tailscale

flake.nix

@@ -67,7 +67,7 @@
   } @ inputs: let
     inherit (utils.lib) mkApp;
     mods = import ./modules {inherit utils;};
-    hosts = import ./hosts {inherit utils;};
+    hosts = import ./hosts {inherit inputs utils;};
     overlay = import ./overlays {inherit inputs;};
   in
     with mods.nixosModules;

hosts/artemis/configuration.nix

@@ -1,11 +1,17 @@
 {
+  config,
   pkgs,
   inputs,
   ...
 }: let
   inherit (inputs.self.nixosModules) keys;
 in {
-  services.remote-deploy = {
+  c.services.mesh = {
+    enable = true;
+    exitNode = false;
+    keyFile = config.age.secrets.mesh-conf-cleslie.path;
+  };
+  c.services.remote-deploy = {
     enable = false;
     keys = keys.c;
   };

hosts/artemis/default.nix

@@ -1,4 +1,4 @@
-{
+{inputs}: {
   modules = [
     ./hardware-configuration.nix
     ./configuration.nix

hosts/default.nix

@@ -1,6 +1,13 @@
-{utils}: let
+{
-  hosts = utils.lib.exportModules [
+  inputs,
-    ./artemis
+  utils,
-    ./hermes
+}: let
-  ];
+  # TODO: function to do this
-in {inherit hosts;}
+  artemis = import ./artemis {inherit inputs;};
+  hermes = import ./hermes {inherit inputs;};
+in {
+  hosts = {
+    inherit artemis;
+    inherit hermes;
+  };
+}

hosts/hermes/configuration.nix

@@ -7,7 +7,13 @@
 }: let
   inherit (inputs.self.nixosModules) keys;
 in {
-  services.remote-deploy = {
+  c.services.mesh = {
+    enable = true;
+    exitNode = true;
+    keyFile = config.age.secrets.mesh-conf-infra.path;
+  };
+
+  c.services.remote-deploy = {
     enable = true;
     host = "media.cleslie.uk";
     port = 62480;

hosts/hermes/default.nix

@@ -1,4 +1,4 @@
-{
+{inputs}: {
   modules = [
     ./hardware-configuration.nix
     ./configuration.nix
@@ -7,6 +7,7 @@
     ./networking.nix
     ./ssh.nix
     ./media.nix
+    ./headscale.nix
   ];
   extraArgs = {};
   specialArgs = {};

hosts/hermes/headscale.nix

@@ -0,0 +1,20 @@
+{config, ...}: let
+  domain = "mesh.cleslie.uk";
+in {
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8080;
+      settings = {
+        server_url = "https://${domain}";
+        dns_config = {base_domain = "cleslie.uk";};
+
+        ip_prefixes = "100.64.0.0/10";
+      };
+    };
+    caddy.virtualHosts.${domain}.extraConfig = ''
+      reverse_proxy localhost:${toString config.services.headscale.port}
+    '';
+  };
+}

modules/default.nix

@@ -6,12 +6,14 @@
     ./deploy.nix
     ./keys.nix
     ./secret.nix
+    ./tailscale.nix
   ];
   sharedModules = with nixosModules; [
     nix
     hm
     boot
     deploy
+    tailscale
     secret
   ];
 in {inherit nixosModules sharedModules;}

modules/deploy.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.services.remote-deploy;
+  cfg = config.c.services.remote-deploy;
 in {
-  options.services.remote-deploy = {
+  options.c.services.remote-deploy = {
     enable = mkEnableOption "Enable remote deployment with nixinate.";
     host = mkOption {
       type = types.str;

modules/tailscale.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  options,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.c.services.mesh;
+in {
+  options.c.services.mesh = {
+    enable = mkEnableOption "Enable tailscale daemon.";
+    exitNode = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable advertising as an exit node.";
+    };
+    keyFile = mkOption {
+      type = types.path;
+      description = "Path to key file.";
+    };
+  };
+  config = mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      #authKeyFile = config.age.secrets.mesh-conf.path;
+      authKeyFile = cfg.keyFile;
+      extraUpFlags = ["--login-server" "https://mesh.cleslie.uk"];
+      extraSetFlags = [(mkIf cfg.exitNode "--advertise-exit-node")];
+    };
+    networking.firewall = {
+      #checkReversePath = "loose";
+      trustedInterfaces = [config.services.tailscale.interfaceName];
+    };
+  };
+}

secrets/mesh-conf-cleslie.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 /RyXeg RCXNBh7g6+X5buZJdDCd52elfUAnzgOUfINsdGCAcUg
+0MOZk6dC51NyFWBu/4+6XY9bMgQ9JoCv6ekH9eaghI0
+-> ssh-ed25519 ejjLpg ILRsr6hHJZrX4ssD1hj8FEH8VhqIouHpdLX0phc8qiM
+0G6VMYbLtq+HcYurP8AIT5qCrLbQJQEpyyqNmRrjJ7I
+-> ssh-ed25519 aSaoJQ OVpC763FiqHOaD+uThjZcXgi215AE07aXitPi6Ar3wE
+UGQ4Nnnxi2Z57XPJ+9DCUV+/U7aC+Wuprv4JcEHkFqE
+--- ulRUBJuSDAodVNUVviwGJAYe7l/FOzVNNiQaVzGUWnI
+òÊÈë&‡¬(fsR…v•Kp¬**/-~jž&I-Ô³²/ÄpdEÑÂ$u*öànëÓPnïëïA0Ž–_ìE–ëû‰ÒÏôÿ6·´

secrets/secrets-configuration.nix

@@ -1,5 +1,7 @@
 {
-  age.secrets."wg-conf" = {
+  age.secrets = {
-    file = ./wg-conf.age;
+    "wg-conf".file = ./wg-conf.age;
+    "mesh-conf-cleslie".file = ./mesh-conf-cleslie.age;
+    "mesh-conf-infra".file = ./mesh-conf-infra.age;
   };
 }

secrets/secrets.nix

@@ -7,4 +7,6 @@ let
   allSystems = builtins.attrValues systems;
 in {
   "wg-conf.age".publicKeys = keys.c ++ allSystems;
+  "mesh-conf-infra.age".publicKeys = keys.c ++ allSystems;
+  "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems;
 }