From 2e0f71a6fa2da47fae321660bd86919ef052cec9 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Sun, 23 Feb 2025 11:10:16 -0600
Subject: [PATCH] installed tailscale on all machines
---
 README.md | 2 -
 .../nixos/defiant/configuration.nix | 17 ++++++-
 .../nixos/horizon/configuration.nix | 46 +++++++++++++++++++
 .../nixos/horizon/hardware-configuration.nix | 37 ---------------
 .../nixos/twilight/configuration.nix | 33 +++++++++----
 flake.lock | 26 +++++------
 modules/nixos-modules/tailscale.nix | 34 ++++++++++++++
 7 files changed, 133 insertions(+), 62 deletions(-)
 create mode 100644 modules/nixos-modules/tailscale.nix
diff --git a/README.md b/README.md
index 69f4e26..0e8ff07 100644
--- a/README.md
+++ b/README.md
@@ -58,8 +58,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - Open GL?
 - rotate sops encryption keys periodically (and somehow sync between devices?)
 - zfs email after scrubbing
-- common wireguard config
-- configure wireguard on all clients
 - wake on LAN for updates
 - ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
 - Immich
diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix
index 155b35b..19b8f65 100644
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@@ -1,5 +1,16 @@
 # server nas
-{pkgs, ...}: {
+ inputs,
+ config,
+ pkgs,
+ ...
+}: {
+ sops.secrets = {
+ "wireguard-keys/tailscale-authkey/defiant" = {
+ sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+ };
+ };
+
 host = {
 users = {
 leyla = {
@@ -136,6 +147,10 @@
 "deepseek-r1:70b"
 ];
 };
+ tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/defiant".path;
+ };
 };
 # disable computer sleeping
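Review bot: The `tailscale = { enable = true; authKeyFile = ...; }` stanza added here, together with the `sops.secrets."wireguard-keys/tailscale-authkey/defiant"` declaration in the first defiant hunk, is repeated with only the host name changed for horizon (`@@ -36` and `@@ -49`) and twilight (`@@ -1` and `@@ -22`). Since the commit also introduces modules/nixos-modules/tailscale.nix as the shared place for Tailscale settings, the secret declaration and `authKeyFile` could be derived there from the host name, e.g. `services.tailscale.authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/${config.networking.hostName}".path;`, leaving each host with just `enable = true` — provided `inputs` is passed to that module as it is to the host configs and each host's `networking.hostName` matches its directory name (only horizon's is visible in this patch). The attrset enclosing this hunk's `tailscale` block starts outside the hunk; from the `ollama` context it appears to be `services`.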
diff --git a/configurations/nixos/horizon/configuration.nix b/configurations/nixos/horizon/configuration.nix
index 75657d2..a4f4f77 100644
--- a/configurations/nixos/horizon/configuration.nix
+++ b/configurations/nixos/horizon/configuration.nix
@@ -1,4 +1,5 @@
 {
+ config,
 inputs,
 pkgs,
 ...
@@ -36,6 +37,15 @@
 programs.adb.enable = true;
+ sops.secrets = {
+ "wireguard-keys/tailscale-authkey/horizon" = {
+ sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+ };
+ # "wireguard-keys/proton/horizon" = {
+ # sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+ # };
+ };
+
 services = {
 # sudo fprintd-enroll
 fprintd = {
@@ -49,6 +59,42 @@
 "deepseek-r1:1.5b"
 ];
 };
+ tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/horizon".path;
+ };
+ };
+
+ networking = {
+ # wg-quick.interfaces = {
+ # proton = {
+ # # IP address of this machine in the *tunnel network*
+ # address = ["10.2.0.1/32"];
+
+ # listenPort = 51820;
+
+ # privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
+
+ # peers = [
+ # {
+ # publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
+ # allowedIPs = ["0.0.0.0/0"];
+ # endpoint = "84.17.63.8:51820";
+ # persistentKeepalive = 25;
+ # }
+ # {
+ # publicKey = "OIPOmEDCJfuvTJ0dugMtY5L14gVpfpDdY3suniY5h3Y=";
+ # allowedIPs = ["0.0.0.0/0"];
+ # endpoint = "68.169.42.242:51820";
+ # persistentKeepalive = 25;
+ # }
+ # {
+ # publicKey = "uvEa3sdmi5d/OxozjecVIGQHgw4H42mNIX/QOulwDhs=";
+ # allowedIPs = ["0.0.0.0/0"];
+ # }
+ # ];
+ # };
+ # };
 };
 # networking.extraHosts = ''
diff --git a/configurations/nixos/horizon/hardware-configuration.nix b/configurations/nixos/horizon/hardware-configuration.nix
index 1c84e97..48a4680 100644
--- a/configurations/nixos/horizon/hardware-configuration.nix
+++ b/configurations/nixos/horizon/hardware-configuration.nix
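Review bot: The commented-out `wg-quick.interfaces` block placed inside the new `networking = { ... }` here is dead code that the commit moves out of hardware-configuration.nix rather than deletes, and it can no longer be re-enabled by uncommenting alone: its `privateKeyFile` reads `config.sops.secrets."wireguard-keys/proton/horizon"`, whose declaration the same commit removes and leaves commented in the `@@ -36` hunk above, so restoring one without the other fails evaluation. As written `networking = { ... }` contains nothing but comments. I would drop the block (git history keeps it) and leave a one-line pointer such as `# ProtonVPN wg-quick profile removed in 2e0f71a; see git history if it is needed again`, or keep the secret and the interface together under one switch so they are enabled as a pair. The `services` attrset that this hunk closes starts outside the hunk.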
@@ -6,19 +6,12 @@
 lib,
 pkgs,
 modulesPath,
- inputs,
 ...
 }: {
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
- sops.secrets = {
- "wireguard-keys/proton/horizon" = {
- sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
- };
- };
-
 boot = {
 initrd = {
 availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
@@ -96,36 +89,6 @@
 networkmanager.enable = true;
 useDHCP = lib.mkDefault true;
 hostName = "horizon"; # Define your hostname.
-
- # wg-quick.interfaces = {
- # proton = {
- # # IP address of this machine in the *tunnel network*
- # address = ["10.2.0.1/32"];
-
- # listenPort = 51820;
-
- # privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
-
- # peers = [
- # {
- # publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
- # allowedIPs = ["0.0.0.0/0"];
- # endpoint = "84.17.63.8:51820";
- # persistentKeepalive = 25;
- # }
- # {
- # publicKey = "OIPOmEDCJfuvTJ0dugMtY5L14gVpfpDdY3suniY5h3Y=";
- # allowedIPs = ["0.0.0.0/0"];
- # endpoint = "68.169.42.242:51820";
- # persistentKeepalive = 25;
- # }
- # {
- # publicKey = "uvEa3sdmi5d/OxozjecVIGQHgw4H42mNIX/QOulwDhs=";
- # allowedIPs = ["0.0.0.0/0"];
- # }
- # ];
- # };
- # };
 };
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
diff --git a/configurations/nixos/twilight/configuration.nix b/configurations/nixos/twilight/configuration.nix
index 2735f20..4f4b355 100644
--- a/configurations/nixos/twilight/configuration.nix
+++ b/configurations/nixos/twilight/configuration.nix
@@ -1,10 +1,19 @@
-{...}: {
+ inputs,
+ config,
+ ...
+}: {
 imports = [
 ./monitors.nix
 ];
 nixpkgs.config.allowUnfree = true;
+ sops.secrets = {
+ "wireguard-keys/tailscale-authkey/twilight" = {
+ sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
+ };
+ };
 host = {
 users = {
 leyla = {
@@ -22,16 +31,22 @@
 };
 };
- services.ollama = {
- enable = true;
+ services = {
+ ollama = {
+ enable = true;
- loadModels = [
- "deepseek-coder:6.7b"
- "deepseek-r1:8b"
- "deepseek-r1:32b"
- ];
+ loadModels = [
+ "deepseek-coder:6.7b"
+ "deepseek-r1:8b"
+ "deepseek-r1:32b"
+ ];
+ };
+
+ tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/twilight".path;
+ };
 };
-
 programs.steam = {
 enable = true;
 remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
diff --git a/flake.lock b/flake.lock
index 73eac0e..ffdbb04 100644
--- a/flake.lock
+++ b/flake.lock
@@ -114,11 +114,11 @@
 ]
 },
 "locked": {
- "lastModified": 1740265252,
- "narHash": "sha256-+LFsCsIUF/pJWL9S21m5NLcK5bgwRB4MwfV0Iu7tggY=",
+ "lastModified": 1740318342,
+ "narHash": "sha256-fjr9+3Iru6O5qE+2oERQkabqAUXx4awm0+i2MBcta1U=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "fb568d75cf6c81f30d49eeb73787e9b56454ba16",
+ "rev": "b5ab2c7fdaa807cf425066ab7cd34b073946b1ca",
 "type": "github"
 },
 "original": {
@@ -171,11 +171,11 @@
 ]
 },
 "locked": {
- "lastModified": 1740188781,
- "narHash": "sha256-3FDg6k9kQXq5M6ZHc2f9KsPydvWBtqacU9lWA7nIFYI=",
+ "lastModified": 1740275623,
+ "narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=",
 "owner": "nix-community",
 "repo": "nix-vscode-extensions",
- "rev": "ba52a14c907e0cece9734e0ff59c3c742b6b1075",
+ "rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3",
 "type": "github"
 },
 "original": {
@@ -202,11 +202,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1739866667,
- "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
+ "lastModified": 1740126099,
+ "narHash": "sha256-ozoOtE2hGsqh4XkTJFsrTkNxkRgShxpQxDynaPZUGxk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
+ "rev": "32fb99ba93fea2798be0e997ea331dd78167f814",
 "type": "github"
 },
 "original": {
@@ -234,11 +234,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1740267388,
- "narHash": "sha256-JCgjNQMrlzf8a0YAqRNGliGmgv6afnc0OTOD6Eg0RZ0=",
+ "lastModified": 1740328351,
+ "narHash": "sha256-oX+XYRclxVYgLy5NX9UR7XKixaH5jJQuQhR7Of/ZtTk=",
 "ref": "refs/heads/main",
- "rev": "f5af565aee98df0a78056c49c85cda640ce290fd",
- "revCount": 10,
+ "rev": "52bb4eadd620757e6a943d335e31458ffa2ada2b",
+ "revCount": 11,
 "type": "git",
 "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
 },
diff --git a/modules/nixos-modules/tailscale.nix b/modules/nixos-modules/tailscale.nix
new file mode 100644
index 0000000..a998f49
--- /dev/null
+++ b/modules/nixos-modules/tailscale.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ tailscale_data_directory = "/var/lib/tailscale";
+in {
+ options.host.tailscale = {
+ enable = lib.mkEnableOption "should tailscale be enabled on this computer";
+ };
+
+ config = lib.mkIf config.services.tailscale.enable (
+ lib.mkMerge [
+ {
+ # any configs we want shared between all machines
+ }
+ (lib.mkIf config.host.impermanence.enable {
+ environment.persistence = {
+ "/persist/system/root" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ {
+ directory = tailscale_data_directory;
+ user = "jellyfin";
+ group = "jellyfin";
+ }
+ ];
+ };
+ };
+ })
+ ]
+ );
+}
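Review bot: The persisted `/var/lib/tailscale` directory is given `user = "jellyfin"; group = "jellyfin";`, which looks copied from another persistence entry: tailscaled keeps its node state (including its private node key) in that directory and, under the stock NixOS service as far as I know, runs as root, so this hands an unrelated service account ownership of the Tailscale identity and may leave tailscaled unable to write its own state after a reboot. Use `user = "root"; group = "root";` (or drop the two lines, since impermanence defaults ownership to root as far as I recall). Separately, `options.host.tailscale.enable` is declared but nothing reads it — the `config` block is gated on `config.services.tailscale.enable`, which is also what the three host configs set — so either remove the option or gate on `config.host.tailscale.enable` and add `services.tailscale.enable = true;` to the shared attrset that currently holds only the `# any configs we want shared between all machines` comment. Minor: `lib.mkEnableOption` already prefixes "Whether to enable ", so the description reads doubled and `lib.mkEnableOption "tailscale"` suffices, and `tailscale_data_directory` would conventionally be `tailscaleDataDirectory`.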