diff --git a/nixos/boxes/britway/default.nix b/nixos/boxes/britway/default.nix
index 753bd6d..956c04d 100644
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
@@ -102,6 +102,16 @@ in
 {
 matchConfig.Name = "as211024";
 networkConfig.IPv6AcceptRA = mkForce false;
+routes = map (r: { routeConfig = r; }) [
+{
+Destination = lib.my.c.colony.prefixes.all.v4;
+Gateway = allAssignments.estuary.as211024.ipv4.address;
+}
+{
+Destination = lib.my.c.home.prefixes.all.v4;
+Gateway = lib.my.c.home.vips.as211024.v4;
+}
+];
 }
 ];
 };
@@ -122,7 +132,17 @@ in
 };
 firewall = {
-trustedInterfaces = [ "as211024" ];
+trustedInterfaces = [ "as211024" "tailscale0" ];
+extraRules = ''
+table inet nat {
+chain postrouting {
+iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
+iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address}
+iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address}
+iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address}
+}
+}
+'';
 };
 };
 }
diff --git a/nixos/boxes/britway/tailscale.nix b/nixos/boxes/britway/tailscale.nix
index 7826436..306f31c 100644
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
+inherit (lib) concatStringsSep;
 inherit (lib.my.c) pubDomain;
 inherit (lib.my.c.britway) prefixes domain;
@@ -16,6 +17,13 @@ let
 vendorHash = "sha256-u9AmJguQ5dnJpfhOeLN43apvMHuraOrJhvlEIp9RoIc=";
 });
 };
+
+advRoutes = concatStringsSep "," [
+lib.my.c.colony.prefixes.all.v4
+lib.my.c.colony.prefixes.all.v6
+lib.my.c.home.prefixes.all.v4
+lib.my.c.home.prefixes.all.v6
+];
 in
 {
 config = {
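Review bot: Only the IPv4 prefixes of colony and home get a static route over as211024 in this hunk, while the advertise-routes list built in tailscale.nix also advertises the matching v6 prefixes; unless v6 reachability for those prefixes comes from another mechanism (IPv6AcceptRA is forced off on this interface), v6 traffic arriving from the tailnet for them would fall through to whatever default route exists. Either add the v6 counterparts alongside, e.g. `Destination = lib.my.c.colony.prefixes.all.v6;` with the corresponding gateway, or state the source of the v6 routes in a comment such as `# v6 for these prefixes is learned via <…>; only v4 needs static routes here`. The enclosing networks attribute starts before the hunk.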
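Review bot: Putting tailscale0 in trustedInterfaces accepts every inbound packet from any tailnet peer, far more than the WireGuard port that `openFirewall = true` on the tailscale service already opens, so every service bound on this host becomes reachable from the whole tailnet and, if the forward path is equally unfiltered for trusted interfaces, so do the routed colony/home prefixes. If the intent is only to make the exit node and subnet routes work, leave tailscale0 out of trustedInterfaces and allow forwarding from it explicitly, keeping host-local access governed by headscale ACLs and the normal input rules. The SNAT rules in extraRules also rewrite every tailnet source to this host's own address, so downstream ACLs on colony, home and the upstream can no longer distinguish individual tailnet clients; a comment such as `# tailnet clients appear as britway's own address to colony/home/upstream` should record that trade-off. The `postrouting` chain is declared without a `type nat hook postrouting priority srcnat;` line, which only works if the firewall module already defines `inet nat postrouting` with a hook — confirm, since a bare regular chain is never evaluated.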
@@ -65,6 +73,18 @@ in
 };
 };
 };
+
+tailscale = {
+enable = true;
+authKeyFile = config.age.secrets."tailscale-auth.key".path;
+openFirewall = true;
+interfaceName = "tailscale0";
+extraUpFlags = [
+"--login-server=https://ts.nul.ie"
+"--advertise-exit-node"
+"--advertise-routes=${advRoutes}"
+];
+};
 my = {
@@ -75,6 +95,7 @@ in
 group = "headscale";
 mode = "440";
 };
+"tailscale-auth.key" = {};
 };
 };
 };
diff --git a/secrets/tailscale-auth.key.age b/secrets/tailscale-auth.key.age
new file mode 100644
index 0000000..bd6cadd
--- /dev/null
+++ b/secrets/tailscale-auth.key.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBrVTJ0
+VUhnWE5CMU15UWRvRk01REc2WHRJWHBjUkp3ZGU4eWRUcDB0OWxzCklldVRqa2F6
+ZVBFOEx5cUNiUkc1NmFIRVdaT2dUWXliY1FHTHhiSkxMR1UKLT4gWDI1NTE5IEwz
+OHVaZnV5OXdIbWNyWVh0TDJzdFh1aEV0NzFZUCtva2VTd1A4ZUlBaVUKUFltdHNm
+U3V6QlJFbzZyeUk5QlJDT3J5eEE3VnNjNzRDYUJKcWVndnRGYwotPiAzdmkmLWdy
+ZWFzZSBGMSkgKz8qMVcKa2VuTjhhZmhLRFB5RU1BRG8zaWE2NFBoZ2tKM3NmNjly
+RDk3NzlwNE5CK3VQaE1XRWJEK2NJV3hraXJiaGtwNApkcVQwaDkyd3hOcXJBMFY1
+MEMyRzJBRmkvdVlqTVEKLS0tIFlZNWZUSkU1UVNCb1gvZXpKcjR2d0hZUkNiZ05n
+M1BScjNNK1diaWEwZVEKQ9FxixeAUhGgPZLgxPK4lnkMFQ6m84K9VSrDvIfPhjwN
+bX52anx1xQhyJ44WD7vuEBeROhn+3J22ji7Bjjk7t+1+XCZsxz96MDbNxbmQVYR8
+-----END AGE ENCRYPTED FILE-----
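Review bot: `--advertise-exit-node` and `--advertise-routes` only announce the routes; nothing in this block records that they must be approved on the headscale side before they take effect, nor where the kernel forwarding sysctls that exit-node and subnet-router traffic depend on come from. If this box does not already enable forwarding as part of its router role, the module's `useRoutingFeatures = "server";` would set them; either way a comment like `# exit node + subnet routes must be approved in headscale; forwarding is enabled by <…>` makes the dependency explicit. The auth key is consumed only on first login, so the note should also say whether the key behind `authKeyFile` is a single-use pre-auth key — a reusable one would let anyone who recovers the decrypted file enrol further nodes. The enclosing `services` attribute set starts before the hunk.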