nixos/britway: Add tailscale
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 19m49s

Jack O'Sullivan 2023-12-20 00:21:39 +00:00
parent b537524e5a
commit 21136e98b2
3 changed files with 54 additions and 1 deletions


@ -102,6 +102,16 @@ in
{ {
matchConfig.Name = "as211024"; matchConfig.Name = "as211024";
networkConfig.IPv6AcceptRA = mkForce false; networkConfig.IPv6AcceptRA = mkForce false;
routes = map (r: { routeConfig = r; }) [
{
Destination = lib.my.c.colony.prefixes.all.v4;
Gateway = allAssignments.estuary.as211024.ipv4.address;
}
{
Destination = lib.my.c.home.prefixes.all.v4;
Gateway = lib.my.c.home.vips.as211024.v4;
}
];
} }
]; ];
}; };
@ -122,7 +132,17 @@ in
}; };
firewall = { firewall = {
trustedInterfaces = [ "as211024" ]; trustedInterfaces = [ "as211024" "tailscale0" ];
extraRules = ''
table inet nat {
chain postrouting {
iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
iifname tailscale0 oifname veth0 snat ip6 to ${assignments.vultr.ipv6.address}
iifname tailscale0 oifname as211024 snat ip to ${assignments.as211024.ipv4.address}
iifname tailscale0 oifname as211024 snat ip6 to ${assignments.as211024.ipv6.address}
}
}
'';
}; };
}; };
} }
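Review bot: Adding `tailscale0` to `trustedInterfaces` appears to exempt every tailnet peer from this host's packet filter, so access to local services and to the forwarded colony/home networks is then decided only by the login server's ACL policy. The semantics of `trustedInterfaces` are defined outside this hunk, so that reading is inferred from the option name. Because the new postrouting rules SNAT this traffic to the host's own addresses, hosts behind `veth0` and `as211024` see it as coming from britway and cannot filter or log by the original tailnet source. If that is intended, record it next to the option, e.g. `# tailscale0 trusted: per-peer access is enforced by headscale ACLs, not by nftables here`; otherwise keep `trustedInterfaces = [ "as211024" ];` and accept only the required flows from `tailscale0`.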


@ -1,5 +1,6 @@
{ lib, pkgs, config, assignments, allAssignments, ... }: { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (lib) concatStringsSep;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.britway) prefixes domain; inherit (lib.my.c.britway) prefixes domain;
@ -16,6 +17,13 @@ let
vendorHash = "sha256-u9AmJguQ5dnJpfhOeLN43apvMHuraOrJhvlEIp9RoIc="; vendorHash = "sha256-u9AmJguQ5dnJpfhOeLN43apvMHuraOrJhvlEIp9RoIc=";
}); });
}; };
advRoutes = concatStringsSep "," [
lib.my.c.colony.prefixes.all.v4
lib.my.c.colony.prefixes.all.v6
lib.my.c.home.prefixes.all.v4
lib.my.c.home.prefixes.all.v6
];
in in
{ {
config = { config = {
@ -65,6 +73,18 @@ in
}; };
}; };
}; };
tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale-auth.key".path;
openFirewall = true;
interfaceName = "tailscale0";
extraUpFlags = [
"--login-server=https://ts.nul.ie"
"--advertise-exit-node"
"--advertise-routes=${advRoutes}"
];
};
}; };
my = { my = {
@ -75,6 +95,7 @@ in
group = "headscale"; group = "headscale";
mode = "440"; mode = "440";
}; };
"tailscale-auth.key" = {};
}; };
}; };
}; };
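Review bot: Nothing in the `tailscale` block records what kind of key `tailscale-auth.key` is, yet the node it enrols advertises itself as an exit node and as a router for all colony and home prefixes. A reusable or non-expiring key would let anyone who obtains the decrypted file register further nodes, so a single-use key with a short expiry is the safer choice, noted above `authKeyFile` as `# single-use, expiring pre-auth key; only needed for first login`. The advertised routes and exit node should also remain subject to explicit approval and ACLs on the login server rather than auto-approval; that configuration is not visible in this diff.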


@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----