tailscale service fix

2023-04-21 05:18:13 +02:00 · 2023-04-21 05:18:13 +02:00 · d87939af0f
parent 39a27a95e8
commit d87939af0f
13 changed files with 134 additions and 79 deletions
--- a/flake.nix
+++ b/flake.nix
@ -14,8 +14,8 @@
    hyprland.url = "github:hyprwm/Hyprland";
  };

-  outputs = { self, nixpkgs, home-manager, hyprland
-    , agenix, deploy-rs, ... }@inputs:
+  outputs =
+    { self, nixpkgs, home-manager, agenix, deploy-rs, ... }@inputs:
    let
      inherit (self) outputs;
      lib = nixpkgs.lib;
@ -23,7 +23,7 @@
      forEachSystem = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
      forEachPkgs = f: forEachSystem (sys: f nixpkgs.legacyPackages.${sys});
    in {
-      packages = forEachPkgs (pkgs: import ./pkgs { inherit pkgs; });
+      packages = forEachPkgs (pkgs: (import ./pkgs { inherit pkgs; }));
      nixosConfigurations = {
        lkk-nix-1 = lib.nixosSystem {
          specialArgs = { inherit inputs; };
@ -47,12 +47,14 @@
      };
      homeConfigurations = {
        # Laptop
-        "m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration {
-          pkgs = nixpkgs.legacyPackages."x86_64-linux";
-          extraSpecialArgs = { inherit inputs; };
-          modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
-        };
-        "m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration {
+        "m3tam3re@m3-nix" = pkgs:
+          home-manager.lib.homeManagerConfiguration {
+            inherit pkgs;
+            extraSpecialArgs = { inherit inputs outputs; };
+            modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
+          };
+        "m3tam3re@lkk-nix-1" = pkgs: home-manager.lib.homeManagerConfiguration {
+          inherit pkgs;
          extraSpecialArgs = { # pass things to t
          };
          modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
--- a/home/features/desktop/default.nix
+++ b/home/features/desktop/default.nix
@ -10,7 +10,7 @@
    ./syncthing.nix
    ./waybar.nix
    ./wofi.nix
-#    ./wofi-pass.nix
+    #    ./wofi-pass.nix
  ];

  xdg.mimeApps = {
@ -34,6 +34,15 @@

  services.mako = {
    enable = true;
+    backgroundColor = "#282a36";
+    textColor = "#80FFEA";
+    borderColor = "#9742b5";
+    width = 400;
+    height = 150;
+    padding = "10,20";
+    borderRadius = 8;
+    borderSize = 1;
+    margin = "20,20";
  };

  home.packages = with pkgs; [
--- a/home/users/produktion/lkk-prod-1.nix
+++ b/home/users/produktion/lkk-prod-1.nix
@ -5,7 +5,6 @@
    ../../features/desktop/plasma.nix
    ../../features/services
  ];
-
  features = {
    cli = {
      fish.enable = true;
--- a/hosts/common/base/default.nix
+++ b/hosts/common/base/default.nix
@ -1,16 +1,11 @@
-{ lib, pkgs, inputs, outputs, ... }:
-{
-  imports = [
-    inputs.home-manager.nixosModules.home-manager
-  ];
-    home-manager = {
+{ lib, pkgs, inputs, outputs, ... }: {
+  imports = [ inputs.home-manager.nixosModules.home-manager ];
+  home-manager = {
    useUserPackages = true;
    extraSpecialArgs = { inherit inputs outputs; };
  };
  users.defaultUserShell = pkgs.fish;

-  environment.systemPackages = [
-    inputs.agenix.packages.x86_64-linux.default
-    pkgs.busybox
-  ];
+  environment.systemPackages =
+    [ inputs.agenix.packages.x86_64-linux.default pkgs.busybox ];
 }
--- a/hosts/common/users/produktion/default.nix
+++ b/hosts/common/users/produktion/default.nix
@ -3,6 +3,7 @@
    
    isNormalUser = true;
    description = "Produktion";
+    extraGroups = [ "tailscale" "networkmanager" "audio" "video" ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@m3-nix"
    ];
--- a/hosts/lkk-prod-1/default.nix
+++ b/hosts/lkk-prod-1/default.nix
@ -7,7 +7,7 @@
    ../common/base
  ];

