diff --git a/hosts/m3-ares/services/tailscale.nix b/hosts/m3-ares/services/tailscale.nix
index 15f40d6..4748fea 100644
--- a/hosts/m3-ares/services/tailscale.nix
+++ b/hosts/m3-ares/services/tailscale.nix
@@ -5,36 +5,16 @@
 }: {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "client";
+    authKeyFile = config.age.secrets.tailscale-key.path;
+    extraUpFlags = [
+      "--login-server=https://va.m3tam3re.com"
+    ];
+    extraSetFlags = [
+      "--exit-node=m3-atlas"
+      "--exit-node-allow-lan-access"
+    ];
   };
-
-  # systemd.services.tailscale-autoconnect = {
-  #   description = "Automatic connection to Tailscale";
-  #   # make sure tailscale is running before trying to connect to tailscale
-  #   after = ["network-pre.target" "tailscale.service"];
-  #   wants = ["network-pre.target" "tailscale.service"];
-  #   wantedBy = ["multi-user.target"];
-  #   # set this service as a oneshot job
-  #   serviceConfig = {
-  #     Type = "oneshot";
-  #     EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
-  #   };
-  #   # have the job run this shell script
-  #   script = with pkgs; ''
-  #     # wait for tailscaled to settle
-  #     sleep 2
-  #     # check if we are already authenticated to tailscale
-  #     status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-  #     if [ $status = "Running" ]; then # if so, then do nothing
-  #       exit 0
-  #     fi
-  #     # otherwise authenticate with tailscale
-  #     ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
-  #   '';
-  # };
+  environment.systemPackages = with pkgs; [
+    tailscale
+  ];
 }
diff --git a/hosts/m3-atlas/services/headscale.nix b/hosts/m3-atlas/services/headscale.nix
index 871bfdb..9e9ca13 100644
--- a/hosts/m3-atlas/services/headscale.nix
+++ b/hosts/m3-atlas/services/headscale.nix
@@ -1,7 +1,7 @@
 {
-  pkgs,
   config,
   lib,
+  pkgs,
   ...
 }: {
   # Define a new option for the admin user
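Review bot: Dropping `useRoutingFeatures = "client";` while pointing this host at an exit node via `--exit-node=m3-atlas` looks like a regression: the NixOS tailscale module sets `networking.firewall.checkReversePath = "loose"` only for `client`/`both`, and with strict reverse-path filtering exit-node traffic tends to be dropped. Keep `useRoutingFeatures = "client";` next to `enable = true;` unless something else relaxes rpfilter for this host. `authKeyFile` now needs `config` and `environment.systemPackages` needs `pkgs` bound in the module's argument set, which lies above this hunk; the old file only referenced them inside a comment, so worth a check. ares and kratos hard-code `https://va.m3tam3re.com` while atlas derives the login server from `config.services.headscale.settings.server_url`; a shared constant would keep the three hosts in step.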
@@ -42,14 +42,12 @@
       routes = {
         "0.0.0.0/0" = ["${adminUser}"];
         "10.0.0.0/8" = ["${adminUser}"];
-        "172.16.0.0/12" = ["${adminUser}"];
         "192.168.0.0/16" = ["${adminUser}"];
       };
       exitNode = ["${adminUser}"];
     };
   };
-
   # Convert to HuJSON format with comments
   aclHuJson = ''
     // Headscale ACL Policy - Generated by NixOS
@@ -57,14 +55,13 @@
     ${builtins.toJSON aclConfig}
   '';
-
   aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
 in {
   services = {
     headscale = {
       enable = true;
-      port = 3009;
       adminUser = "m3tam3re";
+      port = 3009;
       settings = {
         server_url = "https://va.m3tam3re.com";
         dns = {
@@ -76,24 +73,6 @@
       };
     };
-
   # Traefik configuration
-  services.traefik.dynamicConfigOptions.http = {
-    services.headscale.loadBalancer.servers = [
-      {
-        url = "http://localhost:3009/";
-      }
-    ];
-    routers.headscale = {
-      rule = "Host(`va.m3tam3re.com`)";
-      tls = {
-        certResolver = "godaddy";
-      };
-      service = "headscale";
-      entrypoints = "websecure";
-    };
-  };
-
   # Create a systemd service to ensure the admin user exists
   systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
     description = "Ensure Headscale admin user exists";
@@ -117,5 +96,23 @@
       fi
     '';
   };
+
+  # Traefik configuration for headscale
+  services.traefik.dynamicConfigOptions.http = {
+    services.headscale.loadBalancer.servers = [
+      {
+        url = "http://localhost:3009/";
+      }
+    ];
+
+    routers.headscale = {
+      rule = "Host(`va.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "headscale";
+      entrypoints = "websecure";
+    };
+  };
   };
 }
diff --git a/hosts/m3-atlas/services/tailscale.nix b/hosts/m3-atlas/services/tailscale.nix
index a8ef6d0..ae948e9 100644
--- a/hosts/m3-atlas/services/tailscale.nix
+++ b/hosts/m3-atlas/services/tailscale.nix
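Review bot: The closing braces at the end of the file (`'';`, `};`, `};`, `}` in the @@ -117 hunk) suggest that the relocated `services.traefik.dynamicConfigOptions.http` block, like `systemd.services.headscale-ensure-admin`, still sits inside the `services = {` set opened before `headscale = {`; if that is the case the module system sees `services.services.traefik` and `services.systemd.services`, which it rejects, so please confirm which set the second-to-last `};` closes (its opening is outside these hunks). If it is `services`, close it right after the `headscale = { … };` definition, or write the block relative to it as `traefik.dynamicConfigOptions.http = { … };`. Reading the collapsed @@ -76 hunk, the old `# Traefik configuration` comment also appears to survive as a context line directly above `# Create a systemd service …` although its block moved to the end of the file; if so, drop that orphaned comment.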
@@ -1,45 +1,27 @@
 {
   config,
+  lib,
   pkgs,
   ...
 }: {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "both";
     authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "both";
     extraUpFlags = [
       "--login-server=${config.services.headscale.settings.server_url}"
       "--advertise-exit-node"
       "--accept-routes"
     ];
   };
-
-  services.networkd-dispatcher = {
+  services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {
     enable = true;
     rules."50-tailscale" = {
       onState = ["routable"];
       script = ''
-        "${pkgs.ethtool} NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ") | -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
+        NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
+        ${pkgs.ethtool}/bin/ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
       '';
     };
   };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-    "net.core.gro_normal_batch" = 8;
-    "net.core.gro_flush_timeout" = 200000;
-  };
-
-  networking.firewall = {
-    trustedInterfaces = ["tailscale0"];
-    allowedUDPPorts = [41641];
-    checkReversePath = "loose";
-  };
-
-  environment.systemPackages = with pkgs; [
-    ethtool
-    tailscale
-    networkd-dispatcher
-  ];
 }
diff --git a/hosts/m3-kratos/secrets.nix b/hosts/m3-kratos/secrets.nix
index 5f50d47..d57ef4d 100644
--- a/hosts/m3-kratos/secrets.nix
+++ b/hosts/m3-kratos/secrets.nix
@@ -1,6 +1,9 @@
 {
   age = {
     secrets = {
+      tailscale-key = {
+        file = ../../secrets/tailscale-key.age;
+      };
       wg-DE = {
         file = ../../secrets/wg-DE.age;
         path = "/etc/wireguard/DE.conf";
@@ -21,7 +24,6 @@
         file = ../../secrets/wg-BR.age;
         path = "/etc/wireguard/BR.conf";
       };
-      tailscale-key.file = ../../secrets/tailscale-key.age;
       m3tam3re-secrets = {
         file = ../../secrets/m3tam3re-secrets.age;
         owner = "m3tam3re";
diff --git a/hosts/m3-kratos/services/tailscale.nix b/hosts/m3-kratos/services/tailscale.nix
index 49a8bba..50a22a6 100644
--- a/hosts/m3-kratos/services/tailscale.nix
+++ b/hosts/m3-kratos/services/tailscale.nix
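Review bot: In the rewritten `50-tailscale` script `ethtool` is pinned to `${pkgs.ethtool}/bin/ethtool`, but `ip` and `cut` still come from whatever PATH networkd-dispatcher hands the rule, and `$NETDEV` is unquoted and never checked; `NETDEV=$(${pkgs.iproute2}/bin/ip -o route get 8.8.8.8 | ${pkgs.coreutils}/bin/cut -f 5 -d " ")` followed by `[ -n "$NETDEV" ] || exit 0` and `-K "$NETDEV"` keeps the rule self-contained and avoids calling ethtool with an empty interface when no default route exists yet. Field 5 is the device only when the route has a `via` hop; for a directly connected route `ip -o route get` prints `dev` in field 2 and the interface in field 3, so matching on the `dev` token (or parsing `ip -j route get`) would be more robust. Dropping `networking.firewall.allowedUDPPorts = [41641]` is not replaced here, and the tailscale module only opens that port when `services.tailscale.openFirewall = true` (default false), so peers of this exit node will fall back to DERP relays unless that is set elsewhere. Removing `trustedInterfaces = ["tailscale0"]` is a sound tightening, but any service that was reached over the tailnet now needs an explicit firewall rule.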
@@ -1,10 +1,11 @@
-{
+{config, ...}: {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "client";
+    authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "both";
     extraUpFlags = [
-      "--login-server https://va.m3tam3re.com"
-      "--exit-node=m3-atlas"
+      "--login-server=https://va.m3tam3re.com"
+      "--accept-routes"
       "--exit-node-allow-lan-access"
     ];
   };
diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age
index 0f1b32a..b8a6dfd 100644
Binary files a/secrets/tailscale-key.age and b/secrets/tailscale-key.age differ
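Review bot: `--exit-node-allow-lan-access` stays in `extraUpFlags` while `--exit-node=m3-atlas` is removed; as far as I know `tailscale up` refuses that flag unless `--exit-node` is also given, so the autoconnect `up` on this host will fail at activation. Either drop the flag or restore `"--exit-node=m3-atlas"` beside it (ares moved the pair into `extraSetFlags`, which would be the consistent place here too). `useRoutingFeatures = "both";` turns on IP forwarding through the module's sysctls, but this host only accepts routes and advertises none, so `"client"` (which still relaxes rpfilter for `--accept-routes`) is the least-privilege setting. The file's closing `}` lies past the end of this hunk.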