feat: add brontes to tailscale

This commit is contained in:
Nydragon 2024-09-26 15:09:22 +02:00
parent 637e768561
commit d2fe4c6931
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
4 changed files with 75 additions and 10 deletions


@ -33,6 +33,7 @@
services = { services = {
displayManager.sddm.enable = true; displayManager.sddm.enable = true;
dbus.enable = true; dbus.enable = true;
tailscale.enable = true;
}; };
programs = { programs = {
@ -45,6 +46,7 @@
}; };
security.polkit.enable = true; security.polkit.enable = true;
users = { users = {
defaultUserShell = pkgs.fish; defaultUserShell = pkgs.fish;
users.${username} = { users.${username} = {


@ -1,10 +1,20 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
inherit (lib) mkIf; inherit (lib) mkIf;
metricsEnable = false;
mkAcl = src: dst: {
action = "accept";
inherit src dst;
};
mkSshAcl = src: dst: users: {
action = "accept";
inherit src dst users;
};
in in
mkIf config.services.headscale.enable { mkIf config.services.headscale.enable {
environment.systemPackages = [ config.services.headscale.package ]; environment.systemPackages = [ config.services.headscale.package ];
@ -24,7 +34,7 @@ mkIf config.services.headscale.enable {
]; ];
ephemeral_node_inactivity_timeout = "30m"; ephemeral_node_inactivity_timeout = "30m";
node_update_check_interval = "10s"; node_update_check_interval = "10s";
metrics_listen_addr = "127.0.0.1:8086"; metrics_listen_addr = mkIf metricsEnable "127.0.0.1:8086";
# logging # logging
log = { log = {
format = "text"; format = "text";
@ -47,7 +57,7 @@ mkIf config.services.headscale.enable {
proxyWebsockets = true; proxyWebsockets = true;
}; };
"/metrics" = { "/metrics" = mkIf metricsEnable {
proxyPass = "http://${toString config.services.headscale.settings.metrics_listen_addr}/metrics"; proxyPass = "http://${toString config.services.headscale.settings.metrics_listen_addr}/metrics";
}; };
}; };
@ -57,4 +67,50 @@ mkIf config.services.headscale.enable {
''; '';
}; };
}; };
systemd.services = {
tailscaled.after = [ "headscale.service" ];
headscale = {
environment = {
# required to use ssh
HEADSCALE_EXPERIMENTAL_FEATURE_SSH = "1";
};
};
};
services.headscale.settings.acl_policy_path = pkgs.writeTextFile {
name = "headscale-acl.json";
text = builtins.toJSON {
acls = [
(mkAcl [ "tag:client" ] [ "tag:client:*" ]) # client -> client
(mkAcl [ "tag:client" ] [ "tag:server:*" ]) # client -> server
];
ssh = [
(mkSshAcl [ "tag:client" ] [
"tag:server"
"tag:client"
] [ "ny" ]) # client -> {client, server}
];
tags = [
"tag:client"
"tag:server"
];
tagOwners =
let
users = [ "ny" ];
tags = map (name: "tag:${name}") [
"server"
"client"
];
in
lib.genAttrs tags (_: users);
autoApprovers = {
exitNode = [ "*" ];
};
};
};
} }
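Review bot: `autoApprovers.exitNode = [ "*" ]` lets every node in the tailnet advertise itself as an exit node and get it approved without operator review, so a single compromised client could start receiving other clients' default-route traffic; restricting it to the nodes meant to serve that role, e.g. `exitNode = [ "tag:server" ];`, keeps approval tied to the `tagOwners` defined a few lines above. The top-level `tags = [ "tag:client" "tag:server" ];` list does not appear to be a key in the headscale policy schema (tags are declared through `tagOwners`), so it is most likely parsed and silently ignored and could be dropped. The SSH rule uses `action = "accept"`, which grants sessions with no re-authentication; if the running headscale version honours `action = "check"` with a `checkPeriod`, that would be the tighter default for the `tag:client -> tag:server` rule, and the `HEADSCALE_EXPERIMENTAL_FEATURE_SSH` toggle deserves a comment noting that the feature is experimental and may change across upgrades. The enclosing `mkIf config.services.headscale.enable { … }` attribute set starts before this hunk.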


@ -33,8 +33,12 @@
}; };
}; };
services.openssh.enable = true; services = {
openssh.enable = true;
tailscale = {
enable = true;
};
};
environment.systemPackages = map lib.lowPrio [ environment.systemPackages = map lib.lowPrio [
pkgs.curl pkgs.curl
]; ];
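Review bot: Enabling `tailscale` here does not turn on IP forwarding, so if brontes is intended to act as an exit node for the clients (the headscale ACL in this commit auto-approves exit nodes), it also needs `services.tailscale.useRoutingFeatures = "server";`, which is what the NixOS module uses to set the forwarding sysctls. OpenSSH remains reachable on every interface alongside Tailscale SSH; if the intent is to reach the host only over the tailnet, consider `networking.firewall.trustedInterfaces = [ "tailscale0" ];` together with dropping port 22 from the public firewall, or restrict `services.openssh.listenAddresses`. The enclosing attribute set starts before this hunk.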


@ -5,7 +5,11 @@
./locale.nix ./locale.nix
./networking.nix ./networking.nix
./fonts.nix ./fonts.nix
./nix ./secrets.nix
./portals.nix
./env.nix
./home-manager.nix
./programs/firefox.nix ./programs/firefox.nix
./programs/thunderbird.nix ./programs/thunderbird.nix
./programs/sway.nix ./programs/sway.nix
@ -13,13 +17,12 @@
./programs/steam.nix ./programs/steam.nix
./programs/hyprland.nix ./programs/hyprland.nix
./programs/ssh.nix ./programs/ssh.nix
./home-manager.nix
./system/mime.nix
./env.nix
./system/printing.nix ./system/printing.nix
./system/audio.nix ./system/audio.nix
./secrets.nix ./system/mime.nix
./portals.nix
./nix
./themes ./themes
]; ];
} }