diff --git a/hosts/brontes/configuration.nix b/hosts/brontes/configuration.nix index 4c323bf..a936f7c 100644 --- a/hosts/brontes/configuration.nix +++ b/hosts/brontes/configuration.nix @@ -33,6 +33,7 @@ services = { displayManager.sddm.enable = true; dbus.enable = true; + tailscale.enable = true; }; programs = { @@ -45,6 +46,7 @@ }; security.polkit.enable = true; + users = { defaultUserShell = pkgs.fish; users.${username} = { diff --git a/hosts/raptus/headscale.nix b/hosts/raptus/headscale.nix index 76cc8f1..fbf5625 100644 --- a/hosts/raptus/headscale.nix +++ b/hosts/raptus/headscale.nix @@ -1,10 +1,20 @@ { config, lib, + pkgs, ... }: let inherit (lib) mkIf; + metricsEnable = false; + mkAcl = src: dst: { + action = "accept"; + inherit src dst; + }; + mkSshAcl = src: dst: users: { + action = "accept"; + inherit src dst users; + }; in mkIf config.services.headscale.enable { environment.systemPackages = [ config.services.headscale.package ]; @@ -24,7 +34,7 @@ mkIf config.services.headscale.enable { ]; ephemeral_node_inactivity_timeout = "30m"; node_update_check_interval = "10s"; - metrics_listen_addr = "127.0.0.1:8086"; + metrics_listen_addr = mkIf metricsEnable "127.0.0.1:8086"; # logging log = { format = "text"; @@ -47,7 +57,7 @@ mkIf config.services.headscale.enable { proxyWebsockets = true; }; - "/metrics" = { + "/metrics" = mkIf metricsEnable { proxyPass = "http://${toString config.services.headscale.settings.metrics_listen_addr}/metrics"; }; }; 
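Review bot: `metrics_listen_addr = mkIf metricsEnable "127.0.0.1:8086"` does not switch the metrics listener off when `metricsEnable` is false — `mkIf false` only drops this key from `settings`, and if the NixOS headscale module or headscale itself supplies a default for `metrics_listen_addr`, headscale keeps serving metrics on that default address while only the nginx `/metrics` location disappears. Nothing else in this hunk disables metrics in headscale, so the flag's real effect should be documented where it is read, e.g. `# metricsEnable gates only the nginx /metrics proxy; headscale may still bind its default metrics address`. If the intent is to never expose metrics beyond loopback, keeping the explicit `127.0.0.1` bind unconditional is safer than leaving the listen address to a default.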
@@ -57,4 +67,50 @@ mkIf config.services.headscale.enable { ''; }; }; + + systemd.services = { + tailscaled.after = [ "headscale.service" ]; + headscale = { + environment = { + # required to use ssh + HEADSCALE_EXPERIMENTAL_FEATURE_SSH = "1"; + }; + }; + }; + + services.headscale.settings.acl_policy_path = pkgs.writeTextFile { + name = "headscale-acl.json"; + text = builtins.toJSON { + acls = [ + (mkAcl [ "tag:client" ] [ "tag:client:*" ]) # client -> client + (mkAcl [ "tag:client" ] [ "tag:server:*" ]) # client -> server + ]; + + ssh = [ + (mkSshAcl [ "tag:client" ] [ + "tag:server" + "tag:client" + ] [ "ny" ]) # client -> {client, server} + ]; + + tags = [ + "tag:client" + "tag:server" + ]; + + tagOwners = + let + users = [ "ny" ]; + tags = map (name: "tag:${name}") [ + "server" + "client" + ]; + in + lib.genAttrs tags (_: users); + + autoApprovers = { + exitNode = [ "*" ]; + }; + }; + }; } diff --git a/hosts/shan/configuration.nix b/hosts/shan/configuration.nix index 0084dc1..b9c32a7 100644 --- a/hosts/shan/configuration.nix +++ b/hosts/shan/configuration.nix @@ -33,8 +33,12 @@ }; }; - services.openssh.enable = true; - + services = { + openssh.enable = true; + tailscale = { + enable = true; + }; + }; environment.systemPackages = map lib.lowPrio [ pkgs.curl ]; diff --git a/modules/default.nix b/modules/default.nix index e99a807..ccd93a1 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -5,7 +5,11 @@ ./locale.nix ./networking.nix ./fonts.nix - ./nix + ./secrets.nix + ./portals.nix + ./env.nix + ./home-manager.nix + ./programs/firefox.nix ./programs/thunderbird.nix ./programs/sway.nix @@ -13,13 +17,12 @@ ./programs/steam.nix ./programs/hyprland.nix ./programs/ssh.nix - ./home-manager.nix - ./system/mime.nix - ./env.nix + ./system/printing.nix ./system/audio.nix - ./secrets.nix - ./portals.nix + ./system/mime.nix + + ./nix ./themes ]; }
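Review bot: `autoApprovers.exitNode = [ "*" ]` lets any node in the tailnet advertise itself as an exit node and have that route approved with no admin step, so a compromised `tag:client` machine can silently become an egress point for every peer that selects it; restrict it to the hosts meant for that role, `autoApprovers.exitNode = [ "tag:server" ];`. The SSH rule is built with `action = "accept"`, which grants a shell on `tag:server` from any `tag:client` without re-authentication; Tailscale SSH supports `action = "check"` (optionally with `checkPeriod`) for the server destination, which is the safer choice for the client-to-server direction even if client-to-client stays `accept`. The `tags = [ ... ]` list is not a top-level key I recognise in the headscale/Tailscale policy format (`tagOwners` already declares both tags), so it is either ignored or, if the parser rejects unknown fields, breaks policy loading — remove it or verify it against the headscale version in use. `acl_policy_path` is a deprecated key in recent headscale releases in favour of `policy.path`; if the deployed version is current, confirm the old key is still honoured rather than silently ignored, since a missing policy changes what the ACLs permit.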