move to tailscale

nixos/backups.nix

@@ -8,7 +8,7 @@ in
       restic.backups.home-to-brix = {
         passwordFile = "/etc/nixos/secrets/restic-password-brix";
         paths = [ "/home" ];
-        repository = "rest:http://brix.vpn:8000/";
+        repository = "rest:http://brix:8000/";
         timerConfig = { OnCalendar = "hourly"; };
         extraBackupArgs = extraArgs;
       };

nixos/boxes/bootstrap/2.nix

@@ -8,7 +8,6 @@
     ../../boot.nix
     ../../common.nix
     ../../gfx-intel.nix
-    ../../zerotier.nix
     ../../i3
     ../../distributed-builds.nix
     ../../gui

nixos/boxes/brix/default.nix

@@ -5,7 +5,6 @@
     ./real-hardware.nix
     ../../server-security.nix
     ../cli.nix
-    ../vpn.nix
     ../../tailscale.nix
     ./tailscale-brix.nix
     ./restic-server.nix

nixos/boxes/brix/matrix-server.nix

@@ -18,7 +18,7 @@
     listeners = [
       {
         port = 8008;
-        bind_address = "brix.vpn";
+        bind_address = "brix";
         type = "http";
         tls = false;
         x_forwarded = true;

nixos/boxes/brix/print-server.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
 
   networking.firewall.enable = true;
@@ -17,6 +17,8 @@
     '';
   };
 
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+  ];
   hardware.printers.ensurePrinters = [{
     description = "Epson XP-540";
     location = "connected to brix";
@@ -28,7 +30,7 @@
 
   hardware.sane = {
     enable = true;
-    extraBackends = with pkgs; [ epkowa utsushi sane-airscan gawk ];
+    extraBackends = with pkgs; [ utsushi sane-airscan gawk ];
     snapshot = true;
   };
 

nixos/boxes/brix/restic-server.nix

@@ -7,7 +7,7 @@
     dataDir = "/data/restic";
     appendOnly = true;
     prometheus = true;
-    listenAddress = "brix.vpn:8000";
+    listenAddress = "brix:8000";
     extraFlags = [ "--no-auth" ];
   };
 

nixos/boxes/foureighty/default.nix

@@ -7,7 +7,6 @@
     ../../boot.nix
     ../../common.nix
     ../../gfx-intel.nix
-    ../../zerotier.nix
     ../../tailscale.nix
     ./tailscale-foureighty.nix
     ../../distributed-builds.nix

nixos/boxes/skinnyv/default.nix

@@ -7,7 +7,6 @@
     ../../boot.nix
     ../../common.nix
     ../../gfx-intel.nix
-    ../../zerotier.nix
     ../../i3
     ../../distributed-builds.nix
     ../../gui

nixos/boxes/vpn.nix

@@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-{
-  nixpkgs.config = {
-    allowUnfree = true;
-  };
-
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "d3ecf5726d580b5a" ];
-  };
-
-  networking.hosts = {
-    "172.23.153.159" = [ "brix.vpn" ];
-    "172.23.28.139" = [ "vultr1.vpn" ];
-  };
-}

nixos/boxes/vultr1/default.nix

@@ -4,11 +4,11 @@
 
   imports = [
     ./vultr-boot.nix
-    ../vpn.nix
     ../../server-security.nix
+    ../../tailscale.nix
+    ./tailscale-vultr1.nix
     ../cli.nix
     ./nginx.nix
-    ./search.nix
     ./folding.nix
     ./matrix-front.nix
   ];

nixos/boxes/vultr1/folding.nix

@@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "fahclient"
+  ];
   services.foldingathome = {
     enable = true;
     user = "cyplo";

nixos/boxes/vultr1/matrix-front.nix

@@ -31,7 +31,7 @@
             '';
 
             locations."/_matrix" = {
-              proxyPass = "http://brix.vpn:8008"; # without a trailing /
+              proxyPass = "http://brix:8008"; # without a trailing /
             };
           };
         };

nixos/boxes/vultr1/search.nix

@@ -1,27 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  services.nginx = {
-    virtualHosts = {
-      "search.cyplo.dev" = {
-        forceSSL = true;
-        enableACME = true;
-        extraConfig = ''
-          access_log /dev/null;
-          error_log /dev/null;
-          proxy_connect_timeout 60s;
-          proxy_send_timeout 60s;
-          proxy_read_timeout 60s;
-        '';
-        locations."/" = {
-          proxyPass = "http://localhost:8888";
-        };
-      };
-    };
-  };
-
-  services.searx = {
-    enable = true;
-  };
-}
-

nixos/boxes/vultr1/tailscale-vultr1.nix

@@ -0,0 +1,29 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey tskey-d6d3e4b981980045e18d0e64
+    '';
+  };
+}

nixos/common-hardware.nix

@@ -9,12 +9,6 @@
 
   hardware.enableAllFirmware = true;
 
-
-  nixpkgs.config = {
-    allowUnfree = true;
-  };
-
-
   hardware.enableRedistributableFirmware = true;
   hardware.cpu.intel.updateMicrocode = true;
   hardware.pulseaudio = {
@@ -46,7 +40,7 @@
   hardware.printers.ensurePrinters = [{
     description = "Epson XP-540 via brix";
     name = "epson_xp540_via_brix";
-    deviceUri = "ipp://brix.vpn:631/printers/epson_xp540";
+    deviceUri = "ipp://brix:631/printers/epson_xp540";
     model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
     ppdOptions = { PageSize = "A4"; Duplex = "DuplexNoTumble"; };
   }];
@@ -56,7 +50,7 @@
     netConf = ''
       10.0.0.232
       brix.local
-      brix.vpn
+      brix
     '';
     snapshot = true;
     extraBackends = with pkgs; [ sane-airscan utsushi ];

nixos/distributed-builds.nix

@@ -6,7 +6,7 @@
 
   nix.buildMachines = [
     {
-      hostName = "brix.vpn";
+      hostName = "brix";
       sshUser = "nix-builder";
       sshKey = "/home/cyryl/.ssh/id_ed25519";
       system = "x86_64-linux";

nixos/promtail.yaml

@@ -1,20 +0,0 @@
-server:
-  http_listen_port: 28183
-  grpc_listen_port: 0
-
-positions:
-  filename: /tmp/positions.yaml
-
-clients:
-  - url: http://vultr1.vpn:3100/loki/api/v1/push
-
-scrape_configs:
-  - job_name: journal
-    journal:
-      max_age: 12h
-      labels:
-        job: systemd-journal
-        host: foureighty
-    relabel_configs:
-      - source_labels: ["__journal__systemd_unit"]
-        target_label: "unit"

nixos/shell-config.nix

@@ -1,7 +1,6 @@
 {
   permittedInsecurePackages = [
   ];
-  allowUnfree = true;
   packageOverrides = pkgs: {
     vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
   };

nixos/zerotier.nix

@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-{
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "d3ecf5726d580b5a" ];
-  };
-
-  networking.hosts = {
-    "172.23.153.159" = [ "brix.vpn" ];
-    "172.23.28.139" = [ "vultr1.vpn" ];
-  };
-
-}