Merge pull request #175 from keatonhasse/add-default-url

Add default url option and allow specifying only the port in services

Author: antifuchs

nixos/default.nix

@@ -4,9 +4,49 @@
   lib,
   ...
 }: let
-  serviceSubmodule = with lib; let
+  urlPartsSubmodule.options = with lib; {
+    protocol = mkOption {
+      description = "URL Scheme or protocol to use for reaching the upstream service.";
+      type = types.str;
+      default = "http";
+    };
+
+    host = mkOption {
+      description = "Host where the upstream service can be reached.";
+      type = types.str;
+    };
+
+    port = mkOption {
+      description = "Port where the upstream service can be reached.";
+      type = types.int;
+    };
+  };
+
+  urlPartsSubmoduleWithDefaults.options = with lib; let
     inherit (config.services.tsnsrv) defaults;
   in {
+    protocol = mkOption {
+      description = "URL Scheme or protocol to use for reaching the upstream service.";
+      type = types.str;
+      default = defaults.urlParts.protocol;
+    };
+
+    host = mkOption {
+      description = "Host where the upstream service can be reached.";
+      type = types.str;
+      default = defaults.urlParts.host;
+    };
+
+    port = mkOption {
+      description = "Port where the upstream service can be reached.";
+      type = types.port;
+      default = defaults.urlParts.port;
+    };
+  };
+
+  serviceSubmodule = with lib; let
+    inherit (config.services.tsnsrv) defaults;
+  in ({config, ...}: {
     options = {
       authKeyPath = mkOption {
         description = "Path to a file containing a tailscale auth key. Make this a secret";
@@ -50,7 +90,7 @@
 
       package = mkOption {
         description = "Package to use for this tsnsrv service.";
-        default = config.services.tsnsrv.defaults.package;
+        default = defaults.package;
         type = types.package;
       };
 
@@ -129,9 +169,16 @@
         default = null;
       };
 
+      urlParts = mkOption {
+        description = "URL parts that make up an alternative to the toURL option.";
+        type = types.nullOr (types.submodule urlPartsSubmoduleWithDefaults);
+        default = null;
+      };
+
       toURL = mkOption {
-        description = "URL to forward HTTP requests to";
+        description = "URL to forward HTTP requests to. Either this or the urlParts option must be set.";
         type = types.str;
+        default = "${config.urlParts.protocol}://${config.urlParts.host}:${builtins.toString config.urlParts.port}";
       };
 
       supplementalGroups = mkOption {
@@ -175,7 +222,7 @@
         default = [];
       };
     };
-  };
+  });
 
   serviceArgs = {
     name,
@@ -300,6 +347,11 @@ in {
         type = types.bool;
         default = false;
       };
+
+      urlParts = mkOption {
+        description = "Default URL parts for tsnsrv services. Each service will have the parts here interpolated onto its .toURL option by default.";
+        type = types.submodule urlPartsSubmodule;
+      };
     };
 
     services.tsnsrv.services = mkOption {

nixos/tests/e2e/default.nix

@@ -5,5 +5,7 @@
   ...
 }: {
   systemd = import ./systemd.nix {inherit pkgs nixos-lib nixosModule;};
+  systemd-urlparts = import ./systemd-urlparts.nix {inherit pkgs nixos-lib nixosModule;};
   oci = import ./oci.nix {inherit pkgs nixos-lib nixosModule;};
+  oci-urlparts = import ./oci-urlparts.nix {inherit pkgs nixos-lib nixosModule;};
 }

