feat: add tailscale

Tailscale is a VPN that makes it easy to connect many different devices
together and reach them via easy-to-remember names. We want to use it to
make development and server management easier.

Change-Id: I76a95258664410ba0e10a08853c646aa54689714
Reviewed-on: https://git.clicks.codes/c/Chimera/NixFiles/+/738
Reviewed-by: Samuel Shuert <coded@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/modules/nixos/tailscale/default.nix b/modules/nixos/tailscale/default.nix
new file mode 100644
index 0000000..4ae39d9
--- /dev/null
+++ b/modules/nixos/tailscale/default.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.chimera.networking.tailscale;
+in {
+  options.chimera.networking.tailscale = {
+    enable = lib.mkOption {
+      description = "Enable tailscale for this system";
+      default = true;
+      type = lib.types.bool;
+    };
+    runExitNode.enable = lib.mkEnableOption "Enable this system as an exit node on the tailnet";
+    server = lib.mkOption {
+      description = "Set where your control plane server is";
+      default = "https://clicks.domains";
+      example = "https://controlplane.tailscale.com";
+    };
+    authKeyFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      description = "Path to key file for tailscale";
+      default = null;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = if cfg.runExitNode.enable then "server" else "client";
+      extraUpFlags = [
+        "--login-server=${cfg.server}"
+        "--accept-routes"
+        "--ssh"
+      ] ++ (if cfg.runExitNode.enable then [
+        "--advertise-exit-node"
+        "--exit-node-allow-lan-access"
+      ] else []);
+      authKeyFile = lib.mkIf (cfg.authKeyFile != null) cfg.authKeyFile;
+    };
+  };
+}
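Review bot: `--ssh` is passed unconditionally in `extraUpFlags` and `enable` defaults to `true`, so every host that imports this module starts accepting Tailscale SSH sessions, with authorization decided entirely by the ACL policy on the control server at `cfg.server`. I would gate it behind its own opt-in option, e.g. `ssh.enable = lib.mkEnableOption "Tailscale SSH on this node";` with `++ lib.optional cfg.ssh.enable "--ssh"`, and consider the same for `--accept-routes`, which installs whatever subnet routes the control plane approves. A comment next to `extraUpFlags` would also help: as far as I know the upstream NixOS module only applies these flags in the autoconnect unit that exists when `authKeyFile` is set, so a host left at `authKeyFile = null` never receives `--login-server` and a manual `tailscale up` has to pass it by hand. Finally, `server` should declare `type = lib.types.str;` so a non-string value fails at evaluation rather than being interpolated into the flag.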
diff --git a/systems/x86_64-linux/greylag/networking/default.nix b/systems/x86_64-linux/greylag/networking/default.nix
index e757b94..b0bdd4d 100644
--- a/systems/x86_64-linux/greylag/networking/default.nix
+++ b/systems/x86_64-linux/greylag/networking/default.nix
@@ -1,4 +1,15 @@
-{
+{ config, ... }: {
   networking.hostName = "greylag";
   networking.useDHCP = true;
+
+  chimera.networking.tailscale.authKeyFile = config.sops.secrets."systems/x86_64-linux/greylag/networking/tailscale.sops.minion.json:authkey".path;
+
+  sops.secrets."systems/x86_64-linux/greylag/networking/tailscale.sops.minion.json:authkey" = {
+    mode = "0400";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ./tailscale.sops.minion.json;
+    format = "json";
+    key = "authkey";
+  };
 }
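Review bot: Nothing next to `chimera.networking.tailscale.authKeyFile` records what kind of pre-auth key this is, and the decrypted key stays readable by root on greylag for as long as the secret is deployed, well after the node has joined. I would add a comment above the `sops.secrets` entry such as `# single-use, expiring pre-auth key; only needed for greylag's first join, revoke on the control server afterwards`, adjusted to whatever is actually true of the key, which the diff cannot show. On style, the long secret name is spelled out twice; binding it once in a `let` and using that name on both lines keeps the `.path` reference and the declaration from drifting apart.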
diff --git a/systems/x86_64-linux/greylag/networking/tailscale.sops.minion.json b/systems/x86_64-linux/greylag/networking/tailscale.sops.minion.json
new file mode 100644
index 0000000..2268a83
--- /dev/null
+++ b/systems/x86_64-linux/greylag/networking/tailscale.sops.minion.json
@@ -0,0 +1,26 @@
+{
+	"authkey": "ENC[AES256_GCM,data:8GSAz+2pFCBA983yRxjXZs95cjMHDJef5M5CdoabgriXV50apGv2Rsrdq0zze+Rg,iv:pn3dNYdE5wfHAaWXGqWrF+4ZufAYYOANR2MArwbOMIg=,tag:DS+1sX1PwpEqXwTpBcnk+w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-06-09T13:15:18Z",
+		"mac": "ENC[AES256_GCM,data:zMznJPJSKRqnmHcR5sEpiT/MlAyQD+TMD6bDu16pXKuJ+ohBD3hh2V/6Xd+8f/XOlhc8/5Xbn09nfIv5bFrMWTeV847HwASqfgpgqcHHUhqm6n7CViTWcUvte0/7hbPkVX9lSnzxDF+MTNGRW99WblSV1dUrYKvrvZ5VCjyez6Y=,iv:fI59mOUF2Dd9fVG46+nekKTKPpQLxQykejn/9962ras=,tag:tEtAS/n1btHRyeR19A/bjA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-06-09T13:14:59Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DxpBiwsu2o5wSAQdAWRG42ZYzL+dKmhakA9vSsvV4WclL1hHCPVBLMYzg02cw\nd+93XvutM6Cb+/haZol+WTdLEYxdpWh5fc/4iG5ZfNVUc7MnfBacXG71kZrqXizD\n0l4Blk8CUY4X9f4zP7Dw0PRMirq4At/swSt6vWPt9cC8NlwggC4NPLWbWvjBwTYm\noCHktEmc5+/EDbDAqLTaDecXQCMd3iAxe+ow8xMXbvRfTdwThw1YAp5iu+az4ns1\n=4cLq\n-----END PGP MESSAGE-----",
+				"fp": "76E0B09A741C4089522111E5F27E3E5922772E7A"
+			},
+			{
+				"created_at": "2024-06-09T13:14:59Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA1IsbSgNVFwAARAAhOmI/MohydBpVpEG25tRZE4nx0xOa+jvowB3L+NcJT5r\n0+znSRzM8bcLpw4hP48RjLlA4ijVdX7u9MOd3VLFzplHN0sjpwuBrbrcll/o5RyN\nE64Yb5Wvn0EgDO3O2VnsDSjsRhjyOXchHUdEZcUwrfiSukx/ThMu/f2u9m9ClKDi\nczpl5HyEyk3iw/C3klPYZhwQV7jbNC2NQdjoLrFAi5uXenqeVkN0qvnBq1cmFcYO\n5iuVDIBVrJXrpg3EIJZjt7GmQWsSUFLdRqHr+bkjLMhmxaRBip83oPWEyrDK9D5k\nAmQGlgfCTJzREdmh9j5SlDLmwv0YHM45nO2vdtD5S7lLb8kY6sywoLEciOHmIOlH\nEPBeMKvS4mZwbwsjnZ5iSxVaIPQMmaTLBYPyUiDark1Nfd4RXKIFXbVwoKWUh93w\nZybs2y8Lc0lJ/9H9vgY97YZStuOGl+3arHRlJwQ+FGjEAzxOnaC33bjYXAvWWaV9\nZCPqLHsrCplRfdzW1Y0ngWnTPAgSjewG0QJ3wV1J91kzrhPDBwpuf8JukFzzgmAI\nt+0jiPKzn35fu5m8aPsYGG+wnXjn1f/1zjs4izjNGlL+DKfXz4DuyHr7ymodUWBP\nHckv3g3uMpjwotlYJXAKgWEgpZyWNnrsYGRC1wwhLqS4tWPyaDAoTaMmQcHY/fLS\nWAGYDhKv08RQiMPyh919pmZswJBBstDZkaf5yYAM3ikInT2Ayn5RVKaDMjg39Z7A\nAuFI7NHbuYqLYRnWjsG0TMsptSIhpKUPchFHVUuLZ+wqpcRUGzopHh8=\n=pTtn\n-----END PGP MESSAGE-----",
+				"fp": "047bf8897df877fe86133e98522c6d280d545c00"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
\ No newline at end of file