From 0f2c8049fd10a3ad0189642f9cfbda188a3872ad Mon Sep 17 00:00:00 2001 From: Lucy Hochkamp Date: Fri, 14 Feb 2025 12:38:55 +0100 Subject: [PATCH] tailscale exit node support --- flake.lock | 186 +++++++++---------------- flake.nix | 3 +- hosts/picard/default.nix | 28 ++-- hosts/theseus/default.nix | 5 +- nixos-modules/networking/tailscale.nix | 55 ++++---- 5 files changed, 114 insertions(+), 163 deletions(-) diff --git a/flake.lock b/flake.lock index b3e15ccd..8b595cf6 100644 --- a/flake.lock +++ b/flake.lock @@ -68,11 +68,11 @@ ] }, "locked": { - "lastModified": 1737504076, - "narHash": "sha256-/B4XJnzYU/6K1ZZOBIgsa3K4pqDJrnC2579c44c+4rI=", + "lastModified": 1739229629, + "narHash": "sha256-zUWKsviMuelgB4PJNJuLZi/yvHnaLb1wZ9mOATjj9eM=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "65cc1fa8e36ceff067daf6cfb142331f02f524d3", + "rev": "a36049dac55b6b00536ce8fb601ad3dd1cd8ba8c", "type": "github" }, "original": { @@ -140,24 +140,6 @@ "inputs": { "systems": "systems_4" }, - "locked": { - "lastModified": 1685518550, - "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "inputs": { - "systems": "systems_5" - }, "locked": { "lastModified": 1710146030, "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", @@ -195,11 +177,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1737712207, - "narHash": "sha256-giqE4cwl2CohY4bHhxLSRxfZYHSH/9cRM5Vx9Vr1Va0=", + "lastModified": 1738683842, + "narHash": "sha256-Igl76UYv7D/aJ7K7CbZxlBvmvzbfyNK7DOfw+Ub+M5Y=", "owner": "SofusA", "repo": "helix-pull-diagnostics", - "rev": "c13d3225783ffcec56b6bcd63616236eddaefad5", + "rev": "3fb39042d480bb6e24b8473ff1eb31058846f55f", "type": "github" }, "original": { 
@@ -274,11 +256,11 @@ }, "locked": { "dir": "nix", - "lastModified": 1736194159, - "narHash": "sha256-YGwh6ntcQdE8vE3F5NYM4q1nroJZOtzZed2eWgCqCW0=", + "lastModified": 1737910997, + "narHash": "sha256-Q9g8erFLGov37CdtMcVm5V/u+PMtwQa7lVz4oIz43sQ=", "ref": "feat-tap-overlap", - "rev": "7fc983117bfd39c8e0225fa0ae20293c8248dba5", - "revCount": 901, + "rev": "3b653692891c0231e7cc8844e142008296448217", + "revCount": 912, "type": "git", "url": "https://github.com/jokesper/kmonad" }, @@ -324,23 +306,6 @@ "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz" } }, - "lolpizza": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "pnpm2nix": "pnpm2nix" - }, - "locked": { - "lastModified": 1729255849, - "narHash": "sha256-P9Dw2s1LL0xluiJyRMXz+STza75UYTvS3oegpE3S3zs=", - "path": "/nix/store/v48mn8cw1hgswjifw9nin7v73mdvh3aq-source", - "rev": "6989a9dc030ce99589758d0cea682c3011a6ea31", - "type": "path" - }, - "original": { - "id": "lolpizza", - "type": "indirect" - } - }, "miro": { "flake": false, "locked": { @@ -359,11 +324,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -375,11 +340,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737469691, - "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=", + "lastModified": 1728018373, + "narHash": "sha256-NOiTvBbRLIOe5F6RbHaAh6++BNjsb149fGZd1T4+KBg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab", + "rev": "bc947f541ae55e999ffdb4013441347d83b00feb", "type": "github" }, "original": { 
@@ -419,11 +384,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1737879851, - "narHash": "sha256-H+FXIKj//kmFHTTW4DFeOjR7F1z2/3eb2iwN6Me4YZk=", + "lastModified": 1739229610, + "narHash": "sha256-se+XO93QNFc9Krf7pf5TvR4lKC6jh+oWV/+EomsMeZ8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5d3221fd57cc442a1a522a15eb5f58230f45a304", + "rev": "ba4ca7f603ef577e16e76900e6be48329339d50e", "type": "github" }, "original": { @@ -435,27 +400,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1718437845, - "narHash": "sha256-ZT7Oc1g4I4pHVGGjQFnewFVDRLH5cIZhEzODLz9YXeY=", + "lastModified": 1739055578, + "narHash": "sha256-2MhC2Bgd06uI1A0vkdNUyDYsMD0SLNGKtD8600mZ69A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "752c634c09ceb50c45e751f8791cb45cb3d46c9e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1737672001, - "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8", + "rev": "a45fa362d887f4d4a7157d95c28ca9ce2899b70e", "type": "github" }, "original": { @@ -465,7 +414,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1728538411, "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", @@ -481,6 +430,22 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1735471104, + "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "pandoc-latex-template": { "flake": false, "locked": { 
@@ -497,28 +462,6 @@ "type": "github" } }, - "pnpm2nix": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixpkgs": [ - "lolpizza", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1685983557, - "narHash": "sha256-zzSsezK3YEvdZ/8+xnJELmimfKo12xxjC7tFdjsgH/0=", - "owner": "nzbr", - "repo": "pnpm2nix-nzbr", - "rev": "50b3587d90ea72640447ec4ed5604dabcfe06606", - "type": "github" - }, - "original": { - "owner": "nzbr", - "repo": "pnpm2nix-nzbr", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", @@ -528,10 +471,9 @@ "impermanence": "impermanence", "kmonad": "kmonad", "lix-module": "lix-module", - "lolpizza": "lolpizza", "miro": "miro", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-master": "nixpkgs-master", "pandoc-latex-template": "pandoc-latex-template", @@ -540,22 +482,23 @@ "utils": "utils", "wired": "wired", "x": "x", - "xynoblog": "xynoblog" + "xynoblog": "xynoblog", + "zen-browser": "zen-browser" } }, "roslyn-language-server": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1737351724, - "narHash": "sha256-CdRXZaEAXurgO6sGl5akhW+LuwhMvY90ToPlk1h+QcA=", + "lastModified": 1739209199, + "narHash": "sha256-IXemY38IgENRcnBw2/0hBkUU8dNwZr+kzrrVQd4EH/o=", "owner": "sofusa", "repo": "roslyn-language-server", - "rev": "8f237c172dbb52ab763fefa757a7350cf074dbec", + "rev": "e1e9831f8fc83121f87516b00401cca409392c29", "type": "github" }, "original": { @@ -587,7 +530,7 @@ }, "rust-overlay_2": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1730341826, 
@@ -694,24 +637,9 @@ "type": "github" } }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "utils": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1731533236, @@ -788,6 +716,24 @@ "repo": "blog", "type": "github" } + }, + "zen-browser": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1739161281, + "narHash": "sha256-cMM5E5EzEnfQFdBurCVqCi9mhsmRCeaEJB4iskPsQ1o=", + "owner": "0xc000022070", + "repo": "zen-browser-flake", + "rev": "0e962f036e6e2a9dde28f37d80104c7ea477a801", + "type": "github" + }, + "original": { + "owner": "0xc000022070", + "repo": "zen-browser-flake", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index cc8cb0b7..4bb09d0d 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,7 @@ wired.url = "github:Toqozz/wired-notify"; roslyn-language-server.url = "github:sofusa/roslyn-language-server"; roslyn-language-server.inputs.nixpkgs.follows = "nixpkgs"; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; kmonad = { @@ -92,7 +93,7 @@ , darwin , utils , xynoblog - , lolpizza + # , lolpizza , lix-module , kmonad , wired diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index f8c2fd41..3dd98b59 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix 
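Review bot: The new `zen-browser.url = "github:0xc000022070/zen-browser-flake";` line in flake.nix has no `follows` for its nixpkgs, unlike `roslyn-language-server.inputs.nixpkgs.follows = "nixpkgs";` directly above it, which is why the lock hunks in this same commit grow a separate `nixpkgs_4` entry (a nixos-unstable pin from December 2024) — a second nixpkgs tree to evaluate and a second set of library versions the browser closure links against. Add `zen-browser.inputs.nixpkgs.follows = "nixpkgs";` and re-lock. Since this pulls a browser build from a third-party flake with no `ref` pin in the URL, a one-line comment naming why that repository is trusted, and reviewing the lock diff for this input on each `nix flake update`, would be worth noting here.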
@@ -72,19 +72,19 @@ } ''; virtualHosts."*.ragon.xyz".extraConfig = '' - @8081 host 8081.ragon.xyz - handle @8081 { - reverse_proxy http://[::1]:8081 - } - @files host files.ragon.xyz - handle @files { - encode zstd gzip - root * /srv/www - file_server browse - basicauth * { - {$BAUSER} {$BAPASSWD} - } - } + # @8081 host 8081.ragon.xyz + # handle @8081 { + # reverse_proxy http://[::1]:8081 + # } + # @files host files.ragon.xyz + # handle @files { + # encode zstd gzip + # root * /srv/www + # file_server browse + # basicauth * { + # {$BAUSER} {$BAPASSWD} + # } + # } @bw host bw.ragon.xyz handle @bw { reverse_proxy http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort} @@ -257,7 +257,7 @@ all the robots are on catgirl.cloud mew :3 }) ]; services.xynoblog.enable = true; - services.lolpizza2.enable = true; + # services.lolpizza2.enable = true; programs.mosh.enable = true; home-manager.users.ragon = { pkgs, lib, inputs, config, ... }: { diff --git a/hosts/theseus/default.nix b/hosts/theseus/default.nix index 5f7c5467..53973bb5 100644 --- a/hosts/theseus/default.nix +++ b/hosts/theseus/default.nix @@ -63,6 +63,7 @@ programs.sway.enable = true; programs.nix-ld.enable = true; programs.gamescope.enable = true; + programs.wireshark.enable = true; services.gnome.sushi.enable = true; services.gnome.gnome-settings-daemon.enable = true; services.gvfs.enable = true; @@ -107,7 +108,7 @@ services.displayManager.defaultSession = "river"; programs.river.enable = true; services.upower.enable = true; - users.users.ragon.extraGroups = [ "networkmanager" "video" "netdev" "plugdev" "dialout" "tape" "uucp" ]; + users.users.ragon.extraGroups = [ "networkmanager" "video" "netdev" "plugdev" "dialout" "tape" "uucp" "wireshark" ]; fonts.packages = with pkgs; [ nerdfonts cantarell-fonts @@ -224,6 +225,8 @@ ptyxis appimage-run unstable.keepassxc + # unstable.zenbrowser + inputs.zen-browser.packages."${pkgs.system}".default # filezilla 
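Review bot: Adding `"wireshark"` to `users.users.ragon.extraGroups` in the theseus hunk is the line that grants capture rights, not the `programs.wireshark.enable = true;` line: as far as I recall the NixOS module installs a `dumpcap` security wrapper owned by that group with `cap_net_raw`/`cap_net_admin`, so the account can sniff every interface — including `tailscale0` — without sudo. That is a defensible trade-off on a personal laptop, but it deserves a comment on the group line, e.g. `# "wireshark": unprivileged packet capture via the capability-wrapped dumpcap`. Note also that with no `programs.wireshark.package` set the module defaults to the CLI package, if memory serves; set `programs.wireshark.package = pkgs.wireshark;` if the GUI is intended.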
diff --git a/nixos-modules/networking/tailscale.nix b/nixos-modules/networking/tailscale.nix
index bc1d1167..b58a6c31 100644
--- a/nixos-modules/networking/tailscale.nix
+++ b/nixos-modules/networking/tailscale.nix
@@ -12,11 +12,12 @@ in
 "/var/lib/tailscale"
 ];
 services.tailscale.enable = true;
- ragon.agenix.secrets.tailscaleKey = { };
- boot.kernel.sysctl = lib.mkIf cfg.exitNode {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.conf.all.forwarding" = 1;
- };
+ services.tailscale.useRoutingFeatures = "server";
+ # ragon.agenix.secrets.tailscaleKey = { };
+ # boot.kernel.sysctl = lib.mkIf cfg.exitNode {
+ # "net.ipv4.ip_forward" = 1;
+ # "net.ipv6.conf.all.forwarding" = 1;
+ # };
 networking.firewall = {
 # always allow traffic from your Tailscale network
 trustedInterfaces = [ "tailscale0" ];
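Review bot: `services.tailscale.useRoutingFeatures = "server";` is set unconditionally, whereas the sysctl block it replaces was gated with `lib.mkIf cfg.exitNode`, so every host that imports this module now gets IP forwarding enabled (that is what the `server` value of the nixpkgs option does, as I understand it) even if it never advertises an exit node or subnet route. On a machine where `tailscale0` is also a `trustedInterfaces` entry, a forwarding host is a wider exposure than the previous gated version, so the gate should stay: `services.tailscale.useRoutingFeatures = lib.mkIf cfg.exitNode "server";` — a host that only consumes an exit node wants `"client"`, which relaxes rp_filter without enabling forwarding. The five commented-out lines should be deleted rather than kept; git history already has them.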
@@ -26,31 +27,31 @@ in # allow the Tailscale UDP port through the firewall allowedUDPPorts = [ config.services.tailscale.port ]; }; - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; + # systemd.services.tailscale-autoconnect = { + # description = "Automatic connection to Tailscale"; - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; + # # make sure tailscale is running before trying to connect to tailscale + # after = [ "network-pre.target" "tailscale.service" ]; + # wants = [ "network-pre.target" "tailscale.service" ]; + # wantedBy = [ "multi-user.target" ]; - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; + # # set this service as a oneshot job + # serviceConfig.Type = "oneshot"; - # have the job run this shell script - script = with pkgs; '' - # wait for tailscaled to settle - sleep 2 + # # have the job run this shell script + # script = with pkgs; '' + # # wait for tailscaled to settle + # sleep 2 - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - key=$(<${config.age.secrets.tailscaleKey.path}) - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up -authkey $key ${lib.optionalString cfg.exitNode "--advertise-exit-node"} ${cfg.extraUpCommands} - ''; - }; + # # check if we are already authenticated to tailscale + # status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + # if [ $status = "Running" ]; then # if so, then do nothing + # exit 0 + # fi + # key=$(<${config.age.secrets.tailscaleKey.path}) + # # otherwise authenticate with tailscale + # ${tailscale}/bin/tailscale up -authkey $key ${lib.optionalString 
cfg.exitNode "--advertise-exit-node"} ${cfg.extraUpCommands} + # ''; + # }; }; }
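Review bot: With `tailscale-autoconnect` commented out, nothing passes `--advertise-exit-node` or `cfg.extraUpCommands` any more, so despite the commit title a host with `exitNode = true` is only prepared to forward but never advertises, and the `exitNode`/`extraUpCommands` options (declared above this hunk, outside it) and the agenix key are now dead. If the intent is a manual `tailscale up --advertise-exit-node`, say so in a comment and drop the unused options; otherwise the declarative path in current nixpkgs, if this module's pin has it, is `services.tailscale.authKeyFile = config.age.secrets.tailscaleKey.path;` together with `services.tailscale.extraUpFlags = lib.optional cfg.exitNode "--advertise-exit-node";`, which also needs the `ragon.agenix.secrets.tailscaleKey` declaration removed earlier in this commit to come back. Either way, deleting the ~30 commented-out lines reads better than keeping them.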