Revert "nixos/home/routing-common: Move Tailscale to home routers"

This reverts commit 7c05b6158f.
2024-11-26 00:04:43 +00:00 · 2024-11-26 00:04:43 +00:00 · 6c98ef8944
commit 6c98ef8944
parent 18981e240b
4 changed files with 29 additions and 47 deletions
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
+  inherit (lib) concatStringsSep;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;

@ -19,6 +20,10 @@ let
    });
  });

+  advRoutes = concatStringsSep "," [
+    lib.my.c.home.prefixes.all.v4
+    lib.my.c.home.prefixes.all.v6
+  ];
  pubNameservers = [
    "1.1.1.1"
    "1.0.0.1"
@ -85,6 +90,7 @@ in
          "--login-server=https://hs.nul.ie"
          "--netfilter-mode=off"
          "--advertise-exit-node"
+          "--advertise-routes=${advRoutes}"
          "--accept-routes=false"
        ];
      };
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@ -1,7 +1,6 @@
 index: { lib, allAssignments, ... }:
 let
  inherit (builtins) elemAt;
-  inherit (lib) concatStringsSep;
  inherit (lib.my) net mkVLAN;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@ -151,28 +150,6 @@ in
            };

            nginx.enable = true;
-
-            tailscale =
-            let
-              advRoutes = concatStringsSep "," [
-                prefixes.all.v4
-                prefixes.all.v6
-              ];
-            in
-            {
-              enable = true;
-              authKeyFile = config.age.secrets."tailscale-auth.key".path;
-              openFirewall = true;
-              interfaceName = "tailscale0";
-              extraUpFlags = [
-                "--operator=${config.my.user.config.name}"
-                "--login-server=https://hs.nul.ie"
-                "--netfilter-mode=off"
-                "--advertise-exit-node"
-                "--advertise-routes=${advRoutes}"
-                "--accept-routes=false"
-              ];
-            };
          };

          networking = { inherit domain; };
@ -304,6 +281,15 @@ in
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
                      }
+
+                      {
+                        Destination = lib.my.c.tailscale.prefix.v4;
+                        Gateway = allAssignments.britway.as211024.ipv4.address;
+                      }
+                      {
+                        Destination = lib.my.c.tailscale.prefix.v6;
+                        Gateway = allAssignments.britway.as211024.ipv6.address;
+                      }
                    ];
                  }
                ];
@ -330,7 +316,6 @@ in
            secrets = {
              files = {
                "l2mesh/as211024.key" = {};
-                "tailscale-auth.key" = {};
              };
            };

