JakeHillion/nixos
1
0
Fork 0
Code Issues 10 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

tailscale: update to included nixos module #245

Merged
JakeHillion merged 1 commits from tailscale into main 2024-04-27 15:54:09 +01:00
Conversation 0 Commits 1 Files Changed 15 +123 -103
15 changed files with 123 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hosts/boron.cx.ts.hillion.co.uk/default.nix
View File

@ -99,11 +99,9 @@
## Tailscale
age.secrets."tailscale/boron.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/boron.cx.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
ipv4Addr = "100.112.54.25";
ipv6Addr = "fd7a:115c:a1e0::2a01:3619";
authKeyFile = config.age.secrets."tailscale/boron.cx.ts.hillion.co.uk".path;
};
};
}

4
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
View File

@ -62,9 +62,9 @@
## Tailscale
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
authKeyFile = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
};
security.sudo.wheelNeedsPassword = lib.mkForce true;

6
hosts/jorah.cx.ts.hillion.co.uk/default.nix
View File

@ -101,11 +101,9 @@
## Tailscale
age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".file = ../../secrets/tailscale/jorah.cx.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
ipv4Addr = "100.96.143.138";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
authKeyFile = config.age.secrets."tailscale/jorah.cx.ts.hillion.co.uk".path;
};
};
}

12
hosts/microserver.home.ts.hillion.co.uk/default.nix
View File

@ -20,11 +20,15 @@
# Networking
## Tailscale
age.secrets."tailscale/microserver.home.ts.hillion.co.uk".file = ../../secrets/tailscale/microserver.home.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
advertiseExitNode = true;
authKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
useRoutingFeatures = "server";
extraUpFlags = [
"--advertise-routes"
"10.64.50.0/24,10.239.19.0/24"
"--advertise-exit-node"
];
};
## Enable IoT VLAN

8
hosts/router.home.ts.hillion.co.uk/default.nix
View File

@ -259,11 +259,9 @@
## Tailscale
age.secrets."tailscale/router.home.ts.hillion.co.uk".file = ../../secrets/tailscale/router.home.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
ipv4Addr = "100.105.71.48";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
authKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path;
};
## Enable btrfs compression
@ -288,7 +286,7 @@
services.caddy = {
enable = true;
virtualHosts."http://graphs.router.home.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy unix///run/netdata/netdata.sock";
};
};

6
hosts/theon.storage.ts.hillion.co.uk/default.nix
View File

@ -41,11 +41,9 @@
## Tailscale
age.secrets."tailscale/theon.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/theon.storage.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
ipv4Addr = "100.104.142.22";
ipv6Addr = "fd7a:115c:a1e0::4aa8:8e16";
authKeyFile = config.age.secrets."tailscale/theon.storage.ts.hillion.co.uk".path;
};
## Packages

12
hosts/tywin.storage.ts.hillion.co.uk/default.nix
View File

@ -20,11 +20,9 @@
## Tailscale
age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".file = ../../secrets/tailscale/tywin.storage.ts.hillion.co.uk.age;
custom.tailscale = {
services.tailscale = {
enable = true;
preAuthKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
ipv4Addr = "100.115.31.91";
ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
authKeyFile = config.age.secrets."tailscale/tywin.storage.ts.hillion.co.uk".path;
};
## Filesystems
@ -130,7 +128,7 @@
services.caddy = {
enable = true;
virtualHosts."http://restic.tywin.storage.ts.hillion.co.uk".extraConfig = ''
bind ${config.custom.tailscale.ipv4Addr} ${config.custom.tailscale.ipv6Addr}
bind ${config.custom.dns.tailscale.ipv4} ${config.custom.dns.tailscale.ipv6}
reverse_proxy http://localhost:8000
'';
};
@ -215,10 +213,6 @@
networking.nameservers = lib.mkForce [ ]; # Trust the DHCP nameservers
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
80 # Caddy (restic.tywin.storage.ts.)
14002 # Storj Dashboard (d0.)
14003 # Storj Dashboard (d1.)
14004 # Storj Dashboard (d2.)
14005 # Storj Dashboard (d3.)
];
};
}

2
modules/default.nix
View File

@ -6,6 +6,7 @@
./chia.nix
./defaults.nix
./desktop/awesome/default.nix
./dns.nix
./home/default.nix
./hostinfo.nix
./ids.nix
@ -16,7 +17,6 @@
./shell/default.nix
./ssh/default.nix
./storj.nix
./tailscale.nix
./users.nix
./www/global.nix
./www/www-repo.nix

1
modules/defaults.nix
View File

@ -54,6 +54,7 @@
networking.firewall.enable = true;
# Delegation
custom.dns.enable = true;
custom.home.defaults = true;
custom.hostinfo.enable = true;
custom.shell.enable = true;

