nix
/
System
2
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add tailscale

This commit is contained in:
Nathan McCarty 2022-06-14 13:42:32 -04:00
parent afb054815f
commit bb8ce6e9ff
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
4 changed files with 121 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
applications/devel-kotlin.nix
View File

@ -3,6 +3,7 @@
{
environment.systemPackages = with unstable; [
java.packages.${system}.semeru-stable
gradle
kotlin
kotlin-native
kotlin-language-server

2
flake.nix
View File

@ -133,6 +133,7 @@
./modules/printing.nix
./modules/zt.nix
./modules/lxc.nix
./modules/tailscale.nix
./modules/protonmail.nix
./applications/communications.nix
./applications/devel-core.nix
@ -151,6 +152,7 @@
./home-linux.nix
./modules/zt.nix
./modules/autoupdate.nix
./modules/tailscale.nix
./applications/devel-core.nix
./applications/devel-core-linux.nix
];

52
modules/tailscale.nix Normal file
View File

@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
tailscale
];
# Enable the service
services.tailscale = {
enable = true;
};
# Setup sops
sops.secrets."tailscale-auth" = {
format = "yaml";
sopsFile = ../secrets/tailscale.yaml;
};
# Oneshot job to authenticate to tailscale
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets."tailscale-auth".path})
'';
};
# Configure firewall for tailscale
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
};
}

66
secrets/tailscale.yaml Normal file
View File

@ -0,0 +1,66 @@
tailscale-auth: ENC[AES256_GCM,data:Xp3WPLuOkjgXa85Xtx5LqKSn3M4uRtPwVRJco0yctvdftsCh00NFzA==,iv:lVqOkksJha0tw3yZyeWdOhpB3omQ8WDya2OTeDcrP54=,tag:C3JOb7hG++wgJZSN2dFMmA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OWM5NzlFd09POHJKZmVM
MFhqZFNiUUxBU3p1NHBBTERMd0tWak8zL2pBCjFldDdlUzd4TFI5b09PNFhtRHlT
Z1VuRVNnK0xlTFNEMjFxUmFqMWJIQlkKLS0tIExLaDBkdytZbTc0b2d1enlBUGQr
RzZJR3RmQ1haa25hZzNVVGpXdXcxczgK4NoVyME5fmgDV9sWg0GjB8bvlYFJtF+l
NM+gug2ZAxhx8AuRt89oYqhKLxzEDfEtGpX02kbLWZ0RTTDLlqmDKQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL2UzdGM5a2FJbjhFYkdX
NHhzeGFTcXArV05nTmlBWjY4OUtDaldpYWdNCkl5aWZvRXhkTHNJdnBWa0tzY3Vy
eUZjanJybEVJeXBDOHpvRDVWM2NkTVUKLS0tIHB0UHQ4MFZpVVdKM2pYNkJkYTAz
MFlIdHJBN3FEVE5FR3Bud3dvcHhuQm8KiQSQ38odsEfJusja9/ouwxSNFeis3ISB
hvrkz6R0WPU22dcpJyFuVMlnTvtkKakabYhWuLlZLzBB8qwGsB1WRA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUDZ3Zitodll4VXZoazRM
UXZ3N0FUVG9EMlIxVUlpS21UcXg1V3dPRGhRCjg5ekZ1UUErcitDMU5KeWlGK0Np
clhlMHk0WVc2MVBYNnZVN3NLKzV6Zk0KLS0tIFprYWVZbkFMYjQ0dlIwTWNDSzlj
ekdGVGFwL0NZakJzb0hEbDRKMmZkZDQKfxr3gdNKkF0x4WIVQweC3ZoV38YZCqUm
bzpfbkM0zpbL8+uNc4p6kqHhC3MktuV454FiS/UXpeazLa2s4VtM+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJQ1BQSnduMmduTDd4S0Zx
WE5sL2wxRk9HQ2JmVTB6Vk9DN2k3MEhBWkdJCjU1b1FHb2lRL2Y2K0J5dE1zQ1Bm
YjE4eDZ1dWNEVXFoWndFNFloK3RiNmcKLS0tIElQNEt5c2tGNHpERHlBUDlrWGJq
K0RySWMyOEsyYUIxM0U0Z2FNNlVsMDgKRPckpbJeAnCJuKb0zaEPQFoQ9ScvPJHN
NEHeVV68iPKmNWrS8DAYaaeyYcADjxA/JuOUmrA6Uigbgl5rmWQR3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWXB5Qm44dDBWNWMrWmNa
aWNOM2tIcVAxU0JqU282KzhGMG5FYWhEYW53CjRXSWxyVGVLVTRKMHJ5ejJ5eWJF
a1k1VTZUUW9ycmV5dEo2TU5FYWNTNTAKLS0tIDlYZ2ROYUtXYkhDTFBmRndzWnZ3
MmtaaEIvd2tlV3hRdGlVcmV3SXZaQ0EK78lpqMOPuyMh8NFdSCpPwQov6j0kVwKX
3pTSG7i9fduwOygCynn/Be6W+5G5iI448lxSCfHLoESACZpiFpc+nA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0R3BzM2p3SUp3R0ZLOG9R
V29ESE8zU1J2Q01vclRRSXUyOXNCeW8zK1JVClBxUDdqZkoybW8ydkpDTnZkY1Bo
OXNjR3NrZVRMbzUrMVBlS2VJTXlxRjAKLS0tIFBsa1NmdjdrT0VFd0ZRV3BIck1x
bnhDdUV4SGh4QXJIUEZDOWptNkxhUTgKGUGoazZzBYWpMqLJcrryJAYWe84ttGoP
6o0hlKQf4XlcouqxYoY754uO4Xrvr51aaNqmUGgToc0zlFcTRvrK5A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-14T17:48:23Z"
mac: ENC[AES256_GCM,data:z2CU/geAuYKDsdoASsxDK4trIVqsPfr2sHw5D92g6uiUoQDOUXf5/ihQxJvgcKWCxYixZnZ4zsNCkd11YU52oNUdY7LZqg9X8C941WGsqKLBzRTI875EYK50MFO22RaBKWSgJYHasWhh6OIgLjyw1VL1HWcKlN8kuTYV33Uo/2g=,iv:NFornFaSHy1aRBOWl0O6kmbvGcDJbZM0JOj3iagFNUM=,tag:V/AlMWy0Jk4V+ZC2XsTaBA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3