Add tailscale

Emelie Graven 2022-10-24 11:13:11 +02:00
parent b738c1451f
commit 25fb72c8ec
No known key found for this signature in database
GPG key ID: 1098DC5C94CB1C87
9 changed files with 166 additions and 24 deletions


@ -0,0 +1,88 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./data/secrets/secrets.nix
../../common/services/ssh.nix
../../common/services/tailscale.nix
../../common/users.nix
./services/acme.nix
./services/coturn.nix
./services/nginx.nix
./services/restic.nix
./services/synapse.nix
./services/postgres.nix
#./services/mail.nix
#./services/containers.nix
#./services/redis.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/vda";
boot.kernelPackages = pkgs.linuxPackages_5_10;
networking = {
hostName = "grondahl";
useDHCP = false;
interfaces = {
"ens3" = {
ipv4.addresses = [ {
address = "107.189.30.157";
prefixLength = 24;
} ];
ipv6.addresses = [ {
address = "2605:6400:30:ef32::1";
prefixLength = 48;
} ];
};
};
defaultGateway = "107.189.30.1";
defaultGateway6 = {
address = "2605:6400:30::1";
interface = "ens3";
};
nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
};
time.timeZone = "Europe/Copenhagen";
security.sudo.wheelNeedsPassword = false;
nix.settings = {
auto-optimise-store = true;
trusted-users = [
"root"
"@wheel"
];
};
users.groups.acme.members = [ "nginx" "turnserver" ];
users.groups.backup.members = [ "matrix-synapse" "postgres" ];
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
htop
iotop
dig
];
networking.firewall = {
enable = true;
checkReversePaths = "loose";
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ config.services.tailscale.port ];
allowedTCPPorts = [ 22 80 443 ];
allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
};
system.stateVersion = "21.05";
}
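Review bot: `checkReversePaths = "loose";` in the `networking.firewall` block misspells the option; NixOS defines `networking.firewall.checkReversePath`, and the other hosts touched by this commit use that spelling, so evaluating this new configuration is expected to fail with an undefined-option error. Change it to `checkReversePath = "loose";`. Separately, `security.sudo.wheelNeedsPassword = false;` grants every wheel member root without a prompt; it matches the other hosts, but a one-line comment stating why this host needs it would help the next reader.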


@ -29,7 +29,7 @@
add_header 'Referrer-Policy' 'same-origin'; add_header 'Referrer-Policy' 'same-origin';
# Disable embedding as a frame # Disable embedding as a frame
add_header X-Frame-Options DENY; #add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks) # Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
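Review bot: Commenting out `add_header X-Frame-Options DENY;` leaves the site embeddable by any origin, which reopens clickjacking, and the comment directly above it (`# Disable embedding as a frame`) now describes a header that is no longer sent. If some page must be framed, prefer an allow-list such as `add_header Content-Security-Policy "frame-ancestors 'self' <allowed-origin>";` (origin is a placeholder) over dropping the protection entirely, and update or remove the stale comment. The same header is deleted without replacement in the later nginx hunk (`add_header X-Frame-Options "DENY";`). The enclosing server/location block starts and ends outside this hunk.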


@ -0,0 +1,37 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.tailscale ];
services.tailscale.enable = true;
# ...
# create a oneshot job to authenticate to Tailscale
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey CHANGEME
'';
};
}
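Review bot: `${tailscale}/bin/tailscale up -authkey CHANGEME` interpolates the auth key into the unit's script, so whatever replaces `CHANGEME` ends up in the world-readable Nix store and in git history; until it is replaced, the oneshot fails on every boot. Keep the key out of the store by reading it at run time from a root-only file outside the store (the repo already imports `./data/secrets/secrets.nix`), e.g. `${tailscale}/bin/tailscale up --auth-key "file:/PLACEHOLDER_PATH"` where the installed release accepts the `file:` form, otherwise substitute the file's contents inside the script. Also quote the comparison, `if [ "$status" = "Running" ]; then`, because an empty `$status` (tailscaled not yet answering after the fixed `sleep 2`) turns the `[` test into an error instead of a clean false.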


@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/services/tailscale.nix
../../common/users.nix ../../common/users.nix
./services/acme.nix ./services/acme.nix
./services/coturn.nix ./services/coturn.nix
@ -72,9 +73,15 @@
dig dig
]; ];
networking.firewall.allowedTCPPorts = [ 22 80 443 ]; networking.firewall = {
networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ]; enable = true;
networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ]; checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ config.services.tailscale.port ];
allowedTCPPorts = [ 22 80 443 ];
allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
};
system.stateVersion = "21.05"; system.stateVersion = "21.05";
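Review bot: `trustedInterfaces = [ "tailscale0" ];` switches the firewall off for everything arriving over the tailnet, so any service on this host that listens on all interfaces becomes reachable from every device in the tailnet, not only the ones meant to reach it. If the intent is just to let Tailscale itself through, `allowedUDPPorts = [ config.services.tailscale.port ];` already covers that and the trusted-interface line can be dropped; if tailnet peers genuinely need other ports, list them explicitly or rely on Tailscale ACLs and say so in a comment. The same line appears in the new grondahl configuration and in the nextcloud host's firewall block in this commit.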


@ -6,6 +6,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/services/tailscale.nix
../../common/users.nix ../../common/users.nix
./services/acme.nix ./services/acme.nix
./services/nextcloud.nix ./services/nextcloud.nix
@ -65,6 +66,7 @@
htop htop
iotop iotop
dig dig
tailscale
]; ];
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
@ -76,7 +78,13 @@
users.groups.redis.members = [ "nextcloud" ]; users.groups.redis.members = [ "nextcloud" ];
users.groups.backup.members = [ "nextcloud" "postgres" ]; users.groups.backup.members = [ "nextcloud" "postgres" ];
networking.firewall.allowedTCPPorts = [ 22 80 443 ]; networking.firewall = {
allowedTCPPorts = [ 22 80 443 ];
allowedUDPPorts = [ config.services.tailscale.port ];
trustedInterfaces = [ "tailscale0" ];
enable = true;
checkReversePath = "loose";
};
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
system.stateVersion = "21.05"; system.stateVersion = "21.05";


@ -4,6 +4,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/services/tailscale.nix
../../common/users.nix ../../common/users.nix
./services/acme.nix ./services/acme.nix
./services/coturn.nix ./services/coturn.nix
@ -51,6 +52,7 @@
htop htop
iotop iotop
dig dig
tailscale
]; ];
nix.settings = { nix.settings = {


@ -2,9 +2,10 @@
{ {
services.grocy = { services.grocy = {
enable = true; enable = true;
hostName = grocy.graven.dev; hostName = "grocy.graven.dev";
settings = { settings = {
currency = "DKK"; currency = "DKK";
calendar.firstDayOfWeek = 1 calendar.firstDayOfWeek = 1;
} };
} };
}


@ -14,7 +14,6 @@
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy "same-origin"; add_header Referrer-Policy "same-origin";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
''; '';


@ -5,10 +5,10 @@
"homepage": "https://github.com/nmattia/niv", "homepage": "https://github.com/nmattia/niv",
"owner": "nmattia", "owner": "nmattia",
"repo": "niv", "repo": "niv",
"rev": "82e5cd1ad3c387863f0545d7591512e76ab0fc41", "rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e",
"sha256": "090l219mzc0gi33i3psgph6s2pwsc8qy4lyrqjdj4qzkvmaj65a7", "sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz", "url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixos-hardware": { "nixos-hardware": {
@ -17,10 +17,10 @@
"homepage": "", "homepage": "",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "1fec8fda86dac5701146c77d5f8a414b14ed1ff6", "rev": "0e6593630071440eb89cd97a52921497482b22c6",
"sha256": "18z2v5id3sad22f4nk8yjpablk9c693nwl5vix2n06h6s3kfmr10", "sha256": "01rnzb4qv53q7rf0vw2mxybryl5xgad26ww73fgsg2nihhhmmy9j",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixos-hardware/archive/1fec8fda86dac5701146c77d5f8a414b14ed1ff6.tar.gz", "url": "https://github.com/NixOS/nixos-hardware/archive/0e6593630071440eb89cd97a52921497482b22c6.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixpkgs": { "nixpkgs": {
@ -29,10 +29,10 @@
"homepage": "", "homepage": "",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ccafeb2aff99ec505d35fcfafd212c424c5359fd", "rev": "6b8ce46f34a9b3db1267f615463cd27548889ec2",
"sha256": "0q9kxp7n7394f8s7nqm8852gmwka0xn973q2vf3qh5qrwkv441qj", "sha256": "1minhg4q7vgbf69lf85blmamjxl1r7c1j26n7f80as9b0dn4aj7a",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/ccafeb2aff99ec505d35fcfafd212c424c5359fd.tar.gz", "url": "https://github.com/NixOS/nixpkgs/archive/6b8ce46f34a9b3db1267f615463cd27548889ec2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixus": { "nixus": {
@ -41,10 +41,10 @@
"homepage": "", "homepage": "",
"owner": "Infinisil", "owner": "Infinisil",
"repo": "nixus", "repo": "nixus",
"rev": "aa276744ba7dcebeac40da37d7bf4d9d5409f17e", "rev": "329bf6bae94f54d5e4cac35253b1359f7b4f997a",
"sha256": "1wfx055h1765zq7s1zzy06im8f715ydvp8qbhfcn6bpg44qr591b", "sha256": "0g6k2r446a8vcqzab76qzvfw5k1kzk6i8m4032jmkdr1w5rhlg4b",
"type": "tarball", "type": "tarball",
"url": "https://github.com/Infinisil/nixus/archive/aa276744ba7dcebeac40da37d7bf4d9d5409f17e.tar.gz", "url": "https://github.com/Infinisil/nixus/archive/329bf6bae94f54d5e4cac35253b1359f7b4f997a.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
} }
} }