nixos/tests/e2e/oci-urlparts.nix

@@ -0,0 +1,144 @@
+{
+  pkgs,
+  nixos-lib,
+  nixosModule,
+}: let
+  stunPort = 3478;
+in
+  nixos-lib.runTest {
+    name = "tsnsrv-nixos";
+    hostPkgs = pkgs;
+
+    nodes.headscale = {
+      environment.systemPackages = [pkgs.headscale];
+      services.headscale = {
+        enable = true;
+        address = "[::]";
+        settings = {
+          ip_prefixes = ["100.64.0.0/10"];
+          dns.magic_dns = false;
+          derp.server = {
+            enabled = true;
+            region_id = 999;
+            stun_listen_addr = "0.0.0.0:${toString stunPort}";
+          };
+          server_url = "http://headscale:8080";
+        };
+      };
+      networking.firewall = {
+        allowedTCPPorts = [8080 443];
+        allowedUDPPorts = [stunPort];
+      };
+    };
+
+    nodes.machine = {
+      config,
+      pkgs,
+      lib,
+      ...
+    }: {
+      imports = [
+        nixosModule
+      ];
+
+      environment.systemPackages = [pkgs.tailscale];
+      virtualisation.cores = 4;
+      virtualisation.memorySize = 1024;
+      services.tailscale.enable = true;
+      systemd.services.tailscaled.serviceConfig.Environment = ["TS_NO_LOGS_NO_SUPPORT=true"];
+
+      services.tsnsrv = {
+        enable = true;
+        defaults.tsnetVerbose = true;
+        defaults.loginServerUrl = "http://headscale:8080";
+        defaults.authKeyPath = "/run/ts-authkey";
+        defaults.urlParts.host = "127.0.0.1";
+      };
+      virtualisation.oci-sidecars.tsnsrv = {
+        enable = true;
+        containers.web-server-tsnsrv = {
+          name = "web-server";
+          forContainer = "web-server";
+          service = {
+            timeout = "10s";
+            listenAddr = ":80";
+            plaintext = true;
+            urlParts.port = 3000;
+          };
+        };
+      };
+      virtualisation.oci-containers = let
+        htmlRoot = pkgs.writeTextDir "index.html" "It works!";
+      in {
+        backend = "podman";
+        containers.web-server = {
+          image = "web-server:latest";
+          imageFile = pkgs.dockerTools.buildImage {
+            name = "web-server";
+            tag = "latest";
+            created = "now";
+            copyToRoot = pkgs.buildEnv {
+              name = "image-root";
+              paths = [pkgs.static-web-server htmlRoot];
+              pathsToLink = ["/bin"];
+            };
+            config.Cmd = ["/bin/static-web-server" "--port" "3000" "--root" htmlRoot];
+          };
+        };
+      };
+      systemd.services.podman-web-server-tsnsrv.enableStrictShellChecks = true;
+      networking.firewall.trustedInterfaces = ["podman0"];
+
+      # Delay starting the container machinery until we have an authkey:
+      systemd.services.podman-web-server.serviceConfig.ConditionPathExists = "/run/ts-authkey";
+
+      # Serve DNS to the podman containers, otherwise they have no idea who headscale is:
+      virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
+      services.resolved = {
+        enable = true;
+      };
+    };
+
+    testScript = ''
+      import time
+      import json
+
+      headscale.start()
+      machine.start()
+
+      headscale.wait_for_unit("headscale.service", timeout=30)
+      headscale.succeed("headscale users create machine")
+      authkey = headscale.succeed("headscale preauthkeys create --reusable -e 24h -u machine")
+      with open("authkey", "w") as k:
+          k.write(authkey)
+
+      machine.copy_from_host("authkey", "/run/ts-authkey")
+      machine.wait_for_unit("tailscaled.service", timeout=30)
+      machine.succeed('tailscale up --login-server=http://headscale:8080 --auth-key="$(cat /run/ts-authkey)"')
+
+      @polling_condition
+      def tsnsrv_running():
+          machine.succeed("systemctl is-active podman-web-server-tsnsrv")
+
+      def wait_for_tsnsrv_registered():
+          "Poll until tsnsrv appears in the list of hosts, then return its IP."
+          while True:
+              output = json.loads(headscale.succeed("headscale nodes list -o json-line"))
+              basic_entry = [elt["ip_addresses"][0] for elt in output if elt["given_name"] == "web-server"]
+              if len(basic_entry) == 1:
+                  return basic_entry[0]
+              time.sleep(1)
+
+      def test_script_e2e():
+          headscale.wait_until_succeeds("headscale nodes list -o json-line")
+          machine.wait_for_unit("podman-web-server-tsnsrv", timeout=30)
+          with tsnsrv_running:
+              # We don't have magic DNS in this setup, so let's figure out the IP from the node list:
+              tsnsrv_ip = wait_for_tsnsrv_registered()
+              print(f"tsnsrv seems up, with IP {tsnsrv_ip}")
+              machine.wait_until_succeeds(f"tailscale ping {tsnsrv_ip}", timeout=30)
+              print(machine.succeed(f"curl -f http://{tsnsrv_ip}"))
+      test_script_e2e()
+
+    '';
+  }

