nixos/home/routing-common: Move Tailscale to home routers

2024-07-22 16:22:08 +01:00
parent c9ab90547f
commit 7c05b6158f
3 changed files with 41 additions and 30 deletions
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -1,6 +1,5 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
-  inherit (lib) concatStringsSep;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.britway) prefixes domain;

@@ -20,10 +19,6 @@ let
    });
  });

-  advRoutes = concatStringsSep "," [
-    lib.my.c.home.prefixes.all.v4
-    lib.my.c.home.prefixes.all.v6
-  ];
  pubNameservers = [
    "1.1.1.1"
    "1.0.0.1"
@@ -92,7 +87,6 @@ in
          "--login-server=https://ts.nul.ie"
          "--netfilter-mode=off"
          "--advertise-exit-node"
-          "--advertise-routes=${advRoutes}"
          "--accept-routes=false"
        ];
      };
--- a/nixos/boxes/home/routing-common/default.nix
+++ b/nixos/boxes/home/routing-common/default.nix
@@ -1,6 +1,7 @@
 index: { lib, allAssignments, ... }:
 let
  inherit (builtins) elemAt;
+  inherit (lib) concatStringsSep;
  inherit (lib.my) net mkVLAN;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.home) domain vlans prefixes vips routers routersPubV4;
@@ -150,6 +151,28 @@ in
            };

            nginx.enable = true;
+
+            tailscale =
+            let
+              advRoutes = concatStringsSep "," [
+                prefixes.all.v4
+                prefixes.all.v6
+              ];
+            in
+            {
+              enable = true;
+              authKeyFile = config.age.secrets."tailscale-auth.key".path;
+              openFirewall = true;
+              interfaceName = "tailscale0";
+              extraUpFlags = [
+                "--operator=${config.my.user.config.name}"
+                "--login-server=https://ts.nul.ie"
+                "--netfilter-mode=off"
+                "--advertise-exit-node"
+                "--advertise-routes=${advRoutes}"
+                "--accept-routes=false"
+              ];
+            };
          };

          networking = { inherit domain; };
@@ -281,15 +304,6 @@ in
                        Destination = lib.my.c.colony.prefixes.all.v4;
                        Gateway = allAssignments.estuary.as211024.ipv4.address;
                      }
-
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v4;
-                        Gateway = allAssignments.britway.as211024.ipv4.address;
-                      }
-                      {
-                        Destination = lib.my.c.tailscale.prefix.v6;
-                        Gateway = allAssignments.britway.as211024.ipv6.address;
-                      }
                    ];
                  }
                ];
@@ -316,6 +330,7 @@ in
            secrets = {
              files = {
                "l2mesh/as211024.key" = {};
+                "tailscale-auth.key" = {};
              };
            };

@@ -325,7 +340,7 @@ in
              };
            };
            firewall = {
-              trustedInterfaces = [ "lan-hi" "lan-lo" ];
+              trustedInterfaces = [ "lan-hi" "lan-lo" "tailscale0" ];
              udp.allowed = [ 5353 ];
              tcp.allowed = [ 5353 ];
              nat = {
--- a/secrets/tailscale-auth.key.age
+++ b/secrets/tailscale-auth.key.age
@@ -1,16 +1,18 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyB4Y2th
-ZnZhNE42ZjJSWGx2OWQyY3lxeGc4eDdReHl1bDFXSGVnR2Q4TFhFCnRGLzJpWDVT
-NmN3bElxZmpYMEhPQnBtODYyTHJPTmFpaVppL1JkODFRVVEKLT4gc3NoLWVkMjU1
-MTkgT0VxTXNnIGlyMmlTV1Fvd3lXNFI1ZHdGNnk0R0RCN2ZOV3ExZHFLd2k3QnUr
-T2hyUTgKMzhlZEZ2alVnM1RHWW1xUE1FQXJlQjc0S0EyYmxscURKQWtybEFWdTA4
-TQotPiBYMjU1MTkgVDVkYmwzQTg0TDNnNVloeEtuS2R6OW42MFBNSys3bzVuSHY3
-OHpIMi9UNAplbmE3MTZCQ3U2VHVLL1ZQSkd4YnM4a0xnSmpuRnFxcUlnT1lESDMr
-MDU0Ci0+ICZUZShrPi1ncmVhc2UgSjIxRCA/U34Kd1ZFb1ZPTFJVeWs2bk1Tbktn
-aW1mUXRIWkthb0JFcnlCdHRmRFZ6Zm9CbnNtWmNZUytoR2w5M28xMUViamNtQQpO
-b2poelZ6cjY5ZUZjSnBJem1zeGlSQmUrQ1dUNyt6Mm5aZzNiSkt4S2tuT0JTdWRx
-ZGJvQ1gwR0h5QWtpRUlPClRCSQotLS0gT1BLSmFaRS84V1BKNVMrSG9rMUZMZWZY
-SlUvWnozb21JZmtPQkJVc1VTQQpuOl0YXqAckAY7DmUrZGjzFg1m6zmNKE2KBcin
-sd/Dn+pZpkPk/OID6XwCRTDJB6saD5mLMPooKAYYz0oEy1UA9z+S/Xn1E4X1yktV
-FQDy0wQ=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IERMTWVGZyBtay96
+encxaVJmQWhqenRmVjZkdDVFdnNINENTT0RLUGxsUkdoK1pvMjBjCjUycDh3ZTAr
+QnN5MkdaY1ozR1pRNGVVL0pQZWtYMXd0dlo3cnNiQWhjSkUKLT4gc3NoLWVkMjU1
+MTkgWk5xSW9nIDIvNFZURjZQeW4wRkpqZS9YRXhhRFYwMmx3Mks4czJidFo3elht
+ZVhBejQKTXpqUGVHcytSbENoc3hQZ01wcXBQMklMNU1XTnp4TmtvenFoaGphS3Qz
+MAotPiBzc2gtZWQyNTUxOSBzK3FSZmcgV2J4TlhYQXVwdisyWmF1QTkzUXUvNEVt
+ZTRoM0ppQVdFZDFsUCtYbnlUUQpqWmYxYTZ3ZnFVYk5SSWN5QUt4MFlUMFFrdDUx
+MjF6b1lDbkVaMElnLzNNCi0+IHNzaC1lZDI1NTE5IE9FcU1zZyByNWNDQkRmMHlD
+NFExRVk3MHhjYnREcXh2ZmVDMnNEaE5lWks2azlHTEVnCnNXQm94eTJPVk1mYmxZ
+U1RqRTE1bDVHNFY2c0VQS1QyQWx6TGRYL01HRzAKLT4gWDI1NTE5IFMrZnlnNTQ1
+UFdQZ0RnRUdiMkNTaXhjRnVFcUpULzJveFNyd2FGcmVJaDAKU2hzZ0NxYzU4ZEgv
+VnRqNlJIRmFHSisyWWlaTGVtbDFITHljWGt2b0V3bwotPiBbNFpCbn0tZ3JlYXNl
+IDxDeCBKbiBBP0ImJCBQClJBV2gwUy9ldUU0MUFPczFRTXVEeHR4akZqTEEKLS0t
+IFY1Z0V5Z1Z2U0Q4alFmaFV5bnY3QjRxOTlkTWRRL0hVTlRiWWk2MWdXdVkKS8oI
+z3Eyu1ZdBwLrTINoorZTBBgx8vp5iIdUevCg4dyH3WnkW/DHXZuuRGSH6xiSAroH
+JI5toFkwp3ZHWcodcYNvyP7ECRBsTyuCk7aRPgnZ
 -----END AGE ENCRYPTED FILE-----