
tailscale: add tailnet option

This commit is contained in:
Myned 2025-04-13 19:50:05 -05:00
parent fba450bf26
commit 8b3d98a8bd
Signed by: myned
GPG key ID: C7224454F7881A34
3 changed files with 20 additions and 52 deletions
options/custom/services
secrets
common/tailscale
secrets.nix


@ -1,15 +1,12 @@
{
config,
inputs,
lib,
pkgs,
...
}:
with lib; let
cat = "${pkgs.coreutils}/bin/cat";
tailscale = "${config.services.tailscale.package}/bin/tailscale";
cfg = config.custom.services.tailscale;
tailscale = getExe config.services.tailscale.package;
in {
# TODO: Enact recommendations
# https://tailscale.com/kb/1320/performance-best-practices
@ -19,6 +16,7 @@ in {
options.custom.services.tailscale = {
enable = mkOption {default = false;};
cert = mkOption {default = false;};
tailnet = mkOption {default = "fenrir-musical.ts.net";};
tray = mkOption {default = false;};
};
@ -26,44 +24,33 @@ in {
# https://github.com/NixOS/nixpkgs/pull/317881
# https://github.com/tailscale/caddy-tailscale
config = mkIf cfg.enable {
age.secrets = let
secret = filename: {
file = "${inputs.self}/secrets/$(unknown)";
};
in {
"common/tailscale/tailnet" = secret "common/tailscale/tailnet";
};
services.tailscale = {
enable = true;
#// permitCertUid = mkIf cfg.cert "caddy"; # Allow caddy to fetch TLS certificates
permitCertUid = mkIf config.custom.services.caddy.enable "caddy"; # Allow caddy to fetch TLS certificates
useRoutingFeatures = "both"; # Enable server/client exit nodes
};
# Provision Tailscale certificates in the background per machine
systemd = let
hostname = config.custom.hostname;
in
mkIf cfg.cert {
#!! Needs to be run on the machine
# tailscale cert always writes to /var/lib/tailscale/certs/ regardless of flags
services."tailscale-cert-${hostname}".script = concatStringsSep " " [
"${tailscale} cert"
"--cert-file -"
"--key-file -"
"${hostname}.\"$(${cat} ${config.age.secrets."common/tailscale/tailnet".path})\""
"> /dev/null"
];
systemd = mkIf cfg.cert {
#!! Needs to be run on the machine
# tailscale cert always writes to /var/lib/tailscale/certs/ regardless of flags
services."tailscale-cert-${config.custom.hostname}".script = concatStringsSep " " [
"${tailscale} cert"
"--cert-file -"
"--key-file -"
"${config.custom.hostname}.${cfg.tailnet}"
"> /dev/null"
];
timers."tailscale-cert-${hostname}" = {
wantedBy = ["timers.target"];
timers."tailscale-cert-${config.custom.hostname}" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = true; # Retry if previous timer missed
};
timerConfig = {
OnCalendar = "daily";
Persistent = true; # Retry if previous timer missed
};
};
};
home-manager.sharedModules = [
{
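Review bot: The tailnet name is now committed in cleartext through `tailnet = mkOption {default = "fenrir-musical.ts.net";};` and, once interpolated into the cert script, ends up in the world-readable Nix store, whereas the deleted secrets/common/tailscale/tailnet file kept it age-encrypted and read it at runtime via `$(cat …)`. If this downgrade is deliberate — the name is arguably already public once `tailscale cert` obtains a CA-issued certificate for `hostname.tailnet` — the commit message should state that rationale, and the option should make its contract explicit: `tailnet = mkOption {type = types.str; default = "fenrir-musical.ts.net"; description = "Tailnet domain used when provisioning the machine certificate";};`. Separately, the old script quoted the substituted value while the new `"${config.custom.hostname}.${cfg.tailnet}"` element is concatenated bare into the shell command; since the value is now user-settable, `(escapeShellArg "${config.custom.hostname}.${cfg.tailnet}")` keeps it a single argument for any setting. The `config = mkIf cfg.enable { … }` attribute set continues past the hunk (home-manager.sharedModules is cut off), so the rest of the block was not reviewed here.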


@ -1,18 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 8E6j8Q GfJZ3IzgdzWhQWN3qy1bnmwrYDFkEQ2sitBa9NKjaHM
G/r932AYgZkgkq9qPTRUGG9lhHh6ljTtYl8oI1Ilpf8
-> ssh-ed25519 sfxzoQ FUvzEv0VmXOTNQLxFjggjntw/fhVLE6w39i4WkP7gTc
DLDw9YB1u7axy3PRP+KgbIy/ogiZ90rTxXnjrZB4uuo
-> ssh-ed25519 BIBw2w npfBaGcw4CT9aAniG9APJM8MN1giLnTutnBKZy4PVyc
clvT0qmB6Z9+gWnH3M3/1QYRV5PCbDbJ/J0Qo3BwzfA
-> ssh-ed25519 g5GcDQ 4O7WOGbv6WMGhA74Fw5ahftupLK17DnJkpw7yCdkFy8
AUoSjRAVW+9GVCR2p4abClgy6psyadFoGxrI7RBsvYA
-> ssh-ed25519 T/dATA ciXz5AyafuRmaLwB7RVpO/rtueh6+RbG6L3bPlhatzE
YfKnnLwUC2qrJeDDABtjd1tSFQgR4P0H46I1rOADX2A
-> ssh-ed25519 kMNckw nXmTsbhoLpF57XobUmjp/UgH+zfEhS690gsqQ+UuWjM
WGx505Thl52F7k+on7aUAGnU0z5w+4Ou1i9t4GkvfkU
-> ssh-ed25519 iw6hqg sATAyzAJz5dQu1bzmnXMl3BgvaBf4mHdCRX9Xxy0OTM
sWbtH1/CTSiHC5r/eOEriUgPx0w0BV8DKATKPQLNXLc
--- HyYpoPUkC+JDyQwGKLplpMkL0FS1IKLq2E49rUXZIMk
xYqo"_»,_]»<>Ða…Å¥}ê®´g\}qn
-ŸŒ·ÈAÒ„ ‰0áp[dýÉÛ}ä¦


@ -44,7 +44,6 @@ in {
### Common
"common/nix/access-tokens.conf".publicKeys = common;
"common/geoclue2/geolocation".publicKeys = common;
"common/tailscale/tailnet".publicKeys = common;
### Console
"console/users/myned.pass".publicKeys = console;