ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(nixos:tailscale): add auto-connect service

Browse source
This commit is contained in:
ooks-io 2024-06-16 19:07:13 +12:00
parent ec30191464
commit 479c661b69
8 changed files with 78 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/ooksdesk/default.nix
View file

@ -20,6 +20,7 @@
tailscale = { tailscale = {
enable = true; enable = true;
client = true; client = true;
autoconnect = true;
}; };
}; };
hardware = { hardware = {

1
hosts/ooksmedia/default.nix
View file

@ -25,6 +25,7 @@ in
tailscale = { tailscale = {
enable = true; enable = true;
server = true; server = true;
autoconnect = true;
}; };
}; };
hardware = { hardware = {

1
hosts/ooksmicro/default.nix
View file

@ -26,6 +26,7 @@ in
tailscale = { tailscale = {
enable = true; enable = true;
client = true; client = true;
autoconnect = true;
}; };
}; };
hardware = { hardware = {

1
hosts/ookst480s/default.nix
View file

@ -26,6 +26,7 @@ in
tailscale = { tailscale = {
enable = true; enable = true;
client = true; client = true;
autoconnect = true;
}; };
}; };
hardware = { hardware = {

1
nixos/modules/base/default.nix
View file

@ -7,5 +7,6 @@
./security ./security
./shell ./shell
./locale.nix ./locale.nix
./secrets.nix
]; ];
} }

34
nixos/modules/base/networking/tailscale.nix
View file

@ -3,9 +3,7 @@
let let
cfg = config.ooknet.host.networking.tailscale; cfg = config.ooknet.host.networking.tailscale;
inherit (config.services) tailscale; inherit (config.services) tailscale;
inherit (lib.lists) optionals; inherit (lib) mkIf mkDefault mkBefore;
inherit (lib.strings) concatStringsSep;
inherit (lib) mkIf mkDefault;
in in
{ {
@ -15,10 +13,7 @@ in
enable = true; enable = true;
useRoutingFeatures = mkDefault "both"; useRoutingFeatures = mkDefault "both";
# permitCertUid = "root"; # permitCertUid = "root";
extraUpFlags = extraUpFlags = cfg.flags.final;
[ "--ssh" "--operator=$USER" ]
++ optionals cfg.server [ "--advertise-exit-node" ]
++ optionals (cfg.tags != []) ["--advertise-tags" (concatStringsSep "," cfg.tags)];
}; };
networking.firewall = { networking.firewall = {
@ -30,5 +25,30 @@ in
systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"]; systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
environment.systemPackages = [ pkgs.tailscale ]; environment.systemPackages = [ pkgs.tailscale ];
# disable tailscale logging
systemd.services.tailscaled.serviceConfig.Environment = mkBefore ["TS_NO_LOGS_NO_SUPPORT"];
systemd.services.tailscale-autoconnect = mkIf cfg.autoconnect {
description = "Automatic connection to Tailscale";
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = /* bash */ ''
sleep 2
status="$(${tailscale.package}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then
exit 0
fi
${tailscale.package}/bin/tailscale up ${toString tailscale.extraUpFlags}
'';
};
}; };
} }

