wip: dex

elisboa · Oct 16, 2022 · df729dc · df729dc
1 parent 33d028d
commit df729dc
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 18 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/modules/services/dex/default.nix b/modules/services/dex/default.nix
@@ -131,18 +131,15 @@ in
           after = [ "networking.target" ];
 
           preStart = ''
-            if ! test -d "${cfg.stateDir}"; then
-              mkdir -p "${cfg.stateDir}"
-              chmod -R 600 "${cfg.stateDir}"
-            fi
+            cp --remove-destination ${configYaml} ${cfg.stateDir}/config.yaml
 
-            "${pkgs.coreutils}/bin/install -m 600 ${configYaml} ${cfg.stateDir}/config.yaml"
+            chmod 600 ${cfg.stateDir}/config.yaml
 
             ${replace-config-secrets}
           '';
 
           serviceConfig = {
-            ExecStart = "${pkgs.dex-oidc}/bin/dex serve /run/dex/config.yaml";
+            ExecStart = "${pkgs.dex-oidc}/bin/dex serve ${cfg.stateDir}/config.yaml";
             WorkingDirectory = cfg.stateDir;
 
             User = cfg.user;

diff --git a/modules/services/tailscale-authproxy/default.nix b/modules/services/tailscale-authproxy/default.nix
@@ -13,7 +13,7 @@ in
     tcpAddress = mkOpt str "" "The address to listen on";
     socketPath = mkOpt str "" "The unix socket file to listen on";
 
-    restrictTailnet = mkOpt (either [ str null ]) null "Only allow access from a single Tailnet";
+    restrictTailnet = mkOpt (nullOr str) null "Only allow access from a single Tailnet";
 
     allowUnauthorized = mkOpt bool false "Whether or not to allow unauthorized machines";
     dexCallbackUrl = mkOpt str "http://127.0.0.1/dex/callback/tailscale-authproxy" "The url to use for authenticating with Dex";
@@ -40,7 +40,7 @@ in
       partOf = [ "tailscale-authproxy.service" ];
 
       socketConfig = {
-        ListenStream = "/var/run/tailscale-authproxy.sock";
+        ListenStream = "/run/tailscale-authproxy.sock";
       };
     };
 
@@ -52,17 +52,18 @@ in
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        Restart = "always";
-        RestartSec = 20;
+
+        # Restart = "always";
+        # RestartSec = 20;
+
         ExecStart =
           let
-            args = [
-              "-listen-type=systemd"
-              "-dex-callback-url='${cfg.dexCallbackUrl}'"
-            ] ++ optional (cfg.allowUnauthorized) "-allow-unauthorized"
-            ++ optional (cfg.restrictTailnet != null) "-restrict-tailnet='${cfg.restrictTailnet}'";
+            args =
+              [ "-listen-type=systemd" "-dex-callback-url='${cfg.dexCallbackUrl}'" ]
+              ++ optional (cfg.allowUnauthorized) "-allow-unauthorized"
+              ++ optional (cfg.restrictTailnet != null) "-restrict-tailnet='${cfg.restrictTailnet}'";
           in
-          "${pkgs.tailscale-authproxy} -listen-type=systemd -dex-callback-url='${cfg.dexCallbackUrl}'";
+          "${pkgs.tailscale-authproxy}/bin/tailscale-authproxy ${concatStringsSep " " args}'";
       };
     };
   };