nixos/home/routing-common: Move Tailscale to home routers

2024-07-22 16:22:08 +01:00
parent c9ab90547f
commit 7c05b6158f
3 changed files with 41 additions and 30 deletions
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,6 +1,5 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
-  inherit (lib) concatStringsSep;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;

@@ -20,10 +19,6 @@ let
    });
  });

-  advRoutes = concatStringsSep "," [
-    lib.my.c.home.prefixes.all.v4
-    lib.my.c.home.prefixes.all.v6
-  ];
  pubNameservers = [
    "1.1.1.1"
    "1.0.0.1"
@@ -92,7 +87,6 @@ in
          "--login-server=https://ts.nul.ie"
          "--netfilter-mode=off"
          "--advertise-exit-node"
-          "--advertise-routes=${advRoutes}"
          "--accept-routes=false"
        ];
      };
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -1,6 +1,7 @@
 index: { lib, allAssignments, ... }:
 let
  inherit (builtins) elemAt;
+  inherit (lib) concatStringsSep;
  inherit (lib.my) net mkVLAN;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@@ -150,6 +151,28 @@ in
            };

            nginx.enable = true;
+
+            tailscale =
+            let
+              advRoutes = concatStringsSep "," [
+                prefixes.all.v4
+                prefixes.all.v6
+              ];
+            in
+            {
+              enable = true;
+              authKeyFile = config.age.secrets."tailscale-auth.key".path;
+              openFirewall = true;
+              interfaceName = "tailscale0";
+              extraUpFlags = [
+                "--operator=${config.my.user.config.name}"
+                "--login-server=https://ts.nul.ie"
+                "--netfilter-mode=off"
+                "--advertise-exit-node"
+                "--advertise-routes=${advRoutes}"
+                "--accept-routes=false"
+              ];
+            };
          };

          networking = { inherit domain; };
@@ -281,15 +304,6 @@ in
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
                      }
-
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v4;
-                        Gateway = allAssignments.britway.as211024.ipv4.address;
-                      }
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v6;
-                        Gateway = allAssignments.britway.as211024.ipv6.address;
-                      }
                    ];
                  }
                ];
@@ -316,6 +330,7 @@ in
            secrets = {
              files = {
                "l2mesh/as211024.key" = {};
+                "tailscale-auth.key" = {};
              };
            };

@@ -325,7 +340,7 @@ in
              };
            };
            firewall = {
-              trustedInterfaces = [ "lan-hi" "lan-lo" ];
+              trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
              udp.allowed = [ 5353 ];
              tcp.allowed = [ 5353 ];
              nat = {