Add tailscale

2022-10-24 11:13:11 +02:00 · 2022-10-24 11:13:11 +02:00 · 25fb72c8ec
commit 25fb72c8ec
parent b738c1451f
9 changed files with 166 additions and 24 deletions
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
@ -6,7 +6,8 @@
    ./hardware-configuration.nix
    ./data/secrets/secrets.nix
    ../../common/services/ssh.nix
-		../../common/users.nix
+    ../../common/services/tailscale.nix
+    ../../common/users.nix
    ./services/acme.nix
    ./services/coturn.nix
    ./services/nginx.nix
@ -72,9 +73,15 @@
    dig
  ];

-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
-  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+  networking.firewall = {
+    enable = true;
+    checkReversePath = "loose";
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+    allowedTCPPorts = [ 22 80 443 ];
+    allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+    allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+  };

  system.stateVersion = "21.05";

--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@ -6,7 +6,8 @@
      ./hardware-configuration.nix
      ./data/secrets/secrets.nix
      ../../common/services/ssh.nix
-			../../common/users.nix
+      ../../common/services/tailscale.nix
+      ../../common/users.nix
      ./services/acme.nix
      ./services/nextcloud.nix
      ./services/nginx.nix
@ -65,6 +66,7 @@
    htop
    iotop
    dig
+    tailscale
  ];
  security.sudo.wheelNeedsPassword = false;

@ -76,7 +78,13 @@
  users.groups.redis.members = [ "nextcloud" ];
  users.groups.backup.members = [ "nextcloud" "postgres" ];

-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 22 80 443 ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+    trustedInterfaces = [ "tailscale0" ];
+    enable = true;
+    checkReversePath = "loose";
+  };
  # networking.firewall.allowedUDPPorts = [ ... ];
  system.stateVersion = "21.05";

--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@ -4,6 +4,7 @@
 	imports = [ 
 		./hardware-configuration.nix 
 		../../common/services/ssh.nix
+		../../common/services/tailscale.nix
 		../../common/users.nix
 		./services/acme.nix
 		./services/coturn.nix
@ -51,6 +52,7 @@
 		htop
 		iotop
 		dig
+		tailscale
 	];

 	nix.settings = {
--- a/config/hosts/wind/services/grocy.nix
+++ b/config/hosts/wind/services/grocy.nix
@ -2,9 +2,10 @@
 {
  services.grocy = {
 	enable = true;
-	hostName = grocy.graven.dev;
+	hostName = "grocy.graven.dev";
 	settings = {
 	  currency = "DKK";
-	  calendar.firstDayOfWeek = 1
-	}
-  }
+	  calendar.firstDayOfWeek = 1;
+	};
+  };
+}
--- a/config/hosts/wind/services/nginx.nix
+++ b/config/hosts/wind/services/nginx.nix
@ -14,7 +14,6 @@
 					add_header Access-Control-Allow-Origin "*";
 					add_header Strict-Transport-Security $hsts_header;
 					add_header Referrer-Policy "same-origin";
-					add_header X-Frame-Options "DENY";
 					add_header X-Content-Type-Options "nosniff";
 					add_header X-XSS-Protection "1; mode=block";
 				'';