make tailscale auth service be defined just once

nixos/boxes/bolty/default.nix

@@ -2,9 +2,7 @@
   imports = [
     ./bolty-boot.nix
     ./real-hardware.nix
-    ./tailscale-bolty.nix
     ../../server-security.nix
-    ../../tailscale.nix
     ../cli.nix
     ./matrix-server.nix
     ./nextcloud.nix

nixos/boxes/bolty/tailscale-bolty.nix

@@ -1,31 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale;
-in {
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-kmZDQd4CNTRL-Ezwsqwk6xnVjLyLTGS1N7 
-    '';
-  };
-}

nixos/boxes/foureighty/default.nix

@@ -4,7 +4,6 @@
   imports = [
     inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t480
     ./hardware-configuration.nix
-    ./tailscale-foureighty.nix
     ./thermal.nix
     ../../backups.nix
     ../../boot.nix
@@ -15,7 +14,6 @@
     ../../i3
     ../../libvirt.nix
     ../../mercurial
-    ../../tailscale.nix
   ];
 
   fileSystems."/" = { options = [ "compress=zstd" ]; };

nixos/boxes/foureighty/tailscale-foureighty.nix

@@ -1,32 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
-    tailscale;
-in {
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-kaL3of6CNTRL-SkvotNvHLZSzmX3oob7ot
-    '';
-  };
-}

nixos/boxes/skinnyv/default.nix

@@ -3,7 +3,6 @@
 
   imports = [
     ./hardware-configuration.nix
-    ./tailscale-skinnyv.nix
     ../../boot.nix
     ../../common.nix
     ../../backups.nix
@@ -13,7 +12,6 @@
     ../../gui
     ../../i3
     ../../mercurial
-    ../../tailscale.nix
   ];
 
   boot.kernelPackages = pkgs.linuxPackages_latest;

nixos/boxes/skinnyv/tailscale-skinnyv.nix

@@ -1,32 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
-    tailscale;
-in {
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-kxGKSM5CNTRL-bMbXerV97q5LrVPUrHWjv
-    '';
-  };
-}

nixos/boxes/thinky/default.nix

@@ -3,7 +3,6 @@
 
   imports = [
     ./hardware-configuration.nix
-    ./tailscale-thinky.nix
     ../../backups.nix
     ../../boot.nix
     ../../common.nix
@@ -13,7 +12,6 @@
     ../../gui
     ../../i3
     ../../mercurial
-    ../../tailscale.nix
   ];
 
   time.timeZone = "Europe/Warsaw";

nixos/boxes/thinky/tailscale-thinky.nix

@@ -1,31 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale;
-in {
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-d046113d18dc78d71fd82afb
-    '';
-  };
-}

nixos/boxes/vpsfree1/default.nix

@@ -3,11 +3,9 @@
 
   imports = [
     ./vpsfree1-vpsadminos.nix
-    ./tailscale-vpsfree1.nix
     ../cli.nix
     ../../server-security.nix
     ../../server-common.nix
-    ../../tailscale.nix
     ./foundryvtt.nix
     ./cryptpad.nix
     ./syncthing-relay.nix

nixos/boxes/vpsfree1/tailscale-vpsfree1.nix

@@ -1,31 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale;
-in {
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-ketJA57CNTRL-d8cMQZK6jjgtSDgXiarET1
-    '';
-  };
-}

nixos/boxes/vultr1/default.nix

@@ -3,7 +3,6 @@
 
   imports = [
     ./vultr-boot.nix
-    ./tailscale-vultr1.nix
     ./folding.nix
     ./matrix-front.nix
     ./../nginx.nix
@@ -12,7 +11,6 @@
     ../cli.nix
     ../../server-security.nix
     ../../server-common.nix
-    ../../tailscale.nix
   ];
 
   systemd.extraConfig = ''

nixos/boxes/vultr1/tailscale-vultr1.nix

@@ -1,32 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
-    tailscale;
-in {
-  systemd.services.tailscale-autoconnect = {
-    description = "Automatic connection to Tailscale";
-
-    # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
-    wantedBy = [ "multi-user.target" ];
-
-    # set this service as a oneshot job
-    serviceConfig.Type = "oneshot";
-
-    # have the job run this shell script
-    script = ''
-      # wait for tailscaled to settle
-      sleep 2
-
-      # check if we are already authenticated to tailscale
-      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
-      if [ $status = "Running" ]; then # if so, then do nothing
-        exit 0
-      fi
-
-      # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-kmTDw84CNTRL-WH1VhCX2XkFBZr84FfNm9Y
-    '';
-  };
-}

nixos/common-services.nix

@@ -1,5 +1,6 @@
 { config, pkgs, ... }: {
   console.keyMap = "pl";
+  imports = [ ./tailscale ];
   services = {
     udev.packages = [ pkgs.android-udev-rules ];
     ratbagd.enable = true;

nixos/tailscale.nix

@@ -1,16 +0,0 @@
-{ config, pkgs, inputs, ... }:
-let
-  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux") tailscale;
-
-in {
-  environment.systemPackages = [ tailscale ];
-  services.tailscale = {
-    enable = true;
-    package = tailscale;
-  };
-
-  networking.firewall = {
-    trustedInterfaces = [ "tailscale0" ];
-    allowedUDPPorts = [ config.services.tailscale.port ];
-  };
-}