@ -340,7 +325,7 @@ in
              };
            };
            firewall = {
-              trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
+              trustedInterfaces = [ "lan-hi" "lan-lo" ];
              udp.allowed = [ 5353 ];
              tcp.allowed = [ 5353 ];
              nat = {
--- a/nixos/boxes/home/routing-common/keepalived.nix
+++ b/nixos/boxes/home/routing-common/keepalived.nix
@ -61,12 +61,7 @@ in
        v6Alive = pingScriptFor "v6" [ "2606:4700:4700::1111" "2001:4860:4860::8888" "2600::" ];
      };
      vrrpInstances = {
-        v4 = mkVRRP "v4" 51 // {
-          extraConfig = ''
-            notify_master "${config.systemd.package}/bin/systemctl start tailscaled.service" root
-            notify_backup "${config.systemd.package}/bin/systemctl stop tailscaled.service" root
-          '';
-        };
+        v4 = mkVRRP "v4" 51;
        v6 = (mkVRRP "v6" 52) // {
          extraConfig = ''
            notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
--- a/secrets/tailscale-auth.key.age
+++ b/secrets/tailscale-auth.key.age
@ -1,18 +1,14 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBtay96
-encxaVJmQWhqenRmVjZkdDVFdnNINENTT0RLUGxsUkdoK1pvMjBjCjUycDh3ZTAr
-QnN5MkdaY1ozR1pRNGVVL0pQZWtYMXd0dlo3cnNiQWhjSkUKLT4gc3NoLWVkMjU1
-MTkgWk5xSW9nIDIvNFZURjZQeW4wRkpqZS9YRXhhRFYwMmx3Mks4czJidFo3elht
-ZVhBejQKTXpqUGVHcytSbENoc3hQZ01wcXBQMklMNU1XTnp4TmtvenFoaGphS3Qz
-MAotPiBzc2gtZWQyNTUxOSBzK3FSZmcgV2J4TlhYQXVwdisyWmF1QTkzUXUvNEVt
-ZTRoM0ppQVdFZDFsUCtYbnlUUQpqWmYxYTZ3ZnFVYk5SSWN5QUt4MFlUMFFrdDUx
-MjF6b1lDbkVaMElnLzNNCi0+IHNzaC1lZDI1NTE5IE9FcU1zZyByNWNDQkRmMHlD
-NFExRVk3MHhjYnREcXh2ZmVDMnNEaE5lWks2azlHTEVnCnNXQm94eTJPVk1mYmxZ
-U1RqRTE1bDVHNFY2c0VQS1QyQWx6TGRYL01HRzAKLT4gWDI1NTE5IFMrZnlnNTQ1
-UFdQZ0RnRUdiMkNTaXhjRnVFcUpULzJveFNyd2FGcmVJaDAKU2hzZ0NxYzU4ZEgv
-VnRqNlJIRmFHSisyWWlaTGVtbDFITHljWGt2b0V3bwotPiBbNFpCbn0tZ3JlYXNl
-IDxDeCBKbiBBP0ImJCBQClJBV2gwUy9ldUU0MUFPczFRTXVEeHR4akZqTEEKLS0t
-IFY1Z0V5Z1Z2U0Q4alFmaFV5bnY3QjRxOTlkTWRRL0hVTlRiWWk2MWdXdVkKS8oI
-z3Eyu1ZdBwLrTINoorZTBBgx8vp5iIdUevCg4dyH3WnkW/DHXZuuRGSH6xiSAroH
-JI5toFkwp3ZHWcodcYNvyP7ECRBsTyuCk7aRPgnZ
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyByYlJn
+aERLcEhadS9jVUlyUmgxWEk5K0U2cE9WUlhCc0ZXbzhDRnZLTERvCmo2Vy9XeFhq
+NTcwdG5PZjlDb1JIM3BYWEVzMlBFWHFmRWt2dkF2OEQ2TDQKLT4gc3NoLWVkMjU1
+MTkgT0VxTXNnIHROaUlGUExERTZFaU5QL3dBcFpQVWNobGQwSEZ1YTU3NXJkekRi
+c0RUMGsKUHg4V0hIdFJ0aGxwOTFhaVB6MUdVWE0wUFgrMjI2am5uZlhWL09ObjhB
+VQotPiBYMjU1MTkgTWwyQjZjcUFYQ01KUHpoajRrVkpZd0czSzVrMTZxdjVHaHRh
+bERCSjBqSQpYOXJibDZPM2Z6bkNCSGpMRExZT21UTzU0N0RiT2FNM0l3N1pnRkl6
+WUJBCi0+IE0qLWdyZWFzZSB6TDVwIGRiQm0gajFFIEVqUXcKU3pEOFBqRVQ0dDZi
+REszS1h0T2FnOFF6cHBrN2xtOHdEQkIrCi0tLSBTM3EwNHhDaEo1eldDOTN5dzQz
+Q3Rpeno1K25KRU15L01wU21tczNmdlVJCqHBdFLovtLJGH9IY86pvc3xhpoLnfI/
+OVAF5RdpR9T2oNCr3oAiVURkPocYXLHnbjZhLKoj3uDoSZAE52VN9l05jhyX1wwY
+/Vfnp48kP8xfbQ==
 -----END AGE ENCRYPTED FILE-----