move to tailscale

2021-06-12 15:46:26 +01:00 · 2021-06-12 15:46:26 +01:00 · c71b538a09
commit c71b538a09
parent bcd18530c7
19 changed files with 46 additions and 99 deletions
--- a/nixos/backups.nix
+++ b/nixos/backups.nix
@ -8,7 +8,7 @@ in
      restic.backups.home-to-brix = {
        passwordFile = "/etc/nixos/secrets/restic-password-brix";
        paths = [ "/home" ];
-        repository = "rest:http://brix.vpn:8000/";
+        repository = "rest:http://brix:8000/";
        timerConfig = { OnCalendar = "hourly"; };
        extraBackupArgs = extraArgs;
      };
--- a/nixos/boxes/bootstrap/2.nix
+++ b/nixos/boxes/bootstrap/2.nix
@ -8,7 +8,6 @@
    ../../boot.nix
    ../../common.nix
    ../../gfx-intel.nix
-    ../../zerotier.nix
    ../../i3
    ../../distributed-builds.nix
    ../../gui
--- a/nixos/boxes/brix/default.nix
+++ b/nixos/boxes/brix/default.nix
@ -5,7 +5,6 @@
    ./real-hardware.nix
    ../../server-security.nix
    ../cli.nix
-    ../vpn.nix
    ../../tailscale.nix
    ./tailscale-brix.nix
    ./restic-server.nix
--- a/nixos/boxes/brix/matrix-server.nix
+++ b/nixos/boxes/brix/matrix-server.nix
@ -18,7 +18,7 @@
    listeners = [
      {
        port = 8008;
-        bind_address = "brix.vpn";
+        bind_address = "brix";
        type = "http";
        tls = false;
        x_forwarded = true;
--- a/nixos/boxes/brix/print-server.nix
+++ b/nixos/boxes/brix/print-server.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {

  networking.firewall.enable = true;
@ -17,6 +17,8 @@
    '';
  };

+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+  ];
  hardware.printers.ensurePrinters = [{
    description = "Epson XP-540";
    location = "connected to brix";
@ -28,7 +30,7 @@

  hardware.sane = {
    enable = true;
-    extraBackends = with pkgs; [ epkowa utsushi sane-airscan gawk ];
+    extraBackends = with pkgs; [ utsushi sane-airscan gawk ];
    snapshot = true;
  };

--- a/nixos/boxes/brix/restic-server.nix
+++ b/nixos/boxes/brix/restic-server.nix
@ -7,7 +7,7 @@
    dataDir = "/data/restic";
    appendOnly = true;
    prometheus = true;
-    listenAddress = "brix.vpn:8000";
+    listenAddress = "brix:8000";
    extraFlags = [ "--no-auth" ];
  };

--- a/nixos/boxes/foureighty/default.nix
+++ b/nixos/boxes/foureighty/default.nix
@ -7,7 +7,6 @@
    ../../boot.nix
    ../../common.nix
    ../../gfx-intel.nix
-    ../../zerotier.nix
    ../../tailscale.nix
    ./tailscale-foureighty.nix
    ../../distributed-builds.nix
--- a/nixos/boxes/skinnyv/default.nix
+++ b/nixos/boxes/skinnyv/default.nix
@ -7,7 +7,6 @@
    ../../boot.nix
    ../../common.nix
    ../../gfx-intel.nix
-    ../../zerotier.nix
    ../../i3
    ../../distributed-builds.nix
    ../../gui
--- a/nixos/boxes/vpn.nix
+++ b/nixos/boxes/vpn.nix
@ -1,16 +0,0 @@
-{ config, pkgs, ... }:
-{
-  nixpkgs.config = {
-    allowUnfree = true;
-  };
-
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "d3ecf5726d580b5a" ];
-  };
-
-  networking.hosts = {
-    "172.23.153.159" = [ "brix.vpn" ];
-    "172.23.28.139" = [ "vultr1.vpn" ];
-  };
-}
--- a/nixos/boxes/vultr1/default.nix
+++ b/nixos/boxes/vultr1/default.nix
@ -4,11 +4,11 @@

