From ba7f19a5bf28a2c14745b17498f92e4706b27f6e Mon Sep 17 00:00:00 2001 From: Philipp Hochkamp Date: Mon, 11 Jul 2022 15:15:09 +0200 Subject: [PATCH] tailscale stuff --- flake.lock | 66 ++++++------- hm-imports/cli.nix | 2 +- hosts/ds9/default.nix | 122 ++++++++++++------------- nixos-modules/networking/tailscale.nix | 5 +- secrets/tailscaleKey.age | 32 +++---- 5 files changed, 115 insertions(+), 112 deletions(-) diff --git a/flake.lock b/flake.lock index de48db0f..cbd48b79 100644 --- a/flake.lock +++ b/flake.lock @@ -98,11 +98,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1657016837, - "narHash": "sha256-knx83nZ0xax6U1zR3rEOwIz2matk85kntbVEJRQYNuw=", + "lastModified": 1657536849, + "narHash": "sha256-xpKggtyxzs2bbs8NT5lPNv2engBn7v0yPgzHemf8Ga4=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "beec877720e2b09b0b1a96450286459bcd7e6435", + "rev": "4f95fe202c5e2c796adab52afff568b23ffadda2", "type": "github" }, "original": { @@ -165,11 +165,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1656927578, - "narHash": "sha256-ZSFrM/1PlJOqCb3mN88ZUh9dkQvNLU/nkoQ2tu02/FM=", + "lastModified": 1657396086, + "narHash": "sha256-4cQ6hEuewWoFkTBlu211JGxPQQ1Zyli8oEq1cu7cVeA=", "owner": "nix-community", "repo": "home-manager", - "rev": "f2445620d177e295e711c1b2bc6c01ed6df26c16", + "rev": "c645cc9f82c7753450d1fa4d1bc73b64960a9d7a", "type": "github" }, "original": { @@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1639947939, - "narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=", + "lastModified": 1655042882, + "narHash": "sha256-9BX8Fuez5YJlN7cdPO63InoyBy7dm3VlJkkmTt6fS1A=", "owner": "nix-community", "repo": "naersk", - "rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653", + "rev": "cddffb5aa211f50c4b8750adbec0bbbdfb26bb9f", "type": "github" }, "original": { 
@@ -224,11 +224,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1657006790, - "narHash": "sha256-/OAsHWvRJNe591udM69w1KhXm41WYNh25v83UBNWMHY=", + "lastModified": 1657466803, + "narHash": "sha256-9WceMMKppZI/Z0bP0b7a+BzQIuieH8MNAk3wcmZAiVU=", "owner": "neovim", "repo": "neovim", - "rev": "eb814bdca0bad2a68e111d59fae62f79b8dbeef1", + "rev": "95c65a6b221fe6e1cf91e8322e7d7571dc511a71", "type": "github" }, "original": { @@ -247,11 +247,11 @@ ] }, "locked": { - "lastModified": 1657008970, - "narHash": "sha256-c6HhbjGtsZfuD0IHg6Qv8NMajNPV3Tehrw9FU8F3s90=", + "lastModified": 1657527462, + "narHash": "sha256-oK2maGETT52ES+J4bKUDgtq7kYHV4YZwF1tf8BKoNyA=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "4f3fe701f50810929c06cb5cf428a4780b0d37d0", + "rev": "0058638e7ae87b399e7cad52b7734f199c2ffa7f", "type": "github" }, "original": { @@ -278,11 +278,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1656847440, - "narHash": "sha256-9LRlUrdU+TNAAp393hqDaKnwBssLLkxpRQEAzLSC2pM=", + "lastModified": 1657502824, + "narHash": "sha256-q/56TxABu/So0mqrCiOnl9mWHC10XinFtmOHy6UeStM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d63774ae64431366be4d1f2aede50e52204c7d6c", + "rev": "f904e3562aabca382d12f8471ca2330b3f82899a", "type": "github" }, "original": { @@ -292,11 +292,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1657020478, - "narHash": "sha256-sU5hXEGcOcvz2xoPAuNLBQJLXjwvPpTkoddyXE8gw20=", + "lastModified": 1657544714, + "narHash": "sha256-lJu41CQadSbQLmpT5j3kjt2KrY6RTXBVVkdYGyBRrUA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "71a4f0dc3d80ba76f437c888c1c3d59f1df98163", + "rev": "63d729665c2835be0c507ced648ccc024620afb6", "type": "github" }, "original": { 
@@ -308,11 +308,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1656753965, - "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=", + "lastModified": 1657447684, + "narHash": "sha256-FCP9AuU1q6PE3vOeM5SFf58f/UKPBAsoSGDUGamNBbo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0ea7a8f1b939d74e5df8af9a8f7342097cdf69eb", + "rev": "5f43d8b088d3771274bcfb69d3c7435b1121ac88", "type": "github" }, "original": { @@ -363,11 +363,11 @@ "utils": "utils_2" }, "locked": { - "lastModified": 1655204811, - "narHash": "sha256-XtEycAZBlYVuu78cWI0SCvsGWipXglxcUknLlcF7BiM=", + "lastModified": 1657475948, + "narHash": "sha256-iOMjTTW2hQbBU3u4pFP5i4Hp4l+r1gkU86YzVfBCx6w=", "owner": "nix-community", "repo": "rnix-lsp", - "rev": "2e49c1f31d6ad46d3f2adbfc1863a896835e4dd0", + "rev": "0449f49a0468624128dd4f5e2d27d1a0e6f894f4", "type": "github" }, "original": { @@ -417,11 +417,11 @@ }, "utils_2": { "locked": { - "lastModified": 1638122382, - "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", + "lastModified": 1656928814, + "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", "owner": "numtide", "repo": "flake-utils", - "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", "type": "github" }, "original": { @@ -468,11 +468,11 @@ "zsh-completions": { "flake": false, "locked": { - "lastModified": 1656752981, - "narHash": "sha256-qSobM4PRXjfsvoXY6ENqJGI9NEAaFFzlij6MPeTfT0o=", + "lastModified": 1657090022, + "narHash": "sha256-RnG8YFTOrX6HSnHq27GfcO49ms/5rnakWbPU0MfaorU=", "owner": "zsh-users", "repo": "zsh-completions", - "rev": "0331b2908f93556453e45fa5a899aa21e0a7f64d", + "rev": "073379d9081da21b9e3aa32ea4ff4d15c2aaa6a9", "type": "github" }, "original": { diff --git a/hm-imports/cli.nix b/hm-imports/cli.nix index fc335aa7..8af83199 100644 --- a/hm-imports/cli.nix +++ b/hm-imports/cli.nix 
@@ -1,7 +1,7 @@
 { inputs, config, lib, pkgs, ... }: {
- home.stateVersion = "21.05";
+ home.stateVersion = lib.mkDefault "21.05";
 home.packages = with pkgs; [ my.scripts
diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix
index ac369df7..e1c9e15d 100644
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
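Review bot: The switch to `lib.mkDefault` on `home.stateVersion` carries no comment explaining why the shared module now yields to per-host settings, so a later reader cannot tell whether a host is meant to override it or whether "21.05" is still the intended value everywhere. I'd add one line above it: `# mkDefault so a host's own home.stateVersion takes precedence over this shared default`. The enclosing attribute set continues outside the hunk.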
@@ -115,68 +115,68 @@ in
 '';
 # Webhook service to trigger scanning the ADF from HomeAssistant
- systemd.services.scanhook = {
- description = "webhook go server to trigger scanning";
- documentation = [ "https://github.com/adnanh/webhook" ];
- wantedBy = [ "multi-user.target" ];
- path = with pkgs; [ bash ];
- serviceConfig = {
- TemporaryFileSystem = "/:ro";
- BindReadOnlyPaths = [
- "/nix/store"
- "-/etc/resolv.conf"
- "-/etc/nsswitch.conf"
- "-/etc/hosts"
- "-/etc/localtime"
- ];
- BindPaths = [
- "/data/applications/paperless-consumption"
- ];
- LockPersonality = true;
- NoNewPrivileges = true;
- PrivateMounts = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectHome = true;
- ProtectControlGroups = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- DynamicUser = true;
- ExecStart =
- let
- scanScript = pkgs.writeScript "plscan.sh" ''
- #!/usr/bin/env bash
- export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
- export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
- set -x
- date="''$(date --iso-8601=seconds)"
- filename="Scan ''$date.pdf"
- tmpdir="''$(mktemp -d)"
- pushd "''$tmpdir"
- scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
- for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
- convert out*.jpg /data/applications/paperless-consumption/"''$filename"
- chmod 666 /data/applications/paperless-consumption/"''$filename"
- popd
- rm -r "''$tmpdir"
- '';
- hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
- {
- id = "scan-webhook";
- execute-command = "${scanScript}";
+ #systemd.services.scanhook = {
+ # description = "webhook go server to trigger scanning";
+ # documentation = [ "https://github.com/adnanh/webhook" ];
+ # wantedBy = [ "multi-user.target" ];
+ # path = with pkgs; [ bash ];
+ # serviceConfig = {
+ # TemporaryFileSystem = "/:ro";
+ # BindReadOnlyPaths = [
+ # "/nix/store"
+ # "-/etc/resolv.conf"
+ # "-/etc/nsswitch.conf"
+ # "-/etc/hosts"
+ # "-/etc/localtime"
+ # ];
+ # BindPaths = [
+ # "/data/applications/paperless-consumption"
+ # ];
+ # LockPersonality = true;
+ # NoNewPrivileges = true;
+ # PrivateMounts = true;
+ # PrivateTmp = true;
+ # PrivateUsers = true;
+ # ProcSubset = "pid";
+ # ProtectHome = true;
+ # ProtectControlGroups = true;
+ # ProtectKernelLogs = true;
+ # ProtectKernelModules = true;
+ # ProtectKernelTunables = true;
+ # ProtectProc = "invisible";
+ # RestrictNamespaces = true;
+ # RestrictRealtime = true;
+ # RestrictSUIDSGID = true;
+ # DynamicUser = true;
+ # ExecStart =
+ # let
+ # scanScript = pkgs.writeScript "plscan.sh" ''
+ # #!/usr/bin/env bash
+ # export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
+ # export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
+ # set -x
+ # date="''$(date --iso-8601=seconds)"
+ # filename="Scan ''$date.pdf"
+ # tmpdir="''$(mktemp -d)"
+ # pushd "''$tmpdir"
+ # scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
+ # for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
+ # convert out*.jpg /data/applications/paperless-consumption/"''$filename"
+ # chmod 666 /data/applications/paperless-consumption/"''$filename"
+ # popd
+ # rm -r "''$tmpdir"
+ # '';
+ # hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
+ # {
+ # id = "scan-webhook";
+ # execute-command = "${scanScript}";
- }
- ]);
- in
- "${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
- };
- };
+ # }
+ # ]);
+ # in
+ # "${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
+ # };
+ #};
 networking.firewall.allowedTCPPorts = [ 9000 ]; # Immutable users due to tmpfs
diff --git a/nixos-modules/networking/tailscale.nix b/nixos-modules/networking/tailscale.nix
index 9bbd96aa..52047305 100644
--- a/nixos-modules/networking/tailscale.nix
+++ b/nixos-modules/networking/tailscale.nix
@@ -6,8 +6,11 @@ in
 options.ragon.services.tailscale.enable = lib.mkEnableOption "Enables tailscale";
 config = lib.mkIf cfg.enable {
 # enable the tailscale service
+ ragon.persist.extraDirectories = [
+ "/var/lib/tailscale"
+ ];
 services.tailscale.enable = true;
- ragon.agenix.secrets.tailscaleKey = {};
+ ragon.agenix.secrets.tailscaleKey = { };
 networking.firewall = {
 # always allow traffic from your Tailscale network
 trustedInterfaces = [ "tailscale0" ];
diff --git a/secrets/tailscaleKey.age b/secrets/tailscaleKey.age
index 66ba3ca4..06b168d9 100644
--- a/secrets/tailscaleKey.age
+++ b/secrets/tailscaleKey.age
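Review bot: `networking.firewall.allowedTCPPorts = [ 9000 ];` stays in force while the scanhook service, whose webhook binary listens on 9000 by default and is the only visible consumer of that port, is commented out, so ds9 keeps an inbound allowance with nothing behind it. Unless something else on the host listens on 9000 (not visible in this hunk), the allowance should be disabled together with the service, e.g. `# networking.firewall.allowedTCPPorts = [ 9000 ]; # only needed by the (currently disabled) scanhook service`. Disabling sixty lines by prefixing `#` also hides the intent from the next reader; gating the definition with `systemd.services.scanhook = lib.mkIf false { ... };` or deleting it (history keeps it) would make the change reviewable. The enclosing attribute set continues outside the hunk.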
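Review bot: `ragon.persist.extraDirectories = [ "/var/lib/tailscale" ]` persists the directory in which tailscaled keeps its state file, including the node's private key, but the hunk neither says so nor shows how the persist module sets ownership and mode on the persisted copy. I'd add above the option `# tailscaled.state (node identity and private key) lives here; persisted so the node is not re-enrolled with a fresh identity on every boot` and confirm, outside this hunk, that the persist module keeps the directory root-owned and not world-readable. The re-encrypted auth key in `secrets/tailscaleKey.age` lands in the same commit with no explanation beyond the subject "tailscale stuff"; the relation between the persisted state and the key presumably belongs in the commit message. The `{}` → `{ }` edit on `tailscaleKey` is formatting only.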
@@ -1,17 +1,17 @@ age-encryption.org/v1 --> ssh-ed25519 ugHWWw mindsoOw/VEfQHrlsm0Z4Kh1vGzY+QF007lWs6YHz3A -iRDoyR5RUYp0erHWn5qKCJHcMaoonDvL4u0Y1YGCEYI --> ssh-ed25519 UU9RSA /eq9/iIM2aPqXQeU7P4avvzM0etAz9TrC38lWs82zxA -SqY5FhrrfxB6gbsGuK/wynKx6iKhHRfjHmhGI/kg46s --> ssh-ed25519 yqm35A QzpAv2ifUBh1gPBz5Qx91a2qP5umD/fgj0sV3cnVcQI -o9UFRn5DIw3yAg0ovONNvjI2CZ+i6LQ/vcQV0pXbjIQ --> ssh-ed25519 kKx7Qw JdNXOcNT3t/G7fQFM6kBcUaecZjayLXc3IbfSTAkFn4 -mNbFfDRKF6hti5oE5RIvhMjCf0SdevNbxuIs6zGp7IQ --> ssh-ed25519 IbXxfw o90RhqE0NHzyLBMeSTNUvqzJoRvA4ul8aALaiRCSaH8 -V/npCtbZnIO16ZVeXMnwMxRd8z10WM1nc1fPfMerdLc --> ssh-ed25519 WceKOQ TmAMWSWQGi9mYJtDiv/jZNlY6J++qlsUfxN1OdeYVTc -UMmvWY3SErUzMPseiboLpcohy+fK9B6BM2fPWXWjX7k --> 'oy1,Nx-grease )r)tqH(" -t05KVbenog5B/4agytm7yw ---- WWamvx+v3DW/uSWPXGXd9qlDSYo7tA8tUhYpADmU/YM -2Ǐ3[&GpҊz:FpSxU/w V^ވIXk61CU4] \ No newline at end of file +-> ssh-ed25519 ugHWWw lEYsog3suDaEm29deawF+QJ5ecGoAnULSyZ9Zx7rCWw +qvbMdlTATvEQ4XHBAqK9BecI30gS4t+E8i4LWUeg9Ns +-> ssh-ed25519 UU9RSA HA4dGg9YiDesbVsWu5A310ZTNpmBN1oxmtDGzG76lBY +iIfu/jwLWRpdi8+LsqKDYB3xLkiSUfmnoZlTqY2Lb1s +-> ssh-ed25519 yqm35A U4eHydfPgYXbjlknk08AQFacp9DlqBWWs2LGBbY+qFo +Ho/oYBpwzQPLXPLFH+Z3dcNI3KzetQPnlPLq4XeI1xM +-> ssh-ed25519 kKx7Qw gxgiXQF97nvLzNUHYab655qoDEKoddmw4Dp2JuJK0Wg +okYkX46Wuy7AJXW6vDXrU6ZJn9XMSwNLZi/Qj+kzeJo +-> ssh-ed25519 IbXxfw 9uAGCMt6sfJQ79WApL2u17xeqytYsDMqrb6AktYz1F8 +26194ECFzQkvdecym7qCaLsDfC0fyDWn44NtTjlUuqU +-> ssh-ed25519 WceKOQ Tm776jVswnnmIqaD7v7V47ik2uADBEW5eg35mzi+r2M +skXChK2fmc3+13Wm3nLhQX9VU8OAQbZxLWWjPKcpGek +-> K:lG-grease sjZ |3 kvquB:; +twd+UxT3/s9GQrFPXQRfmRj9+Eg +--- tuqN03osNyBnWR6Ck2pR6Kzd7lIJWfEumht/IG+9Dp8 +?t~HrEπaH'BSe@&źOcQ)e WAPGAjEī§wt Mha1 \ No newline at end of file