flake update; msty update; +headscale config

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1736955230,
+        "lastModified": 1745630506,
-        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
+        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
+        "lastModified": 1744478979,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744145203,
+        "lastModified": 1745812220,
-        "narHash": "sha256-I2oILRiJ6G+BOSjY+0dGrTPe080L3pbKpc+gCV3Nmyk=",
+        "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "76c0a6dba345490508f36c1aa3c7ba5b6b460989",
+        "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78",
         "type": "github"
       },
       "original": {
@@ -131,11 +131,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703113217,
+        "lastModified": 1745494811,
-        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
         "type": "github"
       },
       "original": {
@@ -151,11 +151,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744663884,
+        "lastModified": 1745894335,
-        "narHash": "sha256-a6QGaZMDM1miK8VWzAITsEPOdmLk+xTPyJSTjVs3WhI=",
+        "narHash": "sha256-m47zhftaod/oHOwoVT25jstdcVLhkrVGyvEHKjbnFHI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d5cdf55bd9f19a3debd55b6cb5d38f7831426265",
+        "rev": "1ad123239957d40e11ef66c203d0a7e272eb48aa",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1744513377,
+        "lastModified": 1745885816,
-        "narHash": "sha256-2ocy+qAVxTBmaK8MpAy7mpKIH+DYEzwf+KzXZX83oZ4=",
+        "narHash": "sha256-yuIb6/gGcII+2YgtTLcYdga0pcL63B18xQ/oitOhg7k=",
         "owner": "Jas-SinghFSU",
         "repo": "HyprPanel",
-        "rev": "42943b3def85d8787d703778951944c8e791202b",
+        "rev": "0c82ce9704c8063be8d8f60443071c91943eb68c",
         "type": "github"
       },
       "original": {
@@ -207,11 +207,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1703013332,
+        "lastModified": 1745391562,
-        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
+        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
+        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
         "type": "github"
       },
       "original": {
@@ -255,11 +255,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1744703824,
+        "lastModified": 1745912738,
-        "narHash": "sha256-scv7M9HrjqtE5u7Zf8CUnq0HRi4cdZBaVitZPA/iXGA=",
+        "narHash": "sha256-B7XJw9j3ZDB1RS3S43FtEZroGFbEApbI/UUSTK0WUjA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8852da7e72ef9f41684d83925c2f428b06587a29",
+        "rev": "0dc8551522034a0686417149337304bde2c27e7b",
         "type": "github"
       },
       "original": {
@@ -271,11 +271,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1744440957,
+        "lastModified": 1745742390,
-        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+        "narHash": "sha256-1rqa/XPSJqJg21BKWjzJZC7yU0l/YTVtjRi0RJmipus=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+        "rev": "26245db0cb552047418cfcef9a25da91b222d6c7",
         "type": "github"
       },
       "original": {
@@ -303,11 +303,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1744463964,
+        "lastModified": 1745794561,
-        "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
+        "narHash": "sha256-T36rUZHUART00h3dW4sV5tv4MrXKT7aWjNfHiZz7OHg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
+        "rev": "5461b7fa65f3ca74cef60be837fd559a8918eaa0",
         "type": "github"
       },
       "original": {

home/m3tam3re/home.nix

@@ -174,6 +174,11 @@
         user = "m3tam3re";
         identityFile = "~/.ssh/m3tam3re";
       };
+      "m3-skynet" = {
+        hostname = "m3-skynet";
+        user = "admin";
+        identityFile = "~/.ssh/m3tam3re";
+      };
       "shp-old" = {
         hostname = "95.217.3.250";
         port = 2222;

hosts/m3-atlas/services/containers/littlelink.nix

@@ -3,7 +3,7 @@
     image = "ghcr.io/techno-tim/littlelink-server";
     environmentFiles = [config.age.secrets.littlelink-m3tam3re.path];
     ports = ["127.0.0.1:3004:3000"];
-    extraOptions = ["--ip=10.89.0.12" "--network=web"];
+    extraOptions = ["--ip=10.89.0.4" "--network=web"];
   };
   # Traefik configuration specific to littlelink
   services.traefik.dynamicConfigOptions.http = {

