tailscale service fix

m3tam3re 2023-04-21 05:18:13 +02:00
parent 39a27a95e8
commit d87939af0f
13 changed files with 134 additions and 79 deletions


@ -14,8 +14,8 @@
hyprland.url = "github:hyprwm/Hyprland";
};
outputs = { self, nixpkgs, home-manager, hyprland
, agenix, deploy-rs, ... }@inputs:
outputs =
{ self, nixpkgs, home-manager, agenix, deploy-rs, ... }@inputs:
let
inherit (self) outputs;
lib = nixpkgs.lib;
@ -23,7 +23,7 @@
forEachSystem = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
forEachPkgs = f: forEachSystem (sys: f nixpkgs.legacyPackages.${sys});
in {
packages = forEachPkgs (pkgs: import ./pkgs { inherit pkgs; });
packages = forEachPkgs (pkgs: (import ./pkgs { inherit pkgs; }));
nixosConfigurations = {
lkk-nix-1 = lib.nixosSystem {
specialArgs = { inherit inputs; };
@ -47,12 +47,14 @@
};
homeConfigurations = {
# Laptop
"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages."x86_64-linux";
extraSpecialArgs = { inherit inputs; };
modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
};
"m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration {
"m3tam3re@m3-nix" = pkgs:
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs; };
modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
};
"m3tam3re@lkk-nix-1" = pkgs: home-manager.lib.homeManagerConfiguration {
inherit pkgs;
extraSpecialArgs = { # pass things to t
};
modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
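Review bot: The `homeConfigurations` entries in the last hunk are now lambdas (`"m3tam3re@m3-nix" = pkgs: home-manager.lib.homeManagerConfiguration { ... }`), but the home-manager CLI resolves `homeConfigurations.<name>` as an already-evaluated configuration and reads its `activationPackage`, which a function does not have, so `home-manager switch --flake .#m3tam3re@m3-nix` should fail unless something outside this file applies the function first. If the intent was only to share `pkgs`, keep the attribute an evaluated config, e.g. `"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration { pkgs = nixpkgs.legacyPackages."x86_64-linux"; extraSpecialArgs = { inherit inputs outputs; }; modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ]; };`. The lkk-nix-1 entry's `extraSpecialArgs = { # pass things to t` is an empty set with a truncated comment; either drop it or pass `inherit inputs outputs;` like the first entry does. In the `packages` hunk the extra parentheses around `import ./pkgs { inherit pkgs; }` are redundant.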


@ -10,7 +10,7 @@
./syncthing.nix
./waybar.nix
./wofi.nix
# ./wofi-pass.nix
# ./wofi-pass.nix
];
xdg.mimeApps = {
@ -34,6 +34,15 @@
services.mako = {
enable = true;
backgroundColor = "#282a36";
textColor = "#80FFEA";
borderColor = "#9742b5";
width = 400;
height = 150;
padding = "10,20";
borderRadius = 8;
borderSize = 1;
margin = "20,20";
};
home.packages = with pkgs; [


@ -5,7 +5,6 @@
../../features/desktop/plasma.nix
../../features/services
];
features = {
cli = {
fish.enable = true;


@ -1,16 +1,11 @@
{ lib, pkgs, inputs, outputs, ... }:
{
imports = [
inputs.home-manager.nixosModules.home-manager
];
home-manager = {
{ lib, pkgs, inputs, outputs, ... }: {
imports = [ inputs.home-manager.nixosModules.home-manager ];
home-manager = {
useUserPackages = true;
extraSpecialArgs = { inherit inputs outputs; };
};
users.defaultUserShell = pkgs.fish;
environment.systemPackages = [
inputs.agenix.packages.x86_64-linux.default
pkgs.busybox
];
environment.systemPackages =
[ inputs.agenix.packages.x86_64-linux.default pkgs.busybox ];
}


@ -3,6 +3,7 @@
isNormalUser = true;
description = "Produktion";
extraGroups = [ "tailscale" "networkmanager" "audio" "video" ];
openssh.authorizedKeys.keys = [
"ssh-rsa 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 m3tam3re@m3-nix"
];
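Review bot: The key added to `openssh.authorizedKeys.keys` for the shared `Produktion` account carries the comment `m3tam3re@m3-nix`, which suggests it is an administrator's personal workstation key; letting a shared account be reached with a personal key removes per-person accountability and means a compromise of that workstation yields both identities. If this is intentional, a dedicated key for this account is preferable, or at minimum a comment on the line recording the owner and purpose, e.g. `# m3tam3re's laptop key; rotate when the laptop is replaced`. The `tailscale` entry in `extraGroups` is not a group the NixOS tailscale module defines as far as I can tell, so unless it is declared elsewhere it is either ignored or tripped over by the users module's group-existence check and can be dropped. The enclosing user definition starts outside the hunk.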


@ -7,7 +7,7 @@
../common/base
];
# Bootloader.
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
@ -18,19 +18,59 @@
networkmanager.enable = true;
firewall.enable = true;
};
programs.fish.enable = true;
age = {
secrets = {
tailscale-key.file = ../../secrets/tailscale-key.age;
};
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
services.avahi = {
enable = true;
nssmdns = true;
services.avahi = {
enable = true;
nssmdns = true;
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
'';
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -93,11 +133,7 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs;
[
neovim
];
environment.systemPackages = with pkgs; [ neovim ];
nix = {
gc = {
automatic = true;
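Review bot: In the new `tailscale-autoconnect` script the test `if [ $status = "Running" ]` leaves `$status` unquoted; if `tailscale status -json` fails (tailscaled not ready despite the `sleep 2`) `jq` prints nothing, the test degenerates to `[ = "Running" ]`, and under the `-e` NixOS applies to `script` the unit fails instead of falling through to `tailscale up`. Quote it: `if [ "$status" = "Running" ]; then`, and likewise `--authkey "$TAILSCALE_KEY"`. `EnvironmentFile = "${config.age.secrets.tailscale-key.path}"` needs `config` bound in this module's argument set, which is outside the hunk. It also requires the decrypted secret to be in `KEY=VALUE` form (`TAILSCALE_KEY=tskey-...`) rather than the bare key the old `cat /run/agenix/...` form read, so the re-encrypted `tailscale-key.age` must have been rewritten accordingly; a comment above the secret declaration stating that format would save the next editor a failed boot. Visible as context here, `permitRootLogin = "yes"` also permits password root login; `"prohibit-password"` keeps the key-based root access this host relies on.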


@ -18,6 +18,13 @@
networkmanager.enable = true;
firewall.enable = true;
};
programs.fish.enable = true;
age = {
secrets = {
tailscale-key.file = ../../secrets/tailscale-key.age;
};
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
services.openssh = {
enable = true;
permitRootLogin = "yes";
@ -25,7 +32,40 @@
services.avahi = {
enable = true;
nssmdns = true;
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
'';
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
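Review bot: The new `tailscale-autoconnect` unit orders itself `after = [ "network-pre.target" "tailscale.service" ]`, but systemd.special(7) defines `network-pre.target` as a passive target that units wanting to run *before* the network is configured order themselves `Before=`; being `After=` it gives no guarantee the network is up when `tailscale up` runs, which is presumably what the `sleep 2` is papering over. Use `after = [ "network-online.target" "tailscale.service" ]; wants = [ "network-online.target" "tailscale.service" ];` and either drop the sleep or leave a comment explaining which race it covers. This roughly 30-line block is now duplicated verbatim in two host files and again, with `--exit-node`, in the tailscale module this commit also edits, while the shared autoconnect module is deleted; the three copies will drift, so a single module under hosts/common with an option for the exit node would carry the `EnvironmentFile` fix to every host at once.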


@ -110,7 +110,7 @@ in {
secrets = {
tailscale-key.file = ../../secrets/tailscale-key.age;
};
identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
time.timeZone = "Europe/Berlin";
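Review bot: `identityPaths` now points agenix at `/root/.ssh/lkk-nix-1`, a key nothing in this configuration generates, so a fresh install of this host cannot decrypt any secret until that file is copied in by hand; agenix's default identities (`/etc/ssh/ssh_host_*_key`, created by the openssh module on first boot) avoid that bootstrap step and keep the decryption key host-bound. The file name suggests the same keypair also serves as an SSH identity and is presumably the private half of the `system` recipient in secrets.nix; using one keypair both for login and for secret decryption means a leak in either role exposes both. If the custom path is deliberate, say why on the line, e.g. `# agenix identity: dedicated key provisioned out-of-band (not a login key); matches `system` in secrets/secrets.nix`.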


@ -1,30 +0,0 @@
{ pkgs, ... }: {
services.tailscale = { enable = true; };
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
'';
};
}


@ -1,4 +1,4 @@
{ pkgs, ... }: {
{ config, pkgs, ... }: {
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
@ -13,7 +13,10 @@
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
@ -27,7 +30,7 @@
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
'';
};
}
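Review bot: `tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY` still places the auth key in the process's argv, where any local user can read it from `/proc/<pid>/cmdline` while the command runs; switching to `EnvironmentFile` moved the secret off the `cat` path but not out of the command line. Newer tailscale CLIs accept `--auth-key=file:/path` (check the pinned nixpkgs version); if that is unavailable, keep the key pre-authorized and short-lived so the exposure is bounded, and quote it as `--authkey "$TAILSCALE_KEY"`. The exit node is now a hard-coded tailnet address instead of the previous `lkk-nix-1` name; a node that is deleted and re-registered is not guaranteed to keep its 100.x address, so if the name was replaced because MagicDNS could not resolve it before the first connection, record that in a comment, e.g. `# exit node lkk-nix-1 by IP: MagicDNS is not available before the first \`up\``.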


@ -1,4 +1,4 @@
{ stdenv, lib, fetchFromGitHub, bash, makeWrapper }:
{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:
with lib;
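Review bot: Adding `pkgs` to the derivation's argument set, `{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }`, bypasses `callPackage`'s explicit dependency injection; whatever the body takes from `pkgs` should be declared as its own argument so `override`/`overrideAttrs` and cross builds see it. The body that uses `pkgs` is outside this hunk.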


@ -1,24 +1,24 @@
let
root = "ssh-rsa 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";
system = "ssh-rsa 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";
in {
"mj-smtp-user.age".publicKeys = [ root ];
"mj-smtp-pass.age".publicKeys = [ root ];
"mj-smtp-user.age".publicKeys = [ system ];
"mj-smtp-pass.age".publicKeys = [ system ];
"n8n-env.age".publicKeys = [ root ];
"n8n-env.age".publicKeys = [ system ];
"godaddy-api-key.age".publicKeys = [ root ];
"godaddy-api-secret.age".publicKeys = [ root ];
"godaddy-api-key.age".publicKeys = [ system ];
"godaddy-api-secret.age".publicKeys = [ system ];
"searx-environmentFile.age".publicKeys = [ root ];
"searx-environmentFile.age".publicKeys = [ system ];
"tailscale-key.age".publicKeys = [ root ];
"tailscale-key.age".publicKeys = [ system ];
"briefkasten-env.age".publicKeys = [ root ];
"briefkasten-env.age".publicKeys = [ system ];
"littlelink-lanakk-env.age".publicKeys = [ root ];
"littlelink-m3tam3re-env.age".publicKeys = [ root ];
"littlelink-lanakk-env.age".publicKeys = [ system ];
"littlelink-m3tam3re-env.age".publicKeys = [ system ];
"traefik-env.age".publicKeys = [ root ];
"traefik-env.age".publicKeys = [ system ];
"minio-root-cred.age".publicKeys = [ root ];
"minio-system-cred.age".publicKeys = [ system ];
}
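Review bot: Every secret is now encrypted to the single recipient `system`; with no second identity listed, `agenix -e` can only run on a machine holding `/root/.ssh/lkk-nix-1`, and losing that key makes all of these files unrecoverable. Add an administrator identity as a second recipient, e.g. `let system = "ssh-rsa ..."; admin = "ssh-ed25519 ..."; in { "tailscale-key.age".publicKeys = [ system admin ]; ... }`. If `system` is a different keypair from the old `root` rather than a rename of the same key, every `.age` listed here must be re-encrypted with `agenix -r`, yet only one binary file changes in this commit, so the remaining secrets would still be encrypted to the previous key and fail to decrypt on the host. `minio-root-cred.age` is also renamed to `minio-system-cred.age`, so any module that references the old filename needs the same rename; none is visible in this diff.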

Binary file not shown.