From 479c661b69abe9af8fe7ca73bdec1571c231816c Mon Sep 17 00:00:00 2001
From: ooks-io
Date: Sun, 16 Jun 2024 19:07:13 +1200
Subject: [PATCH] feat(nixos:tailscale): add auto-connect service

---
 hosts/ooksdesk/default.nix | 1 +
 hosts/ooksmedia/default.nix | 1 +
 hosts/ooksmicro/default.nix | 1 +
 hosts/ookst480s/default.nix | 1 +
 nixos/modules/base/default.nix | 1 +
 nixos/modules/base/networking/tailscale.nix | 34 +++++++++++----
 nixos/options/host.nix | 31 +++++++++++++-
 outputs/nixos.nix | 46 ++++++++-------------
 8 files changed, 78 insertions(+), 38 deletions(-)

diff --git a/hosts/ooksdesk/default.nix b/hosts/ooksdesk/default.nix
index 196310d..2e676d5 100644
--- a/hosts/ooksdesk/default.nix
+++ b/hosts/ooksdesk/default.nix
@@ -20,6 +20,7 @@
 tailscale = {
 enable = true;
 client = true;
+ autoconnect = true;
 };
 };
 hardware = {
diff --git a/hosts/ooksmedia/default.nix b/hosts/ooksmedia/default.nix
index 9580255..a39a0ad 100644
--- a/hosts/ooksmedia/default.nix
+++ b/hosts/ooksmedia/default.nix
@@ -25,6 +25,7 @@ in
 tailscale = {
 enable = true;
 server = true;
+ autoconnect = true;
 };
 };
 hardware = {
diff --git a/hosts/ooksmicro/default.nix b/hosts/ooksmicro/default.nix
index c91fb84..79cbc38 100644
--- a/hosts/ooksmicro/default.nix
+++ b/hosts/ooksmicro/default.nix
@@ -26,6 +26,7 @@ in
 tailscale = {
 enable = true;
 client = true;
+ autoconnect = true;
 };
 };
 hardware = {
diff --git a/hosts/ookst480s/default.nix b/hosts/ookst480s/default.nix
index fd6d255..027f3c3 100644
--- a/hosts/ookst480s/default.nix
+++ b/hosts/ookst480s/default.nix
@@ -26,6 +26,7 @@ in
 tailscale = {
 enable = true;
 client = true;
+ autoconnect = true;
 };
 };
 hardware = {
diff --git a/nixos/modules/base/default.nix b/nixos/modules/base/default.nix
index 27f62e3..16ee9d4 100644
--- a/nixos/modules/base/default.nix
+++ b/nixos/modules/base/default.nix
@@ -7,5 +7,6 @@
 ./security
 ./shell
 ./locale.nix
+ ./secrets.nix
 ];
 }
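Review bot: `./secrets.nix` is added to the base module imports, but the diffstat lists no `nixos/modules/base/secrets.nix`, so unless that file already exists in the tree every host evaluation will fail on the missing import. If it is new it belongs in this commit; if it is pre-existing, a short comment next to the import, e.g. `# agenix secret declarations shared by all hosts (tailscale-auth, ...)`, would tell readers where `config.age.secrets.tailscale-auth` is defined.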
diff --git a/nixos/modules/base/networking/tailscale.nix b/nixos/modules/base/networking/tailscale.nix
index 96ccc3c..38fcdc6 100644
--- a/nixos/modules/base/networking/tailscale.nix
+++ b/nixos/modules/base/networking/tailscale.nix
@@ -3,9 +3,7 @@ let
 cfg = config.ooknet.host.networking.tailscale;
 inherit (config.services) tailscale;
- inherit (lib.lists) optionals;
- inherit (lib.strings) concatStringsSep;
- inherit (lib) mkIf mkDefault;
+ inherit (lib) mkIf mkDefault mkBefore;
 in
 {
@@ -15,10 +13,7 @@ in
 enable = true;
 useRoutingFeatures = mkDefault "both";
 # permitCertUid = "root";
- extraUpFlags =
- [ "--ssh" "--operator=$USER" ]
- ++ optionals cfg.server [ "--advertise-exit-node" ]
- ++ optionals (cfg.tags != []) ["--advertise-tags" (concatStringsSep "," cfg.tags)];
+ extraUpFlags = cfg.flags.final;
 };
 networking.firewall = {
@@ -30,5 +25,30 @@ in
 systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
 environment.systemPackages = [ pkgs.tailscale ];
+
+ # disable tailscale logging
+ systemd.services.tailscaled.serviceConfig.Environment = mkBefore ["TS_NO_LOGS_NO_SUPPORT"];
+
+ systemd.services.tailscale-autoconnect = mkIf cfg.autoconnect {
+ description = "Automatic connection to Tailscale";
+
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = /* bash */ ''
+ sleep 2
+
+ status="$(${tailscale.package}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
+
+ if [ $status = "Running" ]; then
+ exit 0
+ fi
+
+ ${tailscale.package}/bin/tailscale up ${toString tailscale.extraUpFlags}
+ '';
+ };
 };
 }
diff --git a/nixos/options/host.nix b/nixos/options/host.nix
index 500f8a8..551f9a6 100644
--- a/nixos/options/host.nix
+++ b/nixos/options/host.nix
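Review bot: `systemd.services.tailscaled.serviceConfig.Environment = mkBefore ["TS_NO_LOGS_NO_SUPPORT"]` sets a bare name, but systemd's `Environment=` takes `NAME=VALUE` assignments and tailscaled looks for `TS_NO_LOGS_NO_SUPPORT=true`, so the opt-out most likely never takes effect; change it to `mkBefore ["TS_NO_LOGS_NO_SUPPORT=true"]`. In the autoconnect script `$status` is unquoted: if `tailscale status` has nothing to report before tailscaled answers (the fixed `sleep 2` is the only synchronisation), the test becomes `[ = "Running" ]`, a syntax error, and because NixOS wraps `script` in a shell started with `-e` the unit fails instead of attempting `tailscale up`; write `if [ "$status" = "Running" ]; then`. `${toString tailscale.extraUpFlags}` relies on shell word splitting, which hides that `flags.final` builds elements such as `"--authkey file:…"` with embedded spaces, whereas the upstream module passes the same list through `lib.escapeShellArgs`; once the elements are single tokens, `${lib.escapeShellArgs tailscale.extraUpFlags}` is the safer form. The auth key path (not the key, thanks to `file:`) ends up on a root command line and in the journal on failure, which is acceptable, but `services.tailscale.authKeyFile` already provides an equivalent autoconnect unit upstream and may make this one redundant.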
@@ -3,6 +3,9 @@ let
 inherit (lib) mkOption mkEnableOption;
 inherit (lib.types) bool enum listOf int submodule nullOr str;
+ inherit (lib.lists) optionals concatLists;
+ inherit (builtins) concatStringsSep;
+
 admin = config.ooknet.host.admin;
 hardware = config.ooknet.host.hardware;
 tailscale = config.ooknet.host.networking.tailscale;
@@ -54,9 +57,15 @@ in
 homeManager = mkEnableOption "";
 };
+ # tailscale options brought to you by github:notashelf/nyx
 networking = {
 tailscale = {
 enable = mkEnableOption "Enable tailscale system module";
+ autoconnect = mkEnableOption "Enable auto connect tailscale service";
+ authkey = mkOption {
+ type = str;
+ default = config.age.secrets.tailscale-auth.path;
+ };
 server = mkOption {
 type = bool;
 default = false;
@@ -67,7 +76,7 @@ in
 default = tailscale.enable;
 description = "Define if the host is a client";
 };
- tag = mkOption {
+ tags = mkOption {
 type = listOf str;
 default = if tailscale.client then ["tag:client"]
@@ -80,6 +89,24 @@ in
 default = "${admin.name}";
 description = "Name of the tailscale operator";
 };
+ flags = {
+ default = mkOption {
+ type = listOf str;
+ default = ["--ssh"];
+ };
+ final = mkOption {
+ type = listOf str;
+ internal = true;
+ readOnly = true;
+ default = concatLists [
+ tailscale.flags.default
+ (optionals (tailscale.authkey != null) ["--authkey file:${config.age.secrets.tailscale-auth.path}"])
+ (optionals (tailscale.operator != null) ["--operator ${tailscale.operator}"])
+ (optionals (tailscale.tags != []) ["--advertise-tags" (concatStringsSep "," tailscale.tags)])
+ (optionals tailscale.server ["--advertise-exit-node"])
+ ];
+ };
+ };
 };
 };
@@ -185,7 +212,7 @@ in
 assertions = [{
 assertion = ((lib.length hardware.monitors) != 0) -> ((lib.length (lib.filter (m: m.primary) hardware.monitors)) == 1);
- message = "Exactly one monitor must be set to primary.";
+ message = "At least 1 primary monitor is required";
 }];
 };
 }
diff --git a/outputs/nixos.nix b/outputs/nixos.nix
index 0fb7a0f..790de0d 100644
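Review bot: `authkey` is declared `type = str` with `default = config.age.secrets.tailscale-auth.path`, so every host that evaluates this options module resolves the agenix secret even when tailscale is disabled, and the value can never be `null`, which makes the `tailscale.authkey != null` guard in the `flags.final` hunk below dead code (likewise `tailscale.operator != null`, since `operator` defaults to `"${admin.name}"`). If the key is meant to be optional, declare it `type = nullOr str; default = null;` (`nullOr` is already imported from `lib.types`) and have the tailscale module set the agenix path under `mkIf cfg.autoconnect`. Both new options also lack the `description` their siblings carry; something like `description = "Path to a file holding a Tailscale auth key (never the key itself)";` would document the contract.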
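Review bot: `flags.final` emits `"--authkey file:${config.age.secrets.tailscale-auth.path}"` and `"--operator ${tailscale.operator}"` as single list elements containing a space, while `"--advertise-tags"` and its value are two elements; any consumer that escapes the list per element (the upstream module's `lib.escapeShellArgs`, or a hardened autoconnect script) would then hand `--authkey file:…` to tailscale as one unknown flag. Use `"--authkey=file:…"` and `"--operator=${tailscale.operator}"`, or split them into two elements like the tags flag. The authkey element also hardcodes `config.age.secrets.tailscale-auth.path` instead of reading `tailscale.authkey`, so the option added in the hunk above has no effect on the flags.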
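Review bot: The new message `"At least 1 primary monitor is required"` no longer matches the assertion, which still fails when more than one monitor is marked `primary`, so a user with two primaries would be told to add one. Keep the wording aligned with the condition, e.g. `message = "Exactly one monitor must be marked primary when monitors are configured.";`.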
--- a/outputs/nixos.nix
+++ b/outputs/nixos.nix
@@ -4,12 +4,19 @@ let
 inherit (inputs.nixpkgs.lib) nixosSystem;
 inherit (self) keys;
+ hosts = "${self}/hosts";
+
 hm = inputs.home-manager.nixosModules.home-manager;
 nixarr = inputs.nixarr.nixosModules.default;
 agenix = inputs.agenix.nixosModules.default;
 nixosModules = "${self}/nixos";
- hosts = "${self}/hosts";
+
+ workstation = [
+ hm
+ agenix
+ nixosModules
+ ];
 specialArgs = {inherit withSystem keys inputs self;};
 in
@@ -18,49 +25,30 @@ in
 ooksdesk = nixosSystem {
 inherit specialArgs;
 system = "x86_64-linux";
- modules = [
- "${hosts}/ooksdesk"
- hm
- agenix
-
- nixosModules
- ];
+ modules = [ "${hosts}/ooksdesk" ] ++ workstation;
 };
+
 ookst480s = nixosSystem {
 inherit specialArgs;
 system = "x86_64-linux";
- modules = [
- "${hosts}/ookst480s"
- hm
- nixosModules
- ];
+ modules = [ "${hosts}/ookst480s" ] ++ workstation;
 };
+
 ooksmedia = nixosSystem {
 inherit specialArgs;
 system = "x86_64-linux";
- modules = [
- "${hosts}/ooksmedia"
- hm
- nixosModules
- nixarr
- ];
+ modules = [ "${hosts}/ooksmedia" nixarr ] ++ workstation;
 };
+
 ooksmicro = nixosSystem {
 inherit specialArgs;
 system = "x86_64-linux";
- modules = [
- "${hosts}/ooksmicro"
- hm
- nixosModules
- ];
+ modules = [ "${hosts}/ooksmicro" ] ++ workstation;
 };
+
 ooksx1 = nixosSystem {
 inherit specialArgs;
 system = "x86_64-linux";
- modules = [
- "${hosts}/ooksx1"
- hm
- nixosModules
- ];
+ modules = [ "${hosts}/ooksx1" ] ++ workstation;
 };
 }
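Review bot: `workstation` is appended to every host, including `ooksmedia`, which its own host file configures as a tailscale `server`, so the name no longer describes what the list is; `common` or `baseModules` would read better, with a short comment such as `# modules every host gets: home-manager, agenix, the shared nixos tree`. This also loads `agenix` on the four hosts that did not have it before, which is what makes `config.age.secrets.tailscale-auth` resolvable there; presumably each of those hosts already has a recipient key in the secrets rules, otherwise the secret cannot be decrypted at activation and the autoconnect unit will never find its key file.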