From 4b83cae3ba9d7e13a5b5113d895f574264cabf22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Fri, 19 Aug 2022 18:51:44 +0100
Subject: [PATCH] make tailscale auth service be defined just once

---
 nixos/boxes/bolty/default.nix | 2 -
 nixos/boxes/bolty/tailscale-bolty.nix | 31 ----------
 nixos/boxes/foureighty/default.nix | 2 -
 .../boxes/foureighty/tailscale-foureighty.nix | 32 -----------
 nixos/boxes/skinnyv/default.nix | 2 -
 nixos/boxes/skinnyv/tailscale-skinnyv.nix | 32 -----------
 nixos/boxes/thinky/default.nix | 2 -
 nixos/boxes/thinky/tailscale-thinky.nix | 31 ----------
 nixos/boxes/vpsfree1/default.nix | 2 -
 nixos/boxes/vpsfree1/tailscale-vpsfree1.nix | 31 ----------
 nixos/boxes/vultr1/default.nix | 2 -
 nixos/boxes/vultr1/tailscale-vultr1.nix | 32 -----------
 nixos/common-services.nix | 1 +
 nixos/tailscale.nix | 16 ------
 nixos/tailscale/default.nix | 43 ++++++++++++++
 nixos/tailscale/keys.sops.yaml | 57 +++++++++++++++++++
 16 files changed, 101 insertions(+), 217 deletions(-)
 delete mode 100644 nixos/boxes/bolty/tailscale-bolty.nix
 delete mode 100644 nixos/boxes/foureighty/tailscale-foureighty.nix
 delete mode 100644 nixos/boxes/skinnyv/tailscale-skinnyv.nix
 delete mode 100644 nixos/boxes/thinky/tailscale-thinky.nix
 delete mode 100644 nixos/boxes/vpsfree1/tailscale-vpsfree1.nix
 delete mode 100644 nixos/boxes/vultr1/tailscale-vultr1.nix
 delete mode 100644 nixos/tailscale.nix
 create mode 100644 nixos/tailscale/default.nix
 create mode 100644 nixos/tailscale/keys.sops.yaml

diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix
index e480bae0..7306670b 100644
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@@ -2,9 +2,7 @@
 imports = [
 ./bolty-boot.nix
 ./real-hardware.nix
- ./tailscale-bolty.nix
 ../../server-security.nix
- ../../tailscale.nix
 ../cli.nix
 ./matrix-server.nix
 ./nextcloud.nix
diff --git a/nixos/boxes/bolty/tailscale-bolty.nix b/nixos/boxes/bolty/tailscale-bolty.nix deleted file mode 100644 index 5046079e..00000000 --- a/nixos/boxes/bolty/tailscale-bolty.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, pkgs, inputs, lib, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale; -in { - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey tskey-kmZDQd4CNTRL-Ezwsqwk6xnVjLyLTGS1N7 - ''; - }; -} diff --git a/nixos/boxes/foureighty/default.nix b/nixos/boxes/foureighty/default.nix index b743aa1e..2bcb1088 100644 --- a/nixos/boxes/foureighty/default.nix +++ b/nixos/boxes/foureighty/default.nix @@ -4,7 +4,6 @@ imports = [ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t480 ./hardware-configuration.nix - ./tailscale-foureighty.nix ./thermal.nix ../../backups.nix ../../boot.nix @@ -15,7 +14,6 @@ ../../i3 ../../libvirt.nix ../../mercurial - ../../tailscale.nix ]; fileSystems."/" = { options = [ "compress=zstd" ]; }; diff --git a/nixos/boxes/foureighty/tailscale-foureighty.nix b/nixos/boxes/foureighty/tailscale-foureighty.nix deleted file mode 100644 index 995ceb17..00000000 --- a/nixos/boxes/foureighty/tailscale-foureighty.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ config, pkgs, inputs, lib, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") - tailscale; -in { - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey tskey-kaL3of6CNTRL-SkvotNvHLZSzmX3oob7ot - ''; - }; -} diff --git a/nixos/boxes/skinnyv/default.nix b/nixos/boxes/skinnyv/default.nix index 7d9f3e87..fc7578b5 100644 --- a/nixos/boxes/skinnyv/default.nix +++ b/nixos/boxes/skinnyv/default.nix @@ -3,7 +3,6 @@ imports = [ ./hardware-configuration.nix - ./tailscale-skinnyv.nix ../../boot.nix ../../common.nix ../../backups.nix @@ -13,7 +12,6 @@ ../../gui ../../i3 ../../mercurial - ../../tailscale.nix ]; boot.kernelPackages = pkgs.linuxPackages_latest; diff --git a/nixos/boxes/skinnyv/tailscale-skinnyv.nix b/nixos/boxes/skinnyv/tailscale-skinnyv.nix deleted file mode 100644 index 1783f129..00000000 --- a/nixos/boxes/skinnyv/tailscale-skinnyv.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ config, pkgs, inputs, lib, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") - tailscale; -in { - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey tskey-kxGKSM5CNTRL-bMbXerV97q5LrVPUrHWjv - ''; - }; -} diff --git a/nixos/boxes/thinky/default.nix b/nixos/boxes/thinky/default.nix index 1b5a065e..d13e74a4 100644 --- a/nixos/boxes/thinky/default.nix +++ b/nixos/boxes/thinky/default.nix @@ -3,7 +3,6 @@ imports = [ ./hardware-configuration.nix - ./tailscale-thinky.nix ../../backups.nix ../../boot.nix ../../common.nix @@ -13,7 +12,6 @@ ../../gui ../../i3 ../../mercurial - ../../tailscale.nix ]; time.timeZone = "Europe/Warsaw"; diff --git a/nixos/boxes/thinky/tailscale-thinky.nix b/nixos/boxes/thinky/tailscale-thinky.nix deleted file mode 100644 index 3193eb5b..00000000 --- a/nixos/boxes/thinky/tailscale-thinky.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -{ config, pkgs, inputs, lib, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale; -in { - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey tskey-d046113d18dc78d71fd82afb - ''; - }; -} diff --git a/nixos/boxes/vpsfree1/default.nix b/nixos/boxes/vpsfree1/default.nix index 2ab83303..6dfb5e02 100644 --- a/nixos/boxes/vpsfree1/default.nix +++ b/nixos/boxes/vpsfree1/default.nix @@ -3,11 +3,9 @@ imports = [ ./vpsfree1-vpsadminos.nix - ./tailscale-vpsfree1.nix ../cli.nix ../../server-security.nix ../../server-common.nix - ../../tailscale.nix ./foundryvtt.nix ./cryptpad.nix ./syncthing-relay.nix diff --git a/nixos/boxes/vpsfree1/tailscale-vpsfree1.nix b/nixos/boxes/vpsfree1/tailscale-vpsfree1.nix deleted file mode 100644 index 8cd3f48f..00000000 --- a/nixos/boxes/vpsfree1/tailscale-vpsfree1.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -{ config, pkgs, inputs, lib, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale; -in { - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey tskey-ketJA57CNTRL-d8cMQZK6jjgtSDgXiarET1 - ''; - }; -} diff --git a/nixos/boxes/vultr1/default.nix b/nixos/boxes/vultr1/default.nix index a22e56c6..e5d65578 100644 --- a/nixos/boxes/vultr1/default.nix +++ b/nixos/boxes/vultr1/default.nix @@ -3,7 +3,6 @@ imports = [ ./vultr-boot.nix - ./tailscale-vultr1.nix ./folding.nix ./matrix-front.nix ./../nginx.nix @@ -12,7 +11,6 @@ ../cli.nix ../../server-security.nix ../../server-common.nix - ../../tailscale.nix ]; systemd.extraConfig = '' diff --git a/nixos/boxes/vultr1/tailscale-vultr1.nix b/nixos/boxes/vultr1/tailscale-vultr1.nix deleted file mode 100644 index ef33de2c..00000000 --- a/nixos/boxes/vultr1/tailscale-vultr1.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ config, pkgs, inputs, lib, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") - tailscale; -in { - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey tskey-kmTDw84CNTRL-WH1VhCX2XkFBZr84FfNm9Y - ''; - }; -} diff --git a/nixos/common-services.nix b/nixos/common-services.nix index 659b9809..d7ed5248 100644 --- a/nixos/common-services.nix +++ b/nixos/common-services.nix @@ -1,5 +1,6 @@ { config, pkgs, ... }: { console.keyMap = "pl"; + imports = [ ./tailscale ]; services = { udev.packages = [ pkgs.android-udev-rules ]; ratbagd.enable = true; diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix deleted file mode 100644 index 48f5fade..00000000 --- a/nixos/tailscale.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, inputs, ... }: -let - inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale; - -in { - environment.systemPackages = [ tailscale ]; - services.tailscale = { - enable = true; - package = tailscale; - }; - - networking.firewall = { - trustedInterfaces = [ "tailscale0" ]; - allowedUDPPorts = [ config.services.tailscale.port ]; - }; -} 
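Review bot: In the `nixos/common-services.nix` hunk, `imports = [ ./tailscale ];` sits between `console.keyMap` and `services`; `imports` is conventionally the first attribute of a module, and as this is now the only place Tailscale is wired in, the line deserves a comment stating the contract it creates, e.g. `# Every host importing this module enables tailscale, trusts tailscale0 in the firewall and runs tailscale-auth, which needs a tailscale-key-<hostName> entry in tailscale/keys.sops.yaml.` Before this commit each box opted in explicitly via `../../tailscale.nix`; after it every importer of `common-services.nix` joins the tailnet implicitly, which is worth a deliberate check that this is intended for all current and future hosts. The remaining hunks on this line are pure deletions.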
diff --git a/nixos/tailscale/default.nix b/nixos/tailscale/default.nix
new file mode 100644
index 00000000..ad4fb4fe
--- /dev/null
+++ b/nixos/tailscale/default.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, inputs, ... }:
+let
+ inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
+ tailscale;
+
+in {
+ environment.systemPackages = [ tailscale ];
+ services.tailscale = {
+ enable = true;
+ package = tailscale;
+ };
+
+ networking.firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+ sops.secrets."tailscale-key-${config.networking.hostName}" = {
+ mode = "0440";
+ owner = config.users.users.cyryl.name;
+ group = config.users.users.cyryl.group;
+ sopsFile = ./keys.sops.yaml;
+ };
+ systemd.services.tailscale-auth = {
+ description = "Auth with tailscale";
+
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = ''
+ sleep 2
+
+ status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ ${tailscale}/bin/tailscale up -authkey `cat /run/secrets/tailscale-key-${config.networking.hostName}`
+ '';
+ };
+}
diff --git a/nixos/tailscale/keys.sops.yaml b/nixos/tailscale/keys.sops.yaml
new file mode 100644
index 00000000..4b50943c
--- /dev/null
+++ b/nixos/tailscale/keys.sops.yaml
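Review bot: `sops.secrets."tailscale-key-${config.networking.hostName}"` is declared for every host that imports `common-services.nix`, yet the `keys.sops.yaml` added in the same commit carries only `tailscale-key-foureighty`, so bolty, skinnyv, thinky, vpsfree1 and vultr1 will fail on a missing secret until their entries are added. The secret is also made readable by the interactive `cyryl` account (`mode = "0440"`, `owner`/`group` set to cyryl) although the `tailscale-auth` unit sets no `User`, runs as root and is the only consumer; sops-nix's default root-owned `0400` is sufficient, so the `mode`, `owner` and `group` lines can be dropped. The script hardcodes `/run/secrets/…` and expands the key into the `tailscale up` argv, where any local process can read it from `/proc` while the command runs; reference `${config.sops.secrets."tailscale-key-${config.networking.hostName}".path}` instead of the literal path and, if the pinned tailscale release supports it, pass `--auth-key file:PATH` so the key never appears on the command line. `if [ $status = "Running" ]` leaves `$status` unquoted, so an empty reply from `tailscale status` while the daemon is still starting turns the test into a syntax error instead of taking the "not running" path; write `if [ "$status" = "Running" ]`. The six plaintext `tskey-…` keys this commit deletes remain in git history and should be revoked in the Tailscale admin console if that has not already been done.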
@@ -0,0 +1,57 @@ +tailscale-key-foureighty: ENC[AES256_GCM,data:9Yc2Bwf+WvFbz0L1UxEvFszXsfzsubDbiRbELMHUkRS8x4FJqZeGTw==,iv:sT5gbrlM3Id/XMD9S5v4tsohoRJpY3gyFVzKNQSYOYg=,tag:26+nM805hVZxYRnCtWisFg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheGtxVUdCb3hyL0J5dktV + cytQaEx1SVJ4dlF5WmU0WXBxaERzSHJvRm1NCmxObWJyZ01tdUFCbGVtdUN5ZU9J + eUhkNERSZVVGWmlDSkIvelZmQWNKTXMKLS0tIEVldGRTK1A2dnpIN2pnTnhpQjBO + SUFFUnV6ZnZsSzE2MHRyWnJuSGtYMk0KkTCNAcfoh3yOHNsB7yEZujWxMvt8jvwW + A1x8ne6EDEqAOi9qpC7GqY8g7jQ+wEktdVseKZORs52eEZOLTEAH/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdXAwMmRYUFhhQzgwY2pz + cmtJNWVIMjJjb3lML2k3NCtPUWlaQTdmYUJvCitFeEUvTmV3UndjMEp2dHY0QXdC + S0lKWSswTE1nNU9DSkc1SUNtN2xPZlUKLS0tIGpHdllZdkNJY1lKSWdkaG9PYTI3 + aVJ3SWhZV0h0WGs5T1ZxNTA1TDVLNm8K1ikCGLZ2ldqGndKSv96N89sP+ZAP6DRS + ryfrDLiSAtnP3TkBf4AjYyzSGqoLio24PdCMmrMK1kJB9j1HdWz60g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMTRhQWQ1N2d5emk3bGRW + T1ZwbjkvcmtEM0RFSCsyd0hIU2dlUFp3am1nCnQ3dHlydWlWblU0dFV2MlZvS1Vv + c2lkNGwrUVdiaXRrZlRpdFMvOWlJbkUKLS0tIGZEUk0wNDhBSkZ2YldoaG1JbmMz + bFVxazNlaWVWVW1HeWE0ZFBEbzZwZVEKCMh4J35MS1I1i3MY3ERJz+RnMV7Brc/s + tZ4xcV1RmT+eLz61odS0stRPwWZt6z/AT9kFPfuJ7ajnbEG1y+QsBw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWkdxSFZ5NjdsMDNLdncr + cGQ1TnhLSHJNamM4Rm9YZTFrY082NU9hYTNvCnJQc043SUZSYXArcFY5S1lSbDcw + 
TkJSazRHY3lKS1ZXS2lYeFp1bWFPU2cKLS0tIHpzc1F4UTdwbWIwa245TlB4cmpN + dXVJZzZBTWdpc0dxbDhHNklZd1o3MWcKk8yHV69/dTAY9KA9f3v8mh542KFODTZH + M+g9wvxF+LIPtqsVsO0AwJax2dEZ+qEf3FZr/ZxYFPUCBmaJn/+Zxg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OGkzTGNvRm5MZ0h4aTJz + VGVBTWhDQUtIc29sUFJOaytLOStlc2x5bzFjCmQyUTVIc1JYbUd1ZEFlU2ZQU1NI + ZEVnSjBaZ2RDVDNNS1FxQzh5Sm9qQm8KLS0tIGVVd1BUZzJuR0MzeW8vMEZSRHNk + eFBLY0MybzVvVFB1L0F5eE9CUXBMWXMK5Eqhb43xV4Itt+FIQeGn0iJP/a43Fk+9 + d8r9mvv7ZKRCWPjJCkJnX+5r1nBKzcLqa/tCPNqT+pXDfAy6gJVtcQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-08-19T17:37:35Z" + mac: ENC[AES256_GCM,data:qnyVQpFRiLoAwFt9Ph0PHvUqWhPmqoysHXwWIZXVYUoOX3fgVEQJBk5hdenqZh7hYV7++uW3wl7c5w5XaBvM3fzFhwocy+qP4NpcVv9yP9XMNPbPAehJTSJ6SgYU0pkCl5m675cuCt4Ify+iITN2b4s4Luyn/IwnMNXQTF7FUZs=,iv:w+fr5j4l0T+hKbTTM8KR9HbhuIk3xvfv15O/xrabiAE=,tag:2MFDkmOOkt1h5K/yOXxxAg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3