From 0446221b601f559ce90d2ae6285d11f0689e7f7f Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Fri, 17 Oct 2025 09:56:49 +0530
Subject: feat(cez/tailscale): init
---
os/cez/configuration.nix | 1 +
os/cez/modules/headscale.nix | 19 +++++++++++++++++++
os/cez/secrets.yaml | 12 ++++--------
3 files changed, 24 insertions(+), 8 deletions(-)
create mode 100644 os/cez/modules/headscale.nix
(limited to 'os/cez')
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix
index 255c19a..2c5e59e 100644
--- a/os/cez/configuration.nix
+++ b/os/cez/configuration.nix
@@ -4,6 +4,7 @@ ./hardware-configuration.nix ./modules/wireguard.nix + ./modules/headscale.nix ./modules/tlp.nix ../../global/cez ];
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix
new file mode 100644
index 0000000..1045c24
--- /dev/null
+++ b/os/cez/modules/headscale.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+let
+ headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+in
+{
+ sops.secrets."misc/headscale" = { };
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+ services.tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."misc/headscale".path;
+ extraUpFlags = [
+ "--login-server=${headScaleUrl}"
+ ];
+ };
+}
diff --git a/os/cez/secrets.yaml b/os/cez/secrets.yaml
index 5cfd108..7b9923c 100644
--- a/os/cez/secrets.yaml
+++ b/os/cez/secrets.yaml
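Review bot: In os/cez/modules/headscale.nix, `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];` makes the host firewall accept all traffic arriving on the `headscale` interface, so every service listening on cez is reachable from any node the login server admits and filtering rests entirely on the Headscale ACL policy. If only a few services are meant to be reachable over the tailnet, drop that line and open them per interface instead, e.g. `networking.firewall.interfaces."headscale".allowedTCPPorts = [ /* ports you intend to expose */ ];`. The secret read through `authKeyFile` is presumably a Headscale pre-auth key; a short comment next to it stating whether the key is reusable and when it expires would help, because a long-lived reusable key in `secrets.yaml` lets anyone who can decrypt the file enrol further nodes.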
@@ -1,10 +1,7 @@ misc: wireguard: ENC[AES256_GCM,data:WUHMeYro1PS25wEtsQKHHtpLXbtox8JtqX5863dHelBIA2SB7YZ+eWyv5hQ=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:4qpU9Ue4QtfBINdy0CSdvw==,type:str] + headscale: ENC[AES256_GCM,data:90xXwi0fPPdF929akAma85UmLkllCUmO1v0nWS8HxRw4gQq8fa9QKoYgGAt84bC6,iv:H0BZN7A21Hzs6p4wdP3ONVfvQyNchVSdc2GJ9BS+wyQ=,tag:fV9XpAOrVMQ5A2Dzo5BcyQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv enc: | @@ -24,8 +21,7 @@ sops: dVZ3V0VUQzF5VzN0RFM5c0RjZHpJZ0EK09qgyPHEhHgRZt2GZQB5IM9Z/nfYXW28 fcfmF6pko9qOYQ72P7vwv8Xub0SEI8GKGQwz2QPDJT9gd1qtipuhuQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-04T10:16:20Z" - mac: ENC[AES256_GCM,data:NhVEt9Yg3J3+L1CqaI2IKFtC4VG9FdDkTOuDwc/hbwDvJmdbT7YocyQSX4IxsZ5ZxpaFXcp56C+QE5tDyjdWJs+njcxm8zDLsXaCfu3vLn7JHgzeQ9JeKeCzWV2oAj+PaTiY64QuhDP3LhaFZEZPEPJK5lGYR0XEZQHV2ngtF3U=,iv:LEkUb2cthtT+QG0SryRG17a5VRBli8PtRfhf1gTGBLo=,tag:G1Lo7tGUMWxgvSEQIuIAaw==,type:str] - pgp: [] + lastmodified: "2025-10-17T03:37:38Z" + mac: ENC[AES256_GCM,data:hOs2aCnCs8yF2iLZawyI84olfFe86JTZ8KBgSFLpaE8Kd+HWsQyEa5M0yOMXCts/d0JqJFsMJqxmkcBxBSFT5cBVZM/gSh9TC7xbq14Ja3vRT6KcLZ3O4CI6pZvEvkuJALTSQSXIsxFZG3YoYsKdh67aqKr/uC3Jh5sASYxzIHg=,iv:F4d85Tk920eXa6mVKSBlmJ/dRHncZRiQGh3LHsJCLas=,tag:EO+1OERqvowVUGKe9a77oA==,type:str] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.11.0 -- cgit v1.2.3