Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor tailscale nginx-auth module #293954

Merged
merged 1 commit into from Apr 18, 2024
Merged

Refactor tailscale nginx-auth module #293954

merged 1 commit into from Apr 18, 2024

Conversation

Dan-Theriault
Copy link

@Dan-Theriault Dan-Theriault commented Mar 7, 2024
edited

Description of changes

Tailscale's nginx-auth proxy, despite the name, actually works just fine with caddy and traefik (see tailscale/tailscale#4680). However, the current nixos module is closely coupled with nginx. This change breaks that coupling.

All options of the existing module except virtualHosts (which is nginx-specific) have been moved to a new module without any nginx coupling. The options remain exposed on the nginx-specific module as aliases.

closes #290353

@phaer

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 馃憤 reaction to pull requests you find important.

@Dan-Theriault Dan-Theriault force-pushed the refactor-tailscale-auth branch 2 times, most recently from 1fcfcac to c4dca65 Compare March 8, 2024 22:07
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/3618

@Dan-Theriault Dan-Theriault force-pushed the refactor-tailscale-auth branch 2 times, most recently from 81238e5 to 0e92ac0 Compare March 18, 2024 23:50
phaer
phaer reviewed Mar 20, 2024
View reviewed changes
Copy link
Member

@phaer phaer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good news! Thanks for bringing this to attention.

Do you think it would make sense to wait for results of the upstream issue you linked? I.e. merging this before a rename means, that the program is confusingly still called tailscale-nginx-auth and that it's missing the '/auth-forward' endpoint, suggested in tailscale/tailscale#4680.

nixos/modules/services/networking/tailscale-auth.nix Outdated Show resolved Hide resolved
@Dan-Theriault
Copy link
Author

Dan-Theriault commented Mar 20, 2024
edited

Thank you both for reviewing.

Good news! Thanks for bringing this to attention.

Do you think it would make sense to wait for results of the upstream issue you linked? I.e. merging this before a rename means, that the program is confusingly still called tailscale-nginx-auth and that it's missing the '/auth-forward' endpoint, suggested in tailscale/tailscale#4680.

Caddy officially documents support for the feature. Their suggested workaround for lacking /auth-forward is just three lines of caddy config. I don't think that should prevent this from going ahead. The confusing program name is really the worst bit.

The current upstream situation isn't ideal, but I think it's good enough. There have not been many signs of life on the upstream ticket in the past year, and it is unclear to me if/when improvements are coming.

@Dan-Theriault
Copy link
Author

I think I've addressed all feedback now.

@Dan-Theriault Dan-Theriault force-pushed the refactor-tailscale-auth branch 2 times, most recently from 7cf2818 to f39d198 Compare April 6, 2024 17:14
@Dan-Theriault
Copy link
Author

Got my maintainers entry added in another PR, so I've just rebased this.

nixos/tailscale-auth: init module
3cf6c4d 
This additional module allows the tailscale auth proxy to be configured
independently of nginx. The tailscale auth proxy works with both caddy
and traefik. All prior nginx/tailscale-auth options are retained as
aliases.
@Dan-Theriault
Copy link
Author

Dan-Theriault commented Apr 16, 2024
edited

I've rebased again to resolve conflicts with #303841. I also removed a remaining mkPackageOptionMD while I was at it. Does anyone have further feedback? Not sure what's needed now to get this merged.

@SuperSandro2000 SuperSandro2000 merged commit f417891 into NixOS:master Apr 18, 2024
21 checks passed
@Dan-Theriault Dan-Theriault deleted the refactor-tailscale-auth branch April 18, 2024 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RaitoBezarius RaitoBezarius Awaiting requested review from RaitoBezarius RaitoBezarius is a code owner

@phaer phaer Awaiting requested review from phaer

@SuperSandro2000 SuperSandro2000 Awaiting requested review from SuperSandro2000

@MinerSebas MinerSebas Awaiting requested review from MinerSebas

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 12. first-time contribution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tailscale-nginx-auth service should support caddy and traefik
6 participants
@Dan-Theriault @nixos-discourse @phaer @SuperSandro2000 @MinerSebas @NixOSInfra