Add tailscale
This commit is contained in:
parent
b738c1451f
commit
25fb72c8ec
88
]
Normal file
88
]
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ # Include the results of the hardware scan.
|
||||||
|
./hardware-configuration.nix
|
||||||
|
./data/secrets/secrets.nix
|
||||||
|
../../common/services/ssh.nix
|
||||||
|
../../common/services/tailscale.nix
|
||||||
|
../../common/users.nix
|
||||||
|
./services/acme.nix
|
||||||
|
./services/coturn.nix
|
||||||
|
./services/nginx.nix
|
||||||
|
./services/restic.nix
|
||||||
|
./services/synapse.nix
|
||||||
|
./services/postgres.nix
|
||||||
|
#./services/mail.nix
|
||||||
|
#./services/containers.nix
|
||||||
|
#./services/redis.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.loader.grub.enable = true;
|
||||||
|
boot.loader.grub.version = 2;
|
||||||
|
boot.loader.grub.device = "/dev/vda";
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_5_10;
|
||||||
|
networking = {
|
||||||
|
hostName = "grondahl";
|
||||||
|
useDHCP = false;
|
||||||
|
interfaces = {
|
||||||
|
"ens3" = {
|
||||||
|
ipv4.addresses = [ {
|
||||||
|
address = "107.189.30.157";
|
||||||
|
prefixLength = 24;
|
||||||
|
} ];
|
||||||
|
ipv6.addresses = [ {
|
||||||
|
address = "2605:6400:30:ef32::1";
|
||||||
|
prefixLength = 48;
|
||||||
|
} ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
defaultGateway = "107.189.30.1";
|
||||||
|
defaultGateway6 = {
|
||||||
|
address = "2605:6400:30::1";
|
||||||
|
interface = "ens3";
|
||||||
|
};
|
||||||
|
nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
time.timeZone = "Europe/Copenhagen";
|
||||||
|
|
||||||
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
|
||||||
|
nix.settings = {
|
||||||
|
auto-optimise-store = true;
|
||||||
|
trusted-users = [
|
||||||
|
"root"
|
||||||
|
"@wheel"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
users.groups.acme.members = [ "nginx" "turnserver" ];
|
||||||
|
users.groups.backup.members = [ "matrix-synapse" "postgres" ];
|
||||||
|
|
||||||
|
# List packages installed in system profile. To search, run:
|
||||||
|
# $ nix search wget
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
vim
|
||||||
|
wget
|
||||||
|
htop
|
||||||
|
iotop
|
||||||
|
dig
|
||||||
|
];
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
enable = true;
|
||||||
|
checkReversePaths = "loose";
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
allowedUDPPorts = [ config.services.tailscale.port ];
|
||||||
|
allowedTCPPorts = [ 22 80 443 ];
|
||||||
|
allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
|
||||||
|
allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = "21.05";
|
||||||
|
|
||||||
|
}
|
|
@ -29,7 +29,7 @@
|
||||||
add_header 'Referrer-Policy' 'same-origin';
|
add_header 'Referrer-Policy' 'same-origin';
|
||||||
|
|
||||||
# Disable embedding as a frame
|
# Disable embedding as a frame
|
||||||
add_header X-Frame-Options DENY;
|
#add_header X-Frame-Options DENY;
|
||||||
|
|
||||||
# Prevent injection of code in other mime types (XSS Attacks)
|
# Prevent injection of code in other mime types (XSS Attacks)
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
|
37
config/common/services/tailscale.nix
Normal file
37
config/common/services/tailscale.nix
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
environment.systemPackages = [ pkgs.tailscale ];
|
||||||
|
|
||||||
|
services.tailscale.enable = true;
|
||||||
|
|
||||||
|
# ...
|
||||||
|
|
||||||
|
# create a oneshot job to authenticate to Tailscale
|
||||||
|
systemd.services.tailscale-autoconnect = {
|
||||||
|
description = "Automatic connection to Tailscale";
|
||||||
|
|
||||||
|
# make sure tailscale is running before trying to connect to tailscale
|
||||||
|
after = [ "network-pre.target" "tailscale.service" ];
|
||||||
|
wants = [ "network-pre.target" "tailscale.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
|
# set this service as a oneshot job
|
||||||
|
serviceConfig.Type = "oneshot";
|
||||||
|
|
||||||
|
# have the job run this shell script
|
||||||
|
script = with pkgs; ''
|
||||||
|
# wait for tailscaled to settle
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
# check if we are already authenticated to tailscale
|
||||||
|
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
|
||||||
|
if [ $status = "Running" ]; then # if so, then do nothing
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# otherwise authenticate with tailscale
|
||||||
|
${tailscale}/bin/tailscale up -authkey CHANGEME
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
|
@ -6,6 +6,7 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./data/secrets/secrets.nix
|
./data/secrets/secrets.nix
|
||||||
../../common/services/ssh.nix
|
../../common/services/ssh.nix
|
||||||
|
../../common/services/tailscale.nix
|
||||||
../../common/users.nix
|
../../common/users.nix
|
||||||
./services/acme.nix
|
./services/acme.nix
|
||||||
./services/coturn.nix
|
./services/coturn.nix
|
||||||
|
@ -72,9 +73,15 @@
|
||||||
dig
|
dig
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
networking.firewall = {
|
||||||
networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
