From 6d8c8a8f523430209df53ae055d129669c363672 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Fri, 19 Jul 2024 21:24:42 +0200
Subject: [PATCH] treewide: move tailscale to separate module

---
hosts/kazuki/default.nix | 5 ++
hosts/kogata/default.nix | 5 ++
hosts/legion/default.nix | 5 ++
hosts/miyagi/default.nix | 4 ++
hosts/ude/default.nix | 5 ++
modules/system/common/default.nix | 5 +-
modules/system/settei/default.nix | 1 +
modules/system/settei/sane-defaults.nix | 71 +++++++------------------
modules/system/settei/tailscale.nix | 54 +++++++++++++++++++
9 files changed, 102 insertions(+), 53 deletions(-)
create mode 100644 modules/system/settei/tailscale.nix

diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index eabad0a..37df421 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -23,6 +23,11 @@
 # Not intended for interactive use
 settei.user.enable = false;
 
+ settei.tailscale = {
+ ipv4 = "100.88.21.71";
+ ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6258:1547";
+ };
+
 boot = {
 loader.systemd-boot.enable = true;
 loader.systemd-boot.configurationLimit = 1;
diff --git a/hosts/kogata/default.nix b/hosts/kogata/default.nix
index 87a0954..c5360d1 100644
--- a/hosts/kogata/default.nix
+++ b/hosts/kogata/default.nix
@@ -10,6 +10,11 @@
 nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "teams" ];
 environment.systemPackages = with pkgs; [ teams ];
 
+ settei.tailscale = {
+ ipv4 = "100.102.13.61";
+ ipv6 = "fd7a:115c:a1e0::e126:d3d";
+ };
+
 common.hercules.enable = true;
 common.github-runner = {
 enable = true;
diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix
index 36a5aea..fb2bfd9 100644
--- a/hosts/legion/default.nix
+++ b/hosts/legion/default.nix
@@ -26,6 +26,11 @@
 loader.efi.canTouchEfiVariables = true;
 };
 
+ settei.tailscale = {
+ ipv4 = "100.84.112.35";
+ ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6254:7023";
+ };
+
 networking = {
 hostName = "legion";
 hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
diff --git a/hosts/miyagi/default.nix b/hosts/miyagi/default.nix
index d39e028..490a463 100644
--- a/hosts/miyagi/default.nix
+++ b/hosts/miyagi/default.nix
@@ -40,6 +40,10 @@
 ];
 };
 
+ settei.tailscale = {
+ ipv4 = "100.103.204.32";
+ ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6267:cc20";
+ };
 settei.user.config = {
 common.desktop.enable = true;
 home.packages = [ pkgs.slack ];
diff --git a/hosts/ude/default.nix b/hosts/ude/default.nix
index cef0d5c..8d02ddd 100644
--- a/hosts/ude/default.nix
+++ b/hosts/ude/default.nix
@@ -20,6 +20,11 @@
 loader.efi.canTouchEfiVariables = true;
 };
 
+ settei.tailscale = {
+ ipv4 = "100.118.42.139";
+ ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6276:2a8b";
+ };
+
 common.hercules.enable = true;
 services.hercules-ci-agent.settings.concurrentTasks = 6;
 common.github-runner = {
diff --git a/modules/system/common/default.nix b/modules/system/common/default.nix
index 1976696..0bf6e29 100644
--- a/modules/system/common/default.nix
+++ b/modules/system/common/default.nix
@@ -15,9 +15,12 @@ let
 username = lib.mkDefault "niko";
 sane-defaults = {
 enable = lib.mkDefault true;
- tailnet = "discus-macaroni.ts.net";
 };
 flake-qol.enable = true;
+ tailscale = {
+ enable = true;
+ tailnet = "discus-macaroni.ts.net";
+ };
 user = {
 enable = lib.mkDefault true;
 # TODO: Move to settei or leave here?
diff --git a/modules/system/settei/default.nix b/modules/system/settei/default.nix
index 7bfc464..479e222 100644
--- a/modules/system/settei/default.nix
+++ b/modules/system/settei/default.nix
@@ -18,6 +18,7 @@
 (import ./flake-qol.nix { inherit perInput; })
 ./user.nix
 (import ./programs { inherit isLinux; })
+ (import ./tailscale.nix { inherit isLinux; })
 ];
 
 options.settei = with lib; {
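Review bot: In the modules/system/common/default.nix hunk, `enable = true;` inside the new `tailscale` block is unconditional, while the neighbouring `sane-defaults.enable` and `user.enable` use `lib.mkDefault`, so a host that must not join the tailnet can only opt out with `lib.mkForce`; `enable = lib.mkDefault true;` keeps the same default and stays consistent with the siblings. The same applies to `tailnet`, which tailscale.nix declares without a default, so `tailnet = lib.mkDefault "discus-macaroni.ts.net";` would let a host point at a different tailnet without forcing. The `let` block enclosing these settings starts before the hunk.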
diff --git a/modules/system/settei/sane-defaults.nix b/modules/system/settei/sane-defaults.nix
index 9e54dd3..7746c4f 100644
--- a/modules/system/settei/sane-defaults.nix
+++ b/modules/system/settei/sane-defaults.nix
@@ -11,10 +11,6 @@ let
 type = types.attrsOf types.singleLineStr;
 default = { };
 };
- tailnet = mkOption {
- type = types.nullOr types.str;
- default = null;
- };
 };
 };
 
@@ -27,9 +23,6 @@ let
 username = lib.mkDefault username;
 };
 
- # FIXME: Move to common
- services.tailscale.enable = true;
-
 networking.hostName = lib.mkDefault (
 args.configurationName
 or (throw "pass configurationName to module arguments or set networking.hostName yourself")
@@ -79,54 +72,28 @@ let
 };
 };
 
- linuxConfig = lib.optionalAttrs isLinux (
- let
- nmEnabled = config.networking.networkmanager.enable;
- tlEnabled = config.services.tailscale.enable;
- in
- lib.mkMerge [
- {
- hardware.enableRedistributableFirmware = true;
+ linuxConfig = lib.optionalAttrs isLinux {
+ hardware.enableRedistributableFirmware = true;
 
- # FIXME: Move to common
- networking.firewall.trustedInterfaces = lib.mkIf tlEnabled [ "tailscale0" ];
+ services.openssh.enable = true;
+ programs.mosh.enable = lib.mkDefault true;
+ programs.git.enable = lib.mkDefault true;
 
- services.openssh.enable = true;
- programs.mosh.enable = lib.mkDefault true;
- programs.git.enable = lib.mkDefault true;
+ users = {
+ mutableUsers = false;
+ users.${username} = {
+ isNormalUser = true;
+ home = "/home/${username}";
+ group = username;
+ extraGroups = [ "wheel" ];
+ };
+ groups.${username} = { };
+ };
 
- users = {
- mutableUsers = false;
- users.${username} = {
- isNormalUser = true;
- home = "/home/${username}";
- group = username;
- extraGroups = [ "wheel" ];
- };
- groups.${username} = { };
- };
-
- # TODO: Actually this should be extraRules which makes wheel users without any password set
- # be able to use sudo with no password
- security.sudo.wheelNeedsPassword = false;
- }
- {
- # When NetworkManager isn't in use, add tailscale DNS address manually
- # FIXME: Move to common
- networking = lib.mkIf (!nmEnabled && tlEnabled && cfg.tailnet != null) {
- nameservers = [
- "100.100.100.100"
- "1.1.1.1"
- "1.0.0.1"
- ];
- search = [ cfg.tailnet ];
- };
-
- # NetworkManager probably means desktop system so we don't want to slow down boot times
- systemd.services = lib.mkIf nmEnabled { NetworkManager-wait-online.enable = false; };
- }
- ]
- );
+ # TODO: Actually this should be extraRules which makes wheel users without any password set
+ # be able to use sudo with no password
+ security.sudo.wheelNeedsPassword = false;
+ };
 
 darwinConfig = lib.optionalAttrs (!isLinux) {
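Review bot: The removed `systemd.services = lib.mkIf nmEnabled { NetworkManager-wait-online.enable = false; };` has no counterpart in the new tailscale.nix, so hosts with NetworkManager lose the boot-time tweak along with the Tailscale move, unless it is re-added elsewhere (nothing else in the diffstat suggests so). That setting depends on NetworkManager, not on Tailscale, so it belongs in the rewritten `linuxConfig` here: `systemd.services = lib.mkIf config.networking.networkmanager.enable { NetworkManager-wait-online.enable = false; };`, assuming `config` is still a module argument in this file as the old code implies. If the drop is deliberate, the commit message should say so, since it changes behaviour beyond the move. The `let` block enclosing `linuxConfig` starts before the hunk and the `darwinConfig` binding continues past it.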
 services.nix-daemon.enable = true;
diff --git a/modules/system/settei/tailscale.nix b/modules/system/settei/tailscale.nix
new file mode 100644
index 0000000..ded880a
--- /dev/null
+++ b/modules/system/settei/tailscale.nix
@@ -0,0 +1,54 @@
+{ isLinux }:
+{ config, lib, ... }:
+let
+ inherit (lib)
+ types
+ mkEnableOption
+ mkIf
+ mkOption
+ ;
+
+ cfg = config.settei.tailscale;
+
+ options.settei.tailscale = {
+ enable = mkEnableOption "Tailscale configuration";
+ tailnet = mkOption { type = types.str; };
+ ipv4 = mkOption { type = types.str; };
+ ipv6 = mkOption { type = types.str; };
+ };
+
+ sharedConfig = {
+ services.tailscale.enable = true;
+ };
+
+ nmEnabled = config.networking.networkmanager.enable;
+ linuxConfig = lib.optionalAttrs isLinux (
+ lib.mkMerge [
+ {
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+
+ }
+ (mkIf (!nmEnabled) {
+ # When NetworkManager isn't in use, add tailscale DNS address manually
+ networking.nameservers = [
+ "100.100.100.100"
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ networking.search = [ cfg.tailnet ];
+ })
+ ]
+ );
+in
+{
+ _file = ./tailscale.nix;
+
+ inherit options;
+
+ config = mkIf cfg.enable (
+ lib.mkMerge [
+ sharedConfig
+ linuxConfig
+ ]
+ );
+}
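Review bot: `ipv4` and `ipv6` are declared in `options.settei.tailscale` but nothing in this module reads `cfg.ipv4` or `cfg.ipv6`, so the addresses added in the hosts/kazuki, kogata, legion, miyagi and ude hunks currently have no effect; either wire them into the config or drop them, and give every option a `description` so the intent is visible in the generated docs. `tailnet` is `types.str` with no default and is read unconditionally whenever NetworkManager is off, so a host that enables the module without going through common/default.nix fails evaluation where the old `cfg.tailnet != null` guard used to skip the DNS block; `tailnet = mkOption { type = types.nullOr types.str; default = null; };` together with `(mkIf (!nmEnabled && cfg.tailnet != null) {` keeps the old behaviour. Since `networking.firewall.trustedInterfaces = [ "tailscale0" ];` now applies whenever the module is enabled, a one-line comment such as `# Every tailnet peer bypasses the host firewall; restrict on the tailnet side if needed` would help the next reader judge the exposure. The empty line before the closing `}` of the first mkMerge attrset looks left over from the move.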