add tailscale

2023-02-01 21:01:01 +01:00 · 2023-02-01 21:01:01 +01:00 · e38313a530
commit e38313a530
parent d5bdc47109
8 changed files with 52 additions and 2 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -16,6 +16,7 @@
    ./specialization.nix
    ./services/promtail.nix
    ./env.nix
+    ./tailscale.nix
  ];
  services.openssh.enable = true;
  environment.systemPackages = with pkgs; [
--- a/config/instance-20221213-1915.nix
+++ b/config/instance-20221213-1915.nix
@ -74,6 +74,8 @@

  systemd.tmpfiles.rules = [
    "L /var/lib/acme - - - - /persist/var/lib/acme"
+    "L /var/lib/tailscale - - - - /persist/var/lib/tailscale"
+    "D /build - - - - -"
  ];

  networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64"];
@ -100,4 +102,5 @@
  services.bind.forwarders = lib.mkForce [];
  boot.loader.systemd-boot.configurationLimit = lib.mkForce 1;
  system.autoUpgrade.allowReboot = true;
+  services.tailscale.useRoutingFeatures = "server";
 }
--- a/config/nas.nix
+++ b/config/nas.nix
@ -302,4 +302,5 @@
    max_parallel_workers = 12;
    max_parallel_maintenance_workers = 4;
  };
+  services.tailscale.useRoutingFeatures = "both";
 }
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
@ -206,4 +206,5 @@