nixos/tests/e2e/systemd-urlparts.nix

@@ -0,0 +1,138 @@
+{
+  pkgs,
+  nixos-lib,
+  nixosModule,
+}: let
+  stunPort = 3478;
+in
+  nixos-lib.runTest {
+    name = "tsnsrv-nixos";
+    hostPkgs = pkgs;
+
+    defaults.services.tsnsrv.enable = true;
+    defaults.services.tsnsrv.defaults.tsnetVerbose = true;
+
+    nodes.machine = {
+      config,
+      pkgs,
+      lib,
+      ...
+    }: {
+      imports = [
+        nixosModule
+      ];
+
+      environment.systemPackages = [
+        pkgs.headscale
+        pkgs.tailscale
+        (pkgs.writeShellApplication {
+          name = "tailscale-up-for-tests";
+          text = ''
+            systemctl start --wait generate-tsnsrv-authkey@tailscaled.service
+            tailscale up \
+              --login-server=${config.services.headscale.settings.server_url} \
+              --auth-key="$(cat /var/lib/headscale-authkeys/tailscaled.preauth-key)"
+          '';
+        })
+      ];
+      virtualisation.cores = 4;
+      virtualisation.memorySize = 1024;
+      services.headscale = {
+        enable = true;
+        settings = {
+          ip_prefixes = ["100.64.0.0/10"];
+          dns.magic_dns = false;
+          derp.server = {
+            enabled = true;
+            region_id = 999;
+            stun_listen_addr = "0.0.0.0:${toString stunPort}";
+          };
+        };
+      };
+      services.tailscale.enable = true;
+      systemd.services.tailscaled.serviceConfig.Environment = ["TS_NO_LOGS_NO_SUPPORT=true"];
+      networking.firewall = {
+        allowedTCPPorts = [80 443];
+        allowedUDPPorts = [stunPort];
+      };
+
+      systemd.services."generate-tsnsrv-authkey@" = {
+        description = "Generate headscale authkey for %i";
+        serviceConfig.ExecStart = let
+          startScript = pkgs.writeShellApplication {
+            name = "generate-tsnsrv-authkey";
+            runtimeInputs = [pkgs.headscale pkgs.jq];
+            text = ''
+              set -x
+              headscale users create "$1"
+              headscale preauthkeys create --reusable -e 24h -u "$1" > "$STATE_DIRECTORY"/"$1".preauth-key
+              echo generated "$STATE_DIRECTORY"/"$1".preauth-key
+              cat "$STATE_DIRECTORY"/"$1".preauth-key
+            '';
+          };
+        in "${lib.getExe startScript} %i";
+        wants = ["headscale.service"];
+        after = ["headscale.service"];
+        serviceConfig.Type = "oneshot";
+        serviceConfig.StateDirectory = "headscale-authkeys";
+        serviceConfig.Group = "tsnsrv";
+        unitConfig.Requires = ["headscale.service"];
+      };
+
+      systemd.services.tsnsrv-basic = {
+        enableStrictShellChecks = true;
+        wants = ["generate-tsnsrv-authkey@basic.service"];
+        after = ["generate-tsnsrv-authkey@basic.service"];
+        unitConfig.Requires = ["generate-tsnsrv-authkey@basic.service"];
+      };
+      services.static-web-server = {
+        enable = true;
+        listen = "127.0.0.1:3000";
+        root = pkgs.writeTextDir "index.html" "It works!";
+      };
+      services.tsnsrv = {
+        defaults.urlParts.host = "127.0.0.1";
+        defaults.loginServerUrl = config.services.headscale.settings.server_url;
+        defaults.authKeyPath = "/var/lib/headscale-authkeys/basic.preauth-key";
+        services.basic = {
+          timeout = "10s";
+          listenAddr = ":80";
+          plaintext = true; # HTTPS requires certs
+          urlParts.port = 3000;
+        };
+      };
+    };
+
+    testScript = ''
+      machine.start()
+      machine.wait_for_unit("tailscaled.service", timeout=30)
+      machine.succeed("tailscale-up-for-tests", timeout=30)
+      import time
+      import json
+
+      @polling_condition
+      def tsnsrv_running():
+          machine.succeed("systemctl is-active tsnsrv-basic")
+
+      def wait_for_tsnsrv_registered():
+          "Poll until tsnsrv appears in the list of hosts, then return its IP."
+          while True:
+              output = json.loads(machine.succeed("headscale nodes list -o json-line"))
+              basic_entry = [elt["ip_addresses"][0] for elt in output if elt["given_name"] == "basic"]
+              if len(basic_entry) == 1:
+                  return basic_entry[0]
+              time.sleep(1)
+
+      def test_script_e2e():
+          machine.wait_until_succeeds("headscale nodes list -o json-line")
+          machine.wait_for_unit("tsnsrv-basic", timeout=30)
+          with tsnsrv_running:
+              # We don't have magic DNS in this setup, so let's figure out the IP from the node list:
+              tsnsrv_ip = wait_for_tsnsrv_registered()
+              print(f"tsnsrv seems up, with IP {tsnsrv_ip}")
+              machine.wait_until_succeeds(f"tailscale ping {tsnsrv_ip}", timeout=30)
+              print(machine.succeed(f"curl -f http://{tsnsrv_ip}"))
+      test_script_e2e()
+
+    '';
+  }