hosts/m3-atlas/services/headscale.nix

@@ -1,19 +1,82 @@
 {
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  # Define a new option for the admin user
+  options.services.headscale = {
+    adminUser = lib.mkOption {
+      type = lib.types.str;
+      default = "m3tam3re";
+      description = "Username for the headscale admin user";
+    };
+  };
+
+  config = let
+    adminUser = config.services.headscale.adminUser;
+
+    aclConfig = {
+      # Groups definition
+      groups = {
+        "group:admins" = ["${adminUser}"];
+      };
+
+      acls = [
+        # Allow all connections within the tailnet
+        {
+          action = "accept";
+          src = ["*"];
+          dst = ["*:*"];
+        }
+        # Allow admin to connect to their own services
+        {
+          action = "accept";
+          src = ["${adminUser}"];
+          dst = ["${adminUser}:*"];
+        }
+      ];
+
+      # Auto-approvers section for routes
+      autoApprovers = {
+        routes = {
+          "0.0.0.0/0" = ["${adminUser}"];
+          "10.0.0.0/8" = ["${adminUser}"];
+          "172.16.0.0/12" = ["${adminUser}"];
+          "192.168.0.0/16" = ["${adminUser}"];
+        };
+
+        exitNode = ["${adminUser}"];
+      };
+    };
+
+    # Convert to HuJSON format with comments
+    aclHuJson = ''
+      // Headscale ACL Policy - Generated by NixOS
+      // Admin user: ${adminUser}
+
+      ${builtins.toJSON aclConfig}
+    '';
+
+    aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
+  in {
     services = {
       headscale = {
         enable = true;
         port = 3009;
+        adminUser = "m3tam3re";
         settings = {
           server_url = "https://va.m3tam3re.com";
           dns = {
-          base_domain = "m3tam3re.loc";
+            base_domain = "m3ta.loc";
           };
           logtail.enabled = false;
+          policy.path = "${aclFile}";
         };
       };
     };
 
-  # Traefik configuration specific to
+    # Traefik configuration
     services.traefik.dynamicConfigOptions.http = {
       services.headscale.loadBalancer.servers = [
         {
@@ -30,4 +93,29 @@
         entrypoints = "websecure";
       };
     };
+
+    # Create a systemd service to ensure the admin user exists
+    systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
+      description = "Ensure Headscale admin user exists";
+      after = ["headscale.service"];
+      requires = ["headscale.service"];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        User = "headscale";
+        Group = "headscale";
+      };
+
+      script = ''
+        # Check if user exists and create if needed
+        if ! ${pkgs.headscale}/bin/headscale users list | grep -q "${adminUser}"; then
+          echo "Creating headscale admin user: ${adminUser}"
+          ${pkgs.headscale}/bin/headscale users create "${adminUser}"
+        else
+          echo "Headscale admin user ${adminUser} already exists"
+        fi
+      '';
+    };
+  };
 }

hosts/m3-atlas/services/tailscale.nix

@@ -1,9 +1,41 @@
-{
+{pkgs, ...}: {
   services.tailscale = {
     enable = true;
     useRoutingFeatures = "both";
+    extraUpFlags = [
+      "--login-server https://va.m3tam3re.com"
+      "--advertise-exit-node"
+      "--accept-routes"
+    ];
   };
+
+  # Persistent systemd service for network settings
+  systemd.services.configure-network-offload = {
+    description = "Configure network offload settings";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.ethtool}/bin/ethtool -K ens3 rx-udp-gro-forwarding on rx-gro-list off";
+    };
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+    "net.core.gro_normal_batch" = 8;
+    "net.core.gro_flush_timeout" = 200000;
+  };
+
   networking.firewall = {
     trustedInterfaces = ["tailscale0"];
+    allowedUDPPorts = [41641];
+    checkReversePath = "loose";
   };
+
+  environment.systemPackages = with pkgs; [
+    ethtool
+    tailscale
+  ];
 }

hosts/m3-kratos/services/default.nix

@@ -4,6 +4,7 @@
     ./n8n.nix
     ./postgres.nix
     ./sound.nix
+    ./tailscale.nix
     ./udev.nix
     ./wireguard.nix
   ];
@@ -11,7 +12,6 @@
     hypridle.enable = true;
     printing.enable = true;
     gvfs.enable = true;
-    tailscale.enable = true;
     trezord.enable = true;
     gnome.gnome-keyring.enable = true;
     qdrant.enable = true;

hosts/m3-kratos/services/tailscale.nix

@@ -0,0 +1,11 @@
+{
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+    extraUpFlags = [
+      "--login-server https://va.m3tam3re.com"
+      "--exit-node=m3-atlas"
+      "--exit-node-allow-lan-access"
+    ];
+  };
+}

hosts/m3-kratos/services/wireguard.nix

@@ -10,7 +10,7 @@
     };
     NO = {
       configFile = config.age.secrets.wg-NO.path;
-      autostart = true;
+      autostart = false;
     };
     US = {
       configFile = config.age.secrets.wg-US.path;

pkgs/msty/default.nix

@@ -4,10 +4,10 @@
   makeWrapper,
 }: let
   pname = "msty";
-  version = "1.8.4";
+  version = "1.9.2";
   src = fetchurl {
     url = "https://assets.msty.app/prod/latest/linux/amd64/Msty_x86_64_amd64.AppImage";
-    sha256 = "sha256-4NjS9/ZlzFWyVHA054DmpHeTl35PgkPiHwgRjHeB4is=";
+    sha256 = "sha256-Z4t0EcV9X4g5X0lBwipiMdP8lgPuBkhykAIKjHSUpnI=";
   };
   appimageContents = appimageTools.extractType2 {inherit pname version src;};
 in