authorsinanmohd <sinan@sinanmohd.com>2025-10-17 10:51:15 +0530
committersinanmohd <sinan@sinanmohd.com>2025-10-17 10:51:15 +0530
commitaff55f649687ba8c5f25a6064000f865cbf5da8b (patch)
tree9a916662ae276db5c93c2dc517b0eb964a3513cc /os
parent0446221b601f559ce90d2ae6285d11f0689e7f7f (diff)
feat(kay/tailscale): init
Diffstat (limited to 'os')
-rw-r--r--os/cez/modules/headscale.nix2
-rw-r--r--os/kay/modules/network/headscale.nix48
-rw-r--r--os/kay/modules/services/matrix/matrix-sliding-sync.nix2
-rw-r--r--os/kay/secrets.yaml5
4 files changed, 49 insertions, 8 deletions
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix
index 1045c24..48481f4 100644
--- a/os/cez/modules/headscale.nix
+++ b/os/cez/modules/headscale.nix
@@ -6,7 +6,7 @@ in
sops.secrets."misc/headscale" = { };
networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
- services.tailscale = {
+ tailscale = {
enable = true;
interfaceName = "headscale";
openFirewall = true;
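Review bot: The new `tailscale = {` on the `+` line is only valid if it sits inside a `services = { … };` attribute set, and the visible context (`networking.firewall.trustedInterfaces = …` at the same level) together with the diffstat for this file (1 insertion, 1 deletion, no wrapper line added) suggests it does not, so the module would fail evaluation with an undefined top-level option `tailscale`. Either keep `services.tailscale = {` or move the block under a `services = { … };` set as the kay module in this commit does. The enclosing attribute set begins outside the hunk, so this is inferred from the context lines rather than seen.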
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
index 24df170..3e44108 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale.nix
@@ -5,7 +5,7 @@
...
}:
let
- domain = "headscale.${config.global.userdata.domain}";
+ url = "https://headscale.${config.global.userdata.domain}";
stunPort = 3478;
# A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`.
@@ -32,6 +32,22 @@ let
"tag:cusat" = [ "group:owner" ];
"tag:gaijin" = [ "group:owner" ];
};
+ autoApprovers = {
+ routes = {
+ "192.168.43.0/24" = [
+ "group:owner"
+ "tag:internal"
+ ];
+ "192.168.38.0/24" = [
+ "group:owner"
+ "tag:internal"
+ ];
+ };
+ exitNode = [
+ "group:owner"
+ "tag:internal"
+ ];
+ };
acls = [
{
action = "accept";
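Review bot: The added `autoApprovers` block grants automatic approval of both subnets and of exit-node status to every node in `group:owner` and every node carrying `tag:internal`, so any device under that group or tag can start announcing 192.168.43.0/24 and 192.168.38.0/24 or act as an exit node without a manual approval step; a compromised or mistakenly tagged device could present itself as a router for those networks. If only this host is meant to route them, approve the routes for a single tag that only this host can hold, or leave exit-node approval manual and approve the two routes once by hand. `tag:internal` is not among the visible `tagOwners` entries (`tag:cusat`, `tag:gaijin`), so confirm it is declared above the hunk. The `let` binding that holds this policy starts before the hunk.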
@@ -49,13 +65,19 @@ let
in
{
sops.secrets = {
+ # server
"headplane/cookie_secret".owner = config.services.headscale.user;
"headplane/preauth_key".owner = config.services.headscale.user;
"headscale/noise_private_key".owner = config.services.headscale.user;
"headscale/derp_private_key".owner = config.services.headscale.user;
+ # client
+ "headscale/pre_auth_key" = { };
};
- networking.firewall.interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+ networking.firewall = {
+ interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
services = {
headscale = {
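Review bot: `trustedInterfaces = [ config.services.tailscale.interfaceName ]` switches the host firewall off for everything arriving on the tailnet interface, so every tailnet peer reaches every non-loopback listener on kay, including whatever the Headscale and Headplane services configured below bind to, and the Headscale `acls` become the only access control between peers and this host. Prefer opening just the ports peers need, e.g. `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ … ];`, next to the existing `interfaces.ppp0.allowedUDPPorts`. If trusting the whole tailnet is intentional, a one-line comment above the entry saying so (`# tailnet peers are gated by the headscale ACLs, not the host firewall`) would spare the next reader from re-deriving it.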
@@ -64,7 +86,7 @@ in
settings = {
logtail.enabled = false;
- server_url = "https://${domain}";
+ server_url = url;
noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path;
dns = {
base_domain = "tsnet.${config.global.userdata.domain}";
@@ -97,7 +119,7 @@ in
cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
};
headscale = {
- url = "https://${domain}";
+ inherit url;
config_path = "${headscaleConfig}";
};
integration.agent = {
@@ -106,6 +128,24 @@ in
};
};
};
+
+ tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."headscale/pre_auth_key".path;
+ extraUpFlags = [
+ "--login-server=${url}"
+ "--advertise-exit-node"
+ "--advertise-routes=192.168.43.0/24,192.168.38.0/24"
+ ];
+ };
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
};
environment.systemPackages = [ config.services.headscale.package ];
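Review bot: The hand-set `boot.kernel.sysctl` forwarding switches at the end of the hunk duplicate what `services.tailscale.useRoutingFeatures = "server";` already configures, and the option also takes care of the reverse-path settings an exit node needs; replace the sysctl block with that single line. Enabling forwarding is host-wide rather than limited to the headscale interface, so with `ppp0` on the same machine any restriction on what may be forwarded now rests on the firewall's forward rules — worth a short comment. The CIDRs in `--advertise-routes=192.168.43.0/24,192.168.38.0/24` repeat the `autoApprovers.routes` keys; a single let-bound list joined with `concatStringsSep ","` would keep the two from drifting apart. As far as I recall, the NixOS autoconnect unit only runs `tailscale up` with `extraUpFlags` while the node still needs login, so later edits to these flags will not re-apply without logging the node out first — a comment on `extraUpFlags` noting this would help.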
diff --git a/os/kay/modules/services/matrix/matrix-sliding-sync.nix b/os/kay/modules/services/matrix/matrix-sliding-sync.nix
index 63d95ad..253ec4d 100644
--- a/os/kay/modules/services/matrix/matrix-sliding-sync.nix
+++ b/os/kay/modules/services/matrix/matrix-sliding-sync.nix
@@ -7,7 +7,7 @@
let
cfg = config.services.matrix-sliding-sync-dirty;
- matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix { };
+ matrix-sliding-sync = pkgs.callPackage ../../../pkgs/matrix-sliding-sync.nix { };
in
{
imports = [
diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml
index 68998c0..e11bbd0 100644
--- a/os/kay/secrets.yaml
+++ b/os/kay/secrets.yaml
@@ -23,6 +23,7 @@ headplane:
headscale:
noise_private_key: ENC[AES256_GCM,data:pqh0alokNqQsG9Ghi/qZl3lEi45om8GV4uron4a5JriLrR/QiRKcZQFbMK2u1m4wLwAw57ugN/jXynATlW15vUWw4SAU+PtC,iv:j74JLjGDGbmN65YfARYisSa20ExBXVPUm+QKU4qk4rw=,tag:UUgthumk2/a4xJ14Ucok+A==,type:str]
derp_private_key: ENC[AES256_GCM,data:EMt3RtQzqIY4i5S2S1kK0kxu0wMt3/bBcpaEc3YP0Cmj8F4yZECOaDUYk4dM2QsfmoP84plktAqIrM4MSiY94lQpqRoCvTru,iv:NU/nVFQxBQTou0mf5xvLmlda8hzJfoCRiU1vCgJGyyc=,tag:IEDCDy6ifL+ulYzp7qr3vg==,type:str]
+ pre_auth_key: ENC[AES256_GCM,data:ItKBknycoP9AcUN1OyTK/OQCUQzkpJfho5Rfm2o0u8g6WGo0F/awC07MQ4pL2lfM,iv:hfOj72ZUP4F28+0vuEXucMUzeL3FAx0rF2quyWTACYw=,tag:zGdtJakxXUOolvJMOCevvg==,type:str]
misc:
wireguard: ENC[AES256_GCM,data:zwctPH+ScqRWUD4Jjcu/dTTGwxGl6rCEsp5D4+EfXPEIhECL2vjyTtcy5cM=,iv:yfv6fV5zxAbsVf+veTJYLmAwhJbaqFt89s3jlU+HO2k=,tag:vZldtANCKvMWW5pXRUv+vA==,type:str]
default_password: ENC[AES256_GCM,data:xON6jifcv8k8tKA=,iv:Kk3Ax/GGvCvAbTAhNnlkoNh1BzsrZVptchRuQi+vqhc=,tag:9vYn1Gslr+1pAYdKvwRhnA==,type:str]
@@ -48,7 +49,7 @@ sops:
bGRaOE1Mc3VqVnYyd0xIVGl5ckpqRFkKpT2gTC4lf9HRQNJDykdGjPdfH+V8og7X
XHq1XqIRoRbulZifuZlmzN/RWMPIoBYkXeHfqaMjmTz5HIBcnO/t9g==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-17T02:46:27Z"
- mac: ENC[AES256_GCM,data:DEFPWr+mjPG7AGmtBLEi1X6JukiMgHCAyp3qxjh9Fn2pgNKGLvsINe+z8eG9oR1wb7It1wFfDd0TN5Z5Jp21DyWt3LNTOCGD2ggfubtePMnctRgLtHcjopJ973ONhJ+UljU7FidbMd6BnGftSrmcx1zRcuZKV5w3yjQ3mlfXBkI=,iv:n6/+FQmQZb10zct997MuwvEhjhBnDbCrvkAvvec01wc=,tag:RA+cPFzbT7VtEkAmNBielQ==,type:str]
+ lastmodified: "2025-10-17T04:31:52Z"
+ mac: ENC[AES256_GCM,data:0nN0kAbdMFNgzCa1ocn7EHDNV7SFH/9/P2EgwDQG37AyAxUJtZ5kxyobAPRAbApgtrlnDhCrdsV9ltGqk35TTiNK6qhx8gfdzK0MiMI0wYnhvoAyci1Hsg32Fv/vuZv1AWf1yAMaDMQXmzt0AiG9hJy9FdZO0oU8U2RbmFRMO3k=,iv:P4m/owrYllj+8R2Pm+iLAerbnmOCy3TzBgmGCxS65C4=,tag:mNEHL3kBMuFeSYfY6xnweQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0