion}" |
| 51 | + ]; |
| 52 | + vendorHash = "sha256-obtcJTg7V4ij3fGVmZMD7QQwKJX6K5PPslpM1XKCk9Q="; # SHA based on vendoring go.mod |
| 53 | + }; |
| 54 | + }); |
| 55 | + |
| 56 | + overlays.default = final: prev: { |
| 57 | + tsidp = self.packages.${prev.stdenv.hostPlatform.system}.default; |
| 58 | + }; |
| 59 | + |
| 60 | + nixosModules.default = { |
| 61 | + config, |
| 62 | + lib, |
| 63 | + pkgs, |
| 64 | + ... |
| 65 | + }: let |
| 66 | + cfg = config.services.tsidp; |
| 67 | + in { |
| 68 | + options.services.tsidp = { |
| 69 | + enable = lib.mkEnableOption "Enable tsidp service"; |
| 70 | + |
| 71 | + package = lib.mkOption { |
| 72 | + type = lib.types.package; |
| 73 | + default = pkgs.tsidp; |
| 74 | + description = "The tsidp package to use."; |
| 75 | + }; |
| 76 | + |
| 77 | + dataDir = lib.mkOption { |
| 78 | + type = lib.types.path; |
| 79 | + default = "/var/lib/tsidp"; |
| 80 | + description = "The directory to store tsidp data."; |
| 81 | + }; |
| 82 | + |
| 83 | + user = lib.mkOption { |
| 84 | + type = lib.types.str; |
| 85 | + default = "tsidp"; |
| 86 | + description = "The user to run the tsidp service as."; |
| 87 | + }; |
| 88 | + |
| 89 | + group = lib.mkOption { |
| 90 | + type = lib.types.str; |
| 91 | + default = "tsidp"; |
| 92 | + description = "The group to run the tsidp service as."; |
| 93 | + }; |
| 94 | + |
| 95 | + enableDebug = lib.mkOption { |
| 96 | + type = lib.types.bool; |
| 97 | + default = false; |
| 98 | + description = "Enable debug printing of requests to the server."; |
| 99 | + }; |
| 100 | + |
| 101 | + enableSts = lib.mkOption { |
| 102 | + type = lib.types.bool; |
| 103 | + default = true; |
| 104 | + description = "Enable OIDC STS token exchange support."; |
| 105 | + }; |
| 106 | + |
| 107 | + hostName = lib.mkOption { |
| 108 | + type = lib.types.str; |
| 109 | + default = "idp"; |
| 110 | + description = "The hostname to use for the tsidp server."; |
| 111 | + }; |
| 112 | + |
| 113 | + funnel = lib.mkOption { |
| 114 | + type = lib.types.bool; |
| 115 | + default = false; |
| 116 | + description = "Enable Tailscale Funnel support."; |
| 117 | + }; |
| 118 | + |
| 119 | + port = lib.mkOption { |
| 120 | + type = lib.types.int; |
| 121 | + default = 443; |
| 122 | + description = "The port to run the tsidp server on."; |
| 123 | + }; |
| 124 | + |
| 125 | + localPort = lib.mkOption { |
| 126 | + type = lib.types.int; |
| 127 | + default = -1; |
| 128 | + description = "allow requests from localhost, -1 disables this."; |
| 129 | + }; |
| 130 | + |
| 131 | + verbose = lib.mkOption { |
| 132 | + type = lib.types.bool; |
| 133 | + default = false; |
| 134 | + description = "Enable verbose logging."; |
| 135 | + }; |
| 136 | + }; |
| 137 | + |
| 138 | + config = lib.mkIf cfg.enable { |
| 139 | + nixpkgs.overlays = [self.overlays.default]; |
| 140 | + |
| 141 | + users.groups."${cfg.group}" = {}; |
| 142 | + users.users."${cfg.user}" = { |
| 143 | + home = cfg.dataDir; |
| 144 | + group = cfg.group; |
| 145 | + createHome = true; |
| 146 | + isSystemUser = true; |
| 147 | + isNormalUser = false; |
| 148 | + description = "tsidp service user"; |
| 149 | + }; |
| 150 | + |
| 151 | + systemd.services.tsidp = { |
| 152 | + description = "tsidp service"; |
| 153 | + after = ["network.target"]; |
| 154 | + wants = ["network.target"]; |
| 155 | + wantedBy = ["multi-user.target" "network-online.target"]; |
| 156 | + environment = { |
| 157 | + TAILSCALE_USE_WIP_CODE = "1"; |
| 158 | + }; |
| 159 | + serviceConfig = { |
| 160 | + User = cfg.user; |
| 161 | + Group = cfg.group; |
| 162 | + Restart = "always"; |
| 163 | + RestartSec = "15"; |
| 164 | + WorkingDirectory = "${cfg.dataDir}"; |
| 165 | + ExecStart = '' |
| 166 | + ${cfg.package}/bin/tsidp \ |
| 167 | + --dir ${cfg.dataDir} \ |
| 168 | + ${lib.optionalString (cfg.hostName != "idp") ("--hostname " + cfg.hostName)} \ |
| 169 | + ${lib.optionalString (cfg.port != 443) ("--port " + toString cfg.port)} \ |
| 170 | + ${lib.optionalString (cfg.localPort != -1) ("--local-port " + toString cfg.localPort)} \ |
| 171 | + ${lib.optionalString (cfg.enableDebug) "--debug"} \ |
| 172 | + ${lib.optionalString (cfg.verbose) "--verbose"} \ |
| 173 | + ${lib.optionalString (cfg.enableSts) "--enable-sts"} \ |
| 174 | + ${lib.optionalString (cfg.funnel) "--funnel"} |
| 175 | + ''; |
| 176 | + }; |
| 177 | + }; |
| 178 | + }; |
| 179 | + }; |
| 180 | + }; |
| 181 | +} |
0 commit comments