31
nixos/options/host.nix
View file

@ -3,6 +3,9 @@
let let
inherit (lib) mkOption mkEnableOption; inherit (lib) mkOption mkEnableOption;
inherit (lib.types) bool enum listOf int submodule nullOr str; inherit (lib.types) bool enum listOf int submodule nullOr str;
inherit (lib.lists) optionals concatLists;
inherit (builtins) concatStringsSep;
admin = config.ooknet.host.admin; admin = config.ooknet.host.admin;
hardware = config.ooknet.host.hardware; hardware = config.ooknet.host.hardware;
tailscale = config.ooknet.host.networking.tailscale; tailscale = config.ooknet.host.networking.tailscale;
@ -54,9 +57,15 @@ in
homeManager = mkEnableOption ""; homeManager = mkEnableOption "";
}; };
# tailscale options brought to you by github:notashelf/nyx
networking = { networking = {
tailscale = { tailscale = {
enable = mkEnableOption "Enable tailscale system module"; enable = mkEnableOption "Enable tailscale system module";
autoconnect = mkEnableOption "Enable auto connect tailscale service";
authkey = mkOption {
type = str;
default = config.age.secrets.tailscale-auth.path;
};
server = mkOption { server = mkOption {
type = bool; type = bool;
default = false; default = false;
@ -67,7 +76,7 @@ in
default = tailscale.enable; default = tailscale.enable;
description = "Define if the host is a client"; description = "Define if the host is a client";
}; };
tag = mkOption { tags = mkOption {
type = listOf str; type = listOf str;
default = default =
if tailscale.client then ["tag:client"] if tailscale.client then ["tag:client"]
@ -80,6 +89,24 @@ in
default = "${admin.name}"; default = "${admin.name}";
description = "Name of the tailscale operator"; description = "Name of the tailscale operator";
}; };
flags = {
default = mkOption {
type = listOf str;
default = ["--ssh"];
};
final = mkOption {
type = listOf str;
internal = true;
readOnly = true;
default = concatLists [
tailscale.flags.default
(optionals (tailscale.authkey != null) ["--authkey file:${config.age.secrets.tailscale-auth.path}"])
(optionals (tailscale.operator != null) ["--operator ${tailscale.operator}"])
(optionals (tailscale.tags != []) ["--advertise-tags" (concatStringsSep "," tailscale.tags)])
(optionals tailscale.server ["--advertise-exit-node"])
];
};
};
}; };
}; };
@ -185,7 +212,7 @@ in
assertions = [{ assertions = [{
assertion = ((lib.length hardware.monitors) != 0) -> assertion = ((lib.length hardware.monitors) != 0) ->
((lib.length (lib.filter (m: m.primary) hardware.monitors)) == 1); ((lib.length (lib.filter (m: m.primary) hardware.monitors)) == 1);
message = "Exactly one monitor must be set to primary."; message = "At least 1 primary monitor is required";
}]; }];
}; };
} }

46
outputs/nixos.nix
View file

@ -4,12 +4,19 @@ let
inherit (inputs.nixpkgs.lib) nixosSystem; inherit (inputs.nixpkgs.lib) nixosSystem;
inherit (self) keys; inherit (self) keys;
hosts = "${self}/hosts";
hm = inputs.home-manager.nixosModules.home-manager; hm = inputs.home-manager.nixosModules.home-manager;
nixarr = inputs.nixarr.nixosModules.default; nixarr = inputs.nixarr.nixosModules.default;
agenix = inputs.agenix.nixosModules.default; agenix = inputs.agenix.nixosModules.default;
nixosModules = "${self}/nixos"; nixosModules = "${self}/nixos";
hosts = "${self}/hosts";
workstation = [
hm
agenix
nixosModules
];
specialArgs = {inherit withSystem keys inputs self;}; specialArgs = {inherit withSystem keys inputs self;};
in in
@ -18,49 +25,30 @@ in
ooksdesk = nixosSystem { ooksdesk = nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [ "${hosts}/ooksdesk" ] ++ workstation;
"${hosts}/ooksdesk"
hm
agenix
nixosModules
];
}; };
ookst480s = nixosSystem { ookst480s = nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [ "${hosts}/ookst480s" ] ++ workstation;
"${hosts}/ookst480s"
hm
nixosModules
];
}; };
ooksmedia = nixosSystem { ooksmedia = nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [ "${hosts}/ooksmedia" nixarr ] ++ workstation;
"${hosts}/ooksmedia"
hm
nixosModules
nixarr
];
}; };
ooksmicro = nixosSystem { ooksmicro = nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [ "${hosts}/ooksmicro" ] ++ workstation;
"${hosts}/ooksmicro"
hm
nixosModules
];
}; };
ooksx1 = nixosSystem { ooksx1 = nixosSystem {
inherit specialArgs; inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [ "${hosts}/ooksx1" ] ++ workstation;
"${hosts}/ooksx1"
hm
nixosModules
];
}; };
} }