Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 7e63dd5daa4dce8cc5ceb5d2f130681f0186834c / . / modules / nixos / clicks / services / nginx / tailscaleAuth / default.nix
blob: af9e07f56da224a5c503c9a22ee709daa3d0d68b [file] [log] [blame]
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only
{ lib, config, ... }:
let
cfg = config.clicks.services.tailscaleAuth;
in
{
options.clicks.services.tailscaleAuth = {
enable = lib.mkEnableOption "Enable tailscaleAuth for Nginx";
expectedTailnet = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "The tailnet to expect when authenticating";
default = null;
};
hosts = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "A list of hosts to put behind tailscale auth";
default = [];
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.expectedTailnet == null || lib.clicks.strings.endsWith ".ts.net" cfg.expectedTailnet;
message = "Your expected tailnet must be an official *.ts.net tailnet, headscale is not supported";
}
];
services.nginx.tailscaleAuth = {
enable = true;
expectedTailnet = lib.modules.mkIf (cfg.expectedTailnet != null) cfg.expectedTailnet;
virtualHosts = cfg.hosts;
};
};
}