feat: add brontes to tailscale
This commit is contained in:
parent
637e768561
commit
d2fe4c6931
4 changed files with 75 additions and 10 deletions
|
@ -33,6 +33,7 @@
|
|||
services = {
|
||||
displayManager.sddm.enable = true;
|
||||
dbus.enable = true;
|
||||
tailscale.enable = true;
|
||||
};
|
||||
|
||||
programs = {
|
||||
|
@ -45,6 +46,7 @@
|
|||
};
|
||||
|
||||
security.polkit.enable = true;
|
||||
|
||||
users = {
|
||||
defaultUserShell = pkgs.fish;
|
||||
users.${username} = {
|
||||
|
|
|
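Review bot: `tailscale.enable = true;` in the first hunk starts tailscaled on this host, but nothing in the hunk points it at the self-hosted headscale that the second file configures, so unless `tailscale up --login-server` is run by hand or the login server is set elsewhere, the node would enrol with the public coordination server by default. If this host is meant to join the headscale tailnet, `services.tailscale.extraUpFlags = [ "--login-server=<headscale-url>" ];` (plus `authKeyFile` for unattended enrolment) makes that explicit in the config, and a short comment naming the control server would help the next reader. The same applies to the `services.tailscale = { enable = true; };` block added in the third file. The `services = { … };` set is fully inside the hunk, but the enclosing module is not.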
@ -1,10 +1,20 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib) mkIf;
|
||||
metricsEnable = false;
|
||||
mkAcl = src: dst: {
|
||||
action = "accept";
|
||||
inherit src dst;
|
||||
};
|
||||
mkSshAcl = src: dst: users: {
|
||||
action = "accept";
|
||||
inherit src dst users;
|
||||
};
|
||||
in
|
||||
mkIf config.services.headscale.enable {
|
||||
environment.systemPackages = [ config.services.headscale.package ];
|
||||
|
@ -24,7 +34,7 @@ mkIf config.services.headscale.enable {
|
|||
];
|
||||
ephemeral_node_inactivity_timeout = "30m";
|
||||
node_update_check_interval = "10s";
|
||||
metrics_listen_addr = "127.0.0.1:8086";
|
||||
metrics_listen_addr = mkIf metricsEnable "127.0.0.1:8086";
|
||||
# logging
|
||||
log = {
|
||||
format = "text";
|
||||
|
@ -47,7 +57,7 @@ mkIf config.services.headscale.enable {
|
|||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
"/metrics" = {
|
||||
"/metrics" = mkIf metricsEnable {
|
||||
proxyPass = "http://${toString config.services.headscale.settings.metrics_listen_addr}/metrics";
|
||||
};
|
||||
};
|
||||
|
@ -57,4 +67,50 @@ mkIf config.services.headscale.enable {
|
|||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
tailscaled.after = [ "headscale.service" ];
|
||||
headscale = {
|
||||
environment = {
|
||||
# required to use ssh
|
||||
HEADSCALE_EXPERIMENTAL_FEATURE_SSH = "1";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.headscale.settings.acl_policy_path = pkgs.writeTextFile {
|
||||
name = "headscale-acl.json";
|
||||
text = builtins.toJSON {
|
||||
acls = [
|
||||
(mkAcl [ "tag:client" ] [ "tag:client:*" ]) # client -> client
|
||||
(mkAcl [ "tag:client" ] [ "tag:server:*" ]) # client -> server
|
||||
];
|
||||
|
||||
ssh = [
|
||||
(mkSshAcl [ "tag:client" ] [
|
||||
"tag:server"
|
||||
"tag:client"
|
||||
] [ "ny" ]) # client -> {client, server}
|
||||
];
|
||||
|
||||
tags = [
|
||||
"tag:client"
|
||||
"tag:server"
|
||||
];
|
||||
|
||||
tagOwners =
|
||||
let
|
||||
users = [ "ny" ];
|
||||
tags = map (name: "tag:${name}") [
|
||||
"server"
|
||||
"client"
|
||||
];
|
||||
in
|
||||
lib.genAttrs tags (_: users);
|
||||
|
||||
autoApprovers = {
|
||||
exitNode = [ "*" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
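Review bot: `autoApprovers.exitNode = [ "*" ];` near the end of the ACL policy lets any node in the tailnet advertise itself as an exit node and be approved without review, which is broader than the rest of the policy, where only `tag:client` sources are granted anything. If exit nodes are meant to be the servers, `exitNode = [ "tag:server" ];` keeps auto-approval scoped to a tag that `ny` already owns via `tagOwners`. A comment on the ssh rule such as `# SSH from clients to any tagged node as OS user "ny"; extend users when adding accounts` would also make the intent of `users = [ "ny" ]` clear. The enclosing `mkIf config.services.headscale.enable { … }` set starts outside the hunk.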
|
|
@ -33,8 +33,12 @@
|
|||
};
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
services = {
|
||||
openssh.enable = true;
|
||||
tailscale = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
environment.systemPackages = map lib.lowPrio [
|
||||
pkgs.curl
|
||||
];
|
||||
|
|
|
@ -5,7 +5,11 @@
|
|||
./locale.nix
|
||||
./networking.nix
|
||||
./fonts.nix
|
||||
./nix
|
||||
./secrets.nix
|
||||
./portals.nix
|
||||
./env.nix
|
||||
./home-manager.nix
|
||||
|
||||
./programs/firefox.nix
|
||||
./programs/thunderbird.nix
|
||||
./programs/sway.nix
|
||||
|
@ -13,13 +17,12 @@
|
|||
./programs/steam.nix
|
||||
./programs/hyprland.nix
|
||||
./programs/ssh.nix
|
||||
./home-manager.nix
|
||||
./system/mime.nix
|
||||
./env.nix
|
||||
|
||||
./system/printing.nix
|
||||
./system/audio.nix
|
||||
./secrets.nix
|
||||
./portals.nix
|
||||
./system/mime.nix
|
||||
|
||||
./nix
|
||||
./themes
|
||||
];
|
||||
}
|
||||
|
|