- # Bootloader.
+  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
@ -18,19 +18,59 @@
    networkmanager.enable = true;
    firewall.enable = true;
  };
+  programs.fish.enable = true;
+  age = {
+    secrets = {
+      tailscale-key.file = ../../secrets/tailscale-key.age;
+    };
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+  };
  services.openssh = {
    enable = true;
    permitRootLogin = "yes";
  };
-  services.avahi = { 
-    enable = true; 
-    nssmdns = true; 
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+  };
+
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
    };
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
+    '';
+  };
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

-
  # Set your time zone.
  time.timeZone = "Europe/Berlin";

@ -93,11 +133,7 @@

  # List packages installed in system profile. To search, run:
  # $ nix search wget
-  environment.systemPackages = with pkgs;
-    [
-      neovim
-    ];
-
+  environment.systemPackages = with pkgs; [ neovim ];
  nix = {
    gc = {
      automatic = true;
--- a/hosts/lkk-prod-2/default.nix
+++ b/hosts/lkk-prod-2/default.nix
@ -18,6 +18,13 @@
    networkmanager.enable = true;
    firewall.enable = true;
  };
+  programs.fish.enable = true;
+  age = {
+    secrets = {
+      tailscale-key.file = ../../secrets/tailscale-key.age;
+    };
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+  };
  services.openssh = {
    enable = true;
    permitRootLogin = "yes";
@ -25,7 +32,40 @@
  services.avahi = { 
    enable = true; 
    nssmdns = true; 
+  };
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
    };
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
+    '';
+  };
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
--- a/hosts/m3-nix/default.nix
+++ b/hosts/m3-nix/default.nix
@ -110,7 +110,7 @@ in {
    secrets = {
      tailscale-key.file = ../../secrets/tailscale-key.age;
    };
-    identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
  };
  
  time.timeZone = "Europe/Berlin";
--- a/hosts/m3-nix/services/#tailscale.nix#
+++ b/hosts/m3-nix/services/#tailscale.nix#
@ -1,30 +0,0 @@
-{ pkgs, ... }: {
-  services.tailscale = { enable = true; };
-
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = with pkgs; ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
-    '';
-  };
-}
--- a/hosts/m3-nix/services/tailscale.nix
+++ b/hosts/m3-nix/services/tailscale.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{ config, pkgs, ... }: {
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "client";
@ -13,7 +13,10 @@
    wantedBy = [ "multi-user.target" ];

    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+    };

    # have the job run this shell script
    script = with pkgs; ''
@ -27,7 +30,7 @@
      fi

      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
+      ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
    '';
  };
 }
--- a/pkgs/wofi-pass/default.nix
+++ b/pkgs/wofi-pass/default.nix
@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, bash, makeWrapper }:
+{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:

 with lib;

--- a/secrets.nix
+++ b/secrets.nix
@ -1,24 +1,24 @@
 let
-  root = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
+  system = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
 in {
-  "mj-smtp-user.age".publicKeys = [ root ];
-  "mj-smtp-pass.age".publicKeys = [ root ];
+  "mj-smtp-user.age".publicKeys = [ system ];
+  "mj-smtp-pass.age".publicKeys = [ system ];

-  "n8n-env.age".publicKeys = [ root ];
+  "n8n-env.age".publicKeys = [ system ];

-  "godaddy-api-key.age".publicKeys = [ root ];
-  "godaddy-api-secret.age".publicKeys = [ root ];
+  "godaddy-api-key.age".publicKeys = [ system ];
+  "godaddy-api-secret.age".publicKeys = [ system ];

-  "searx-environmentFile.age".publicKeys = [ root ];
+  "searx-environmentFile.age".publicKeys = [ system ];

-  "tailscale-key.age".publicKeys = [ root ];
+  "tailscale-key.age".publicKeys = [ system ];
  
-  "briefkasten-env.age".publicKeys = [ root ];
+  "briefkasten-env.age".publicKeys = [ system ];

-  "littlelink-lanakk-env.age".publicKeys = [ root ];
-  "littlelink-m3tam3re-env.age".publicKeys = [ root ];
+  "littlelink-lanakk-env.age".publicKeys = [ system ];
+  "littlelink-m3tam3re-env.age".publicKeys = [ system ];

-  "traefik-env.age".publicKeys = [ root ];
+  "traefik-env.age".publicKeys = [ system ];

-  "minio-root-cred.age".publicKeys = [ root ];
+  "minio-system-cred.age".publicKeys = [ system ];
 }
--- a/secrets/tailscale-key.age
+++ b/secrets/tailscale-key.age