fix(teal.headscale): Allow access to the internet

Previously internet access was denied by ACLs, so even if you did set up
an exit node no traffic would flow.

In Tailscale there's a thing called "autogroup:internet", which is a
list of all the IP addresses in the internet. That's awesome, but sadly
it's not yet supported in headscale (it's in the upcoming release).

We can define our own internet. We can't use builtin groups (because
they're IPs not users) and we can't use builtin hosts (because there's
no way I could find to specify multiple prefixes for a host), however
Nix comes to our rescue and gives us the ability to define a list and
map over it.

There's one more cursed hack: the IPv6 address space uses colons (::) to
denote separators. Unfortunately, including the address as-is leaves us
with a mixup where headscale interprets part of the address as a port,
considers the ACLs broken and refuses to start. Luckily, as there's only
one affected address we can pretty easily define a host for it, which
solves the issue as the parsing happens earlier... yay..?

Change-Id: Id4d51cd6b358a6cd150d7221087564882efd4e2c
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/754
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
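The approach the commit message describes, written out as an added example (this is not the NixFiles repository's own module): the "internet" is a Nix list of prefixes mapped into `dst` entries, and the one IPv6 range is given a named host so its colons are never parsed as a port. The prefix values, the group name and the use of `builtins.toJSON` to produce the headscale policy file are assumptions for illustration.

```nix
# Added example, not the repository's own code: build a headscale ACL policy
# in which "the internet" is a hand-maintained list of prefixes.
# The prefixes below are illustrative placeholders, not the real list.
let
  # IPv4 prefixes contain no colons, so "<prefix>:*" is parsed as intended.
  internetV4 = [
    "1.0.0.0/8"   # placeholder range
    "8.0.0.0/7"   # placeholder range
  ];

  # The IPv6 range contains "::". Writing it inline as "2000::/3:*" trips
  # headscale's host:port split, so it is registered as a named host instead
  # and referenced by that name in "dst" (hosts are resolved first).
  internetV6 = "2000::/3";   # global unicast, placeholder for the real range

  policy = {
    groups = {
      "group:members" = [ "alice" ];   # assumed headscale user name
    };

    hosts = {
      internet-v6 = internetV6;
    };

    acls = [
      {
        action = "accept";
        src = [ "group:members" ];
        # Map every IPv4 prefix to "<prefix>:*" and append the IPv6 host.
        dst = (builtins.map (prefix: "${prefix}:*") internetV4)
          ++ [ "internet-v6:*" ];
      }
    ];
  };
in
# headscale reads its policy as (Hu)JSON; the attrset is serialised here.
# Point services.headscale at this string via writeText in a real module.
builtins.toJSON policy
```

Evaluating the expression with `nix-instantiate --eval --strict` prints the JSON policy, which is what headscale consumes; internal ranges such as RFC 1918 space are simply absent from the list, so they stay denied.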
1 file changed
tree: 25cfb21696ed8178d31015fcd8607d35d2c67efb
README.md

Clicks - Infrastructure

This repository contains system configuration for Clicks's infrastructure.

Config

Config is written using Snowfall lib. It keeps us organized and has some nice features like namespaces.

Systems

Devices are named after colors, areas are named as a letter, with the matching phonetic alphabet word. Areas are generally managed by one member of Clicks, who has full access to all of the servers in that area. If you require help for a specific area you can email admin@clicks.codes and in the subject line include the area you want help for.

| System | Description  | Address                  |
|--------|--------------|--------------------------|
| teal   | Primary Host | teal.alpha.clicks.domains |
| a1d2   | Build Server | d2.a1.clicks.domains     |

Deploying

Deploys are done with deploy-rs; you'll need to be able to SSH into each machine by its hostname (either via a nifty .ssh/config rule or over Tailscale).

Once you've done that, you'll be able to deploy with

$ deploy .#MACHINE_NAME