  imports = [
    ./vultr-boot.nix
-    ../vpn.nix
    ../../server-security.nix
+    ../../tailscale.nix
+    ./tailscale-vultr1.nix
    ../cli.nix
    ./nginx.nix
-    ./search.nix
    ./folding.nix
    ./matrix-front.nix
  ];
--- a/nixos/boxes/vultr1/folding.nix
+++ b/nixos/boxes/vultr1/folding.nix
@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "fahclient"
+  ];
  services.foldingathome = {
    enable = true;
    user = "cyplo";
--- a/nixos/boxes/vultr1/matrix-front.nix
+++ b/nixos/boxes/vultr1/matrix-front.nix
@ -31,7 +31,7 @@
            '';

            locations."/_matrix" = {
-              proxyPass = "http://brix.vpn:8008"; # without a trailing /
+              proxyPass = "http://brix:8008"; # without a trailing /
            };
          };
        };
--- a/nixos/boxes/vultr1/search.nix
+++ b/nixos/boxes/vultr1/search.nix
@ -1,27 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  services.nginx = {
-    virtualHosts = {
-      "search.cyplo.dev" = {
-        forceSSL = true;
-        enableACME = true;
-        extraConfig = ''
-          access_log /dev/null;
-          error_log /dev/null;
-          proxy_connect_timeout 60s;
-          proxy_send_timeout 60s;
-          proxy_read_timeout 60s;
-        '';
-        locations."/" = {
-          proxyPass = "http://localhost:8888";
-        };
-      };
-    };
-  };
-
-  services.searx = {
-    enable = true;
-  };
-}
-
--- a/nixos/boxes/vultr1/tailscale-vultr1.nix
+++ b/nixos/boxes/vultr1/tailscale-vultr1.nix
@ -0,0 +1,29 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey tskey-d6d3e4b981980045e18d0e64
+    '';
+  };
+}
--- a/nixos/common-hardware.nix
+++ b/nixos/common-hardware.nix
@ -9,12 +9,6 @@

  hardware.enableAllFirmware = true;

-
-  nixpkgs.config = {
-    allowUnfree = true;
-  };
-
-
  hardware.enableRedistributableFirmware = true;
  hardware.cpu.intel.updateMicrocode = true;
  hardware.pulseaudio = {
@ -46,7 +40,7 @@
  hardware.printers.ensurePrinters = [{
    description = "Epson XP-540 via brix";
    name = "epson_xp540_via_brix";
-    deviceUri = "ipp://brix.vpn:631/printers/epson_xp540";
+    deviceUri = "ipp://brix:631/printers/epson_xp540";
    model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
    ppdOptions = { PageSize = "A4"; Duplex = "DuplexNoTumble"; };
  }];
@ -56,7 +50,7 @@
    netConf = ''
      10.0.0.232
      brix.local
-      brix.vpn
+      brix
    '';
    snapshot = true;
    extraBackends = with pkgs; [ sane-airscan utsushi ];
--- a/nixos/distributed-builds.nix
+++ b/nixos/distributed-builds.nix
@ -6,7 +6,7 @@

  nix.buildMachines = [
    {
-      hostName = "brix.vpn";
+      hostName = "brix";
      sshUser = "nix-builder";
      sshKey = "/home/cyryl/.ssh/id_ed25519";
      system = "x86_64-linux";
--- a/nixos/promtail.yaml
+++ b/nixos/promtail.yaml
@ -1,20 +0,0 @@
-server:
-  http_listen_port: 28183
-  grpc_listen_port: 0
-
-positions:
-  filename: /tmp/positions.yaml
-
-clients:
-  - url: http://vultr1.vpn:3100/loki/api/v1/push
-
-scrape_configs:
-  - job_name: journal
-    journal:
-      max_age: 12h
-      labels:
-        job: systemd-journal
-        host: foureighty
-    relabel_configs:
-      - source_labels: ["__journal__systemd_unit"]
-        target_label: "unit"
--- a/nixos/shell-config.nix
+++ b/nixos/shell-config.nix
@ -1,7 +1,6 @@
 {
  permittedInsecurePackages = [
  ];
-  allowUnfree = true;
  packageOverrides = pkgs: {
    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
  };
--- a/nixos/zerotier.nix
+++ b/nixos/zerotier.nix
@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-{
-  services.zerotierone = {
-    enable = true;
-    joinNetworks = [ "d3ecf5726d580b5a" ];
-  };
-
-  networking.hosts = {
-    "172.23.153.159" = [ "brix.vpn" ];
-    "172.23.28.139" = [ "vultr1.vpn" ];
-  };
-
-}