author | sinanmohd <sinan@sinanmohd.com> | 2025-10-17 10:51:15 +0530 |
committer | sinanmohd <sinan@sinanmohd.com> | 2025-10-17 10:51:15 +0530 |
commit | aff55f649687ba8c5f25a6064000f865cbf5da8b (patch) | |
tree | 9a916662ae276db5c93c2dc517b0eb964a3513cc /os/kay/modules | |
parent | 0446221b601f559ce90d2ae6285d11f0689e7f7f (diff) |
feat(kay/tailscale): init
Diffstat (limited to 'os/kay/modules')
-rw-r--r-- | os/kay/modules/network/headscale.nix | 48 | ||||
-rw-r--r-- | os/kay/modules/services/matrix/matrix-sliding-sync.nix | 2 |
2 files changed, 45 insertions, 5 deletions
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
index 24df170..3e44108 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale.nix
@@ -5,7 +5,7 @@
   ...
 }:
 let
-  domain = "headscale.${config.global.userdata.domain}";
+  url = "https://headscale.${config.global.userdata.domain}";
   stunPort = 3478;
 
   # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`.
@@ -32,6 +32,22 @@ let
       "tag:cusat" = [ "group:owner" ];
       "tag:gaijin" = [ "group:owner" ];
     };
+    autoApprovers = {
+      routes = {
+        "192.168.43.0/24" = [
+          "group:owner"
+          "tag:internal"
+        ];
+        "192.168.38.0/24" = [
+          "group:owner"
+          "tag:internal"
+        ];
+      };
+      exitNode = [
+        "group:owner"
+        "tag:internal"
+      ];
+    };
     acls = [
       {
         action = "accept";
@@ -49,13 +65,19 @@ let
 in
 {
   sops.secrets = {
+    # server
     "headplane/cookie_secret".owner = config.services.headscale.user;
     "headplane/preauth_key".owner = config.services.headscale.user;
     "headscale/noise_private_key".owner = config.services.headscale.user;
     "headscale/derp_private_key".owner = config.services.headscale.user;
+    # client
+    "headscale/pre_auth_key" = { };
   };
 
-  networking.firewall.interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+  networking.firewall = {
+    interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+  };
 
   services = {
     headscale = {
@@ -64,7 +86,7 @@ in
       settings = {
         logtail.enabled = false;
 
-        server_url = "https://${domain}";
+        server_url = url;
         noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path;
         dns = {
           base_domain = "tsnet.${config.global.userdata.domain}";
@@ -97,7 +119,7 @@ in
           cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
         };
         headscale = {
-          url = "https://${domain}";
+          inherit url;
           config_path = "${headscaleConfig}";
         };
         integration.agent = {
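Review bot: `trustedInterfaces = [ config.services.tailscale.interfaceName ];` in the networking.firewall hunk makes the host firewall accept every inbound packet arriving on the tailnet interface, so once a node is admitted to the tailnet the only thing limiting what it can reach on this host is the headscale ACL policy defined earlier in the file. If the intent is only to serve the subnet-router and exit-node role, listing the required ports under `interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts` / `allowedUDPPorts` would keep the host firewall as a second layer behind the ACLs; if full trust is deliberate, a comment such as `# tailnet peers are filtered by the headscale ACLs; host firewall intentionally open on this interface` would record that decision. The same consideration applies to `openFirewall = true` in the services.tailscale hunk that follows.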
@@ -106,6 +128,24 @@ in
         };
       };
     };
+
+    tailscale = {
+      enable = true;
+      interfaceName = "headscale";
+      openFirewall = true;
+
+      authKeyFile = config.sops.secrets."headscale/pre_auth_key".path;
+      extraUpFlags = [
+        "--login-server=${url}"
+        "--advertise-exit-node"
+        "--advertise-routes=192.168.43.0/24,192.168.38.0/24"
+      ];
+    };
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = true;
+    "net.ipv6.conf.all.forwarding" = true;
   };
 
   environment.systemPackages = [ config.services.headscale.package ];
diff --git a/os/kay/modules/services/matrix/matrix-sliding-sync.nix b/os/kay/modules/services/matrix/matrix-sliding-sync.nix
index 63d95ad..253ec4d 100644
--- a/os/kay/modules/services/matrix/matrix-sliding-sync.nix
+++ b/os/kay/modules/services/matrix/matrix-sliding-sync.nix
@@ -7,7 +7,7 @@
 let
   cfg = config.services.matrix-sliding-sync-dirty;
-  matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix { };
+  matrix-sliding-sync = pkgs.callPackage ../../../pkgs/matrix-sliding-sync.nix { };
 in
 {
   imports = [
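Review bot: `"net.ipv4.ip_forward" = true;` and `"net.ipv6.conf.all.forwarding" = true;` in the boot.kernel.sysctl block enable routing on every interface of the host, including ppp0, which is wider than the subnet-router and exit-node role of the services.tailscale block needs; the hunk shows no forward-chain rules, so it is worth confirming what the firewall permits to be forwarded between ppp0 and the headscale interface. A why-comment would make the coupling visible, e.g. `# required for --advertise-routes / --advertise-exit-node in services.tailscale`. Separately, the two prefixes in `"--advertise-routes=192.168.43.0/24,192.168.38.0/24"` repeat the keys of autoApprovers.routes in the earlier hunk; binding them once in the `let` (`routes = [ "192.168.43.0/24" "192.168.38.0/24" ];`) and deriving the flag with `"--advertise-routes=${builtins.concatStringsSep "," routes}"` keeps the approver policy and the advertised set from drifting apart. The services attrset this hunk closes begins outside the hunk.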