move to tailscale

Cyryl Płotnicki 2021-06-12 15:46:26 +01:00
parent bcd18530c7
commit c71b538a09
19 changed files with 46 additions and 99 deletions


@ -8,7 +8,7 @@ in
restic.backups.home-to-brix = { restic.backups.home-to-brix = {
passwordFile = "/etc/nixos/secrets/restic-password-brix"; passwordFile = "/etc/nixos/secrets/restic-password-brix";
paths = [ "/home" ]; paths = [ "/home" ];
repository = "rest:http://brix.vpn:8000/"; repository = "rest:http://brix:8000/";
timerConfig = { OnCalendar = "hourly"; }; timerConfig = { OnCalendar = "hourly"; };
extraBackupArgs = extraArgs; extraBackupArgs = extraArgs;
}; };


@ -8,7 +8,6 @@
../../boot.nix ../../boot.nix
../../common.nix ../../common.nix
../../gfx-intel.nix ../../gfx-intel.nix
../../zerotier.nix
../../i3 ../../i3
../../distributed-builds.nix ../../distributed-builds.nix
../../gui ../../gui


@ -5,7 +5,6 @@
./real-hardware.nix ./real-hardware.nix
../../server-security.nix ../../server-security.nix
../cli.nix ../cli.nix
../vpn.nix
../../tailscale.nix ../../tailscale.nix
./tailscale-brix.nix ./tailscale-brix.nix
./restic-server.nix ./restic-server.nix


@ -18,7 +18,7 @@
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
bind_address = "brix.vpn"; bind_address = "brix";
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
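Review bot: With `bind_address = "brix"` on the listener line, where synapse actually listens now depends on what `brix` resolves to on the host itself, since the static `brix.vpn` hosts entries are deleted in this same commit; if the name resolves to a LAN or loopback-style address rather than the tailnet address, this plaintext listener (`tls = false`) that honours forwarded client addresses (`x_forwarded = true`) is reachable from whatever network that address sits on, while the nginx proxy on vultr1 expects to reach it over the tailnet. The restic REST server's `listenAddress = "brix:8000"` in this commit has the same dependency and runs with `--no-auth`, so the bound address is its only access control. Consider binding to the Tailscale interface address explicitly, or at least record the assumption next to the value: `bind_address = "brix"; # must resolve to the tailnet address (MagicDNS); listener is plaintext and trusts X-Forwarded-For`. The `listeners` entry continues past the end of the hunk.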


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
networking.firewall.enable = true; networking.firewall.enable = true;
@ -17,6 +17,8 @@
''; '';
}; };
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
];
hardware.printers.ensurePrinters = [{ hardware.printers.ensurePrinters = [{
description = "Epson XP-540"; description = "Epson XP-540";
location = "connected to brix"; location = "connected to brix";
@ -28,7 +30,7 @@
hardware.sane = { hardware.sane = {
enable = true; enable = true;
extraBackends = with pkgs; [ epkowa utsushi sane-airscan gawk ]; extraBackends = with pkgs; [ utsushi sane-airscan gawk ];
snapshot = true; snapshot = true;
}; };
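Review bot: The new `allowUnfreePredicate` in the second hunk has an empty list, which permits nothing and is equivalent to the default, so as written it is dead configuration; `epkowa` being dropped from the sane backends in the third hunk suggests the intent was to stop allowing unfree packages here, and a comment would make that explicit: `# per-host unfree allowlist; add package names (as returned by lib.getName) here`. If this host also imports a module that defines the same option (folding.nix in this commit sets it to `[ "fahclient" ]`), nixpkgs.config definitions are merged with the later one overriding, as far as I recall, so only one of the two predicates would take effect.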


@ -7,7 +7,7 @@
dataDir = "/data/restic"; dataDir = "/data/restic";
appendOnly = true; appendOnly = true;
prometheus = true; prometheus = true;
listenAddress = "brix.vpn:8000"; listenAddress = "brix:8000";
extraFlags = [ "--no-auth" ]; extraFlags = [ "--no-auth" ];
}; };


@ -7,7 +7,6 @@
../../boot.nix ../../boot.nix
../../common.nix ../../common.nix
../../gfx-intel.nix ../../gfx-intel.nix
../../zerotier.nix
../../tailscale.nix ../../tailscale.nix
./tailscale-foureighty.nix ./tailscale-foureighty.nix
../../distributed-builds.nix ../../distributed-builds.nix


@ -7,7 +7,6 @@
../../boot.nix ../../boot.nix
../../common.nix ../../common.nix
../../gfx-intel.nix ../../gfx-intel.nix
../../zerotier.nix
../../i3 ../../i3
../../distributed-builds.nix ../../distributed-builds.nix
../../gui ../../gui


@ -1,16 +0,0 @@
{ config, pkgs, ... }:
{
nixpkgs.config = {
allowUnfree = true;
};
services.zerotierone = {
enable = true;
joinNetworks = [ "d3ecf5726d580b5a" ];
};
networking.hosts = {
"172.23.153.159" = [ "brix.vpn" ];
"172.23.28.139" = [ "vultr1.vpn" ];
};
}


@ -4,11 +4,11 @@
imports = [ imports = [
./vultr-boot.nix ./vultr-boot.nix
../vpn.nix
../../server-security.nix ../../server-security.nix
../../tailscale.nix
./tailscale-vultr1.nix
../cli.nix ../cli.nix
./nginx.nix ./nginx.nix
./search.nix
./folding.nix ./folding.nix
./matrix-front.nix ./matrix-front.nix
]; ];


@ -1,5 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"fahclient"
];
services.foldingathome = { services.foldingathome = {
enable = true; enable = true;
user = "cyplo"; user = "cyplo";


@ -31,7 +31,7 @@
''; '';
locations."/_matrix" = { locations."/_matrix" = {
proxyPass = "http://brix.vpn:8008"; # without a trailing / proxyPass = "http://brix:8008"; # without a trailing /
}; };
}; };
}; };


@ -1,27 +0,0 @@
{ config, pkgs, ... }:
{
services.nginx = {
virtualHosts = {
"search.cyplo.dev" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
access_log /dev/null;
error_log /dev/null;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
'';
locations."/" = {
proxyPass = "http://localhost:8888";
};
};
};
};
services.searx = {
enable = true;
};
}


@ -0,0 +1,29 @@
{ config, pkgs, inputs, lib, ... }:
{
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey tskey-d6d3e4b981980045e18d0e64
'';
};
}
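Review bot: The `tailscale up -authkey tskey-…` line embeds the Tailscale auth key in the Nix expression, so it is now in the repository history and, because the script becomes a derivation, in the world-readable Nix store of every host that evaluates this module; the key should be treated as exposed and revoked in the Tailscale admin console, and the replacement read from a file outside the store at run time, following the `passwordFile = "/etc/nixos/secrets/…"` convention already used for restic in this commit, e.g. `${tailscale}/bin/tailscale up -authkey "$(cat /etc/nixos/secrets/tailscale-authkey)"` (path chosen to match that convention). Separately, `$status` is unquoted in the `[ … = "Running" ]` test, so if the status query yields nothing (tailscaled not answering yet, jq error) the test degrades to a shell syntax error instead of falling through to the `up` branch; `if [ "$status" = "Running" ]; then` is the safe form. The `inputs` and `lib` arguments in the module header are unused.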


@ -9,12 +9,6 @@
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
nixpkgs.config = {
allowUnfree = true;
};
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
hardware.pulseaudio = { hardware.pulseaudio = {
@ -46,7 +40,7 @@
hardware.printers.ensurePrinters = [{ hardware.printers.ensurePrinters = [{
description = "Epson XP-540 via brix"; description = "Epson XP-540 via brix";
name = "epson_xp540_via_brix"; name = "epson_xp540_via_brix";
deviceUri = "ipp://brix.vpn:631/printers/epson_xp540"; deviceUri = "ipp://brix:631/printers/epson_xp540";
model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd"; model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
ppdOptions = { PageSize = "A4"; Duplex = "DuplexNoTumble"; }; ppdOptions = { PageSize = "A4"; Duplex = "DuplexNoTumble"; };
}]; }];
@ -56,7 +50,7 @@
netConf = '' netConf = ''
10.0.0.232 10.0.0.232
brix.local brix.local
brix.vpn brix
''; '';
snapshot = true; snapshot = true;
extraBackends = with pkgs; [ sane-airscan utsushi ]; extraBackends = with pkgs; [ sane-airscan utsushi ];
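Review bot: Removing `nixpkgs.config = { allowUnfree = true; };` in the first hunk while `hardware.enableAllFirmware = true` stays on the line above it may fail evaluation: as I recall, the NixOS all-firmware module asserts that `nixpkgs.config.allowUnfree` is set when `enableAllFirmware` is enabled, and an `allowUnfreePredicate` allowlist such as the ones added elsewhere in this commit does not satisfy that check. Since `hardware.enableRedistributableFirmware = true` is already set a few lines below, either drop `enableAllFirmware` or keep `allowUnfree` on this host; which is right depends on whether the hardware needs non-redistributable blobs, which is not visible here.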


@ -6,7 +6,7 @@
nix.buildMachines = [ nix.buildMachines = [
{ {
hostName = "brix.vpn"; hostName = "brix";
sshUser = "nix-builder"; sshUser = "nix-builder";
sshKey = "/home/cyryl/.ssh/id_ed25519"; sshKey = "/home/cyryl/.ssh/id_ed25519";
system = "x86_64-linux"; system = "x86_64-linux";
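Review bot: Changing `hostName` to `"brix"` changes the name the build client's ssh uses for host-key lookup, so an existing known_hosts entry pinned to `brix.vpn` no longer matches; depending on the ssh client's host-key policy the first remote build will either fail or accept the builder's key on first use without verification. Pin the builder's host key under the new name (root's known_hosts, or the build machine's public host key option if the NixOS version in use provides one) so the `nix-builder` connection keeps verifying the remote rather than trusting it on first contact. The `nix.buildMachines` entry continues past the end of the hunk.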


@ -1,20 +0,0 @@
server:
http_listen_port: 28183
grpc_listen_port: 0
positions:
filename: /tmp/positions.yaml
clients:
- url: http://vultr1.vpn:3100/loki/api/v1/push
scrape_configs:
- job_name: journal
journal:
max_age: 12h
labels:
job: systemd-journal
host: foureighty
relabel_configs:
- source_labels: ["__journal__systemd_unit"]
target_label: "unit"


@ -1,7 +1,6 @@
{ {
permittedInsecurePackages = [ permittedInsecurePackages = [
]; ];
allowUnfree = true;
packageOverrides = pkgs: { packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };


@ -1,13 +0,0 @@
{ config, pkgs, ... }:
{
services.zerotierone = {
enable = true;
joinNetworks = [ "d3ecf5726d580b5a" ];
};
networking.hosts = {
"172.23.153.159" = [ "brix.vpn" ];
"172.23.28.139" = [ "vultr1.vpn" ];
};
}