From e461fc494a1500fab2af0320434659858fe1ca13 Mon Sep 17 00:00:00 2001 From: m3tam3re Date: Tue, 29 Apr 2025 13:36:01 +0200 Subject: [PATCH] flake update; msty update; +headscale config --- flake.lock | 60 ++++---- home/m3tam3re/home.nix | 5 + .../services/containers/littlelink.nix | 2 +- hosts/m3-atlas/services/headscale.nix | 136 ++++++++++++++---- hosts/m3-atlas/services/tailscale.nix | 34 ++++- hosts/m3-kratos/services/default.nix | 2 +- hosts/m3-kratos/services/tailscale.nix | 11 ++ hosts/m3-kratos/services/wireguard.nix | 2 +- pkgs/msty/default.nix | 4 +- 9 files changed, 196 insertions(+), 60 deletions(-) create mode 100644 hosts/m3-kratos/services/tailscale.nix diff --git a/flake.lock b/flake.lock index f721ac3..3f94687 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1745630506, + "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "96e078c646b711aee04b82ba01aefbff87004ded", "type": "github" }, "original": { @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { 
@@ -94,11 +94,11 @@ ] }, "locked": { - "lastModified": 1744145203, - "narHash": "sha256-I2oILRiJ6G+BOSjY+0dGrTPe080L3pbKpc+gCV3Nmyk=", + "lastModified": 1745812220, + "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", "owner": "nix-community", "repo": "disko", - "rev": "76c0a6dba345490508f36c1aa3c7ba5b6b460989", + "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", "type": "github" }, "original": { @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { @@ -151,11 +151,11 @@ ] }, "locked": { - "lastModified": 1744663884, - "narHash": "sha256-a6QGaZMDM1miK8VWzAITsEPOdmLk+xTPyJSTjVs3WhI=", + "lastModified": 1745894335, + "narHash": "sha256-m47zhftaod/oHOwoVT25jstdcVLhkrVGyvEHKjbnFHI=", "owner": "nix-community", "repo": "home-manager", - "rev": "d5cdf55bd9f19a3debd55b6cb5d38f7831426265", + "rev": "1ad123239957d40e11ef66c203d0a7e272eb48aa", "type": "github" }, "original": { @@ -192,11 +192,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1744513377, - "narHash": "sha256-2ocy+qAVxTBmaK8MpAy7mpKIH+DYEzwf+KzXZX83oZ4=", + "lastModified": 1745885816, + "narHash": "sha256-yuIb6/gGcII+2YgtTLcYdga0pcL63B18xQ/oitOhg7k=", "owner": "Jas-SinghFSU", "repo": "HyprPanel", - "rev": "42943b3def85d8787d703778951944c8e791202b", + "rev": "0c82ce9704c8063be8d8f60443071c91943eb68c", "type": "github" }, "original": { 
@@ -207,11 +207,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1745391562, + "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "type": "github" }, "original": { @@ -255,11 +255,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1744703824, - "narHash": "sha256-scv7M9HrjqtE5u7Zf8CUnq0HRi4cdZBaVitZPA/iXGA=", + "lastModified": 1745912738, + "narHash": "sha256-B7XJw9j3ZDB1RS3S43FtEZroGFbEApbI/UUSTK0WUjA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8852da7e72ef9f41684d83925c2f428b06587a29", + "rev": "0dc8551522034a0686417149337304bde2c27e7b", "type": "github" }, "original": { @@ -271,11 +271,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1744440957, - "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=", + "lastModified": 1745742390, + "narHash": "sha256-1rqa/XPSJqJg21BKWjzJZC7yU0l/YTVtjRi0RJmipus=", "owner": "nixos", "repo": "nixpkgs", - "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "rev": "26245db0cb552047418cfcef9a25da91b222d6c7", "type": "github" }, "original": { @@ -303,11 +303,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1744463964, - "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", + "lastModified": 1745794561, + "narHash": "sha256-T36rUZHUART00h3dW4sV5tv4MrXKT7aWjNfHiZz7OHg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", + "rev": "5461b7fa65f3ca74cef60be837fd559a8918eaa0", "type": "github" }, "original": { diff --git a/home/m3tam3re/home.nix b/home/m3tam3re/home.nix index ce9b86a..d8a1cb1 100644 --- a/home/m3tam3re/home.nix +++ b/home/m3tam3re/home.nix 
@@ -174,6 +174,11 @@ user = "m3tam3re"; identityFile = "~/.ssh/m3tam3re"; }; + "m3-skynet" = { + hostname = "m3-skynet"; + user = "admin"; + identityFile = "~/.ssh/m3tam3re"; + }; "shp-old" = { hostname = "95.217.3.250"; port = 2222; diff --git a/hosts/m3-atlas/services/containers/littlelink.nix b/hosts/m3-atlas/services/containers/littlelink.nix index c7c6794..8a11991 100644 --- a/hosts/m3-atlas/services/containers/littlelink.nix +++ b/hosts/m3-atlas/services/containers/littlelink.nix @@ -3,7 +3,7 @@ image = "ghcr.io/techno-tim/littlelink-server"; environmentFiles = [config.age.secrets.littlelink-m3tam3re.path]; ports = ["127.0.0.1:3004:3000"]; - extraOptions = ["--ip=10.89.0.12" "--network=web"]; + extraOptions = ["--ip=10.89.0.4" "--network=web"]; }; # Traefik configuration specific to littlelink services.traefik.dynamicConfigOptions.http = { diff --git a/hosts/m3-atlas/services/headscale.nix b/hosts/m3-atlas/services/headscale.nix index 8dcb453..871bfdb 100644 --- a/hosts/m3-atlas/services/headscale.nix +++ b/hosts/m3-atlas/services/headscale.nix 
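Review bot: The new `m3-skynet` entry uses the bare name `m3-skynet` as `hostname`, so which machine ssh reaches depends on the client's search-domain configuration; if this host is meant to be reached over the tailnet configured elsewhere in this commit (MagicDNS base_domain `m3ta.loc` in headscale.nix), `hostname = "m3-skynet.m3ta.loc";` removes that ambiguity. `user = "admin"` differs from every other entry visible here, so a short comment saying which machine this is and why the login is not the usual user would help, e.g. `# m3-skynet: <ROLE> host, only the "admin" account exists there`. The enclosing attribute set begins and ends outside the hunk.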
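Review bot: The address change to `--ip=10.89.0.4` is undocumented, and nothing in this file guards against another container on the `web` network using the same static address; a clash only shows up when podman fails to start the container, not at evaluation time. A comment recording the reservation next to the flag, e.g. `# 10.89.0.4 is reserved for littlelink on the "web" network; keep unique across the other container definitions`, makes the allocation auditable. The enclosing container definition starts outside the hunk.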
@@ -1,33 +1,121 @@ { - services = { - headscale = { - enable = true; - port = 3009; - settings = { - server_url = "https://va.m3tam3re.com"; - dns = { - base_domain = "m3tam3re.loc"; - }; - logtail.enabled = false; - }; + pkgs, + config, + lib, + ... +}: { + # Define a new option for the admin user + options.services.headscale = { + adminUser = lib.mkOption { + type = lib.types.str; + default = "m3tam3re"; + description = "Username for the headscale admin user"; }; }; - # Traefik configuration specific to - services.traefik.dynamicConfigOptions.http = { - services.headscale.loadBalancer.servers = [ - { - url = "http://localhost:3009/"; - } - ]; + config = let + adminUser = config.services.headscale.adminUser; - routers.headscale = { - rule = "Host(`va.m3tam3re.com`)"; - tls = { - certResolver = "godaddy"; + aclConfig = { + # Groups definition + groups = { + "group:admins" = ["${adminUser}"]; }; - service = "headscale"; - entrypoints = "websecure"; + + acls = [ + # Allow all connections within the tailnet + { + action = "accept"; + src = ["*"]; + dst = ["*:*"]; + } + # Allow admin to connect to their own services + { + action = "accept"; + src = ["${adminUser}"]; + dst = ["${adminUser}:*"]; + } + ]; + + # Auto-approvers section for routes + autoApprovers = { + routes = { + "0.0.0.0/0" = ["${adminUser}"]; + "10.0.0.0/8" = ["${adminUser}"]; + "172.16.0.0/12" = ["${adminUser}"]; + "192.168.0.0/16" = ["${adminUser}"]; + }; + + exitNode = ["${adminUser}"]; + }; + }; + + # Convert to HuJSON format with comments + aclHuJson = '' + // Headscale ACL Policy - Generated by NixOS + // Admin user: ${adminUser} + + ${builtins.toJSON aclConfig} + ''; + + aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson; + in { + services = { + headscale = { + enable = true; + port = 3009; + adminUser = "m3tam3re"; + settings = { + server_url = "https://va.m3tam3re.com"; + dns = { + base_domain = "m3ta.loc"; + }; + logtail.enabled = false; + policy.path = "${aclFile}"; + }; + }; + }; + + # 
Traefik configuration + services.traefik.dynamicConfigOptions.http = { + services.headscale.loadBalancer.servers = [ + { + url = "http://localhost:3009/"; + } + ]; + + routers.headscale = { + rule = "Host(`va.m3tam3re.com`)"; + tls = { + certResolver = "godaddy"; + }; + service = "headscale"; + entrypoints = "websecure"; + }; + }; + + # Create a systemd service to ensure the admin user exists + systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable { + description = "Ensure Headscale admin user exists"; + after = ["headscale.service"]; + requires = ["headscale.service"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + User = "headscale"; + Group = "headscale"; + }; + + script = '' + # Check if user exists and create if needed + if ! ${pkgs.headscale}/bin/headscale users list | grep -q "${adminUser}"; then + echo "Creating headscale admin user: ${adminUser}" + ${pkgs.headscale}/bin/headscale users create "${adminUser}" + else + echo "Headscale admin user ${adminUser} already exists" + fi + ''; }; }; } diff --git a/hosts/m3-atlas/services/tailscale.nix b/hosts/m3-atlas/services/tailscale.nix index 7a14f28..c170f1d 100644 --- a/hosts/m3-atlas/services/tailscale.nix +++ b/hosts/m3-atlas/services/tailscale.nix 
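Review bot: The first ACL rule (`src = ["*"]; dst = ["*:*"]`) already grants every tailnet node access to every port on every other node, so `group:admins` and the second rule for `${adminUser}` are dead configuration and the generated policy restricts nothing; if least privilege is the intent, drop or narrow the wildcard rule and reference `group:admins` in the rule that stays, otherwise remove the unused group and rule so the file reads as the open policy it is. The existence check in `headscale-ensure-admin` runs `grep -q "${adminUser}"` over tabular output, which is a substring match: any user whose name contains `m3tam3re` makes the script skip creation, and a space or regex metacharacter in `adminUser` silently changes the pattern; `${pkgs.headscale}/bin/headscale users list -o json | ${pkgs.jq}/bin/jq -e --arg u "${adminUser}" 'any(.[]; .name == $u)' >/dev/null` compares the name exactly (assuming the JSON output is an array of user objects with a `name` field — confirm against the headscale version in use). `after = ["headscale.service"]` only orders against process start, so on a slow first boot `users list` can run before the API socket is listening and the oneshot fails once with no retry; presumably a short readiness loop or `Restart = "on-failure"` is wanted here. The `autoApprovers.routes` entry `"0.0.0.0/0"` auto-approves any default-route advertisement by the admin user; if that is only meant for the exit node, the `exitNode` entry already covers it and the route entry widens what gets approved without review.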
@@ -1,9 +1,41 @@ -{ +{pkgs, ...}: { services.tailscale = { enable = true; useRoutingFeatures = "both"; + extraUpFlags = [ + "--login-server https://va.m3tam3re.com" + "--advertise-exit-node" + "--accept-routes" + ]; }; + + # Persistent systemd service for network settings + systemd.services.configure-network-offload = { + description = "Configure network offload settings"; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = "${pkgs.ethtool}/bin/ethtool -K ens3 rx-udp-gro-forwarding on rx-gro-list off"; + }; + }; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + "net.core.gro_normal_batch" = 8; + "net.core.gro_flush_timeout" = 200000; + }; + networking.firewall = { trustedInterfaces = ["tailscale0"]; + allowedUDPPorts = [41641]; + checkReversePath = "loose"; }; + + environment.systemPackages = with pkgs; [ + ethtool + tailscale + ]; } diff --git a/hosts/m3-kratos/services/default.nix b/hosts/m3-kratos/services/default.nix index 2674a00..ae95963 100644 --- a/hosts/m3-kratos/services/default.nix +++ b/hosts/m3-kratos/services/default.nix @@ -4,6 +4,7 @@ ./n8n.nix ./postgres.nix ./sound.nix + ./tailscale.nix ./udev.nix ./wireguard.nix ]; @@ -11,7 +12,6 @@ hypridle.enable = true; printing.enable = true; gvfs.enable = true; - tailscale.enable = true; trezord.enable = true; gnome.gnome-keyring.enable = true; qdrant.enable = true; diff --git a/hosts/m3-kratos/services/tailscale.nix b/hosts/m3-kratos/services/tailscale.nix new file mode 100644 index 0000000..49a8bba --- /dev/null +++ b/hosts/m3-kratos/services/tailscale.nix @@ -0,0 +1,11 @@ +{ + services.tailscale = { + enable = true; + useRoutingFeatures = "client"; + extraUpFlags = [ + "--login-server https://va.m3tam3re.com" + "--exit-node=m3-atlas" + "--exit-node-allow-lan-access" + ]; + }; +} 
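Review bot: `extraUpFlags` is only consumed by the NixOS module's `tailscaled-autoconnect` unit, which is generated only when `services.tailscale.authKeyFile` is set; with no `authKeyFile` here (nor in the new hosts/m3-kratos/services/tailscale.nix hunk) these flags are never passed to `tailscale up`, so the login server, exit-node advertisement and route acceptance still have to be applied by hand. Each flag is also written as one string containing a space, `"--login-server https://va.m3tam3re.com"`, and the module shell-escapes every list element, so when it is passed it arrives as a single argument the flag parser will not recognise; use `"--login-server=https://va.m3tam3re.com"` (same fix in the kratos file). In `configure-network-offload`, the interface name `ens3` is hard-coded and `network.target` does not guarantee the device exists yet, so the oneshot can fail on first boot and, with `RemainAfterExit`, never run again; ordering it on the device unit, `after = ["sys-subsystem-net-devices-ens3.device"]; bindsTo = ["sys-subsystem-net-devices-ens3.device"];`, ties it to the NIC actually appearing. Note also that the pre-existing `trustedInterfaces = ["tailscale0"]` exempts every tailnet peer from this host's firewall, which together with the all-to-all ACL added in headscale.nix in this commit makes every service on m3-atlas reachable from any node that can join the tailnet.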
diff --git a/hosts/m3-kratos/services/wireguard.nix b/hosts/m3-kratos/services/wireguard.nix index b52b822..b98e312 100644 --- a/hosts/m3-kratos/services/wireguard.nix +++ b/hosts/m3-kratos/services/wireguard.nix @@ -10,7 +10,7 @@ }; NO = { configFile = config.age.secrets.wg-NO.path; - autostart = true; + autostart = false; }; US = { configFile = config.age.secrets.wg-US.path; diff --git a/pkgs/msty/default.nix b/pkgs/msty/default.nix index 363ae73..d190699 100644 --- a/pkgs/msty/default.nix +++ b/pkgs/msty/default.nix @@ -4,10 +4,10 @@ makeWrapper, }: let pname = "msty"; - version = "1.8.4"; + version = "1.9.2"; src = fetchurl { url = "https://assets.msty.app/prod/latest/linux/amd64/Msty_x86_64_amd64.AppImage"; - sha256 = "sha256-4NjS9/ZlzFWyVHA054DmpHeTl35PgkPiHwgRjHeB4is="; + sha256 = "sha256-Z4t0EcV9X4g5X0lBwipiMdP8lgPuBkhykAIKjHSUpnI="; }; appimageContents = appimageTools.extractType2 {inherit pname version src;}; in