installed tailscale on all machines

This commit is contained in:
Leyla Becker 2025-02-23 11:10:16 -06:00
parent 9bfa5c9e8d
commit 2e0f71a6fa
7 changed files with 133 additions and 62 deletions


@ -58,8 +58,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
- Open GL? - Open GL?
- rotate sops encryption keys periodically (and somehow sync between devices?) - rotate sops encryption keys periodically (and somehow sync between devices?)
- zfs email after scrubbing - zfs email after scrubbing
- common wireguard config
- configure wireguard on all clients
- wake on LAN for updates - wake on LAN for updates
- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix - ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
- Immich - Immich


@ -1,5 +1,16 @@
# server nas # server nas
{pkgs, ...}: { {
inputs,
config,
pkgs,
...
}: {
sops.secrets = {
"wireguard-keys/tailscale-authkey/defiant" = {
sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
};
};
host = { host = {
users = { users = {
leyla = { leyla = {
@ -136,6 +147,10 @@
"deepseek-r1:70b" "deepseek-r1:70b"
]; ];
}; };
tailscale = {
enable = true;
authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/defiant".path;
};
}; };
# disable computer sleeping # disable computer sleeping
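Review bot: The sops secret declaration at L31–L35 and the `tailscale = { enable = true; authKeyFile = …; }` stanza at L43–L46 are repeated verbatim in the horizon (L60–L63, L75–L78) and twilight (L175–L179, L193–L196) sections, differing only in the host name inside the secret key. Since this commit also adds a shared `host.tailscale` module, both could live there once, keyed on the host name, e.g. `sops.secrets."wireguard-keys/tailscale-authkey/${config.networking.hostName}".sopsFile = "${inputs.secrets}/wireguard-keys.yaml";` and `services.tailscale.authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/${config.networking.hostName}".path;`, with `inputs` added to the module's arguments. That assumes every host sets `networking.hostName` to the same name used in the secrets file — only horizon's `hostName = "horizon"` is visible in this commit, so confirm for defiant and twilight before deduplicating.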


@ -1,4 +1,5 @@
{ {
config,
inputs, inputs,
pkgs, pkgs,
... ...
@ -36,6 +37,15 @@
programs.adb.enable = true; programs.adb.enable = true;
sops.secrets = {
"wireguard-keys/tailscale-authkey/horizon" = {
sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
};
# "wireguard-keys/proton/horizon" = {
# sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
# };
};
services = { services = {
# sudo fprintd-enroll # sudo fprintd-enroll
fprintd = { fprintd = {
@ -49,6 +59,42 @@
"deepseek-r1:1.5b" "deepseek-r1:1.5b"
]; ];
}; };
tailscale = {
enable = true;
authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/horizon".path;
};
};
networking = {
# wg-quick.interfaces = {
# proton = {
# # IP address of this machine in the *tunnel network*
# address = ["10.2.0.1/32"];
# listenPort = 51820;
# privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
# peers = [
# {
# publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "84.17.63.8:51820";
# persistentKeepalive = 25;
# }
# {
# publicKey = "OIPOmEDCJfuvTJ0dugMtY5L14gVpfpDdY3suniY5h3Y=";
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "68.169.42.242:51820";
# persistentKeepalive = 25;
# }
# {
# publicKey = "uvEa3sdmi5d/OxozjecVIGQHgw4H42mNIX/QOulwDhs=";
# allowedIPs = ["0.0.0.0/0"];
# }
# ];
# };
# };
}; };
# networking.extraHosts = '' # networking.extraHosts = ''
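Review bot: The `networking = { … };` block added in the second hunk (L80–L107) contains nothing but the commented-out proton `wg-quick` interface moved over from hardware-configuration.nix, so it evaluates to an empty attrset while carrying peer public keys and endpoint addresses forward as comments; the commented secret at L64–L66 is the same dead config. Since this commit already deletes that block from the hardware file and git history keeps it, I would remove the commented lines and the now-empty `networking` wrapper rather than re-add them here. If the proton tunnel is meant to return, a single pointer such as `# TODO: proton wg-quick config removed; see git history for the previous interface definition` preserves the intent without the stale keys and addresses.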


@ -6,19 +6,12 @@
lib, lib,
pkgs, pkgs,
modulesPath, modulesPath,
inputs,
... ...
}: { }: {
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
sops.secrets = {
"wireguard-keys/proton/horizon" = {
sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
};
};
boot = { boot = {
initrd = { initrd = {
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"]; availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
@ -96,36 +89,6 @@
networkmanager.enable = true; networkmanager.enable = true;
useDHCP = lib.mkDefault true; useDHCP = lib.mkDefault true;
hostName = "horizon"; # Define your hostname. hostName = "horizon"; # Define your hostname.
# wg-quick.interfaces = {
# proton = {
# # IP address of this machine in the *tunnel network*
# address = ["10.2.0.1/32"];
# listenPort = 51820;
# privateKeyFile = config.sops.secrets."wireguard-keys/proton/horizon".path;
# peers = [
# {
# publicKey = "Yu2fgynXUAASCkkrXWj76LRriFxKMTQq+zjTzyOKG1Q=";
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "84.17.63.8:51820";
# persistentKeepalive = 25;
# }
# {
# publicKey = "OIPOmEDCJfuvTJ0dugMtY5L14gVpfpDdY3suniY5h3Y=";
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "68.169.42.242:51820";
# persistentKeepalive = 25;
# }
# {
# publicKey = "uvEa3sdmi5d/OxozjecVIGQHgw4H42mNIX/QOulwDhs=";
# allowedIPs = ["0.0.0.0/0"];
# }
# ];
# };
# };
}; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";


@ -1,10 +1,19 @@
{...}: { {
inputs,
config,
...
}: {
imports = [ imports = [
./monitors.nix ./monitors.nix
]; ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
sops.secrets = {
"wireguard-keys/tailscale-authkey/twilight" = {
sopsFile = "${inputs.secrets}/wireguard-keys.yaml";
};
};
host = { host = {
users = { users = {
leyla = { leyla = {
@ -22,7 +31,8 @@
}; };
}; };
services.ollama = { services = {
ollama = {
enable = true; enable = true;
loadModels = [ loadModels = [
@ -32,6 +42,11 @@
]; ];
}; };
tailscale = {
enable = true;
authKeyFile = config.sops.secrets."wireguard-keys/tailscale-authkey/twilight".path;
};
};
programs.steam = { programs.steam = {
enable = true; enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play


@ -114,11 +114,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1740265252, "lastModified": 1740318342,
"narHash": "sha256-+LFsCsIUF/pJWL9S21m5NLcK5bgwRB4MwfV0Iu7tggY=", "narHash": "sha256-fjr9+3Iru6O5qE+2oERQkabqAUXx4awm0+i2MBcta1U=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "fb568d75cf6c81f30d49eeb73787e9b56454ba16", "rev": "b5ab2c7fdaa807cf425066ab7cd34b073946b1ca",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -171,11 +171,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1740188781, "lastModified": 1740275623,
"narHash": "sha256-3FDg6k9kQXq5M6ZHc2f9KsPydvWBtqacU9lWA7nIFYI=", "narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "ba52a14c907e0cece9734e0ff59c3c742b6b1075", "rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -202,11 +202,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1739866667, "lastModified": 1740126099,
"narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "narHash": "sha256-ozoOtE2hGsqh4XkTJFsrTkNxkRgShxpQxDynaPZUGxk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "rev": "32fb99ba93fea2798be0e997ea331dd78167f814",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -234,11 +234,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1740267388, "lastModified": 1740328351,
"narHash": "sha256-JCgjNQMrlzf8a0YAqRNGliGmgv6afnc0OTOD6Eg0RZ0=", "narHash": "sha256-oX+XYRclxVYgLy5NX9UR7XKixaH5jJQuQhR7Of/ZtTk=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "f5af565aee98df0a78056c49c85cda640ce290fd", "rev": "52bb4eadd620757e6a943d335e31458ffa2ada2b",
"revCount": 10, "revCount": 11,
"type": "git", "type": "git",
"url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git" "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
}, },


@ -0,0 +1,34 @@
{
config,
lib,
...
}: let
tailscale_data_directory = "/var/lib/tailscale";
in {
options.host.tailscale = {
enable = lib.mkEnableOption "should tailscale be enabled on this computer";
};
config = lib.mkIf config.services.tailscale.enable (
lib.mkMerge [
{
# any configs we want shared between all machines
}
(lib.mkIf config.host.impermanence.enable {
environment.persistence = {
"/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = tailscale_data_directory;
user = "jellyfin";
group = "jellyfin";
}
];
};
};
})
]
);
}
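Review bot: The persisted `/var/lib/tailscale` entry at L277–L281 sets `user = "jellyfin"; group = "jellyfin";`, which looks carried over from another module — tailscaled's state directory (presumably holding the node keys) would end up owned by the jellyfin service account instead of root. Drop those two lines so impermanence's default ownership applies, or set both to `"root"` explicitly. Separately, the option declared at L264 (`host.tailscale.enable`) is never read: the config is gated on `config.services.tailscale.enable` at L266 and the defiant, horizon and twilight sections set `services.tailscale.enable = true` directly, so either change L266 to `config = lib.mkIf config.host.tailscale.enable (` and add `services.tailscale.enable = true;` to the shared block at L268–L270, or remove the option. The empty shared block is otherwise a placeholder; a comment such as `# shared tailscale settings for every host go here (none yet)` on L269 would make that explicit.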