tailscale

2025-12-17 03:29:20 +00:00 · 2024-09-02 15:05:48 +01:00 · 2024-09-02 15:05:48 +01:00 · c558bad713
commit c558bad713
parent 961d41b9bf
15 changed files with 106 additions and 15 deletions
--- a/flake.nix
+++ b/flake.nix
@ -67,7 +67,7 @@
  } @ inputs: let
    inherit (utils.lib) mkApp;
    mods = import ./modules {inherit utils;};
-    hosts = import ./hosts {inherit utils;};
+    hosts = import ./hosts {inherit inputs utils;};
    overlay = import ./overlays {inherit inputs;};
  in
    with mods.nixosModules;
--- a/hosts/artemis/configuration.nix
+++ b/hosts/artemis/configuration.nix
@ -1,11 +1,17 @@
 {
+  config,
  pkgs,
  inputs,
  ...
 }: let
  inherit (inputs.self.nixosModules) keys;
 in {
-  services.remote-deploy = {
+  c.services.mesh = {
+    enable = true;
+    exitNode = false;
+    keyFile = config.age.secrets.mesh-conf-cleslie.path;
+  };
+  c.services.remote-deploy = {
    enable = false;
    keys = keys.c;
  };
--- a/hosts/artemis/default.nix
+++ b/hosts/artemis/default.nix
@ -1,4 +1,4 @@
-{
+{inputs}: {
  modules = [
    ./hardware-configuration.nix
    ./configuration.nix
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,6 +1,13 @@
-{utils}: let
-  hosts = utils.lib.exportModules [
-    ./artemis
-    ./hermes
-  ];
-in {inherit hosts;}
+{
+  inputs,
+  utils,
+}: let
+  # TODO: function to do this
+  artemis = import ./artemis {inherit inputs;};
+  hermes = import ./hermes {inherit inputs;};
+in {
+  hosts = {
+    inherit artemis;
+    inherit hermes;
+  };
+}
--- a/hosts/hermes/configuration.nix
+++ b/hosts/hermes/configuration.nix
@ -7,7 +7,13 @@
 }: let
  inherit (inputs.self.nixosModules) keys;
 in {
-  services.remote-deploy = {
+  c.services.mesh = {
+    enable = true;
+    exitNode = true;
+    keyFile = config.age.secrets.mesh-conf-infra.path;
+  };
+
+  c.services.remote-deploy = {
    enable = true;
    host = "media.cleslie.uk";
    port = 62480;
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@ -1,4 +1,4 @@
-{
+{inputs}: {
  modules = [
    ./hardware-configuration.nix
    ./configuration.nix
@ -7,6 +7,7 @@
    ./networking.nix
    ./ssh.nix
    ./media.nix
+    ./headscale.nix
  ];
  extraArgs = {};
  specialArgs = {};
--- a/hosts/hermes/headscale.nix
+++ b/hosts/hermes/headscale.nix
@ -0,0 +1,20 @@
+{config, ...}: let
+  domain = "mesh.cleslie.uk";
+in {
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8080;
+      settings = {
+        server_url = "https://${domain}";
+        dns_config = {base_domain = "cleslie.uk";};
+
+        ip_prefixes = "100.64.0.0/10";
+      };
+    };
+    caddy.virtualHosts.${domain}.extraConfig = ''
+      reverse_proxy localhost:${toString config.services.headscale.port}
+    '';
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -6,12 +6,14 @@
    ./deploy.nix
    ./keys.nix
    ./secret.nix
+    ./tailscale.nix
  ];
  sharedModules = with nixosModules; [
    nix
    hm
    boot
    deploy
+    tailscale
    secret
  ];
 in {inherit nixosModules sharedModules;}
--- a/modules/deploy.nix
+++ b/modules/deploy.nix
@ -5,9 +5,9 @@
  ...
 }:
 with lib; let
-  cfg = config.services.remote-deploy;
+  cfg = config.c.services.remote-deploy;
 in {
-  options.services.remote-deploy = {
+  options.c.services.remote-deploy = {
    enable = mkEnableOption "Enable remote deployment with nixinate.";
    host = mkOption {
      type = types.str;
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -0,0 +1,36 @@
+{
+  config,
+  options,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.c.services.mesh;
+in {
+  options.c.services.mesh = {
+    enable = mkEnableOption "Enable tailscale daemon.";
+    exitNode = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable advertising as an exit node.";
+    };
+    keyFile = mkOption {
+      type = types.path;
+      description = "Path to key file.";
+    };
+  };
+  config = mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      #authKeyFile = config.age.secrets.mesh-conf.path;
+      authKeyFile = cfg.keyFile;
+      extraUpFlags = ["--login-server" "https://mesh.cleslie.uk"];
+      extraSetFlags = [(mkIf cfg.exitNode "--advertise-exit-node")];
+    };
+    networking.firewall = {
+      #checkReversePath = "loose";
+      trustedInterfaces = [config.services.tailscale.interfaceName];
+    };
+  };
+}
--- a/secrets/mesh-conf-cleslie.age
+++ b/secrets/mesh-conf-cleslie.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 /RyXeg RCXNBh7g6+X5buZJdDCd52elfUAnzgOUfINsdGCAcUg
+0MOZk6dC51NyFWBu/4+6XY9bMgQ9JoCv6ekH9eaghI0
+-> ssh-ed25519 ejjLpg ILRsr6hHJZrX4ssD1hj8FEH8VhqIouHpdLX0phc8qiM
+0G6VMYbLtq+HcYurP8AIT5qCrLbQJQEpyyqNmRrjJ7I
+-> ssh-ed25519 aSaoJQ OVpC763FiqHOaD+uThjZcXgi215AE07aXitPi6Ar3wE
+UGQ4Nnnxi2Z57XPJ+9DCUV+/U7aC+Wuprv4JcEHkFqE
+--- ulRUBJuSDAodVNUVviwGJAYe7l/FOzVNNiQaVzGUWnI
+òÊÈë&‡¬(fsR…v•Kp¬**/-~jž&I-Ô³²/ÄpdEÑÂ$u*öànëÓPnïëïA0Ž–_ìE–ëû‰ÒÏôÿ6·´
--- a/secrets/mesh-conf-infra.age
+++ b/secrets/mesh-conf-infra.age
--- a/secrets/secrets-configuration.nix
+++ b/secrets/secrets-configuration.nix
@ -1,5 +1,7 @@
 {
-  age.secrets."wg-conf" = {
-    file = ./wg-conf.age;
+  age.secrets = {
+    "wg-conf".file = ./wg-conf.age;
+    "mesh-conf-cleslie".file = ./mesh-conf-cleslie.age;
+    "mesh-conf-infra".file = ./mesh-conf-infra.age;
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,4 +7,6 @@ let
  allSystems = builtins.attrValues systems;
 in {
  "wg-conf.age".publicKeys = keys.c ++ allSystems;
+  "mesh-conf-infra.age".publicKeys = keys.c ++ allSystems;
+  "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems;
 }
--- a/secrets/wg-conf.age
+++ b/secrets/wg-conf.age