diff --git a/hosts/boron.cx.ts.hillion.co.uk/default.nix b/hosts/boron.cx.ts.hillion.co.uk/default.nix
index 038b2a4..cad4a7f 100644
--- a/hosts/boron.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/boron.cx.ts.hillion.co.uk/default.nix
@@ -99,11 +99,9 @@
 
 ## Tailscale
 age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
- ipv4Addr = "100.112.54.25";
- ipv6Addr = "fd7a:115c:a1e0::2a01:3619";
+ authKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
 };
 };
 }
diff --git a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
index 2e17c46..959de8b 100644
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@@ -62,9 +62,9 @@
 
 ## Tailscale
 age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
+ authKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
 };
 
 security.sudo.wheelNeedsPassword = lib.mkForce true;
diff --git a/hosts/jorah.cx.ts.hillion.co.uk/default.nix b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
index 6b485a3..c8203ad 100644
--- a/hosts/jorah.cx.ts.hillion.co.uk/default.nix
+++ b/hosts/jorah.cx.ts.hillion.co.uk/default.nix
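Review bot: The new `authKeyFile` line hands the upstream `services.tailscale` module a pre-auth key that lives on every host as an agenix secret, but nothing in this hunk records whether that key is single-use, reusable, tagged or expiring — and that is exactly what decides what a compromise of one host's decrypted secret buys an attacker (a reusable key lets them enrol arbitrary extra nodes into the tailnet). Since the hand-rolled autoconnect unit that used to guard the `tailscale up` call is deleted in this commit, the key's lifecycle is now the only control left, so it deserves a line next to the secret, e.g. `## Tailscale (pre-auth key: confirm single-use/expiring so a leaked host secret cannot enrol extra nodes)`. The same applies to the identical hunks in the other host files.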
@@ -101,11 +101,9 @@
 
 ## Tailscale
 age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
- ipv4Addr = "100.96.143.138";
- ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
+ authKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
 };
 };
 }
diff --git a/hosts/microserver.home.ts.hillion.co.uk/default.nix b/hosts/microserver.home.ts.hillion.co.uk/default.nix
index bd162ab..5b04139 100644
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@@ -20,11 +20,15 @@
 # Networking
 ## Tailscale
 age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
- advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
- advertiseExitNode = true;
+ authKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
+ useRoutingFeatures = "server";
+ extraUpFlags = [
+ "--advertise-routes"
+ "10.64.50.0/24,10.239.19.0/24"
+ "--advertise-exit-node"
+ ];
 };
 
 ## Enable IoT VLAN
diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index b91bf93..c5e2bd7 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
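Review bot: `useRoutingFeatures = "server"` combined with `--advertise-exit-node` makes this host a general packet forwarder: if I read the upstream module right it enables `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` host-wide, which also applies to the IoT VLAN configured right after this hunk, so the firewall's forward path should be set deliberately here rather than inherited. The deleted custom module set `networking.firewall.checkReversePath = "loose"` whenever an exit node was advertised, whereas upstream only does that for `"client"`/`"both"`; if return traffic through the exit node is dropped by rp_filter, re-add `networking.firewall.checkReversePath = "loose";` explicitly. `extraUpFlags` are only passed on the `tailscale up` that upstream's autoconnect unit runs when the node is not yet logged in, so later edits to the route list will not reach the tailnet until `tailscale up`/`tailscale set` is re-run by hand — worth a comment above the list such as `# applied only on first login; re-run tailscale set after changing routes`. Subnet routes and the exit node still need approval in the admin console and an ACL that limits who may reach `autogroup:internet` through this node.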
@@ -259,11 +259,9 @@
 
 ## Tailscale
 age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
- ipv4Addr = "100.105.71.48";
- ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
+ authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
 };
 
 ## Enable btrfs compression
@@ -288,7 +286,7 @@
 services.caddy = {
 enable = true;
 virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
- listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
+ listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
 extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
 };
 };
diff --git a/hosts/theon.storage.ts.hillion.co.uk/default.nix b/hosts/theon.storage.ts.hillion.co.uk/default.nix
index 5469054..500c0be 100644
--- a/hosts/theon.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/theon.storage.ts.hillion.co.uk/default.nix
@@ -41,11 +41,9 @@
 
 ## Tailscale
 age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
- ipv4Addr = "100.104.142.22";
- ipv6Addr = "fd7a:115c:a1e0::4aa8:8e16";
+ authKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
 };
 
 ## Packages
diff --git a/hosts/tywin.storage.ts.hillion.co.uk/default.nix b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
index e11c8a1..21c12ab 100644
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
@@ -20,11 +20,9 @@
 
 ## Tailscale
 age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
- custom.tailscale = {
+ services.tailscale = {
 enable = true;
- preAuthKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
- ipv4Addr = "100.115.31.91";
- ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
+ authKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
 };
 
 ## Filesystems
@@ -130,7 +128,7 @@
 services.caddy = {
 enable = true;
 virtualHosts."http://restic.tywin.storage.ts.hillion.co.uk".extraConfig = ''
- bind ${config.custom.tailscale.ipv4Addr} ${config.custom.tailscale.ipv6Addr}
+ bind ${config.custom.dns.tailscale.ipv4} ${config.custom.dns.tailscale.ipv6}
 reverse_proxy http://localhost:8000
 '';
 };
@@ -215,10 +213,6 @@
 networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
 networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
 80 # Caddy (restic.tywin.storage.ts.)
- 14002 # Storj Dashboard (d0.)
- 14003 # Storj Dashboard (d1.)
- 14004 # Storj Dashboard (d2.)
- 14005 # Storj Dashboard (d3.)
 ];
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index 00b8c13..041a4b4 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,6 +6,7 @@
 ./chia.nix
 ./defaults.nix
 ./desktop/awesome/default.nix
+ ./dns.nix
 ./home/default.nix
 ./hostinfo.nix
 ./ids.nix
@@ -16,7 +17,6 @@
 ./shell/default.nix
 ./ssh/default.nix
 ./storj.nix
- ./tailscale.nix
 ./users.nix
 ./www/global.nix
 ./www/www-repo.nix
diff --git a/modules/defaults.nix b/modules/defaults.nix
index ff19caf..f7240b8 100644
--- a/modules/defaults.nix
+++ b/modules/defaults.nix
@@ -54,6 +54,7 @@
 networking.firewall.enable = true;
 
 # Delegation
+ custom.dns.enable = true;
 custom.home.defaults = true;
 custom.hostinfo.enable = true;
 custom.shell.enable = true;
diff --git a/modules/dns.nix b/modules/dns.nix
new file mode 100644
index 0000000..613516c
--- /dev/null
+++ b/modules/dns.nix
@@ -0,0 +1,94 @@
+{ pkgs, lib, config, ... }:
+
+let
+ cfg = config.custom.dns;
+ v4Hosts = {
+ uk = {
+ co = {
+ hillion = {
+ ts = {
+ cx = {
+ boron = "100.112.54.25";
+ jorah = "100.96.143.138";
+ };
+ home = {
+ microserver = "100.105.131.47";
+ router = "100.105.71.48";
+ };
+ jakehillion-terminals = { gendry = "100.70.100.77"; };
+ lt = { be = "100.105.166.79"; };
+ pop = { li = "100.106.87.35"; };
+ storage = {
+ theon = "100.104.142.22";
+ tywin = "100.115.31.91";
+ };
+ };
+ };
+ };
+ };
+ };
+ v6Hosts = {
+ uk = {
+ co = {
+ hillion = {
+ ts = {
+ cx = {
+ boron = "fd7a:115c:a1e0::2a01:3619";
+ jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
+ };
+ home = {
+ microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
+ router = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
+ };
+ jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
+ lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
+ pop = { li = "fd7a:115c:a1e0::e701:5723"; };
+ storage = {
+ theon = "fd7a:115c:a1e0::4aa8:8e16";
+ tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
+ };
+ };
+ };
+ };
+ };
+ };
+in
+{
+ options.custom.dns = {
+ enable = lib.mkEnableOption "dns";
+
+ tailscale =
+ {
+ ipv4 = lib.mkOption {
+ description = "tailscale ipv4 address";
+ readOnly = true;
+ };
+ ipv6 = lib.mkOption {
+ description = "tailscale ipv6 address";
+ readOnly = true;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ custom.dns.tailscale =
+ let
+ lookupFqdn = lib.attrsets.attrByPath (lib.reverseList (lib.splitString "." config.networking.fqdn)) null;
+ in
+ {
+ ipv4 = lookupFqdn v4Hosts;
+ ipv6 = lookupFqdn v6Hosts;
+ };
+
+ networking.hosts =
+ let
+ mkHosts = hosts:
+ (lib.collect (x: (builtins.hasAttr "name" x && builtins.hasAttr "value" x))
+ (lib.mapAttrsRecursive
+ (path: value:
+ lib.nameValuePair value [ (lib.concatStringsSep "." (lib.reverseList path)) ])
+ hosts));
+ in
+ builtins.listToAttrs (mkHosts v4Hosts ++ mkHosts v6Hosts);
+ };
+}
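Review bot: `ipv4`/`ipv6` under `options.custom.dns.tailscale` carry no `type`, and `lookupFqdn` silently yields `null` for any host absent from `v4Hosts`/`v6Hosts`; because `custom.dns.enable` is switched on for every host in `defaults.nix`, a new host only discovers this at whichever consumer interpolates the value (`bind ${…}` in Caddy, `listenAddresses`), with an unhelpful type error far from the cause. Declaring `type = lib.types.nullOr lib.types.str;` on both options and stating in `description` that `null` means "host not in the static table" makes that contract explicit. The lookup also reads `config.networking.fqdn`, which as far as I recall throws when `networking.domain` is unset, so every host that takes these defaults needs a domain. A comment above `networking.hosts` should also say that these entries shadow MagicDNS for `*.ts.hillion.co.uk`: a node that is re-enrolled and receives a new tailnet address keeps resolving to the stale one on every other host until this table is edited, which matters for anything that trusts the name (restic, matrix).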
diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 6112b24..71844f5 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -45,7 +45,7 @@ in
 
 directories = [
 "/etc/nixos"
- ] ++ (listIf (config.services.tailscale.enable || config.custom.tailscale.enable) [ "/var/lib/tailscale" ]) ++
+ ] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
 (listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
 (listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
 (listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++
diff --git a/modules/services/downloads.nix b/modules/services/downloads.nix
index 8e7b198..0db9eb5 100644
--- a/modules/services/downloads.nix
+++ b/modules/services/downloads.nix
@@ -31,7 +31,7 @@ in
 (x: {
 name = "http://${x}.downloads.ts.hillion.co.uk";
 value = {
- listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
+ listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
 extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
 };
 }) [ "prowlarr" "sonarr" "radarr" "deluge" ]);
diff --git a/modules/services/matrix.nix b/modules/services/matrix.nix
index 703a8f5..bd78a79 100644
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
@@ -76,8 +76,8 @@ in
 x_forwarded = true;
 bind_addresses = [
 "::1"
- config.custom.tailscale.ipv4Addr
- config.custom.tailscale.ipv6Addr
+ config.custom.dns.tailscale.ipv4
+ config.custom.dns.tailscale.ipv6
 ];
 resources = [
 {
diff --git a/modules/services/zigbee2mqtt.nix b/modules/services/zigbee2mqtt.nix
index 32e07b5..40f6745 100644
--- a/modules/services/zigbee2mqtt.nix
+++ b/modules/services/zigbee2mqtt.nix
@@ -23,7 +23,7 @@ in
 
 enable = true;
 virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = {
- listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
+ listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
 extraConfig = "reverse_proxy http://127.0.0.1:15606";
 };
 };
diff --git a/modules/tailscale.nix b/modules/tailscale.nix
deleted file mode 100644
index 198c645..0000000
--- a/modules/tailscale.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-let
- cfg = config.custom.tailscale;
-in
-{
- options.custom.tailscale = {
- enable = lib.mkEnableOption "tailscale";
-
- preAuthKeyFile = lib.mkOption {
- type = lib.types.str;
- };
-
- advertiseRoutes = lib.mkOption {
- type = with lib.types; listOf str;
- default = [ ];
- };
-
- advertiseExitNode = lib.mkOption {
- type = lib.types.bool;
- default = false;
- };
-
- ipv4Addr = lib.mkOption { type = lib.types.str; };
- ipv6Addr = lib.mkOption { type = lib.types.str; };
- };
-
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [ pkgs.tailscale ];
-
- services.tailscale.enable = true;
-
- networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
-
- systemd.services.tailscale-autoconnect = {
- description = "Automatic connection to Tailscale";
-
- # make sure tailscale is running before trying to connect to tailscale
- after = [ "network-pre.target" "tailscale.service" ];
- wants = [ "network-pre.target" "tailscale.service" ];
- wantedBy = [ "multi-user.target" ];
-
- # set this service as a oneshot job
- serviceConfig.Type = "oneshot";
-
- # have the job run this shell script
- script = with pkgs; ''
- # wait for tailscaled to settle
- sleep 2
-
- # check if we are already authenticated to tailscale
- status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
- if [ $status = "Running" ]; then # if so, then do nothing
- exit 0
- fi
-
- # otherwise authenticate with tailscale
- ${tailscale}/bin/tailscale up \
- --authkey "$(<${cfg.preAuthKeyFile})" \
- --advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
- --advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
- '';
- };
- };
-}