  services.resolved.enable = false;
  services.bind.forwarders = lib.mkForce [];
+  services.tailscale.useRoutingFeatures = "server";
 }
--- a/config/nutty-noon.nix
+++ b/config/nutty-noon.nix
@ -191,4 +191,5 @@
    "https://hydra.int.chir.rs/"
    "https://cache.nixos.org/"
  ];
+  services.tailscale.useRoutingFeatures = "client";
 }
--- a/config/tailscale.nix
+++ b/config/tailscale.nix
@ -0,0 +1,41 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."tailscale" = {
+    sopsFile = ../secrets/shared.yaml;
+    key = "tailscale";
+  };
+  environment.systemPackages = [pkgs.tailscale];
+  services.tailscale.enable = true;
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets."tailscale".path})
+    '';
+  };
+
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = ["tailscale0"];
+}
--- a/config/thinkrac.nix
+++ b/config/thinkrac.nix
@ -177,4 +177,5 @@
  services.joycond.enable = true;
  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
+  services.tailscale.useRoutingFeatures = "client";
 }
--- a/secrets/shared.yaml
+++ b/secrets/shared.yaml
@ -4,6 +4,7 @@ ssh:
    builder_id_ed25519: ENC[AES256_GCM,data:SjNV5HtKVjQd+cwCPGGgT9bSFKhdwJxqGclCBfWAm4UzTco/ho3TZV9OX/BxI/W0ztzSlctFUecOi98qAdtWX737dlyVmQpkGcvbDIQWt6JqpWRGsLsJ1lhlmSOIS1jkASyGksCLaSou3FZ1+dQ2+BWyh9XjWpC7nCGvEHsGOn8cCSj3tlV8cloBZKzxpwEXkEUmpZpuJb0PZp8LL0okxLF553NxClS1zty0cmucRcR71ObevwiWvJmJNI9Un1D4FhSDYFHffoOtmyHixZnNRMI8gW7Cx1suHIsslrsI4YgmD+QxJrIkx96ajkPzIBPsMu5mO+h8y2epEJpRenbTMhgdQvnspsJ1PrWOzsHWMTI9EsjmiZZEsk6lRiVgnOQwf0Bc+Sf4uro6TcbgsIWJdwOthXWi7s72JHfGHqcP03eQyA8wZf21w4oTGh4L5aDtwb29fOLdSv1xf20PP5Qiy4iUdvCV7tdsLcEA0i3aUeJCkklk9cUoWELT+Vu6CqMxnLbSeKHnP452EkK52EZnpn1MNVtFczPWW+oj,iv:7KO7yFoHCttTpw6gDcZRA43qW6F1a8xqpa5VRYUerz4=,tag:OlCbnoS0vQO1Wyn6iWlYDw==,type:str]
 attic:
    config.toml: ENC[AES256_GCM,data:CudpPIXCotu4rOzHlIxPA3kq8yjT/Kng4TyjKExlmoVJ+jxI6C7vnlSJRP4aYq7DsewMspfIcbgjALe8qvIrsNDSGb+Zvb12I/pwle+7AWCoWZbhoQEFfCv6wKioGkbtzctx2seTuUISoJ2ig4llBCdqMtt/JwyiBKtjVt80j0kg6MrDpG3e5o72+7rv0jChSIwcvnfiwjTVjVl2nyycIiJGep2T2dTlsDemYLTy1D9vfhVnRbomlAk/sZHUZHefDfnSgk99/0fp+SW3BKyiIUMGRCRJKYOdU2bV3w+kYkDV6h3ZNkyiTQK+HPX1duCxdzrct2svAmVy8r4MUtxMBCds5Iuq0fwSJ02AbQBg0mybSh9wYTbneGBES2ge8WVD5ARam1hVWM1+WdG7/un7gQU6XwYRoNb6LEV2TYOlzv0xd8ovj7B5cXDFVQ==,iv:6eO7TzrYsf9aaEYIK+WRPaV/47Vuj9jdvisL9q2x0aI=,tag:WT9DFJ1DZAmfWX5XAfyfmg==,type:str]
+tailscale: ENC[AES256_GCM,data:XxNTdbHd6lShS6PWuCUCNQe0pjx2vbp24//7mwaxx+jvdnggDZv9nzAH7zdYyVH9VxQBoR03b2LD,iv:FtGlso1CHchVCJQxWfuUVfbCIrYyzcq+tleXxh5YgwU=,tag:kmeQ3ewXypIzWSJb6zdo2Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -55,8 +56,8 @@ sops:
            ZFNubXhZdG1KVDB1d0FWOVVDS1ovOHcKO5m7BFeZzt+nBfaZJoH8Pkw6aeDExQrQ
            Gfp6KQ0oJOuquhZtMW0GpLuKnuQjjGEBaIbcZcR4OosKKlLYfOKabA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-20T14:57:32Z"
-    mac: ENC[AES256_GCM,data:iNAjaOvlAIUgEy2v0HXxC1eHQIj1us7lIqqf2V+H4L8lmYotlDCPb7Si9PK9PxPjWuWKoHz/sRvXnvvTmDkGEdt7aaY1HQSqMvBn/5ovd3wHW6UNsmOxpeDgVfZ3Df8gwSY0+5AzUNPERJTsIlt1R/EUg57eFehKXVHVZ4ebs4I=,iv:c64NfOiu9eO9B3PXj+hwb6MqnbwhDqfGtIl43mv7Nuc=,tag:mRYb/4WfJHu/z5Nu8zOf6w==,type:str]
+    lastmodified: "2023-02-01T19:55:19Z"
+    mac: ENC[AES256_GCM,data:qPXx3ASsjsmA0rrRvxM3rjLTcaC5Tun2H5/2rZROuJy0GM2yrfKHUA/297x2NnzWmVeATLT9K0+DpM9Kp4MRvV4g65g0JnlH5HMaZRtal8HA2tO5vphBxRldBofZjN1qClSxilpB5G0SzPqcNqYlb2vh+7fyAMTkUYSDyowt9+s=,iv:mFgY0YHFU6WQRjdXNrjrqot2AkVG3YjJZPAKioaWYXk=,tag:XGa2ZZywk1Vf3Et02fewBA==,type:str]
    pgp:
        - created_at: "2022-12-14T15:34:33Z"
          enc: |