tailscale: modularise properly

This commit is contained in:
Jake Hillion 2023-04-17 21:22:04 +01:00
parent 25ae59d96d
commit 07d249a6f9
8 changed files with 137 additions and 104 deletions


@ -47,7 +47,10 @@
## Tailscale ## Tailscale
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age; age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path; custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
};
## Password (for interactive logins) ## Password (for interactive logins)
age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age; age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;


@ -1,54 +1,60 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
config.system.stateVersion = "22.05";
config.networking.hostName = "microserver";
config.networking.domain = "home.ts.hillion.co.uk";
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/common/default.nix ../../modules/common/default.nix
../../modules/rpi/rpi4.nix ../../modules/rpi/rpi4.nix
]; ];
# Networking config = {
## Tailscale system.stateVersion = "22.05";
config.tailscaleAdvertiseRoutes = "10.64.50.0/24,10.239.19.0/24";
config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
config.tailscalePreAuth = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
## Enable IoT VLAN networking.hostName = "microserver";
config.networking.vlans = { networking.domain = "home.ts.hillion.co.uk";
vlan2 = {
id = 2; # Networking
interface = "eth0"; ## Tailscale
age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
advertiseExitNode = true;
}; };
};
## Enable IP forwarding for Tailscale ## Enable IoT VLAN
config.boot.kernel.sysctl = { networking.vlans = {
"net.ipv4.ip_forward" = true; vlan2 = {
}; id = 2;
interface = "eth0";
## Set up simpleproxy to Zigbee bridge };
config.systemd.services.zigbee-simpleproxy = {
description = "Simple TCP Proxy for Zigbee Bridge";
wantedBy = [ "multi-user.target" ];
after = [ "tailscaled.service" ];
serviceConfig = {
DynamicUser = true;
ExecStart = with pkgs; "${simpleproxy}/bin/simpleproxy -L 100.105.131.47:8888 -R 10.239.19.40:8888 -v";
Restart = "always";
RestartSec = 10;
}; };
};
config.networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 8888 ];
## Run a persistent iperf3 server ## Enable IP forwarding for Tailscale
config.services.iperf3.enable = true; boot.kernel.sysctl = {
config.services.iperf3.openFirewall = true; "net.ipv4.ip_forward" = true;
};
## Set up simpleproxy to Zigbee bridge
systemd.services.zigbee-simpleproxy = {
description = "Simple TCP Proxy for Zigbee Bridge";
wantedBy = [ "multi-user.target" ];
after = [ "tailscaled.service" ];
serviceConfig = {
DynamicUser = true;
ExecStart = with pkgs; "${simpleproxy}/bin/simpleproxy -L 100.105.131.47:8888 -R 10.239.19.40:8888 -v";
Restart = "always";
RestartSec = 10;
};
};
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 8888 ];
## Run a persistent iperf3 server
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
};
} }
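Review bot: `advertiseExitNode = true` is added in the `custom.tailscale` block, but the sysctl block under `## Enable IP forwarding for Tailscale` still sets only `net.ipv4.ip_forward`; an exit node also forwards peers' IPv6 traffic, so `"net.ipv6.conf.all.forwarding" = true;` should sit alongside it, otherwise IPv6 from clients that select this exit node is dropped (tailscale, I believe, reports a forwarding warning in that state). The `tailscaleAdvertiseRoutes` string is carried over as a list unchanged, which looks correct. Since the module now owns the route and exit-node flags, it may be cleaner to move both forwarding sysctls into it, gated on `advertiseRoutes != [ ] || advertiseExitNode`, so no host can advertise routes without forwarding enabled.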


@ -1,30 +1,35 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
config.system.stateVersion = "22.05";
config.networking.hostName = "microserver";
config.networking.domain = "parents.ts.hillion.co.uk";
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/common/default.nix ../../modules/common/default.nix
../../modules/rpi/rpi4.nix ../../modules/rpi/rpi4.nix
]; ];
# Networking config = {
## Tailscale system.stateVersion = "22.05";
config.tailscaleAdvertiseRoutes = "192.168.1.0/24";
config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
config.tailscalePreAuth = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
## Enable IP forwarding for Tailscale networking.hostName = "microserver";
config.boot.kernel.sysctl = { networking.domain = "parents.ts.hillion.co.uk";
"net.ipv4.ip_forward" = true;
# Networking
## Tailscale
age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
advertiseRoutes = [ "192.168.1.0/24" ];
};
## Enable IP forwarding for Tailscale
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
};
## Run a persistent iperf3 server
services.iperf3.enable = true;
services.iperf3.openFirewall = true;
}; };
## Run a persistent iperf3 server
config.services.iperf3.enable = true;
config.services.iperf3.openFirewall = true;
} }


@ -49,7 +49,10 @@
## Tailscale ## Tailscale
age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age; age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path; custom.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
};
## Resilio Sync (Encrypted) ## Resilio Sync (Encrypted)
custom.resilio.enable = true; custom.resilio.enable = true;


@ -5,7 +5,6 @@
../home/default.nix ../home/default.nix
./shell.nix ./shell.nix
./ssh.nix ./ssh.nix
./tailscale.nix
]; ];
nix = { nix = {


@ -1,46 +0,0 @@
{ pkgs, lib, config, ... }:
{
options.tailscalePreAuth = lib.mkOption {
type = lib.types.str;
};
options.tailscaleAdvertiseRoutes = lib.mkOption {
type = lib.types.str;
default = "";
};
# make the tailscale command usable to users
config.environment.systemPackages = [ pkgs.tailscale ];
# enable the tailscale service
config.services.tailscale.enable = true;
config.systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up \
--authkey "$(<${config.tailscalePreAuth})" \
--advertise-routes "${config.tailscaleAdvertiseRoutes}"
'';
};
}


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./resilio.nix ./resilio.nix
./tailscale.nix
./www/global.nix ./www/global.nix
./www/www-repo.nix ./www/www-repo.nix
]; ];

62
modules/tailscale.nix Normal file

@ -0,0 +1,62 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.tailscale;
in
{
options.custom.tailscale = {
enable = lib.mkEnableOption "tailscale";
preAuthKeyFile = lib.mkOption {
type = lib.types.str;
};
advertiseRoutes = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
advertiseExitNode = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tailscale ];
services.tailscale.enable = true;
networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up \
--authkey "$(<${cfg.preAuthKeyFile})" \
--advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
--advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
'';
};
};
}
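Review bot: The early `exit 0` at the `Running` check means `advertiseRoutes` and `advertiseExitNode` are applied only on first authentication; once a node is logged in, changing either option and rebuilding leaves the daemon with its old route set, because `tailscale up` is never re-run. With a CLI recent enough to have `tailscale set`, the flags can be pushed on every service start before the exit, as below. Independently, `$status` on the `if [ $status = "Running" ]` line is unquoted, so an empty result (tailscale or jq failing) turns the test into a shell error instead of a clean fall-through; use `if [ "$status" = "Running" ]`. Note also that `--authkey "$(<${cfg.preAuthKeyFile})"` places the pre-auth key on the command line, where it is briefly visible in the process table; newer CLIs accept `--authkey file:<path>`, which avoids that if the packaged version supports it.
```nix
      # check if we are already authenticated to tailscale
      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
      if [ "$status" = "Running" ]; then
        # already up: push the current route/exit-node settings to the daemon
        ${tailscale}/bin/tailscale set \
          --advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
          --advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
        exit 0
      fi
      # … unchanged: tailscale up with --authkey for the first authentication …
```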