|
enable = true;
|
||||||
networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
|
checkReversePath = "loose";
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
allowedUDPPorts = [ config.services.tailscale.port ];
|
||||||
|
allowedTCPPorts = [ 22 80 443 ];
|
||||||
|
allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
|
||||||
|
allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
|
||||||
|
};
|
||||||
|
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
|
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./data/secrets/secrets.nix
|
./data/secrets/secrets.nix
|
||||||
../../common/services/ssh.nix
|
../../common/services/ssh.nix
|
||||||
|
../../common/services/tailscale.nix
|
||||||
../../common/users.nix
|
../../common/users.nix
|
||||||
./services/acme.nix
|
./services/acme.nix
|
||||||
./services/nextcloud.nix
|
./services/nextcloud.nix
|
||||||
|
@ -65,6 +66,7 @@
|
||||||
htop
|
htop
|
||||||
iotop
|
iotop
|
||||||
dig
|
dig
|
||||||
|
tailscale
|
||||||
];
|
];
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
|
||||||
|
@ -76,7 +78,13 @@
|
||||||
users.groups.redis.members = [ "nextcloud" ];
|
users.groups.redis.members = [ "nextcloud" ];
|
||||||
users.groups.backup.members = [ "nextcloud" "postgres" ];
|
users.groups.backup.members = [ "nextcloud" "postgres" ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [ 22 80 443 ];
|
||||||
|
allowedUDPPorts = [ config.services.tailscale.port ];
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
enable = true;
|
||||||
|
checkReversePath = "loose";
|
||||||
|
};
|
||||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../common/services/ssh.nix
|
../../common/services/ssh.nix
|
||||||
|
../../common/services/tailscale.nix
|
||||||
../../common/users.nix
|
../../common/users.nix
|
||||||
./services/acme.nix
|
./services/acme.nix
|
||||||
./services/coturn.nix
|
./services/coturn.nix
|
||||||
|
@ -51,6 +52,7 @@
|
||||||
htop
|
htop
|
||||||
iotop
|
iotop
|
||||||
dig
|
dig
|
||||||
|
tailscale
|
||||||
];
|
];
|
||||||
|
|
||||||
nix.settings = {
|
nix.settings = {
|
||||||
|
|
|
@ -2,9 +2,10 @@
|
||||||
{
|
{
|
||||||
services.grocy = {
|
services.grocy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = grocy.graven.dev;
|
hostName = "grocy.graven.dev";
|
||||||
settings = {
|
settings = {
|
||||||
currency = "DKK";
|
currency = "DKK";
|
||||||
calendar.firstDayOfWeek = 1
|
calendar.firstDayOfWeek = 1;
|
||||||
}
|
};
|
||||||
}
|
};
|
||||||
|
}
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
add_header Referrer-Policy "same-origin";
|
add_header Referrer-Policy "same-origin";
|
||||||
add_header X-Frame-Options "DENY";
|
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -5,10 +5,10 @@
|
||||||
"homepage": "https://github.com/nmattia/niv",
|
"homepage": "https://github.com/nmattia/niv",
|
||||||
"owner": "nmattia",
|
"owner": "nmattia",
|
||||||
"repo": "niv",
|
"repo": "niv",
|
||||||
"rev": "82e5cd1ad3c387863f0545d7591512e76ab0fc41",
|
"rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e",
|
||||||
"sha256": "090l219mzc0gi33i3psgph6s2pwsc8qy4lyrqjdj4qzkvmaj65a7",
|
"sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz",
|
"url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
|
@ -17,10 +17,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "1fec8fda86dac5701146c77d5f8a414b14ed1ff6",
|
"rev": "0e6593630071440eb89cd97a52921497482b22c6",
|
||||||
"sha256": "18z2v5id3sad22f4nk8yjpablk9c693nwl5vix2n06h6s3kfmr10",
|
"sha256": "01rnzb4qv53q7rf0vw2mxybryl5xgad26ww73fgsg2nihhhmmy9j",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixos-hardware/archive/1fec8fda86dac5701146c77d5f8a414b14ed1ff6.tar.gz",
|
"url": "https://github.com/NixOS/nixos-hardware/archive/0e6593630071440eb89cd97a52921497482b22c6.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
|
@ -29,10 +29,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "ccafeb2aff99ec505d35fcfafd212c424c5359fd",
|
"rev": "6b8ce46f34a9b3db1267f615463cd27548889ec2",
|
||||||
"sha256": "0q9kxp7n7394f8s7nqm8852gmwka0xn973q2vf3qh5qrwkv441qj",
|
"sha256": "1minhg4q7vgbf69lf85blmamjxl1r7c1j26n7f80as9b0dn4aj7a",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/ccafeb2aff99ec505d35fcfafd212c424c5359fd.tar.gz",
|
"url": "https://github.com/NixOS/nixpkgs/archive/6b8ce46f34a9b3db1267f615463cd27548889ec2.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
},
|
},
|
||||||
"nixus": {
|
"nixus": {
|
||||||
|
@ -41,10 +41,10 @@
|
||||||
"homepage": "",
|
"homepage": "",
|
||||||
"owner": "Infinisil",
|
"owner": "Infinisil",
|
||||||
"repo": "nixus",
|
"repo": "nixus",
|
||||||
"rev": "aa276744ba7dcebeac40da37d7bf4d9d5409f17e",
|
"rev": "329bf6bae94f54d5e4cac35253b1359f7b4f997a",
|
||||||
"sha256": "1wfx055h1765zq7s1zzy06im8f715ydvp8qbhfcn6bpg44qr591b",
|
"sha256": "0g6k2r446a8vcqzab76qzvfw5k1kzk6i8m4032jmkdr1w5rhlg4b",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/Infinisil/nixus/archive/aa276744ba7dcebeac40da37d7bf4d9d5409f17e.tar.gz",
|
"url": "https://github.com/Infinisil/nixus/archive/329bf6bae94f54d5e4cac35253b1359f7b4f997a.tar.gz",
|
||||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue