tailscale service fix

m3tam3re 2023-04-21 05:18:13 +02:00
parent 39a27a95e8
commit d87939af0f
13 changed files with 134 additions and 79 deletions


@ -14,8 +14,8 @@
hyprland.url = "github:hyprwm/Hyprland"; hyprland.url = "github:hyprwm/Hyprland";
}; };
outputs = { self, nixpkgs, home-manager, hyprland outputs =
, agenix, deploy-rs, ... }@inputs: { self, nixpkgs, home-manager, agenix, deploy-rs, ... }@inputs:
let let
inherit (self) outputs; inherit (self) outputs;
lib = nixpkgs.lib; lib = nixpkgs.lib;
@ -23,7 +23,7 @@
forEachSystem = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ]; forEachSystem = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
forEachPkgs = f: forEachSystem (sys: f nixpkgs.legacyPackages.${sys}); forEachPkgs = f: forEachSystem (sys: f nixpkgs.legacyPackages.${sys});
in { in {
packages = forEachPkgs (pkgs: import ./pkgs { inherit pkgs; }); packages = forEachPkgs (pkgs: (import ./pkgs { inherit pkgs; }));
nixosConfigurations = { nixosConfigurations = {
lkk-nix-1 = lib.nixosSystem { lkk-nix-1 = lib.nixosSystem {
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
@ -47,12 +47,14 @@
}; };
homeConfigurations = { homeConfigurations = {
# Laptop # Laptop
"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration { "m3tam3re@m3-nix" = pkgs:
pkgs = nixpkgs.legacyPackages."x86_64-linux"; home-manager.lib.homeManagerConfiguration {
extraSpecialArgs = { inherit inputs; }; inherit pkgs;
extraSpecialArgs = { inherit inputs outputs; };
modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ]; modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
}; };
"m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration { "m3tam3re@lkk-nix-1" = pkgs: home-manager.lib.homeManagerConfiguration {
inherit pkgs;
extraSpecialArgs = { # pass things to t extraSpecialArgs = { # pass things to t
}; };
modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ]; modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
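Review bot: `"m3tam3re@lkk-nix-1"` still passes an empty `extraSpecialArgs = { # pass things to t` while the sibling `"m3tam3re@m3-nix"` entry in the same hunk now passes `{ inherit inputs outputs; }`; the truncated comment reads as unfinished, and the lkk-nix-1 home module will not see `inputs` or `outputs` unless it never needs them. Both entries have also become functions of `pkgs` (`pkgs: home-manager.lib.homeManagerConfiguration { ... }`); as far as I know the `home-manager switch --flake` entry point expects `homeConfigurations.<name>` to be the configuration itself, so unless a caller elsewhere applies them, that invocation would fail — worth confirming how they are consumed. For the second entry, `extraSpecialArgs = { inherit inputs outputs; };` with a finished comment would make the two consistent.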


@ -10,7 +10,7 @@
./syncthing.nix ./syncthing.nix
./waybar.nix ./waybar.nix
./wofi.nix ./wofi.nix
# ./wofi-pass.nix # ./wofi-pass.nix
]; ];
xdg.mimeApps = { xdg.mimeApps = {
@ -34,6 +34,15 @@
services.mako = { services.mako = {
enable = true; enable = true;
backgroundColor = "#282a36";
textColor = "#80FFEA";
borderColor = "#9742b5";
width = 400;
height = 150;
padding = "10,20";
borderRadius = 8;
borderSize = 1;
margin = "20,20";
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [


@ -5,7 +5,6 @@
../../features/desktop/plasma.nix ../../features/desktop/plasma.nix
../../features/services ../../features/services
]; ];
features = { features = {
cli = { cli = {
fish.enable = true; fish.enable = true;


@ -1,16 +1,11 @@
{ lib, pkgs, inputs, outputs, ... }: { lib, pkgs, inputs, outputs, ... }: {
{ imports = [ inputs.home-manager.nixosModules.home-manager ];
imports = [
inputs.home-manager.nixosModules.home-manager
];
home-manager = { home-manager = {
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = { inherit inputs outputs; }; extraSpecialArgs = { inherit inputs outputs; };
}; };
users.defaultUserShell = pkgs.fish; users.defaultUserShell = pkgs.fish;
environment.systemPackages = [ environment.systemPackages =
inputs.agenix.packages.x86_64-linux.default [ inputs.agenix.packages.x86_64-linux.default pkgs.busybox ];
pkgs.busybox
];
} }
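Review bot: `inputs.agenix.packages.x86_64-linux.default` hard-codes the system in a module that otherwise looks host-independent, while the flake's `forEachSystem` (in the flake.nix hunk of this commit) also builds for `aarch64-linux`; on an aarch64 host this would select an x86_64 build. `inputs.agenix.packages.${pkgs.system}.default` gives the same result on x86_64 and follows the host otherwise. The reformatting itself is fine; the enclosing attribute set begins and ends within the hunk.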


@ -3,6 +3,7 @@
isNormalUser = true; isNormalUser = true;
description = "Produktion"; description = "Produktion";
extraGroups = [ "tailscale" "networkmanager" "audio" "video" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa 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 m3tam3re@m3-nix" "ssh-rsa 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 m3tam3re@m3-nix"
]; ];
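Review bot: `extraGroups` now lists `"tailscale"`, but nothing in this commit declares such a group, and as far as I know the NixOS tailscale module does not create one (tailscaled runs as root and its control socket is root-owned); membership in a non-existent group has no effect, so if the intent was to let this account run `tailscale` commands without sudo, that needs a different mechanism or at least a `users.groups.tailscale = {};` declaration. This is a production account (`description = "Produktion"`) that also carries the committer's SSH key on the context line below, so its intended privileges are worth stating in a comment, e.g. `# "tailscale" group: intended for <purpose>; verify the group exists`. The enclosing `users.users.<name>` block starts outside the hunk.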


@ -18,6 +18,13 @@
networkmanager.enable = true; networkmanager.enable = true;
firewall.enable = true; firewall.enable = true;
}; };
programs.fish.enable = true;
age = {
secrets = {
tailscale-key.file = ../../secrets/tailscale-key.age;
};
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "yes"; permitRootLogin = "yes";
@ -26,11 +33,44 @@
enable = true; enable = true;
nssmdns = true; nssmdns = true;
}; };
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
'';
};
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -93,11 +133,7 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; environment.systemPackages = with pkgs; [ neovim ];
[
neovim
];
nix = { nix = {
gc = { gc = {
automatic = true; automatic = true;
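Review bot: `if [ $status = "Running" ]; then` leaves `$status` unquoted, so when `tailscale status -json` prints nothing (tailscaled still starting despite the `sleep 2`, or jq failing) the test collapses to `[ = Running ]` and the unit fails under the errexit shell NixOS runs `script` with, instead of falling through to `tailscale up`; quote it, `if [ "$status" = "Running" ]; then`, and likewise `--authkey "$TAILSCALE_KEY"`. `${config.age.secrets.tailscale-key.path}` also needs `config` bound in this file's argument set, which is outside the hunk; the `tailscale.nix` hunk in this same commit had to add `config` for the same expression, so worth confirming here. Passing the key as a command-line argument exposes it in the process list for the duration of `tailscale up`; if the packaged tailscale accepts the `file:` form of `--authkey`, pointing it at the agenix path avoids that, otherwise a comment noting the trade-off is due. The identical `services.tailscale` / `tailscale-autoconnect` block is duplicated verbatim in the next file section and already exists as a standalone module in the `tailscale.nix` hunk; importing that module would keep one copy to fix. Both hosts also use `identityPaths = [ "/root/.ssh/lkk-nix-1" ]` against the single recipient key in `secrets.nix`, so every host can decrypt every secret — acceptable if intended, but worth a one-line comment saying so.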


@ -18,6 +18,13 @@
networkmanager.enable = true; networkmanager.enable = true;
firewall.enable = true; firewall.enable = true;
}; };
programs.fish.enable = true;
age = {
secrets = {
tailscale-key.file = ../../secrets/tailscale-key.age;
};
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "yes"; permitRootLogin = "yes";
@ -26,6 +33,39 @@
enable = true; enable = true;
nssmdns = true; nssmdns = true;
}; };
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
'';
};
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";


@ -110,7 +110,7 @@ in {
secrets = { secrets = {
tailscale-key.file = ../../secrets/tailscale-key.age; tailscale-key.file = ../../secrets/tailscale-key.age;
}; };
identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ]; identityPaths = [ "/root/.ssh/lkk-nix-1" ];
}; };
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";


@ -1,30 +0,0 @@
{ pkgs, ... }: {
services.tailscale = { enable = true; };
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
'';
};
}


@ -1,4 +1,4 @@
{ pkgs, ... }: { { config, pkgs, ... }: {
services.tailscale = { services.tailscale = {
enable = true; enable = true;
useRoutingFeatures = "client"; useRoutingFeatures = "client";
@ -13,7 +13,10 @@
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job # set this service as a oneshot job
serviceConfig.Type = "oneshot"; serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script # have the job run this shell script
script = with pkgs; '' script = with pkgs; ''
@ -27,7 +30,7 @@
fi fi
# otherwise authenticate with tailscale # otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key) ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
''; '';
}; };
} }
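Review bot: `--exit-node 100.88.96.77` replaces the hostname `lkk-nix-1` with a bare tailnet IP and gives no hint why; if the name was swapped out because it is not resolvable at this point of boot, say so in a comment, `# exit node lkk-nix-1 by tailnet IP: the MagicDNS name may not resolve yet at this point; update if the node is re-registered`, since the address is not stable across re-registration. `$TAILSCALE_KEY` is unquoted on the same line; `--authkey "$TAILSCALE_KEY"` is safer. The rest of the script body, including the `[ $status = "Running" ]` check, sits outside this hunk.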


@ -1,4 +1,4 @@
{ stdenv, lib, fetchFromGitHub, bash, makeWrapper }: { stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:
with lib; with lib;
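Review bot: Adding `pkgs` to the derivation's argument set pulls the whole package set into what is otherwise an explicit dependency list (`stdenv, lib, fetchFromGitHub, bash, makeWrapper`); the body is outside the hunk so I cannot see what it is used for, but naming the specific package(s) in the argument list instead keeps each dependency overridable. If `pkgs` is genuinely needed as a whole, a comment saying which attribute is read from it would help the next reader.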


@ -1,24 +1,24 @@
let let
root = "ssh-rsa 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"; system = "ssh-rsa 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";
in { in {
"mj-smtp-user.age".publicKeys = [ root ]; "mj-smtp-user.age".publicKeys = [ system ];
"mj-smtp-pass.age".publicKeys = [ root ]; "mj-smtp-pass.age".publicKeys = [ system ];
"n8n-env.age".publicKeys = [ root ]; "n8n-env.age".publicKeys = [ system ];
"godaddy-api-key.age".publicKeys = [ root ]; "godaddy-api-key.age".publicKeys = [ system ];
"godaddy-api-secret.age".publicKeys = [ root ]; "godaddy-api-secret.age".publicKeys = [ system ];
"searx-environmentFile.age".publicKeys = [ root ]; "searx-environmentFile.age".publicKeys = [ system ];
"tailscale-key.age".publicKeys = [ root ]; "tailscale-key.age".publicKeys = [ system ];
"briefkasten-env.age".publicKeys = [ root ]; "briefkasten-env.age".publicKeys = [ system ];
"littlelink-lanakk-env.age".publicKeys = [ root ]; "littlelink-lanakk-env.age".publicKeys = [ system ];
"littlelink-m3tam3re-env.age".publicKeys = [ root ]; "littlelink-m3tam3re-env.age".publicKeys = [ system ];
"traefik-env.age".publicKeys = [ root ]; "traefik-env.age".publicKeys = [ system ];
"minio-root-cred.age".publicKeys = [ root ]; "minio-system-cred.age".publicKeys = [ system ];
} }
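Review bot: The attribute key is renamed from `"minio-root-cred.age"` to `"minio-system-cred.age"` along with the `root` → `system` variable rename, but the key is the on-disk filename of the encrypted secret, not a local binding; unless the file is renamed too (the binary file in this commit may be that) and every `config.age.secrets.minio-root-cred` reference is updated, agenix will no longer find the secret. The other keys keep their names, which suggests this one was caught by a search-and-replace; a short comment on the line, or a deliberate rename of the file in the same commit, would make the intent clear.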

Binary file not shown.