installed tailscale on all machines

2025-02-23 11:10:16 -06:00 · 2025-02-23 11:10:16 -06:00 · 2e0f71a6fa
commit 2e0f71a6fa
parent 9bfa5c9e8d
7 changed files with 133 additions and 62 deletions
--- a/README.md
+++ b/README.md
@ -58,8 +58,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - Open GL?
 - rotate sops encryption keys periodically (and somehow sync between devices?)
 - zfs email after scrubbing
- common wireguard config
- configure wireguard on all clients
 - wake on LAN for updates
 - ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
 - Immich
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@ -1,5 +1,16 @@
 # server nas
-{pkgs, ...}: {
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets = {
+    "wireguard-keys/tailscale-authkey/defiant" = {
+      sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+    };
+  };
+
  host = {
    users = {
      leyla = {
@ -136,6 +147,10 @@
        "deepseek-r1:70b"
      ];
    };
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/defiant".path;
+    };
  };

  # disable computer sleeping
--- a/configurations/nixos/horizon/configuration.nix
+++ b/configurations/nixos/horizon/configuration.nix
@ -1,4 +1,5 @@
 {
+  config,
  inputs,
  pkgs,
  ...
@ -36,6 +37,15 @@

  programs.adb.enable = true;

+  sops.secrets = {
+    "wireguard-keys/tailscale-authkey/horizon" = {
+      sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+    };
+    # "wireguard-keys/proton/horizon" = {
+    #   sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+    # };
+  };
+
  services = {
    # sudo fprintd-enroll
    fprintd = {
@ -49,6 +59,42 @@
        "deepseek-r1:1.5b"
      ];
    };
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/horizon".path;
+    };
+  };
+
+  networking = {
+    # wg-quick.interfaces = {
+    #   proton = {
+    #     # IP address of this machine in the *tunnel network*
+    #     address = ["10.2.0.1/32"];
+
+    #     listenPort = 51820;
+
+    #     privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
+
+    #     peers = [
+    #       {
+    #         publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
+    #         allowedIPs = ["0.0.0.0/0"];
+    #         endpoint = "84.17.63.8:51820";
+    #         persistentKeepalive = 25;
+    #       }
+    #       {
+    #         publicKey = "OIPOmEDCJfuvTJ0dugMtY5L14gVpfpDdY3suniY5h3Y=";
+    #         allowedIPs = ["0.0.0.0/0"];
+    #         endpoint = "68.169.42.242:51820";
+    #         persistentKeepalive = 25;
+    #       }
+    #       {
+    #         publicKey = "uvEa3sdmi5d/OxozjecVIGQHgw4H42mNIX/QOulwDhs=";
+    #         allowedIPs = ["0.0.0.0/0"];
+    #       }
+    #     ];
+    #   };
+    # };
  };

  # networking.extraHosts = ''
--- a/configurations/nixos/horizon/hardware-configuration.nix
+++ b/configurations/nixos/horizon/hardware-configuration.nix
@ -6,19 +6,12 @@
  lib,
  pkgs,
  modulesPath,
-  inputs,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  sops.secrets = {
-    "wireguard-keys/proton/horizon" = {
-      sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
-    };
-  };
-
  boot = {
    initrd = {
      availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
@ -96,36 +89,6 @@
    networkmanager.enable = true;
    useDHCP = lib.mkDefault true;
    hostName = "horizon"; # Define your hostname.
-
-    # wg-quick.interfaces = {
-    #   proton = {
-    #     # IP address of this machine in the *tunnel network*
-    #     address = ["10.2.0.1/32"];
-
-    #     listenPort = 51820;
-
-    #     privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
-
-    #     peers = [
-    #       {
-    #         publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
-    #         allowedIPs = ["0.0.0.0/0"];
-    #         endpoint = "84.17.63.8:51820";
-    #         persistentKeepalive = 25;
-    #       }
-    #       {
-    #         publicKey = "OIPOmEDCJfuvTJ0dugMtY5L14gVpfpDdY3suniY5h3Y=";
-    #         allowedIPs = ["0.0.0.0/0"];
-    #         endpoint = "68.169.42.242:51820";
-    #         persistentKeepalive = 25;
-    #       }
-    #       {
-    #         publicKey = "uvEa3sdmi5d/OxozjecVIGQHgw4H42mNIX/QOulwDhs=";
-    #         allowedIPs = ["0.0.0.0/0"];
-    #       }
-    #     ];
-    #   };
-    # };
  };

