flake update; msty update; +headscale config

2025-04-29 13:36:01 +02:00
parent 5a5b434efd
commit e461fc494a
9 changed files with 196 additions and 60 deletions
--- a/hosts/m3-atlas/services/containers/littlelink.nix
+++ b/hosts/m3-atlas/services/containers/littlelink.nix
@ -3,7 +3,7 @@
    image = "ghcr.io/techno-tim/littlelink-server";
    environmentFiles = [config.age.secrets.littlelink-m3tam3re.path];
    ports = ["127.0.0.1:3004:3000"];
-    extraOptions = ["--ip=10.89.0.12" "--network=web"];
+    extraOptions = ["--ip=10.89.0.4" "--network=web"];
  };
  # Traefik configuration specific to littlelink
  services.traefik.dynamicConfigOptions.http = {
--- a/hosts/m3-atlas/services/headscale.nix
+++ b/hosts/m3-atlas/services/headscale.nix
@ -1,33 +1,121 @@
 {
-  services = {
-    headscale = {
-      enable = true;
-      port = 3009;
-      settings = {
-        server_url = "https://va.m3tam3re.com";
-        dns = {
-          base_domain = "m3tam3re.loc";
-        };
-        logtail.enabled = false;
-      };
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  # Define a new option for the admin user
+  options.services.headscale = {
+    adminUser = lib.mkOption {
+      type = lib.types.str;
+      default = "m3tam3re";
+      description = "Username for the headscale admin user";
    };
  };

-  # Traefik configuration specific to
-  services.traefik.dynamicConfigOptions.http = {
-    services.headscale.loadBalancer.servers = [
-      {
-        url = "http://localhost:3009/";
-      }
-    ];
+  config = let
+    adminUser = config.services.headscale.adminUser;

-    routers.headscale = {
-      rule = "Host(`va.m3tam3re.com`)";
-      tls = {
-        certResolver = "godaddy";
+    aclConfig = {
+      # Groups definition
+      groups = {
+        "group:admins" = ["${adminUser}"];
      };
-      service = "headscale";
-      entrypoints = "websecure";
+
+      acls = [
+        # Allow all connections within the tailnet
+        {
+          action = "accept";
+          src = ["*"];
+          dst = ["*:*"];
+        }
+        # Allow admin to connect to their own services
+        {
+          action = "accept";
+          src = ["${adminUser}"];
+          dst = ["${adminUser}:*"];
+        }
+      ];
+
+      # Auto-approvers section for routes
+      autoApprovers = {
+        routes = {
+          "0.0.0.0/0" = ["${adminUser}"];
+          "10.0.0.0/8" = ["${adminUser}"];
+          "172.16.0.0/12" = ["${adminUser}"];
+          "192.168.0.0/16" = ["${adminUser}"];
+        };
+
+        exitNode = ["${adminUser}"];
+      };
+    };
+
+    # Convert to HuJSON format with comments
+    aclHuJson = ''
+      // Headscale ACL Policy - Generated by NixOS
+      // Admin user: ${adminUser}
+
+      ${builtins.toJSON aclConfig}
+    '';
+
+    aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
+  in {
+    services = {
+      headscale = {
+        enable = true;
+        port = 3009;
+        adminUser = "m3tam3re";
+        settings = {
+          server_url = "https://va.m3tam3re.com";
+          dns = {
+            base_domain = "m3ta.loc";
+          };
+          logtail.enabled = false;
+          policy.path = "${aclFile}";
+        };
+      };
+    };
+
+    # Traefik configuration
+    services.traefik.dynamicConfigOptions.http = {
+      services.headscale.loadBalancer.servers = [
+        {
+          url = "http://localhost:3009/";
+        }
+      ];
+
+      routers.headscale = {
+        rule = "Host(`va.m3tam3re.com`)";
+        tls = {
+          certResolver = "godaddy";
+        };
+        service = "headscale";
+        entrypoints = "websecure";
+      };
+    };
+
+    # Create a systemd service to ensure the admin user exists
+    systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
+      description = "Ensure Headscale admin user exists";
+      after = ["headscale.service"];
+      requires = ["headscale.service"];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        User = "headscale";
+        Group = "headscale";
+      };
+
+      script = ''
+        # Check if user exists and create if needed
+        if ! ${pkgs.headscale}/bin/headscale users list | grep -q "${adminUser}"; then
+          echo "Creating headscale admin user: ${adminUser}"
+          ${pkgs.headscale}/bin/headscale users create "${adminUser}"
+        else
+          echo "Headscale admin user ${adminUser} already exists"
+        fi
+      '';
    };
  };
 }
--- a/hosts/m3-atlas/services/tailscale.nix
+++ b/hosts/m3-atlas/services/tailscale.nix
@ -1,9 +1,41 @@
-{
+{pkgs, ...}: {
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "both";
+    extraUpFlags = [
+      "--login-server https://va.m3tam3re.com"
+      "--advertise-exit-node"
+      "--accept-routes"
+    ];
  };
+
+  # Persistent systemd service for network settings
+  systemd.services.configure-network-offload = {
+    description = "Configure network offload settings";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.ethtool}/bin/ethtool -K ens3 rx-udp-gro-forwarding on rx-gro-list off";
+    };
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+    "net.core.gro_normal_batch" = 8;
+    "net.core.gro_flush_timeout" = 200000;
+  };
+
  networking.firewall = {
    trustedInterfaces = ["tailscale0"];
+    allowedUDPPorts = [41641];
+    checkReversePath = "loose";
  };
+
+  environment.systemPackages = with pkgs; [
+    ethtool
+    tailscale
+  ];
 }
--- a/hosts/m3-kratos/services/default.nix
+++ b/hosts/m3-kratos/services/default.nix
@ -4,6 +4,7 @@
    ./n8n.nix
    ./postgres.nix
    ./sound.nix
+    ./tailscale.nix
    ./udev.nix
    ./wireguard.nix
  ];
@ -11,7 +12,6 @@
    hypridle.enable = true;
    printing.enable = true;
    gvfs.enable = true;
-    tailscale.enable = true;
    trezord.enable = true;
    gnome.gnome-keyring.enable = true;
    qdrant.enable = true;
--- a/hosts/m3-kratos/services/tailscale.nix
+++ b/hosts/m3-kratos/services/tailscale.nix
@ -0,0 +1,11 @@
+{
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+    extraUpFlags = [
+      "--login-server https://va.m3tam3re.com"
+      "--exit-node=m3-atlas"
+      "--exit-node-allow-lan-access"
+    ];
+  };
+}
--- a/hosts/m3-kratos/services/wireguard.nix
+++ b/hosts/m3-kratos/services/wireguard.nix
@ -10,7 +10,7 @@
    };
    NO = {
      configFile = config.age.secrets.wg-NO.path;
-      autostart = true;
+      autostart = false;
    };
    US = {
      configFile = config.age.secrets.wg-US.path;