From bb8ce6e9ff50e562fb4c53c686a7c175c09c04e9 Mon Sep 17 00:00:00 2001
From: Nathan McCarty
Date: Tue, 14 Jun 2022 13:42:32 -0400
Subject: [PATCH] Add tailscale

---
 applications/devel-kotlin.nix |  1 +
 flake.nix                     |  2 ++
 modules/tailscale.nix         | 52 +++++++++++++++++++++++++++
 secrets/tailscale.yaml        | 66 +++++++++++++++++++++++++++++++++++
 4 files changed, 121 insertions(+)
 create mode 100644 modules/tailscale.nix
 create mode 100644 secrets/tailscale.yaml

diff --git a/applications/devel-kotlin.nix b/applications/devel-kotlin.nix
index 15e7473..ce6afee 100644
--- a/applications/devel-kotlin.nix
+++ b/applications/devel-kotlin.nix
@@ -3,6 +3,7 @@
 {
   environment.systemPackages = with unstable; [
     java.packages.${system}.semeru-stable
+    gradle
     kotlin
     kotlin-native
     kotlin-language-server
diff --git a/flake.nix b/flake.nix
index 541ef61..b0b220f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -133,6 +133,7 @@
         ./modules/printing.nix
         ./modules/zt.nix
         ./modules/lxc.nix
+        ./modules/tailscale.nix
         ./modules/protonmail.nix
         ./applications/communications.nix
         ./applications/devel-core.nix
@@ -151,6 +152,7 @@
         ./home-linux.nix
         ./modules/zt.nix
         ./modules/autoupdate.nix
+        ./modules/tailscale.nix
         ./applications/devel-core.nix
         ./applications/devel-core-linux.nix
       ];
diff --git a/modules/tailscale.nix b/modules/tailscale.nix
new file mode 100644
index 0000000..866f9d4
--- /dev/null
+++ b/modules/tailscale.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    tailscale
+  ];
+
+  # Enable the service
+  services.tailscale = {
+    enable = true;
+  };
+
+  # Setup sops
+  sops.secrets."tailscale-auth" = {
+    format = "yaml";
+    sopsFile = ../secrets/tailscale.yaml;
+  };
+
+  # Oneshot job to authenticate to tailscale
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets."tailscale-auth".path})
+    '';
+  };
+
+  # Configure firewall for tailscale
+  networking.firewall = {
+    checkReversePath = "loose";
+    trustedInterfaces = [ "tailscale0" ];
+  };
+}
diff --git a/secrets/tailscale.yaml b/secrets/tailscale.yaml
new file mode 100644
index 0000000..70f4641
--- /dev/null
+++ b/secrets/tailscale.yaml
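Review bot: The gate that decides whether `tailscale up` runs, `if [ $status = "Running" ]`, leaves `$status` unquoted, and nothing checks that the `tailscale status -json | jq` probe actually got an answer; if tailscaled is still starting after the fixed `sleep 2`, jq emits nothing, the substitution is empty and the test becomes `[ = "Running" ]`, a syntax error that makes the oneshot exit without ever authenticating. Quote it so an empty or odd probe result falls through to the `up` call: `if [ "$status" = "Running" ]; then`. Separately, `-authkey $(cat ...)` passes the decrypted key as a command-line argument, which is readable via /proc/<pid>/cmdline by any local user for the duration of the call; if the packaged tailscale accepts the `file:` prefix, `--auth-key=file:${config.sops.secrets."tailscale-auth".path}` keeps the key out of argv. Finally, `trustedInterfaces = [ "tailscale0" ]` exposes every local port to every tailnet peer and `checkReversePath = "loose"` relaxes rpfilter host-wide, which may well be intended but deserves a comment such as `# all tailnet peers bypass the host firewall; access control is the tailnet ACL`.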
@@ -0,0 +1,66 @@ +tailscale-auth: ENC[AES256_GCM,data:Xp3WPLuOkjgXa85Xtx5LqKSn3M4uRtPwVRJco0yctvdftsCh00NFzA==,iv:lVqOkksJha0tw3yZyeWdOhpB3omQ8WDya2OTeDcrP54=,tag:C3JOb7hG++wgJZSN2dFMmA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OWM5NzlFd09POHJKZmVM + MFhqZFNiUUxBU3p1NHBBTERMd0tWak8zL2pBCjFldDdlUzd4TFI5b09PNFhtRHlT + Z1VuRVNnK0xlTFNEMjFxUmFqMWJIQlkKLS0tIExLaDBkdytZbTc0b2d1enlBUGQr + RzZJR3RmQ1haa25hZzNVVGpXdXcxczgK4NoVyME5fmgDV9sWg0GjB8bvlYFJtF+l + NM+gug2ZAxhx8AuRt89oYqhKLxzEDfEtGpX02kbLWZ0RTTDLlqmDKQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL2UzdGM5a2FJbjhFYkdX + NHhzeGFTcXArV05nTmlBWjY4OUtDaldpYWdNCkl5aWZvRXhkTHNJdnBWa0tzY3Vy + eUZjanJybEVJeXBDOHpvRDVWM2NkTVUKLS0tIHB0UHQ4MFZpVVdKM2pYNkJkYTAz + MFlIdHJBN3FEVE5FR3Bud3dvcHhuQm8KiQSQ38odsEfJusja9/ouwxSNFeis3ISB + hvrkz6R0WPU22dcpJyFuVMlnTvtkKakabYhWuLlZLzBB8qwGsB1WRA== + -----END AGE ENCRYPTED FILE----- + - recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUDZ3Zitodll4VXZoazRM + UXZ3N0FUVG9EMlIxVUlpS21UcXg1V3dPRGhRCjg5ekZ1UUErcitDMU5KeWlGK0Np + clhlMHk0WVc2MVBYNnZVN3NLKzV6Zk0KLS0tIFprYWVZbkFMYjQ0dlIwTWNDSzlj + ekdGVGFwL0NZakJzb0hEbDRKMmZkZDQKfxr3gdNKkF0x4WIVQweC3ZoV38YZCqUm + bzpfbkM0zpbL8+uNc4p6kqHhC3MktuV454FiS/UXpeazLa2s4VtM+Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJQ1BQSnduMmduTDd4S0Zx + WE5sL2wxRk9HQ2JmVTB6Vk9DN2k3MEhBWkdJCjU1b1FHb2lRL2Y2K0J5dE1zQ1Bm + 
YjE4eDZ1dWNEVXFoWndFNFloK3RiNmcKLS0tIElQNEt5c2tGNHpERHlBUDlrWGJq + K0RySWMyOEsyYUIxM0U0Z2FNNlVsMDgKRPckpbJeAnCJuKb0zaEPQFoQ9ScvPJHN + NEHeVV68iPKmNWrS8DAYaaeyYcADjxA/JuOUmrA6Uigbgl5rmWQR3A== + -----END AGE ENCRYPTED FILE----- + - recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWXB5Qm44dDBWNWMrWmNa + aWNOM2tIcVAxU0JqU282KzhGMG5FYWhEYW53CjRXSWxyVGVLVTRKMHJ5ejJ5eWJF + a1k1VTZUUW9ycmV5dEo2TU5FYWNTNTAKLS0tIDlYZ2ROYUtXYkhDTFBmRndzWnZ3 + MmtaaEIvd2tlV3hRdGlVcmV3SXZaQ0EK78lpqMOPuyMh8NFdSCpPwQov6j0kVwKX + 3pTSG7i9fduwOygCynn/Be6W+5G5iI448lxSCfHLoESACZpiFpc+nA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0R3BzM2p3SUp3R0ZLOG9R + V29ESE8zU1J2Q01vclRRSXUyOXNCeW8zK1JVClBxUDdqZkoybW8ydkpDTnZkY1Bo + OXNjR3NrZVRMbzUrMVBlS2VJTXlxRjAKLS0tIFBsa1NmdjdrT0VFd0ZRV3BIck1x + bnhDdUV4SGh4QXJIUEZDOWptNkxhUTgKGUGoazZzBYWpMqLJcrryJAYWe84ttGoP + 6o0hlKQf4XlcouqxYoY754uO4Xrvr51aaNqmUGgToc0zlFcTRvrK5A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-06-14T17:48:23Z" + mac: ENC[AES256_GCM,data:z2CU/geAuYKDsdoASsxDK4trIVqsPfr2sHw5D92g6uiUoQDOUXf5/ihQxJvgcKWCxYixZnZ4zsNCkd11YU52oNUdY7LZqg9X8C941WGsqKLBzRTI875EYK50MFO22RaBKWSgJYHasWhh6OIgLjyw1VL1HWcKlN8kuTYV33Uo/2g=,iv:NFornFaSHy1aRBOWl0O6kmbvGcDJbZM0JOj3iagFNUM=,tag:V/AlMWy0Jk4V+ZC2XsTaBA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3