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
--- a/configurations/nixos/twilight/configuration.nix
+++ b/configurations/nixos/twilight/configuration.nix
@ -1,10 +1,19 @@
-{...}: {
+{
+  inputs,
+  config,
+  ...
+}: {
  imports = [
    ./monitors.nix
  ];

  nixpkgs.config.allowUnfree = true;

+  sops.secrets = {
+    "wireguard-keys/tailscale-authkey/twilight" = {
+      sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+    };
+  };
  host = {
    users = {
      leyla = {
@ -22,16 +31,22 @@
    };
  };

-  services.ollama = {
-    enable = true;
+  services = {
+    ollama = {
+      enable = true;

-    loadModels = [
-      "deepseek-coder:6.7b"
-      "deepseek-r1:8b"
-      "deepseek-r1:32b"
-    ];
+      loadModels = [
+        "deepseek-coder:6.7b"
+        "deepseek-r1:8b"
+        "deepseek-r1:32b"
+      ];
+    };
+
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/twilight".path;
+    };
  };
-
  programs.steam = {
    enable = true;
    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
--- a/flake.lock
+++ b/flake.lock
@ -114,11 +114,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740265252,
-        "narHash": "sha256-+LFsCsIUF/pJWL9S21m5NLcK5bgwRB4MwfV0Iu7tggY=",
+        "lastModified": 1740318342,
+        "narHash": "sha256-fjr9+3Iru6O5qE+2oERQkabqAUXx4awm0+i2MBcta1U=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "fb568d75cf6c81f30d49eeb73787e9b56454ba16",
+        "rev": "b5ab2c7fdaa807cf425066ab7cd34b073946b1ca",
        "type": "github"
      },
      "original": {
@ -171,11 +171,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740188781,
-        "narHash": "sha256-3FDg6k9kQXq5M6ZHc2f9KsPydvWBtqacU9lWA7nIFYI=",
+        "lastModified": 1740275623,
+        "narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "ba52a14c907e0cece9734e0ff59c3c742b6b1075",
+        "rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3",
        "type": "github"
      },
      "original": {
@ -202,11 +202,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1739866667,
-        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
+        "lastModified": 1740126099,
+        "narHash": "sha256-ozoOtE2hGsqh4XkTJFsrTkNxkRgShxpQxDynaPZUGxk=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
+        "rev": "32fb99ba93fea2798be0e997ea331dd78167f814",
        "type": "github"
      },
      "original": {
@ -234,11 +234,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1740267388,
-        "narHash": "sha256-JCgjNQMrlzf8a0YAqRNGliGmgv6afnc0OTOD6Eg0RZ0=",
+        "lastModified": 1740328351,
+        "narHash": "sha256-oX+XYRclxVYgLy5NX9UR7XKixaH5jJQuQhR7Of/ZtTk=",
        "ref": "refs/heads/main",
-        "rev": "f5af565aee98df0a78056c49c85cda640ce290fd",
-        "revCount": 10,
+        "rev": "52bb4eadd620757e6a943d335e31458ffa2ada2b",
+        "revCount": 11,
        "type": "git",
        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
      },
--- a/modules/nixos-modules/tailscale.nix
+++ b/modules/nixos-modules/tailscale.nix
@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  tailscale_data_directory = "/var/lib/tailscale";
+in {
+  options.host.tailscale = {
+    enable = lib.mkEnableOption "should tailscale be enabled on this computer";
+  };
+
+  config = lib.mkIf config.services.tailscale.enable (
+    lib.mkMerge [
+      {
+        # any configs we want shared between all machines
+      }
+      (lib.mkIf config.host.impermanence.enable {
+        environment.persistence = {
+          "/persist/system/root" = {
+            enable = true;
+            hideMounts = true;
+            directories = [
+              {
+                directory = tailscale_data_directory;
+                user = "jellyfin";
+                group = "jellyfin";
+              }
+            ];
+          };
+        };
+      })
+    ]
+  );
+}