diff --git a/hosts/lkk-nix-1/default.nix b/hosts/lkk-nix-1/default.nix
index 595ac9e..49d2f77 100644
--- a/hosts/lkk-nix-1/default.nix
+++ b/hosts/lkk-nix-1/default.nix
@@ -31,6 +31,7 @@ secrets = {
 mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
 mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
+ tailscale-key.file = ../../secrets/tailscale-key.age;
 n8n-env = {
 file = ../../secrets/n8n-env.age;
diff --git a/hosts/lkk-nix-1/services/tailscale.nix b/hosts/lkk-nix-1/services/tailscale.nix
index efd448c..73d8ceb 100644
--- a/hosts/lkk-nix-1/services/tailscale.nix
+++ b/hosts/lkk-nix-1/services/tailscale.nix
@@ -29,7 +29,7 @@
 fi
 # otherwise authenticate with tailscale
- ${tailscale}/bin/tailscale up --advertise-exit-node -authkey tskey-auth-kwmqT37CNTRL-AxiaTDedQJ6YZts2deRtH6PEBDwh9PxXK
+ ${tailscale}/bin/tailscale up --advertise-exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
 '';
 };
 }
diff --git a/hosts/m3-nix/default.nix b/hosts/m3-nix/default.nix
index d99750c..a0d8504 100644
--- a/hosts/m3-nix/default.nix
+++ b/hosts/m3-nix/default.nix
@@ -106,6 +106,13 @@ in {
 };
 programs.fish.enable = true;
+ age = {
+ secrets = {
+ tailscale-key.file = ../../secrets/tailscale-key.age;
+ };
+ identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
+ };
+
 time.timeZone = "Europe/Berlin";
 i18n.defaultLocale = "de_DE.utf8";
 console.keyMap = "de";
diff --git a/hosts/m3-nix/services/#tailscale.nix# b/hosts/m3-nix/services/#tailscale.nix#
new file mode 100644
index 0000000..7313f0e
--- /dev/null
+++ b/hosts/m3-nix/services/#tailscale.nix#
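Review bot: The new `tailscale up` line passes `lkk-nix-1` as a bare word after the boolean `--advertise-exit-node`; `tailscale up` accepts no positional arguments and Go-style flag parsing stops at the first non-flag word, so the command most likely fails outright and `-authkey` is never parsed either. If the intent was to name the node that is `--hostname lkk-nix-1`, otherwise drop the word: `${tailscale}/bin/tailscale up --advertise-exit-node -authkey "$(cat /run/agenix/tailscale-key)"`. Separately, the key removed on the `-` line (and the identical one removed in the m3-nix tailscale.nix hunk) remains recoverable from git history, so moving it into agenix is only complete once that `tskey-auth-…` key is revoked in the Tailscale admin console and `tailscale-key.age` holds a freshly issued key. The substitution should also be double-quoted, and the key value still lands in the process argument list; recent tailscale releases accept `--auth-key=file:/run/agenix/tailscale-key`, and the NixOS module's `services.tailscale.authKeyFile` option avoids the hand-written script entirely if the channel in use provides it. The enclosing `script` string starts outside the hunk.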
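Review bot: `identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ]` makes a private key inside a user's home directory the host's agenix identity; agenix decrypts during system activation as root, so if `/home` is a separate or late-mounted filesystem the secret cannot be decrypted at boot, and the key file's ownership and permissions sit outside the module's control. The file name suggests this is the same key pair used for the lkk-nix-1 host; reusing one identity across hosts widens the blast radius of a compromise, and in any case it must correspond to the `root` recipient that `tailscale-key.age` is encrypted to in secrets.nix or activation fails. Consider a host-specific key under `/etc/ssh` (agenix's default identity location) and adding its public key to the recipient list instead.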
@@ -0,0 +1,30 @@
+{ pkgs, ... }: {
+ services.tailscale = { enable = true; };
+
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ # set this service as a oneshot job
+ serviceConfig.Type = "oneshot";
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
+ '';
+ };
+}
diff --git a/hosts/m3-nix/services/tailscale.nix b/hosts/m3-nix/services/tailscale.nix
index 22f7cc9..0f6f293 100644
--- a/hosts/m3-nix/services/tailscale.nix
+++ b/hosts/m3-nix/services/tailscale.nix
@@ -1,5 +1,8 @@
 { pkgs, ... }: {
- services.tailscale = { enable = true; };
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
 systemd.services.tailscale-autoconnect = {
 description = "Automatic connection to Tailscale";
@@ -24,7 +27,7 @@
 fi
 # otherwise authenticate with tailscale
- ${tailscale}/bin/tailscale up -authkey tskey-auth-kwmqT37CNTRL-AxiaTDedQJ6YZts2deRtH6PEBDwh9PxXK
+ ${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
 '';
 };
 }
diff --git a/secrets.nix b/secrets.nix
index b43eef2..2ab7d69 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,7 +11,7 @@ in {
 "searx-environmentFile.age".publicKeys = [ root ];
- "wg-easy-environmentFile.age".publicKeys = [ root ];
+ "tailscale-key.age".publicKeys = [ root ];
 "briefkasten-env.age".publicKeys = [ root ];
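Review bot: `hosts/m3-nix/services/#tailscale.nix#` is an Emacs auto-save file (the `#name#` pattern) committed by accident; it should be dropped from the commit and the pattern added to `.gitignore`. Beyond the clutter it is misleading: it reads the key from `/run/agenix/tskey-reusable`, a secret that is not declared anywhere in this change (the declared one is `tailscale-key`), so anyone importing it would get a permanently failing autoconnect unit. If it were kept, `[ $status = "Running" ]` should quote `$status`, because an empty result from `jq` (tailscaled not yet answering despite the `sleep 2`) makes the test itself error out instead of falling through to the `up` call.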
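Review bot: `--exit-node lkk-nix-1` on the new line only takes effect when this line actually runs, and the surrounding script (identical to the copy in the `#tailscale.nix#` file above) skips `tailscale up` whenever BackendState is already Running, so on a node that is already logged in the exit-node setting is never applied, and later edits to these flags will not be picked up either; existing installs need a one-off `tailscale set --exit-node=lkk-nix-1` or an `up` re-run with `--reset`. The exit node must also be approved for lkk-nix-1 in the tailnet admin console before this can succeed, and `$(cat /run/agenix/tailscale-key)` should be double-quoted. The enclosing `script` string starts outside the hunk.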
diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age
new file mode 100644
index 0000000..4027041
Binary files /dev/null and b/secrets/tailscale-key.age differ
diff --git a/secrets/wg-easy-environmentFile.age b/secrets/wg-easy-environmentFile.age
deleted file mode 100644
index 73a3c02..0000000
Binary files a/secrets/wg-easy-environmentFile.age and /dev/null differ