diff --git a/nixos/boxes/britway/tailscale.nix b/nixos/boxes/britway/tailscale.nix
index a07b43d..876d1c1 100644
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }: let
+ inherit (lib) concatStringsSep;
 inherit (lib.my.c) pubDomain; inherit (lib.my.c.britway) prefixes domain;
@@ -19,6 +20,10 @@ let
 }); });
+ advRoutes = concatStringsSep "," [
+ lib.my.c.home.prefixes.all.v4
+ lib.my.c.home.prefixes.all.v6
+ ];
 pubNameservers = [ "1.1.1.1" "1.0.0.1"
@@ -85,6 +90,7 @@ in
 "--login-server=https://hs.nul.ie" "--netfilter-mode=off" "--advertise-exit-node"
+ "--advertise-routes=${advRoutes}"
 "--accept-routes=false" ]; };
diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix
index 1ed7d1c..5bec941 100644
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -1,7 +1,6 @@
 index: { lib, allAssignments, ... }: let inherit (builtins) elemAt;
- inherit (lib) concatStringsSep;
 inherit (lib.my) net mkVLAN; inherit (lib.my.c) pubDomain; inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@@ -151,28 +150,6 @@ in
 }; nginx.enable = true;
-
- tailscale =
- let
- advRoutes = concatStringsSep "," [
- prefixes.all.v4
- prefixes.all.v6
- ];
- in
- {
- enable = true;
- authKeyFile = config.age.secrets."tailscale-auth.key".path;
- openFirewall = true;
- interfaceName = "tailscale0";
- extraUpFlags = [
- "--operator=${config.my.user.config.name}"
- "--login-server=https://hs.nul.ie"
- "--netfilter-mode=off"
- "--advertise-exit-node"
- "--advertise-routes=${advRoutes}"
- "--accept-routes=false"
- ];
- };
 }; networking = { inherit domain; };
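Review bot: In the `@@ -85,6 +90,7 @@` hunk, `"--advertise-routes=${advRoutes}"` turns britway into a subnet router for both whole home prefixes next to `--advertise-exit-node`, while the `--netfilter-mode=off` line just above means tailscaled installs no forwarding or filtering rules of its own, so britway's own firewall and forwarding policy for tailscale0 (outside this hunk) is the only thing between approved tailnet peers and the home LAN. Whether the routes ever become active presumably depends on route approval and ACLs on the control server at hs.nul.ie, which the flag alone does not express. A comment on the `advRoutes` binding in the `@@ -19,6 +20,10 @@` hunk would make that explicit, e.g. `# Advertise the whole home LAN from this node; exposure is gated by control-server route approval/ACLs and by the local forwarding policy, since --netfilter-mode=off installs no rules.` The retained `--accept-routes=false` means britway itself will not install routes advertised by other nodes, which is worth stating in the same comment. The `extraUpFlags` list and its enclosing attribute set begin outside the hunk.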
@@ -304,6 +281,15 @@ in
 Destination = lib.my.c.colony.prefixes.all.v4; Gateway = allAssignments.estuary.as211024.ipv4.address; }
+
+ {
+ Destination = lib.my.c.tailscale.prefix.v4;
+ Gateway = allAssignments.britway.as211024.ipv4.address;
+ }
+ {
+ Destination = lib.my.c.tailscale.prefix.v6;
+ Gateway = allAssignments.britway.as211024.ipv6.address;
+ }
 ]; } ];
@@ -330,7 +316,6 @@ in
 secrets = { files = { "l2mesh/as211024.key" = {};
- "tailscale-auth.key" = {};
 }; };
@@ -340,7 +325,7 @@ in
 }; }; firewall = {
- trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
+ trustedInterfaces = [ "lan-hi" "lan-lo" ];
 udp.allowed = [ 5353 ]; tcp.allowed = [ 5353 ]; nat = {
diff --git a/nixos/boxes/home/routing-common/keepalived.nix b/nixos/boxes/home/routing-common/keepalived.nix
index 7c89804..e1c4370 100644
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -61,12 +61,7 @@ in
 v6Alive = pingScriptFor "v6" [ "2606:4700:4700::1111" "2001:4860:4860::8888" "2600::" ]; }; vrrpInstances = {
- v4 = mkVRRP "v4" 51 // {
- extraConfig = ''
- notify_master "${config.systemd.package}/bin/systemctl start tailscaled.service" root
- notify_backup "${config.systemd.package}/bin/systemctl stop tailscaled.service" root
- '';
- };
+ v4 = mkVRRP "v4" 51;
 v6 = (mkVRRP "v6" 52) // { extraConfig = '' notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
diff --git a/secrets/tailscale-auth.key.age b/secrets/tailscale-auth.key.age
index 001f2bd..5acf408 100644
--- a/secrets/tailscale-auth.key.age
+++ b/secrets/tailscale-auth.key.age
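Review bot: The two new routes send `lib.my.c.tailscale.prefix.v4`/`.v6` towards britway's as211024 addresses, and the `@@ -340,7 +325,7 @@` hunk in the same file drops `"tailscale0"` from `trustedInterfaces`, so tailnet traffic now reaches the home routers over the mesh interface rather than a locally trusted tailscale0; whatever firewall policy applies to that mesh interface, which is not visible here, now decides what tailnet peers can reach on the LAN. This is only a tightening if the mesh interface is not itself trusted, which is worth confirming and recording in a comment next to the new entries, e.g. `# Tailnet prefixes are reached via britway over the mesh; filtering happens at britway and on the mesh interface, not via a local tailscale0.` The v4 entry uses `.ipv4.address` and the v6 entry `.ipv6.address`, consistent with the estuary route above it. The `Routes`-style list these entries extend, and its enclosing attribute set, begin outside the hunk.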
@@ -1,18 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBtay96
-encxaVJmQWhqenRmVjZkdDVFdnNINENTT0RLUGxsUkdoK1pvMjBjCjUycDh3ZTAr
-QnN5MkdaY1ozR1pRNGVVL0pQZWtYMXd0dlo3cnNiQWhjSkUKLT4gc3NoLWVkMjU1
-MTkgWk5xSW9nIDIvNFZURjZQeW4wRkpqZS9YRXhhRFYwMmx3Mks4czJidFo3elht
-ZVhBejQKTXpqUGVHcytSbENoc3hQZ01wcXBQMklMNU1XTnp4TmtvenFoaGphS3Qz
-MAotPiBzc2gtZWQyNTUxOSBzK3FSZmcgV2J4TlhYQXVwdisyWmF1QTkzUXUvNEVt
-ZTRoM0ppQVdFZDFsUCtYbnlUUQpqWmYxYTZ3ZnFVYk5SSWN5QUt4MFlUMFFrdDUx
-MjF6b1lDbkVaMElnLzNNCi0+IHNzaC1lZDI1NTE5IE9FcU1zZyByNWNDQkRmMHlD
-NFExRVk3MHhjYnREcXh2ZmVDMnNEaE5lWks2azlHTEVnCnNXQm94eTJPVk1mYmxZ
-U1RqRTE1bDVHNFY2c0VQS1QyQWx6TGRYL01HRzAKLT4gWDI1NTE5IFMrZnlnNTQ1
-UFdQZ0RnRUdiMkNTaXhjRnVFcUpULzJveFNyd2FGcmVJaDAKU2hzZ0NxYzU4ZEgv
-VnRqNlJIRmFHSisyWWlaTGVtbDFITHljWGt2b0V3bwotPiBbNFpCbn0tZ3JlYXNl
-IDxDeCBKbiBBP0ImJCBQClJBV2gwUy9ldUU0MUFPczFRTXVEeHR4akZqTEEKLS0t
-IFY1Z0V5Z1Z2U0Q4alFmaFV5bnY3QjRxOTlkTWRRL0hVTlRiWWk2MWdXdVkKS8oI
-z3Eyu1ZdBwLrTINoorZTBBgx8vp5iIdUevCg4dyH3WnkW/DHXZuuRGSH6xiSAroH
-JI5toFkwp3ZHWcodcYNvyP7ECRBsTyuCk7aRPgnZ
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyByYlJn
+aERLcEhadS9jVUlyUmgxWEk5K0U2cE9WUlhCc0ZXbzhDRnZLTERvCmo2Vy9XeFhq
+NTcwdG5PZjlDb1JIM3BYWEVzMlBFWHFmRWt2dkF2OEQ2TDQKLT4gc3NoLWVkMjU1
+MTkgT0VxTXNnIHROaUlGUExERTZFaU5QL3dBcFpQVWNobGQwSEZ1YTU3NXJkekRi
+c0RUMGsKUHg4V0hIdFJ0aGxwOTFhaVB6MUdVWE0wUFgrMjI2am5uZlhWL09ObjhB
+VQotPiBYMjU1MTkgTWwyQjZjcUFYQ01KUHpoajRrVkpZd0czSzVrMTZxdjVHaHRh
+bERCSjBqSQpYOXJibDZPM2Z6bkNCSGpMRExZT21UTzU0N0RiT2FNM0l3N1pnRkl6
+WUJBCi0+IE0qLWdyZWFzZSB6TDVwIGRiQm0gajFFIEVqUXcKU3pEOFBqRVQ0dDZi
+REszS1h0T2FnOFF6cHBrN2xtOHdEQkIrCi0tLSBTM3EwNHhDaEo1eldDOTN5dzQz
+Q3Rpeno1K25KRU15L01wU21tczNmdlVJCqHBdFLovtLJGH9IY86pvc3xhpoLnfI/
+OVAF5RdpR9T2oNCr3oAiVURkPocYXLHnbjZhLKoj3uDoSZAE52VN9l05jhyX1wwY
+/Vfnp48kP8xfbQ==
 -----END AGE ENCRYPTED FILE-----
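Review bot: The rekeyed secret is encrypted to fewer recipients: decoding the armored header, the old file lists ssh-ed25519 recipients DLMeFg, ZNqIog, s+qRfg and OEqMsg plus one X25519 recipient, while the new file lists only DLMeFg and OEqMsg plus X25519, which presumably reflects the secret leaving the home routers for britway. Re-encrypting to fewer hosts does not withdraw the key material those hosts already decrypted; if the pre-auth key inside is unchanged, it remains valid until it expires or is revoked on the control server (hs.nul.ie per tailscale.nix), so it is worth confirming that a fresh key was issued at the same time and that the routers' old node registrations were removed. This cannot be verified from the diff itself, so a sentence in the commit message stating whether the key was rotated would help future readers.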