nixos/britway: Add tailscale

2023-12-20 00:21:39 +00:00
parent b537524e5a
commit 21136e98b2
3 changed files with 54 additions and 1 deletions
--- a/nixos/boxes/britway/default.nix
+++ b/nixos/boxes/britway/default.nix
@@ -102,6 +102,16 @@ in
                  {
                    matchConfig.Name = "as211024";
                    networkConfig.IPv6AcceptRA = mkForce false;
+                    routes = map (r: { routeConfig = r; }) [
+                      {
+                        Destination = lib.my.c.colony.prefixes.all.v4;
+                        Gateway = allAssignments.estuary.as211024.ipv4.address;
+                      }
+                      {
+                        Destination = lib.my.c.home.prefixes.all.v4;
+                        Gateway = lib.my.c.home.vips.as211024.v4;
+                      }
+                    ];
                  }
                ];
              };
@@ -122,7 +132,17 @@ in
              };

              firewall = {
-                trustedInterfaces = [ "as211024" ];
+                trustedInterfaces = [ "as211024" "tailscale0" ];
+                extraRules = ''
+                  table inet nat {
+                    chain postrouting {
+                      iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
+                      iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address}
+                      iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address}
+                      iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address}
+                    }
+                  }
+                '';
              };
            };
          }
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
+  inherit (lib) concatStringsSep;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;

@@ -16,6 +17,13 @@ let
      vendorHash = "sha256-u9AmJguQ5dnJpfhOeLN43apvMHuraOrJhvlEIp9RoIc=";
    });
  };
+
+  advRoutes = concatStringsSep "," [
+    lib.my.c.colony.prefixes.all.v4
+    lib.my.c.colony.prefixes.all.v6
+    lib.my.c.home.prefixes.all.v4
+    lib.my.c.home.prefixes.all.v6
+  ];
 in
 {
  config = {
@@ -65,6 +73,18 @@ in
          };
        };
      };
+
+      tailscale = {
+        enable = true;
+        authKeyFile = config.age.secrets."tailscale-auth.key".path;
+        openFirewall = true;
+        interfaceName = "tailscale0";
+        extraUpFlags = [
+          "--login-server=https://ts.nul.ie"
+          "--advertise-exit-node"
+          "--advertise-routes=${advRoutes}"
+        ];
+      };
    };

    my = {
@@ -75,6 +95,7 @@ in
            group = "headscale";
            mode = "440";
          };
+          "tailscale-auth.key" = {};
        };
      };
    };