From c558bad71370f36c98fa236e8f047c48e12ddf2a Mon Sep 17 00:00:00 2001
From: Callum Leslie
Date: Mon, 2 Sep 2024 15:05:48 +0100
Subject: [PATCH] tailscale

---
 flake.nix | 2 +-
 hosts/artemis/configuration.nix | 8 ++++++-
 hosts/artemis/default.nix | 2 +-
 hosts/default.nix | 19 +++++++++++-----
 hosts/hermes/configuration.nix | 8 ++++++-
 hosts/hermes/default.nix | 3 ++-
 hosts/hermes/headscale.nix | 20 +++++++++++++++++
 modules/default.nix | 2 ++
 modules/deploy.nix | 4 ++--
 modules/tailscale.nix | 36 ++++++++++++++++++++++++++++++
 secrets/mesh-conf-cleslie.age | 9 ++++++++
 secrets/mesh-conf-infra.age | Bin 0 -> 481 bytes
 secrets/secrets-configuration.nix | 6 +++--
 secrets/secrets.nix | 2 ++
 secrets/wg-conf.age | Bin 697 -> 697 bytes
 15 files changed, 106 insertions(+), 15 deletions(-)
 create mode 100644 hosts/hermes/headscale.nix
 create mode 100644 modules/tailscale.nix
 create mode 100644 secrets/mesh-conf-cleslie.age
 create mode 100644 secrets/mesh-conf-infra.age

diff --git a/flake.nix b/flake.nix
index 2f1ce4b..1bda364 100644
--- a/flake.nix
+++ b/flake.nix
@@ -67,7 +67,7 @@
 } @ inputs: let
 inherit (utils.lib) mkApp;
 mods = import ./modules {inherit utils;};
-hosts = import ./hosts {inherit utils;};
+hosts = import ./hosts {inherit inputs utils;};
 overlay = import ./overlays {inherit inputs;};
 in
 with mods.nixosModules;
diff --git a/hosts/artemis/configuration.nix b/hosts/artemis/configuration.nix
index 5bc5240..efa4676 100644
--- a/hosts/artemis/configuration.nix
+++ b/hosts/artemis/configuration.nix
@@ -1,11 +1,17 @@
 {
+config,
 pkgs,
 inputs,
 ...
 }: let
 inherit (inputs.self.nixosModules) keys;
 in {
-services.remote-deploy = {
+c.services.mesh = {
+enable = true;
+exitNode = false;
+keyFile = config.age.secrets.mesh-conf-cleslie.path;
+};
+c.services.remote-deploy = {
 enable = false;
 keys = keys.c;
 };
diff --git a/hosts/artemis/default.nix b/hosts/artemis/default.nix
index f3eb160..1db9d12 100644
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@@ -1,4 +1,4 @@
-{
+{inputs}: {
 modules = [
 ./hardware-configuration.nix
 ./configuration.nix
diff --git a/hosts/default.nix b/hosts/default.nix
index 570ebdc..d14d2f6 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,6 +1,13 @@
-{utils}: let
-hosts = utils.lib.exportModules [
-./artemis
-./hermes
-];
-in {inherit hosts;}
+{
+inputs,
+utils,
+}: let
+# TODO: function to do this
+artemis = import ./artemis {inherit inputs;};
+hermes = import ./hermes {inherit inputs;};
+in {
+hosts = {
+inherit artemis;
+inherit hermes;
+};
+}
diff --git a/hosts/hermes/configuration.nix b/hosts/hermes/configuration.nix
index b5355d1..8cc5345 100644
--- a/hosts/hermes/configuration.nix
+++ b/hosts/hermes/configuration.nix
@@ -7,7 +7,13 @@
 }: let
 inherit (inputs.self.nixosModules) keys;
 in {
-services.remote-deploy = {
+c.services.mesh = {
+enable = true;
+exitNode = true;
+keyFile = config.age.secrets.mesh-conf-infra.path;
+};
+
+c.services.remote-deploy = {
 enable = true;
 host = "media.cleslie.uk";
 port = 62480;
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
index 074c149..ca8050d 100644
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@@ -1,4 +1,4 @@
-{
+{inputs}: {
 modules = [
 ./hardware-configuration.nix
 ./configuration.nix
@@ -7,6 +7,7 @@
 ./networking.nix
 ./ssh.nix
 ./media.nix
+./headscale.nix
 ];
 extraArgs = {};
 specialArgs = {};
diff --git a/hosts/hermes/headscale.nix b/hosts/hermes/headscale.nix
new file mode 100644
index 0000000..d907330
--- /dev/null
+++ b/hosts/hermes/headscale.nix
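Review bot: In hosts/default.nix, `utils` is still accepted in the new argument set but nothing uses it once the `exportModules` call is gone; either drop it here and in the flake.nix call site (`hosts = import ./hosts {inherit inputs;};`) or keep it deliberately with a comment. The `# TODO: function to do this` can be closed in the same hunk with a one-line helper, `mkHost = dir: import dir {inherit inputs;};`, giving `artemis = mkHost ./artemis;` and `hermes = mkHost ./hermes;`. Both host default.nix files now take `{inputs}:`, but the visible lines of those hunks do not reference it; presumably it is consumed further down in each file, which is worth confirming so the new parameter is not dead.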
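Review bot: In hosts/hermes/configuration.nix, `keyFile = config.age.secrets.mesh-conf-infra.path;` reads `config`, yet unlike the artemis hunk this one does not add `config` to the module's argument set, which starts above line 7 outside the hunk. If `config` is not already bound there, evaluation fails with an undefined-variable error, so confirm the argument set before merging. The enclosing attribute set continues past the end of the hunk.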
@@ -0,0 +1,20 @@
+{config, ...}: let
+domain = "mesh.cleslie.uk";
+in {
+services = {
+headscale = {
+enable = true;
+address = "0.0.0.0";
+port = 8080;
+settings = {
+server_url = "https://${domain}";
+dns_config = {base_domain = "cleslie.uk";};
+
+ip_prefixes = "100.64.0.0/10";
+};
+};
+caddy.virtualHosts.${domain}.extraConfig = ''
+reverse_proxy localhost:${toString config.services.headscale.port}
+'';
+};
+}
diff --git a/modules/default.nix b/modules/default.nix
index f8a8af0..0f10192 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,12 +6,14 @@
 ./deploy.nix
 ./keys.nix
 ./secret.nix
+./tailscale.nix
 ];
 sharedModules = with nixosModules; [
 nix
 hm
 boot
 deploy
+tailscale
 secret
 ];
 in {inherit nixosModules sharedModules;}
diff --git a/modules/deploy.nix b/modules/deploy.nix
index 9406898..811ab27 100644
--- a/modules/deploy.nix
+++ b/modules/deploy.nix
@@ -5,9 +5,9 @@
 ...
 }:
 with lib; let
-cfg = config.services.remote-deploy;
+cfg = config.c.services.remote-deploy;
 in {
-options.services.remote-deploy = {
+options.c.services.remote-deploy = {
 enable = mkEnableOption "Enable remote deployment with nixinate.";
 host = mkOption {
 type = types.str;
diff --git a/modules/tailscale.nix b/modules/tailscale.nix
new file mode 100644
index 0000000..cf915c6
--- /dev/null
+++ b/modules/tailscale.nix
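Review bot: `address = "0.0.0.0";` makes headscale listen on port 8080 on every interface, although the only consumer in this file is the local Caddy proxy (`reverse_proxy localhost:…`); bind it to loopback instead, `address = "127.0.0.1";`. This matters more on hermes specifically, because modules/tailscale.nix in the same commit adds the tailscale interface to `trustedInterfaces`, so the plain-HTTP listener would otherwise be reachable from every mesh peer without going through Caddy's TLS endpoint. Separately, `ip_prefixes` is a list in headscale's own config and, as far as I recall, the NixOS module types `services.headscale.settings.ip_prefixes` as a list of strings, so `ip_prefixes = ["100.64.0.0/10"];` is the expected form — confirm at eval time. The `dns_config` key also depends on which headscale release the packaged module targets (newer releases renamed it), so check it against the version actually deployed.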
@@ -0,0 +1,36 @@
+{
+config,
+options,
+lib,
+...
+}:
+with lib; let
+cfg = config.c.services.mesh;
+in {
+options.c.services.mesh = {
+enable = mkEnableOption "Enable tailscale daemon.";
+exitNode = mkOption {
+type = types.bool;
+default = false;
+description = "Enable advertising as an exit node.";
+};
+keyFile = mkOption {
+type = types.path;
+description = "Path to key file.";
+};
+};
+config = mkIf cfg.enable {
+services.tailscale = {
+enable = true;
+openFirewall = true;
+#authKeyFile = config.age.secrets.mesh-conf.path;
+authKeyFile = cfg.keyFile;
+extraUpFlags = ["--login-server" "https://mesh.cleslie.uk"];
+extraSetFlags = [(mkIf cfg.exitNode "--advertise-exit-node")];
+};
+networking.firewall = {
+#checkReversePath = "loose";
+trustedInterfaces = [config.services.tailscale.interfaceName];
+};
+};
+}
diff --git a/secrets/mesh-conf-cleslie.age b/secrets/mesh-conf-cleslie.age
new file mode 100644
index 0000000..ac1c8f7
--- /dev/null
+++ b/secrets/mesh-conf-cleslie.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 /RyXeg RCXNBh7g6+X5buZJdDCd52elfUAnzgOUfINsdGCAcUg
+0MOZk6dC51NyFWBu/4+6XY9bMgQ9JoCv6ekH9eaghI0
+-> ssh-ed25519 ejjLpg ILRsr6hHJZrX4ssD1hj8FEH8VhqIouHpdLX0phc8qiM
+0G6VMYbLtq+HcYurP8AIT5qCrLbQJQEpyyqNmRrjJ7I
+-> ssh-ed25519 aSaoJQ OVpC763FiqHOaD+uThjZcXgi215AE07aXitPi6Ar3wE
+UGQ4Nnnxi2Z57XPJ+9DCUV+/U7aC+Wuprv4JcEHkFqE
+--- ulRUBJuSDAodVNUVviwGJAYe7l/FOzVNNiQaVzGUWnI
+òÊÈë&‡¬(fsR…v•Kp¬**/-~jž&I-Ô³²/ÄpdEÑÂ$u*öànëÓPnïëïA0Ž–_ìE–ëû‰ÒÏôÿ6·´
\ No newline at end of file
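Review bot: `exitNode` only appends `--advertise-exit-node`; nothing in the module enables IP forwarding, so an advertised exit node will not actually route peer traffic. The tailscale NixOS module covers this with `services.tailscale.useRoutingFeatures`, e.g. `useRoutingFeatures = if cfg.exitNode then "server" else "client";`, which also takes care of the `checkReversePath = "loose"` that is left commented out here. `trustedInterfaces = [config.services.tailscale.interfaceName];` bypasses the host firewall for every mesh peer on every host that enables this module, which is broader than the exit-node role needs; consider making it opt-in via an option, or scoping exposure with `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts`. The login server `https://mesh.cleslie.uk` is hard-coded in `extraUpFlags` while hosts/hermes/headscale.nix derives the same URL from its own `domain` binding, so a `loginServer` option on this module would keep the two from drifting, and the stale `#authKeyFile = config.age.secrets.mesh-conf.path;` line can be removed.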
diff --git a/secrets/mesh-conf-infra.age b/secrets/mesh-conf-infra.age new file mode 100644 index 0000000000000000000000000000000000000000..5e366a600b673483d8d73292ffbfb5dcecd737d9 GIT binary patch literal 481 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUF52}nvO;<<{4oNNw z^eQqaaWT#J_R#jNjPfye$}uP?$|!I*F9~sUcJeBU2rSB~$ma^kst}rQ0^F_BUH7m=fAYDN_$Ir7OFv-Nd%p$BX zILpM#)G46YJF3diq{73;)4$Rw!Y8EIqO8(4)PO6!BGeFm w?5%{qwNrN`-?VHY+i!dXT=UM?h7Si+f#cSgCsk88P8xOqjYb5K;Veq~sgVXCW9 zijTg#Z%%GGm$Q*&N=Rz3e@U)SMN&mkfS*N(hg+$?nR`L8OGu`pqn}$vQlv{pSdRb1 z4-)kup{_xesg|aR!P+JkNs%5-#^z!ACQbz=hMrO39!37zA<2>9NugOOuK8S-*NrTv_}`6KWn6D zm|D)Y{&qXDFk{E9tFgXD&(6zTO~1LJ(f;nKYft(YskY7V`E+CVHp|H+;%lZkS7dkT z@x8qLx#n!Q=EL2|K4F4wE>ZjYid!c;tUBvd$Gg#N$AtceCT)j#oUUwL7q(+|U%)1b sk5RoA+B41h7XMigp>27q@r7z$X;vzy@k}GG#rva!sQb&YobeeX;7+rXhyDic!hSDg}y~WkgsKAm|s<~nSOb2l#xN6 zCzn@tvU^B)Mp;H=dUip1pl4WeluxE(NqVJIYO1?ofRnjds$p=1vtfo$D3`9CLUD11 zZfc5=si~o*LTXl)PeHmuWk^U#W=>^pwtjkwc3zcJnrmQ=Sw(V^S5cN>iC1x|v1O)L zQG~C%xp{aXS5i)XWtp*QL4aF^YmljK@cNM%l>c2!l5Pf(tAo>$n! z4-)lZNui#JA!e@L0f9bQp2emvu94<0zM1LHj!DTzCV>&j#`+b8`fh37j>%lkIf416 zWntyM7CEji9?r%|VHGBBW@TZP>{F`pynqbECPq1)bo6kO% zu63W8cIubZlpk18_jJ+Tc~5?|g;p;yj zV$eD(V)x8;0@u?mzqUu`u^04A{ca@2H|<%?TFxrjTbfr*3MY351rW