tailscale: modularise properly

2023-04-17 21:22:04 +01:00 · 2023-04-17 21:22:04 +01:00 · 07d249a6f9
commit 07d249a6f9
parent 25ae59d96d
8 changed files with 137 additions and 104 deletions
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@ -47,7 +47,10 @@

    ## Tailscale
    age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
-    tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
+    };

    ## Password (for interactive logins)
    age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@ -1,25 +1,30 @@
 { config, pkgs, lib, ... }:

 {
-  config.system.stateVersion = "22.05";
-
-  config.networking.hostName = "microserver";
-  config.networking.domain = "home.ts.hillion.co.uk";
-
  imports = [
    ./hardware-configuration.nix
    ../../modules/common/default.nix
    ../../modules/rpi/rpi4.nix
  ];

+  config = {
+    system.stateVersion = "22.05";
+
+    networking.hostName = "microserver";
+    networking.domain = "home.ts.hillion.co.uk";
+
    # Networking
    ## Tailscale
-  config.tailscaleAdvertiseRoutes = "10.64.50.0/24,10.239.19.0/24";
-  config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
-  config.tailscalePreAuth = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
+    age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
+      advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
+      advertiseExitNode = true;
+    };

    ## Enable IoT VLAN
-  config.networking.vlans = {
+    networking.vlans = {
      vlan2 = {
        id = 2;
        interface = "eth0";
@ -27,12 +32,12 @@
    };

    ## Enable IP forwarding for Tailscale
-  config.boot.kernel.sysctl = {
+    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
    };

    ## Set up simpleproxy to Zigbee bridge
-  config.systemd.services.zigbee-simpleproxy = {
+    systemd.services.zigbee-simpleproxy = {
      description = "Simple TCP Proxy for Zigbee Bridge";

      wantedBy = [ "multi-user.target" ];
@ -45,10 +50,11 @@
        RestartSec = 10;
      };
    };
-  config.networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 8888 ];
+    networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 8888 ];

    ## Run a persistent iperf3 server
-  config.services.iperf3.enable = true;
-  config.services.iperf3.openFirewall = true;
+    services.iperf3.enable = true;
+    services.iperf3.openFirewall = true;
+  };
 }

--- a/hosts/microserver.parents.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.parents.ts.hillion.co.uk/default.nix
@ -1,30 +1,35 @@
 { config, pkgs, lib, ... }:

 {
-  config.system.stateVersion = "22.05";
-
-  config.networking.hostName = "microserver";
-  config.networking.domain = "parents.ts.hillion.co.uk";
-
  imports = [
    ./hardware-configuration.nix
    ../../modules/common/default.nix
    ../../modules/rpi/rpi4.nix
  ];

+  config = {
+    system.stateVersion = "22.05";
+
+    networking.hostName = "microserver";
+    networking.domain = "parents.ts.hillion.co.uk";
+
    # Networking
    ## Tailscale
-  config.tailscaleAdvertiseRoutes = "192.168.1.0/24";
-  config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
-  config.tailscalePreAuth = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
+    age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.parents.ts.hillion.co.uk.age;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/microserver.parents.ts.hillion.co.uk".path;
+      advertiseRoutes = [ "192.168.1.0/24" ];
+    };

    ## Enable IP forwarding for Tailscale
-  config.boot.kernel.sysctl = {
+    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = true;
    };

    ## Run a persistent iperf3 server
-  config.services.iperf3.enable = true;
-  config.services.iperf3.openFirewall = true;
+    services.iperf3.enable = true;
+    services.iperf3.openFirewall = true;
+  };
 }

--- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
+++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
@ -49,7 +49,10 @@

    ## Tailscale
    age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
-    tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
+    custom.tailscale = {
+      enable = true;
+      preAuthKeyFile = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
+    };

    ## Resilio Sync (Encrypted)
    custom.resilio.enable = true;
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -5,7 +5,6 @@
    ../home/default.nix
    ./shell.nix
    ./ssh.nix
-    ./tailscale.nix
  ];

  nix = {
--- a/modules/common/tailscale.nix
+++ b/modules/common/tailscale.nix
@ -1,46 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-{
-  options.tailscalePreAuth = lib.mkOption {
-    type = lib.types.str;
-  };
-  options.tailscaleAdvertiseRoutes = lib.mkOption {
-    type = lib.types.str;
-    default = "";
-  };
-
-  # make the tailscale command usable to users
-  config.environment.systemPackages = [ pkgs.tailscale ];
-
-  # enable the tailscale service
-  config.services.tailscale.enable = true;
-
-  config.systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = with pkgs; ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up \
-        --authkey "$(<${config.tailscalePreAuth})" \
-        --advertise-routes "${config.tailscaleAdvertiseRoutes}"
-    '';
-  };
-}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -3,6 +3,7 @@
 {
  imports = [
    ./resilio.nix
+    ./tailscale.nix
    ./www/global.nix
    ./www/www-repo.nix
  ];
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -0,0 +1,62 @@
+{ pkgs, lib, config, ... }:
+
+let
+  cfg = config.custom.tailscale;
+in
+{
+  options.custom.tailscale = {
+    enable = lib.mkEnableOption "tailscale";
+
+    preAuthKeyFile = lib.mkOption {
+      type = lib.types.str;
+    };
+
+    advertiseRoutes = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [ ];
+    };
+
+    advertiseExitNode = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.tailscale ];
+
+    services.tailscale.enable = true;
+
+    networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
+
+    systemd.services.tailscale-autoconnect = {
+      description = "Automatic connection to Tailscale";
+
+      # make sure tailscale is running before trying to connect to tailscale
+      after = [ "network-pre.target" "tailscale.service" ];
+      wants = [ "network-pre.target" "tailscale.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      # set this service as a oneshot job
+      serviceConfig.Type = "oneshot";
+
+      # have the job run this shell script
+      script = with pkgs; ''
+        # wait for tailscaled to settle
+        sleep 2
+
+        # check if we are already authenticated to tailscale
+        status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+        if [ $status = "Running" ]; then # if so, then do nothing
+          exit 0
+        fi
+
+        # otherwise authenticate with tailscale
+        ${tailscale}/bin/tailscale up \
+          --authkey "$(<${cfg.preAuthKeyFile})" \
+          --advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
+          --advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
+      '';
+    };
+  };
+}