From d87939af0fcdb2b738e686da2c1fa6a6a7d6b32e Mon Sep 17 00:00:00 2001
From: m3tam3re
Date: Fri, 21 Apr 2023 05:18:13 +0200
Subject: [PATCH] tailscale service fix

---
 flake.nix | 20 ++++----
 home/features/desktop/default.nix | 11 ++++-
 home/users/produktion/lkk-prod-1.nix | 1 -
 hosts/common/base/default.nix | 15 ++----
 hosts/common/users/produktion/default.nix | 1 +
 hosts/lkk-prod-1/default.nix | 56 ++++++++++++++++++----
 hosts/lkk-prod-2/default.nix | 40 ++++++++++++++++
 hosts/m3-nix/default.nix | 2 +-
 hosts/m3-nix/services/#tailscale.nix# | 30 ------------
 hosts/m3-nix/services/tailscale.nix | 9 ++--
 pkgs/wofi-pass/default.nix | 2 +-
 secrets.nix | 26 +++++-----
 secrets/tailscale-key.age | Bin 738 -> 843 bytes
 13 files changed, 134 insertions(+), 79 deletions(-)
 delete mode 100644 hosts/m3-nix/services/#tailscale.nix#

diff --git a/flake.nix b/flake.nix
index ec089c1..765caf9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,8 +14,8 @@
     hyprland.url = "github:hyprwm/Hyprland";
   };
 
-  outputs = { self, nixpkgs, home-manager, hyprland
-    , agenix, deploy-rs, ... }@inputs:
+  outputs =
+    { self, nixpkgs, home-manager, agenix, deploy-rs, ... }@inputs:
     let
       inherit (self) outputs;
       lib = nixpkgs.lib;
@@ -23,7 +23,7 @@
       forEachSystem = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
       forEachPkgs = f: forEachSystem (sys: f nixpkgs.legacyPackages.${sys});
     in {
-      packages = forEachPkgs (pkgs: import ./pkgs { inherit pkgs; });
+      packages = forEachPkgs (pkgs: (import ./pkgs { inherit pkgs; }));
       nixosConfigurations = {
         lkk-nix-1 = lib.nixosSystem {
           specialArgs = { inherit inputs; };
@@ -47,12 +47,14 @@
       };
       homeConfigurations = {
         # Laptop
-        "m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration {
-          pkgs = nixpkgs.legacyPackages."x86_64-linux";
-          extraSpecialArgs = { inherit inputs; };
-          modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
-        };
-        "m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration {
+        "m3tam3re@m3-nix" = pkgs:
+          home-manager.lib.homeManagerConfiguration {
+            inherit pkgs;
+            extraSpecialArgs = { inherit inputs outputs; };
+            modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
+          };
+        "m3tam3re@lkk-nix-1" = pkgs: home-manager.lib.homeManagerConfiguration {
+          inherit pkgs;
           extraSpecialArgs = { # pass things to t
           };
           modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
diff --git a/home/features/desktop/default.nix b/home/features/desktop/default.nix
index d995fa9..520ba1f 100644
--- a/home/features/desktop/default.nix
+++ b/home/features/desktop/default.nix
@@ -10,7 +10,7 @@
     ./syncthing.nix
     ./waybar.nix
     ./wofi.nix
-# ./wofi-pass.nix
+    # ./wofi-pass.nix
   ];
 
   xdg.mimeApps = {
@@ -34,6 +34,15 @@
 
   services.mako = {
     enable = true;
+    backgroundColor = "#282a36";
+    textColor = "#80FFEA";
+    borderColor = "#9742b5";
+    width = 400;
+    height = 150;
+    padding = "10,20";
+    borderRadius = 8;
+    borderSize = 1;
+    margin = "20,20";
   };
 
   home.packages = with pkgs; [
diff --git a/home/users/produktion/lkk-prod-1.nix b/home/users/produktion/lkk-prod-1.nix
index 8f7d848..0555d8f 100644
--- a/home/users/produktion/lkk-prod-1.nix
+++ b/home/users/produktion/lkk-prod-1.nix
@@ -5,7 +5,6 @@
     ../../features/desktop/plasma.nix
     ../../features/services
   ];
-
   features = {
     cli = {
       fish.enable = true;
diff --git a/hosts/common/base/default.nix b/hosts/common/base/default.nix
index 0c5cbaa..217b185 100644
--- a/hosts/common/base/default.nix
+++ b/hosts/common/base/default.nix
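Review bot: The `homeConfigurations` entries in the flake.nix hunk are now functions (`"m3tam3re@m3-nix" = pkgs: home-manager.lib.homeManagerConfiguration { ... }`) rather than configuration attrsets, which is not the shape the `home-manager` CLI reads from `homeConfigurations.<name>` when invoked with `--flake`; unless something else in the flake applies these to a `pkgs` (the rest of `flake.nix` is outside the hunk), `home-manager switch --flake .#m3tam3re@m3-nix` will no longer evaluate. If the goal is to reuse one `nixpkgs` instance per host, the usual pattern keeps the attrset and passes `pkgs = nixosConfigurations.<host>.pkgs;`, so the entry stays directly consumable. A one-line comment above the block stating how these functions are meant to be invoked would make the intent checkable.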
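Review bot: In the hosts/common/users/produktion hunk, `extraGroups` adds `tailscale`, which as far as I know is not a group the NixOS tailscale module creates (tailscaled runs as root and access is governed by the daemon socket), so the entry is presumably inert and should be verified against the intended purpose. Adding `networkmanager` is a real privilege grant: it lets the unprivileged `produktion` account change system network connections through NetworkManager's polkit rule, which on a production host deserves a why-comment next to the line, e.g. `# networkmanager: operator must be able to switch networks without root`.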
@@ -1,16 +1,11 @@
-{ lib, pkgs, inputs, outputs, ... }:
-{
-  imports = [
-    inputs.home-manager.nixosModules.home-manager
-  ];
-  home-manager = {
+{ lib, pkgs, inputs, outputs, ... }: {
+  imports = [ inputs.home-manager.nixosModules.home-manager ];
+  home-manager = {
     useUserPackages = true;
     extraSpecialArgs = { inherit inputs outputs; };
   };
 
   users.defaultUserShell = pkgs.fish;
-  environment.systemPackages = [
-    inputs.agenix.packages.x86_64-linux.default
-    pkgs.busybox
-  ];
+  environment.systemPackages =
+    [ inputs.agenix.packages.x86_64-linux.default pkgs.busybox ];
 }
diff --git a/hosts/common/users/produktion/default.nix b/hosts/common/users/produktion/default.nix
index 9fda6cf..b84c593 100644
--- a/hosts/common/users/produktion/default.nix
+++ b/hosts/common/users/produktion/default.nix
@@ -3,6 +3,7 @@
     isNormalUser = true;
     description = "Produktion";
+    extraGroups = [ "tailscale" "networkmanager" "audio" "video" ];
     openssh.authorizedKeys.keys = [
       "ssh-rsa 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 m3tam3re@m3-nix"
     ];
 
diff --git a/hosts/lkk-prod-1/default.nix b/hosts/lkk-prod-1/default.nix
index af2cb24..e763e6e 100644
--- a/hosts/lkk-prod-1/default.nix
+++ b/hosts/lkk-prod-1/default.nix
@@ -7,7 +7,7 @@
     ../common/base
   ];
 
-  # Bootloader.
+  # Bootloader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot/efi";
@@ -18,19 +18,59 @@
     networkmanager.enable = true;
     firewall.enable = true;
   };
+  programs.fish.enable = true;
+  age = {
+    secrets = {
+      tailscale-key.file = ../../secrets/tailscale-key.age;
+    };
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+  };
   services.openssh = {
     enable = true;
     permitRootLogin = "yes";
   };
-  services.avahi = {
-    enable = true;
-    nssmdns = true;
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+  };
+
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
     };
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
+    '';
+  };
 
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
@@ -93,11 +133,7 @@
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  environment.systemPackages = with pkgs;
-    [
-      neovim
-    ];
-
+  environment.systemPackages = with pkgs; [ neovim ];
   nix = {
     gc = {
       automatic = true;
diff --git a/hosts/lkk-prod-2/default.nix b/hosts/lkk-prod-2/default.nix
index c092af5..16c0f0a 100644
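Review bot: `status` is expanded unquoted in `if [ $status = "Running" ]; then`, so when tailscaled has not answered yet and `jq` yields an empty string the test degenerates to `[ = Running ]` and the oneshot fails with a shell error instead of falling through to `tailscale up`; quote it as `if [ "$status" = "Running" ]; then` and likewise pass `--authkey "$TAILSCALE_KEY"`. The unit reads `$TAILSCALE_KEY` from the agenix secret through `EnvironmentFile`, which only works if the decrypted file is in `KEY=value` form (`TAILSCALE_KEY=...`); the re-encrypted `secrets/tailscale-key.age` in this commit presumably reflects that, but it cannot be checked from the diff, and a comment such as `# secret must contain TAILSCALE_KEY=<key> (systemd EnvironmentFile syntax)` would record the contract. The hunk also references `config`, while the module's argument set at the top of `hosts/lkk-prod-1/default.nix` is outside the hunk — unlike `hosts/m3-nix/services/tailscale.nix`, where this commit explicitly adds `config` — so verify it is in scope here. Passing the key as a command-line argument leaves it briefly visible in the process list to any local account such as `produktion`; if the installed tailscale supports the `file:` form of `--auth-key`, pointing it at the decrypted secret keeps the key off the command line. The same script is duplicated verbatim into `hosts/lkk-prod-2/default.nix` and `hosts/m3-nix/services/tailscale.nix` in this commit, so the quoting fix applies to all three and a shared module would keep the copies from drifting.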
--- a/hosts/lkk-prod-2/default.nix
+++ b/hosts/lkk-prod-2/default.nix
@@ -18,6 +18,13 @@
     networkmanager.enable = true;
     firewall.enable = true;
   };
+  programs.fish.enable = true;
+  age = {
+    secrets = {
+      tailscale-key.file = ../../secrets/tailscale-key.age;
+    };
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+  };
   services.openssh = {
     enable = true;
     permitRootLogin = "yes";
@@ -25,7 +32,40 @@
   services.avahi = {
     enable = true;
     nssmdns = true;
+  };
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
     };
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
+    '';
+  };
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";
   # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
diff --git a/hosts/m3-nix/default.nix b/hosts/m3-nix/default.nix
index a0d8504..523c247 100644
--- a/hosts/m3-nix/default.nix
+++ b/hosts/m3-nix/default.nix
@@ -110,7 +110,7 @@ in {
     secrets = {
       tailscale-key.file = ../../secrets/tailscale-key.age;
     };
-    identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
+    identityPaths = [ "/root/.ssh/lkk-nix-1" ];
   };
 
   time.timeZone = "Europe/Berlin";
diff --git a/hosts/m3-nix/services/#tailscale.nix# b/hosts/m3-nix/services/#tailscale.nix#
deleted file mode 100644
index 7313f0e..0000000
--- a/hosts/m3-nix/services/#tailscale.nix#
+++ /dev/null
@@ -1,30 +0,0 @@
-{ pkgs, ... }: {
-  services.tailscale = { enable = true; };
-
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = with pkgs; ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
-    '';
-  };
-}
diff --git a/hosts/m3-nix/services/tailscale.nix b/hosts/m3-nix/services/tailscale.nix
index 0f6f293..1d0ec2a 100644
--- a/hosts/m3-nix/services/tailscale.nix
+++ b/hosts/m3-nix/services/tailscale.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{ config, pkgs, ... }: {
   services.tailscale = {
     enable = true;
     useRoutingFeatures = "client";
@@ -13,7 +13,10 @@
     wantedBy = [ "multi-user.target" ];
 
     # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+    };
 
     # have the job run this shell script
     script = with pkgs; ''
@@ -27,7 +30,7 @@
       fi
 
       # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
+      ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
     '';
   };
 }
diff --git a/pkgs/wofi-pass/default.nix b/pkgs/wofi-pass/default.nix
index ce212ec..21ebe51 100644
--- a/pkgs/wofi-pass/default.nix
+++ b/pkgs/wofi-pass/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, bash, makeWrapper }:
+{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:
 
 with lib;
 
diff --git a/secrets.nix b/secrets.nix
index 2ab7d69..65e1f94 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,24 +1,24 @@
 let
-  root = "ssh-rsa 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";
+  system = "ssh-rsa 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";
 in {
-  "mj-smtp-user.age".publicKeys = [ root ];
-  "mj-smtp-pass.age".publicKeys = [ root ];
+  "mj-smtp-user.age".publicKeys = [ system ];
+  "mj-smtp-pass.age".publicKeys = [ system ];
 
-  "n8n-env.age".publicKeys = [ root ];
+  "n8n-env.age".publicKeys = [ system ];
 
-  "godaddy-api-key.age".publicKeys = [ root ];
-  "godaddy-api-secret.age".publicKeys = [ root ];
+  "godaddy-api-key.age".publicKeys = [ system ];
+  "godaddy-api-secret.age".publicKeys = [ system ];
 
-  "searx-environmentFile.age".publicKeys = [ root ];
+  "searx-environmentFile.age".publicKeys = [ system ];
 
-  "tailscale-key.age".publicKeys = [ root ];
+  "tailscale-key.age".publicKeys = [ system ];
 
-  "briefkasten-env.age".publicKeys = [ root ];
+  "briefkasten-env.age".publicKeys = [ system ];
 
-  "littlelink-lanakk-env.age".publicKeys = [ root ];
-  "littlelink-m3tam3re-env.age".publicKeys = [ root ];
+  "littlelink-lanakk-env.age".publicKeys = [ system ];
+  "littlelink-m3tam3re-env.age".publicKeys = [ system ];
 
-  "traefik-env.age".publicKeys = [ root ];
+  "traefik-env.age".publicKeys = [ system ];
 
-  "minio-root-cred.age".publicKeys = [ root ];
+  "minio-system-cred.age".publicKeys = [ system ];
 }
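Review bot: `--exit-node 100.88.96.77` in the hosts/m3-nix/services/tailscale.nix hunk replaces the peer name `lkk-nix-1` with a hard-coded tailnet address; if that node is ever removed and re-registered it gets a different 100.x address and this unit will point at a stale or non-existent exit node without any evaluation-time error, so the name form was the more robust one, and if there is a reason the name cannot be used at first `up` it should be recorded next to the line, e.g. `# exit node given by tailnet IP; see <reason>`. `$TAILSCALE_KEY` is expanded unquoted here as well and should be `--authkey "$TAILSCALE_KEY"`. The enclosing `script` string and module start outside this hunk.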
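Review bot: The last changed line of the secrets.nix hunk renames the secret entry from `"minio-root-cred.age"` to `"minio-system-cred.age"`, which looks like a side effect of the `root` → `system` search-and-replace rather than an intended change: no rename of a `.age` file appears in the diffstat, so agenix will now expect a file that does not exist while the existing `minio-root-cred.age` is no longer listed and will not be rekeyed; keep it as `"minio-root-cred.age".publicKeys = [ system ];`. Separately, every secret in this file is encrypted to the single `system` public key, and this commit points `identityPaths` on `lkk-prod-1`, `lkk-prod-2` and `m3-nix` at the same `/root/.ssh/lkk-nix-1` private key, so one private key copied to three hosts decrypts every secret and compromise of any one host exposes all of them. agenix accepts a list in `publicKeys`, so per-host keys with each secret listed only for the hosts that actually need it would limit the blast radius, and a comment above `system` stating which hosts hold the matching private key would make the current trust boundary explicit.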
diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age index 4027041b2eda9b4bad17223b9b8e87bae2bfb11d..f1ab6091defd28f8ec8f98c13b3f0f6550ee5652 100644 GIT binary patch literal 843 zcmWmCyX)h0003}25F~>NIymVM&%+_sG)>ziA_r;nXwrV0NArgBOwzp5q`$n=K^+_p z{UNB6i-Ha}$&II*o1=(0IJqb~D2L#Q!#zCzfzR}DLVx7vUO61=xX52E$`EN$Xms_g zs-jU@IcKz-F?a{LQ^az8_Wb06XdR6eRG+QuXza{IQUp9_+Jdq2^=W09RFMzv;LQeu zJ&k9eJWS+*WT0MTR(M62M^!ouqEu)ByFW3)PDW%_6GJBtDiO6}RaA8`z$sGi5~HHocNcbu!OR#JN%m=XZE+HP707etJ< z9Ryb>sE$)*8t9W0#PocKimkst(S@QIbptksRa+NAw$7Zw#Y5mHg$xV_c)We0b& zbps%mruDwv3i$l!b37jP@W#s4@+u&vWK1QMgZSg+*LO(nk=((QI*5hR`lrZFV^V4#XUwZ|b$(j7-^)cZDC%3 zSL75m)e=8%NoYyq5f{oL64t9Dne$V`4V#72+a~MRE`Q11c87r6@|$q)D45O`2T4PLVWkk~VFVG;h)-6%=t& zT*S>qL|lafe}RIEgNiOLa)XWsB8Z@q`U9TraRRUEMQ&Oq*))!};xxck1X8_JfpAhy zp;HmfxwO4Tl9jBBMl6uShHRy#icZp)1)a>IQCwMRtP`!Luw(L`R4aP9 zz@V&+U^4=Z_+*7H^D@-ZB5O;uZ0;;VTk$0@55*dn^lM{4xO75JJOMWwR=z0Pb%l`o zWKbd&ELN0nx$Syg(LldD$dj4R_&iXQE^Et7Wb{x949tu)2|8wR0kW_8oM!RBt#9_ zP=g*dHM7as%{uw2Me3y%Hv6?Y6Z_DsrvomA?WqUpQRow1xpL&fb(Zu@izYtT6GzB4 zwN1rc$sFrmfd)Nc+0tk%F(J_=Bdo{(C^U84QW7T^-%W%u-e(e9ia39k`U}1`g!}u@|~tFYp}aiZM_*F|7&!w zveh8<9OzZH>zq=#ai-#6I+<2-^7Q34wnXHOhE%K7iYcdl?9zE!sFX9XQQa@mOe~V& zoCSF{Hk2mQqDmu`GaNa1cKyhq;x6;>i}B}L_#r&??O^|~{3*D-`{ww^;zIY<9(!@` z`Dfyu_3Om$yBE#J?_a(;bF=aA(b0E%;nvfy=dYYQ_VcdwWdC5V`daz^`{e!n&e^RW H58nO-s4f8G