94
modules/dns.nix Normal file
View File

@ -0,0 +1,94 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.dns;
v4Hosts = {
uk = {
co = {
hillion = {
ts = {
cx = {
boron = "100.112.54.25";
jorah = "100.96.143.138";
};
home = {
microserver = "100.105.131.47";
router = "100.105.71.48";
};
jakehillion-terminals = { gendry = "100.70.100.77"; };
lt = { be = "100.105.166.79"; };
pop = { li = "100.106.87.35"; };
storage = {
theon = "100.104.142.22";
tywin = "100.115.31.91";
};
};
};
};
};
};
v6Hosts = {
uk = {
co = {
hillion = {
ts = {
cx = {
boron = "fd7a:115c:a1e0::2a01:3619";
jorah = "fd7a:115c:a1e0:ab12:4843:cd96:6260:8f8a";
};
home = {
microserver = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
router = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730";
};
jakehillion-terminals = { gendry = "fd7a:115c:a1e0:ab12:4843:cd96:6246:644d"; };
lt = { be = "fd7a:115c:a1e0::9001:a64f"; };
pop = { li = "fd7a:115c:a1e0::e701:5723"; };
storage = {
theon = "fd7a:115c:a1e0::4aa8:8e16";
tywin = "fd7a:115c:a1e0:ab12:4843:cd96:6273:1f5b";
};
};
};
};
};
};
in
{
options.custom.dns = {
enable = lib.mkEnableOption "dns";
tailscale =
{
ipv4 = lib.mkOption {
description = "tailscale ipv4 address";
readOnly = true;
};
ipv6 = lib.mkOption {
description = "tailscale ipv6 address";
readOnly = true;
};
};
};
config = lib.mkIf cfg.enable {
custom.dns.tailscale =
let
lookupFqdn = lib.attrsets.attrByPath (lib.reverseList (lib.splitString "." config.networking.fqdn)) null;
in
{
ipv4 = lookupFqdn v4Hosts;
ipv6 = lookupFqdn v6Hosts;
};
networking.hosts =
let
mkHosts = hosts:
(lib.collect (x: (builtins.hasAttr "name" x && builtins.hasAttr "value" x))
(lib.mapAttrsRecursive
(path: value:
lib.nameValuePair value [ (lib.concatStringsSep "." (lib.reverseList path)) ])
hosts));
in
builtins.listToAttrs (mkHosts v4Hosts ++ mkHosts v6Hosts);
};
}

2
modules/impermanence.nix
View File

@ -45,7 +45,7 @@ in
directories = [
"/etc/nixos"
] ++ (listIf (config.services.tailscale.enable || config.custom.tailscale.enable) [ "/var/lib/tailscale" ]) ++
] ++ (listIf config.services.tailscale.enable [ "/var/lib/tailscale" ]) ++
(listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++
(listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++
(listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++

2
modules/services/downloads.nix
View File

@ -31,7 +31,7 @@ in
(x: {
name = "http://${x}.downloads.ts.hillion.co.uk";
value = {
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy unix//${cfg.metadataPath}/caddy/caddy.sock";
};
}) [ "prowlarr" "sonarr" "radarr" "deluge" ]);

4
modules/services/matrix.nix
View File

@ -76,8 +76,8 @@ in
x_forwarded = true;
bind_addresses = [
"::1"
config.custom.tailscale.ipv4Addr
config.custom.tailscale.ipv6Addr
config.custom.dns.tailscale.ipv4
config.custom.dns.tailscale.ipv6
];
resources = [
{

2
modules/services/zigbee2mqtt.nix
View File

@ -23,7 +23,7 @@ in
enable = true;
virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = {
listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
listenAddresses = [ config.custom.dns.tailscale.ipv4 config.custom.dns.tailscale.ipv6 ];
extraConfig = "reverse_proxy http://127.0.0.1:15606";
};
};

65
modules/tailscale.nix
View File

@ -1,65 +0,0 @@
{ pkgs, lib, config, ... }:
let
cfg = config.custom.tailscale;
in
{
options.custom.tailscale = {
enable = lib.mkEnableOption "tailscale";
preAuthKeyFile = lib.mkOption {
type = lib.types.str;
};
advertiseRoutes = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
advertiseExitNode = lib.mkOption {
type = lib.types.bool;
default = false;
};
ipv4Addr = lib.mkOption { type = lib.types.str; };
ipv6Addr = lib.mkOption { type = lib.types.str; };
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tailscale ];
services.tailscale.enable = true;
networking.firewall.checkReversePath = lib.mkIf cfg.advertiseExitNode "loose";
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up \
--authkey "$(<${cfg.preAuthKeyFile})" \
--advertise-routes "${lib.concatStringsSep "," cfg.advertiseRoutes}" \
--advertise-exit-node=${if cfg.advertiseExitNode then "true" else "false"}
'';
};
};
}