tailscale service fix
This commit is contained in:
parent
39a27a95e8
commit
d87939af0f
20
flake.nix
20
flake.nix
|
@ -14,8 +14,8 @@
|
|||
hyprland.url = "github:hyprwm/Hyprland";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, home-manager, hyprland
|
||||
, agenix, deploy-rs, ... }@inputs:
|
||||
outputs =
|
||||
{ self, nixpkgs, home-manager, agenix, deploy-rs, ... }@inputs:
|
||||
let
|
||||
inherit (self) outputs;
|
||||
lib = nixpkgs.lib;
|
||||
|
@ -23,7 +23,7 @@
|
|||
forEachSystem = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
|
||||
forEachPkgs = f: forEachSystem (sys: f nixpkgs.legacyPackages.${sys});
|
||||
in {
|
||||
packages = forEachPkgs (pkgs: import ./pkgs { inherit pkgs; });
|
||||
packages = forEachPkgs (pkgs: (import ./pkgs { inherit pkgs; }));
|
||||
nixosConfigurations = {
|
||||
lkk-nix-1 = lib.nixosSystem {
|
||||
specialArgs = { inherit inputs; };
|
||||
|
@ -47,12 +47,14 @@
|
|||
};
|
||||
homeConfigurations = {
|
||||
# Laptop
|
||||
"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration {
|
||||
pkgs = nixpkgs.legacyPackages."x86_64-linux";
|
||||
extraSpecialArgs = { inherit inputs; };
|
||||
modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
|
||||
};
|
||||
"m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration {
|
||||
"m3tam3re@m3-nix" = pkgs:
|
||||
home-manager.lib.homeManagerConfiguration {
|
||||
inherit pkgs;
|
||||
extraSpecialArgs = { inherit inputs outputs; };
|
||||
modules = [ ./home/users/m3tam3re/m3-nix.nix allowUnfree ];
|
||||
};
|
||||
"m3tam3re@lkk-nix-1" = pkgs: home-manager.lib.homeManagerConfiguration {
|
||||
inherit pkgs;
|
||||
extraSpecialArgs = { # pass things to t
|
||||
};
|
||||
modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
|
||||
|
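Review bot: Turning the `"m3tam3re@m3-nix"` and `"m3tam3re@lkk-nix-1"` entries into functions of `pkgs` changes the shape of `homeConfigurations` that the home-manager CLI consumes; `home-manager switch --flake` expects each attribute to be an evaluated configuration (exposing `activationPackage`), not a lambda, so these entries would have to be applied by whatever consumes them — please confirm that nothing still addresses them directly. The `extraSpecialArgs = { # pass things to t` line in the `lkk-nix-1` entry reads as a truncated comment; if it is one, finish or drop it, e.g. `extraSpecialArgs = { inherit inputs outputs; };`, so the attribute set does not look half-written. The `"m3tam3re@lkk-nix-1"` entry's closing lines fall outside the hunk.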
|
|
@ -10,7 +10,7 @@
|
|||
./syncthing.nix
|
||||
./waybar.nix
|
||||
./wofi.nix
|
||||
# ./wofi-pass.nix
|
||||
# ./wofi-pass.nix
|
||||
];
|
||||
|
||||
xdg.mimeApps = {
|
||||
|
@ -34,6 +34,15 @@
|
|||
|
||||
services.mako = {
|
||||
enable = true;
|
||||
backgroundColor = "#282a36";
|
||||
textColor = "#80FFEA";
|
||||
borderColor = "#9742b5";
|
||||
width = 400;
|
||||
height = 150;
|
||||
padding = "10,20";
|
||||
borderRadius = 8;
|
||||
borderSize = 1;
|
||||
margin = "20,20";
|
||||
};
|
||||
|
||||
home.packages = with pkgs; [
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
../../features/desktop/plasma.nix
|
||||
../../features/services
|
||||
];
|
||||
|
||||
features = {
|
||||
cli = {
|
||||
fish.enable = true;
|
||||
|
|
|
@ -1,16 +1,11 @@
|
|||
{ lib, pkgs, inputs, outputs, ... }:
|
||||
{
|
||||
imports = [
|
||||
inputs.home-manager.nixosModules.home-manager
|
||||
];
|
||||
home-manager = {
|
||||
{ lib, pkgs, inputs, outputs, ... }: {
|
||||
imports = [ inputs.home-manager.nixosModules.home-manager ];
|
||||
home-manager = {
|
||||
useUserPackages = true;
|
||||
extraSpecialArgs = { inherit inputs outputs; };
|
||||
};
|
||||
users.defaultUserShell = pkgs.fish;
|
||||
|
||||
environment.systemPackages = [
|
||||
inputs.agenix.packages.x86_64-linux.default
|
||||
pkgs.busybox
|
||||
];
|
||||
environment.systemPackages =
|
||||
[ inputs.agenix.packages.x86_64-linux.default pkgs.busybox ];
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
|
||||
isNormalUser = true;
|
||||
description = "Produktion";
|
||||
extraGroups = [ "tailscale" "networkmanager" "audio" "video" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@m3-nix"
|
||||
];
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
../common/base
|
||||
];
|
||||
|
||||
# Bootloader.
|
||||
# Bootloader.
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
||||
|
@ -18,6 +18,13 @@
|
|||
networkmanager.enable = true;
|
||||
firewall.enable = true;
|
||||
};
|
||||
programs.fish.enable = true;
|
||||
age = {
|
||||
secrets = {
|
||||
tailscale-key.file = ../../secrets/tailscale-key.age;
|
||||
};
|
||||
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
|
||||
};
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "yes";
|
||||
|
@ -25,12 +32,45 @@
|
|||
services.avahi = {
|
||||
enable = true;
|
||||
nssmdns = true;
|
||||
};
|
||||
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
useRoutingFeatures = "client";
|
||||
};
|
||||
systemd.services.tailscale-autoconnect = {
|
||||
description = "Automatic connection to Tailscale";
|
||||
|
||||
# make sure tailscale is running before trying to connect to tailscale
|
||||
after = [ "network-pre.target" "tailscale.service" ];
|
||||
wants = [ "network-pre.target" "tailscale.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
|
||||
};
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
# wait for tailscaled to settle
|
||||
sleep 2
|
||||
|
||||
# check if we are already authenticated to tailscale
|
||||
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||
if [ $status = "Running" ]; then # if so, then do nothing
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
|
||||
'';
|
||||
};
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
|
@ -93,11 +133,7 @@
|
|||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs;
|
||||
[
|
||||
neovim
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [ neovim ];
|
||||
nix = {
|
||||
gc = {
|
||||
automatic = true;
|
||||
|
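Review bot: In the new `tailscale-autoconnect` script the test `if [ $status = "Running" ]` leaves `$status` unquoted, so when `tailscale status -json` yields nothing (tailscaled not ready despite the `sleep 2`) the test degenerates to `[ = Running ]` and fails with a syntax error instead of falling through to the authentication step; write `if [ "$status" = "Running" ]; then` and likewise `${tailscale}/bin/tailscale up --authkey "$TAILSCALE_KEY"`. `EnvironmentFile` only populates `$TAILSCALE_KEY` if the decrypted agenix file is in `KEY=value` form, i.e. contains a `TAILSCALE_KEY=…` line; a file holding just the bare key would leave the variable empty, and the secret's contents are not visible here, so please confirm. The script also reads `config.age.secrets.tailscale-key.path`, but this module's argument set is outside the hunk; if `config` is not among its arguments evaluation fails (the tailscale module hunk later in this commit adds `config` for that reason). The identical script is added in the second host configuration's `@ -25,7 +32,40 @@` hunk and needs the same fix.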
|
|
@ -18,6 +18,13 @@
|
|||
networkmanager.enable = true;
|
||||
firewall.enable = true;
|
||||
};
|
||||
programs.fish.enable = true;
|
||||
age = {
|
||||
secrets = {
|
||||
tailscale-key.file = ../../secrets/tailscale-key.age;
|
||||
};
|
||||
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
|
||||
};
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
permitRootLogin = "yes";
|
||||
|
@ -25,7 +32,40 @@
|
|||
services.avahi = {
|
||||
enable = true;
|
||||
nssmdns = true;
|
||||
};
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
useRoutingFeatures = "client";
|
||||
};
|
||||
systemd.services.tailscale-autoconnect = {
|
||||
description = "Automatic connection to Tailscale";
|
||||
|
||||
# make sure tailscale is running before trying to connect to tailscale
|
||||
after = [ "network-pre.target" "tailscale.service" ];
|
||||
wants = [ "network-pre.target" "tailscale.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
|
||||
};
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
# wait for tailscaled to settle
|
||||
sleep 2
|
||||
|
||||
# check if we are already authenticated to tailscale
|
||||
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||
if [ $status = "Running" ]; then # if so, then do nothing
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
|
||||
'';
|
||||
};
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
|
|
@ -110,7 +110,7 @@ in {
|
|||
secrets = {
|
||||
tailscale-key.file = ../../secrets/tailscale-key.age;
|
||||
};
|
||||
identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
|
||||
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
{ pkgs, ... }: {
|
||||
services.tailscale = { enable = true; };
|
||||
|
||||
systemd.services.tailscale-autoconnect = {
|
||||
description = "Automatic connection to Tailscale";
|
||||
|
||||
# make sure tailscale is running before trying to connect to tailscale
|
||||
after = [ "network-pre.target" "tailscale.service" ];
|
||||
wants = [ "network-pre.target" "tailscale.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
# wait for tailscaled to settle
|
||||
sleep 2
|
||||
|
||||
# check if we are already authenticated to tailscale
|
||||
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||
if [ $status = "Running" ]; then # if so, then do nothing
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, ... }: {
|
||||
{ config, pkgs, ... }: {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
useRoutingFeatures = "client";
|
||||
|
@ -13,7 +13,10 @@
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
# set this service as a oneshot job
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
|
||||
};
|
||||
|
||||
# have the job run this shell script
|
||||
script = with pkgs; ''
|
||||
|
@ -27,7 +30,7 @@
|
|||
fi
|
||||
|
||||
# otherwise authenticate with tailscale
|
||||
${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
|
||||
${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
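Review bot: The exit node is now pinned to the raw tailnet address `100.88.96.77` instead of the node name `lkk-nix-1`; if that node is ever re-registered it receives a new address and every client ends up with a dead exit node, whereas the MagicDNS name keeps resolving — prefer the name, or leave a comment explaining why the address is required. Re-running `tailscale up` with a flag set that differs from the previous invocation is refused unless all non-default flags are restated or `--reset` is passed, so applying this change to an already-joined machine may need `--reset` (depends on what was previously run, which the page does not show). The key should be quoted as well, `${tailscale}/bin/tailscale up --exit-node lkk-nix-1 --authkey "$TAILSCALE_KEY"`, and the `[ $status = "Running" ]` test just above this hunk should quote `$status` for the same reason.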
|
|
@ -1,4 +1,4 @@
|
|||
{ stdenv, lib, fetchFromGitHub, bash, makeWrapper }:
|
||||
{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:
|
||||
|
||||
with lib;
|
||||
|
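Review bot: Adding `pkgs` to the package function's argument set hands the derivation the whole package set instead of the specific inputs it uses; `callPackage` will satisfy it, but it obscures the real dependency list and makes per-input overrides harder. Prefer naming the attributes the body needs alongside `stdenv, lib, fetchFromGitHub, bash, makeWrapper`; the body that uses `pkgs` lies outside this hunk, so I cannot tell which ones.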
||||
|
|
26
secrets.nix
26
secrets.nix
|
@ -1,24 +1,24 @@
|
|||
let
|
||||
root = "ssh-rsa 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";
|
||||
system = "ssh-rsa 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";
|
||||
in {
|
||||
"mj-smtp-user.age".publicKeys = [ root ];
|
||||
"mj-smtp-pass.age".publicKeys = [ root ];
|
||||
"mj-smtp-user.age".publicKeys = [ system ];
|
||||
"mj-smtp-pass.age".publicKeys = [ system ];
|
||||
|
||||
"n8n-env.age".publicKeys = [ root ];
|
||||
"n8n-env.age".publicKeys = [ system ];
|
||||
|
||||
"godaddy-api-key.age".publicKeys = [ root ];
|
||||
"godaddy-api-secret.age".publicKeys = [ root ];
|
||||
"godaddy-api-key.age".publicKeys = [ system ];
|
||||
"godaddy-api-secret.age".publicKeys = [ system ];
|
||||
|
||||
"searx-environmentFile.age".publicKeys = [ root ];
|
||||
"searx-environmentFile.age".publicKeys = [ system ];
|
||||
|
||||
"tailscale-key.age".publicKeys = [ root ];
|
||||
"tailscale-key.age".publicKeys = [ system ];
|
||||
|
||||
"briefkasten-env.age".publicKeys = [ root ];
|
||||
"briefkasten-env.age".publicKeys = [ system ];
|
||||
|
||||
"littlelink-lanakk-env.age".publicKeys = [ root ];
|
||||
"littlelink-m3tam3re-env.age".publicKeys = [ root ];
|
||||
"littlelink-lanakk-env.age".publicKeys = [ system ];
|
||||
"littlelink-m3tam3re-env.age".publicKeys = [ system ];
|
||||
|
||||
"traefik-env.age".publicKeys = [ root ];
|
||||
"traefik-env.age".publicKeys = [ system ];
|
||||
|
||||
"minio-root-cred.age".publicKeys = [ root ];
|
||||
"minio-system-cred.age".publicKeys = [ system ];
|
||||
}
|
||||
|
|
Binary file not shown.