diff --git a/nixos/boxes/britway/tailscale.nix b/nixos/boxes/britway/tailscale.nix
index 24bf38d..e8c4179 100644
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,6 +1,5 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
- inherit (lib) concatStringsSep;
 inherit (lib.my.c) pubDomain;
 inherit (lib.my.c.britway) prefixes domain;
@@ -20,10 +19,6 @@ let
 });
 });
- advRoutes = concatStringsSep "," [
- lib.my.c.home.prefixes.all.v4
- lib.my.c.home.prefixes.all.v6
- ];
 pubNameservers = [
 "1.1.1.1"
 "1.0.0.1"
@@ -92,7 +87,6 @@ in
 "--login-server=https://ts.nul.ie"
 "--netfilter-mode=off"
 "--advertise-exit-node"
- "--advertise-routes=${advRoutes}"
 "--accept-routes=false"
 ];
 };
diff --git a/nixos/boxes/home/routing-common/default.nix b/nixos/boxes/home/routing-common/default.nix
index 5f177fd..cc0ce2a 100644
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -1,6 +1,7 @@
 index: { lib, allAssignments, ... }:
 let
 inherit (builtins) elemAt;
+ inherit (lib) concatStringsSep;
 inherit (lib.my) net mkVLAN;
 inherit (lib.my.c) pubDomain;
 inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@@ -150,6 +151,28 @@ in
 };
 nginx.enable = true;
+
+ tailscale =
+ let
+ advRoutes = concatStringsSep "," [
+ prefixes.all.v4
+ prefixes.all.v6
+ ];
+ in
+ {
+ enable = true;
+ authKeyFile = config.age.secrets."tailscale-auth.key".path;
+ openFirewall = true;
+ interfaceName = "tailscale0";
+ extraUpFlags = [
+ "--operator=${config.my.user.config.name}"
+ "--login-server=https://ts.nul.ie"
+ "--netfilter-mode=off"
+ "--advertise-exit-node"
+ "--advertise-routes=${advRoutes}"
+ "--accept-routes=false"
+ ];
+ };
 };
 networking = { inherit domain; };
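Review bot: `config` is read twice in the new `tailscale` attrset (`authKeyFile = config.age.secrets."tailscale-auth.key".path` and `--operator=${config.my.user.config.name}`) but is not among the names bound at the top of this file (`index: { lib, allAssignments, ... }:`), so it must be supplied by an enclosing configuration function that begins outside this hunk; the attrset `tailscale` sits in also opens outside the hunk, so the binding is worth confirming rather than assuming. Because this module is parameterised by `index`, every router built from it now advertises the same home prefixes and offers itself as an exit node, which looks deliberate but is not stated anywhere; a comment above the block such as `# Every router built from this module advertises the home prefixes and an exit node` would record the intent. The secret referenced here carries the same name as the pre-existing `secrets/tailscale-auth.key.age`, which this commit re-encrypts rather than adds, so one pre-auth key appears to be shared across several nodes; if so, a comment next to `authKeyFile` noting that the key must be reusable and when it expires would help whoever rotates it.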
@@ -281,15 +304,6 @@ in
 Destination = lib.my.c.colony.prefixes.all.v4;
 Gateway = allAssignments.estuary.as211024.ipv4.address;
 }
-
- {
- Destination = lib.my.c.tailscale.prefix.v4;
- Gateway = allAssignments.britway.as211024.ipv4.address;
- }
- {
- Destination = lib.my.c.tailscale.prefix.v6;
- Gateway = allAssignments.britway.as211024.ipv6.address;
- }
 ];
 }
 ];
@@ -316,6 +330,7 @@ in
 secrets = {
 files = {
 "l2mesh/as211024.key" = {};
+ "tailscale-auth.key" = {};
 };
 };
@@ -325,7 +340,7 @@ in
 };
 };
 firewall = {
- trustedInterfaces = [ "lan-hi" "lan-lo" ];
+ trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
 udp.allowed = [ 5353 ];
 tcp.allowed = [ 5353 ];
 nat = {
diff --git a/secrets/tailscale-auth.key.age b/secrets/tailscale-auth.key.age
index d96cb96..001f2bd 100644
--- a/secrets/tailscale-auth.key.age
+++ b/secrets/tailscale-auth.key.age
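Review bot: Adding `"tailscale0"` to `trustedInterfaces` (presumably mapped onto `networking.firewall.trustedInterfaces` by the `my.firewall` module) exempts everything arriving from the tailnet from this host's input firewall, and since the same commit brings the interface up with `--netfilter-mode=off` (routing-common hunk at -150) Tailscale installs no filtering of its own, so which tailnet peers may reach the router's services, the advertised home prefixes and the exit node is decided solely by the ACL policy on the control server (`ts.nul.ie`). That dependency is invisible from this file; a comment on the new line, `# tailscale0 is fully trusted: peer access is governed only by the control-server ACLs`, would keep the two in sync when either changes. `openFirewall = true` in the tailscale block already opens the Tailscale UDP port, so trusting the whole interface is only needed if tailnet clients should reach services on the router itself; if that is not intended, leaving `"tailscale0"` out and listing the required ports under `udp.allowed`/`tcp.allowed` would be the narrower choice. The enclosing `firewall` attrset continues past the end of the hunk.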
@@ -1,16 +1,18 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyB4Y2th
-ZnZhNE42ZjJSWGx2OWQyY3lxeGc4eDdReHl1bDFXSGVnR2Q4TFhFCnRGLzJpWDVT
-NmN3bElxZmpYMEhPQnBtODYyTHJPTmFpaVppL1JkODFRVVEKLT4gc3NoLWVkMjU1
-MTkgT0VxTXNnIGlyMmlTV1Fvd3lXNFI1ZHdGNnk0R0RCN2ZOV3ExZHFLd2k3QnUr
-T2hyUTgKMzhlZEZ2alVnM1RHWW1xUE1FQXJlQjc0S0EyYmxscURKQWtybEFWdTA4
-TQotPiBYMjU1MTkgVDVkYmwzQTg0TDNnNVloeEtuS2R6OW42MFBNSys3bzVuSHY3
-OHpIMi9UNAplbmE3MTZCQ3U2VHVLL1ZQSkd4YnM4a0xnSmpuRnFxcUlnT1lESDMr
-MDU0Ci0+ICZUZShrPi1ncmVhc2UgSjIxRCA/U34Kd1ZFb1ZPTFJVeWs2bk1Tbktn
-aW1mUXRIWkthb0JFcnlCdHRmRFZ6Zm9CbnNtWmNZUytoR2w5M28xMUViamNtQQpO
-b2poelZ6cjY5ZUZjSnBJem1zeGlSQmUrQ1dUNyt6Mm5aZzNiSkt4S2tuT0JTdWRx
-ZGJvQ1gwR0h5QWtpRUlPClRCSQotLS0gT1BLSmFaRS84V1BKNVMrSG9rMUZMZWZY
-SlUvWnozb21JZmtPQkJVc1VTQQpuOl0YXqAckAY7DmUrZGjzFg1m6zmNKE2KBcin
-sd/Dn+pZpkPk/OID6XwCRTDJB6saD5mLMPooKAYYz0oEy1UA9z+S/Xn1E4X1yktV
-FQDy0wQ=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBtay96
+encxaVJmQWhqenRmVjZkdDVFdnNINENTT0RLUGxsUkdoK1pvMjBjCjUycDh3ZTAr
+QnN5MkdaY1ozR1pRNGVVL0pQZWtYMXd0dlo3cnNiQWhjSkUKLT4gc3NoLWVkMjU1
+MTkgWk5xSW9nIDIvNFZURjZQeW4wRkpqZS9YRXhhRFYwMmx3Mks4czJidFo3elht
+ZVhBejQKTXpqUGVHcytSbENoc3hQZ01wcXBQMklMNU1XTnp4TmtvenFoaGphS3Qz
+MAotPiBzc2gtZWQyNTUxOSBzK3FSZmcgV2J4TlhYQXVwdisyWmF1QTkzUXUvNEVt
+ZTRoM0ppQVdFZDFsUCtYbnlUUQpqWmYxYTZ3ZnFVYk5SSWN5QUt4MFlUMFFrdDUx
+MjF6b1lDbkVaMElnLzNNCi0+IHNzaC1lZDI1NTE5IE9FcU1zZyByNWNDQkRmMHlD
+NFExRVk3MHhjYnREcXh2ZmVDMnNEaE5lWks2azlHTEVnCnNXQm94eTJPVk1mYmxZ
+U1RqRTE1bDVHNFY2c0VQS1QyQWx6TGRYL01HRzAKLT4gWDI1NTE5IFMrZnlnNTQ1
+UFdQZ0RnRUdiMkNTaXhjRnVFcUpULzJveFNyd2FGcmVJaDAKU2hzZ0NxYzU4ZEgv
+VnRqNlJIRmFHSisyWWlaTGVtbDFITHljWGt2b0V3bwotPiBbNFpCbn0tZ3JlYXNl
+IDxDeCBKbiBBP0ImJCBQClJBV2gwUy9ldUU0MUFPczFRTXVEeHR4akZqTEEKLS0t
+IFY1Z0V5Z1Z2U0Q4alFmaFV5bnY3QjRxOTlkTWRRL0hVTlRiWWk2MWdXdVkKS8oI
+z3Eyu1ZdBwLrTINoorZTBBgx8vp5iIdUevCg4dyH3WnkW/DHXZuuRGSH6xiSAroH
+JI5toFkwp3ZHWcodcYNvyP7ECRBsTyuCk7aRPgnZ
 -----END AGE ENCRYPTED FILE-----