Revert "nixos/home/routing-common: Move Tailscale to home routers"

This reverts commit 7c05b6158f.
2024-11-26 00:04:43 +00:00
parent 18981e240b
commit 6c98ef8944
4 changed files with 29 additions and 47 deletions
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
+  inherit (lib) concatStringsSep;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;

@@ -19,6 +20,10 @@ let
    });
  });

+  advRoutes = concatStringsSep "," [
+    lib.my.c.home.prefixes.all.v4
+    lib.my.c.home.prefixes.all.v6
+  ];
  pubNameservers = [
    "1.1.1.1"
    "1.0.0.1"
@@ -85,6 +90,7 @@ in
          "--login-server=https://hs.nul.ie"
          "--netfilter-mode=off"
          "--advertise-exit-node"
+          "--advertise-routes=${advRoutes}"
          "--accept-routes=false"
        ];
      };
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -1,7 +1,6 @@
 index: { lib, allAssignments, ... }:
 let
  inherit (builtins) elemAt;
-  inherit (lib) concatStringsSep;
  inherit (lib.my) net mkVLAN;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@@ -151,28 +150,6 @@ in
            };

            nginx.enable = true;
-
-            tailscale =
-            let
-              advRoutes = concatStringsSep "," [
-                prefixes.all.v4
-                prefixes.all.v6
-              ];
-            in
-            {
-              enable = true;
-              authKeyFile = config.age.secrets."tailscale-auth.key".path;
-              openFirewall = true;
-              interfaceName = "tailscale0";
-              extraUpFlags = [
-                "--operator=${config.my.user.config.name}"
-                "--login-server=https://hs.nul.ie"
-                "--netfilter-mode=off"
-                "--advertise-exit-node"
-                "--advertise-routes=${advRoutes}"
-                "--accept-routes=false"
-              ];
-            };
          };

          networking = { inherit domain; };
@@ -304,6 +281,15 @@ in
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
                      }
+
+                      {
+                        Destination = lib.my.c.tailscale.prefix.v4;
+                        Gateway = allAssignments.britway.as211024.ipv4.address;
+                      }
+                      {
+                        Destination = lib.my.c.tailscale.prefix.v6;
+                        Gateway = allAssignments.britway.as211024.ipv6.address;
+                      }
                    ];
                  }
                ];
@@ -330,7 +316,6 @@ in
            secrets = {
              files = {
                "l2mesh/as211024.key" = {};
-                "tailscale-auth.key" = {};
              };
            };

@@ -340,7 +325,7 @@ in
              };
            };
            firewall = {
-              trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
+              trustedInterfaces = [ "lan-hi" "lan-lo" ];
              udp.allowed = [ 5353 ];
              tcp.allowed = [ 5353 ];
              nat = {
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@@ -61,12 +61,7 @@ in
        v6Alive = pingScriptFor "v6" [ "2606:4700:4700::1111" "2001:4860:4860::8888" "2600::" ];
      };
      vrrpInstances = {
-        v4 = mkVRRP "v4" 51 // {
-          extraConfig = ''
-            notify_master "${config.systemd.package}/bin/systemctl start tailscaled.service" root
-            notify_backup "${config.systemd.package}/bin/systemctl stop tailscaled.service" root
-          '';
-        };
+        v4 = mkVRRP "v4" 51;
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root