nixos/tailscale/default.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, inputs, ... }:
+let
+  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
+    tailscale;
+
+in {
+  environment.systemPackages = [ tailscale ];
+  services.tailscale = {
+    enable = true;
+    package = tailscale;
+  };
+
+  networking.firewall = {
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+  sops.secrets."tailscale-key-${config.networking.hostName}" = {
+    mode = "0440";
+    owner = config.users.users.cyryl.name;
+    group = config.users.users.cyryl.group;
+    sopsFile = ./keys.sops.yaml;
+  };
+  systemd.services.tailscale-auth = {
+    description = "Auth with tailscale";
+
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig.Type = "oneshot";
+
+    script = ''
+      sleep 2
+
+      status="$(${tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      ${tailscale}/bin/tailscale up -authkey `cat /run/secrets/tailscale-key-${config.networking.hostName}` 
+    '';
+  };
+}

nixos/tailscale/keys.sops.yaml

@@ -0,0 +1,57 @@
+tailscale-key-foureighty: ENC[AES256_GCM,data:9Yc2Bwf+WvFbz0L1UxEvFszXsfzsubDbiRbELMHUkRS8x4FJqZeGTw==,iv:sT5gbrlM3Id/XMD9S5v4tsohoRJpY3gyFVzKNQSYOYg=,tag:26+nM805hVZxYRnCtWisFg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheGtxVUdCb3hyL0J5dktV
+            cytQaEx1SVJ4dlF5WmU0WXBxaERzSHJvRm1NCmxObWJyZ01tdUFCbGVtdUN5ZU9J
+            eUhkNERSZVVGWmlDSkIvelZmQWNKTXMKLS0tIEVldGRTK1A2dnpIN2pnTnhpQjBO
+            SUFFUnV6ZnZsSzE2MHRyWnJuSGtYMk0KkTCNAcfoh3yOHNsB7yEZujWxMvt8jvwW
+            A1x8ne6EDEqAOi9qpC7GqY8g7jQ+wEktdVseKZORs52eEZOLTEAH/Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQdXAwMmRYUFhhQzgwY2pz
+            cmtJNWVIMjJjb3lML2k3NCtPUWlaQTdmYUJvCitFeEUvTmV3UndjMEp2dHY0QXdC
+            S0lKWSswTE1nNU9DSkc1SUNtN2xPZlUKLS0tIGpHdllZdkNJY1lKSWdkaG9PYTI3
+            aVJ3SWhZV0h0WGs5T1ZxNTA1TDVLNm8K1ikCGLZ2ldqGndKSv96N89sP+ZAP6DRS
+            ryfrDLiSAtnP3TkBf4AjYyzSGqoLio24PdCMmrMK1kJB9j1HdWz60g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMTRhQWQ1N2d5emk3bGRW
+            T1ZwbjkvcmtEM0RFSCsyd0hIU2dlUFp3am1nCnQ3dHlydWlWblU0dFV2MlZvS1Vv
+            c2lkNGwrUVdiaXRrZlRpdFMvOWlJbkUKLS0tIGZEUk0wNDhBSkZ2YldoaG1JbmMz
+            bFVxazNlaWVWVW1HeWE0ZFBEbzZwZVEKCMh4J35MS1I1i3MY3ERJz+RnMV7Brc/s
+            tZ4xcV1RmT+eLz61odS0stRPwWZt6z/AT9kFPfuJ7ajnbEG1y+QsBw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTWkdxSFZ5NjdsMDNLdncr
+            cGQ1TnhLSHJNamM4Rm9YZTFrY082NU9hYTNvCnJQc043SUZSYXArcFY5S1lSbDcw
+            TkJSazRHY3lKS1ZXS2lYeFp1bWFPU2cKLS0tIHpzc1F4UTdwbWIwa245TlB4cmpN
+            dXVJZzZBTWdpc0dxbDhHNklZd1o3MWcKk8yHV69/dTAY9KA9f3v8mh542KFODTZH
+            M+g9wvxF+LIPtqsVsO0AwJax2dEZ+qEf3FZr/ZxYFPUCBmaJn/+Zxg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OGkzTGNvRm5MZ0h4aTJz
+            VGVBTWhDQUtIc29sUFJOaytLOStlc2x5bzFjCmQyUTVIc1JYbUd1ZEFlU2ZQU1NI
+            ZEVnSjBaZ2RDVDNNS1FxQzh5Sm9qQm8KLS0tIGVVd1BUZzJuR0MzeW8vMEZSRHNk
+            eFBLY0MybzVvVFB1L0F5eE9CUXBMWXMK5Eqhb43xV4Itt+FIQeGn0iJP/a43Fk+9
+            d8r9mvv7ZKRCWPjJCkJnX+5r1nBKzcLqa/tCPNqT+pXDfAy6gJVtcQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-08-19T17:37:35Z"
+    mac: ENC[AES256_GCM,data:qnyVQpFRiLoAwFt9Ph0PHvUqWhPmqoysHXwWIZXVYUoOX3fgVEQJBk5hdenqZh7hYV7++uW3wl7c5w5XaBvM3fzFhwocy+qP4NpcVv9yP9XMNPbPAehJTSJ6SgYU0pkCl5m675cuCt4Ify+iITN2b4s4Luyn/IwnMNXQTF7FUZs=,iv:w+fr5j4l0T+hKbTTM8KR9HbhuIk3xvfv15O/xrabiAE=,tag:2MFDkmOOkt1h5K/yOXxxAg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3