flake.lock: Update

Flake lock file updates: • Updated input 'secrets': 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=b4a1c8968a1cb3688c12caddecd99432494df95b' (2024-05-06) → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=c2adb575ca3a816287c7d8f3c23cde6dfd316e6f' (2024-05-18)
Specify ip_prefixes for headscale
2024-05-18 08:49:48 +01:00 · 2024-05-18 08:49:48 +01:00 · 2024-05-18 08:49:48 +01:00 · 2024-05-18 08:46:05 +01:00 · 2024-05-18 08:46:05 +01:00
6 changed files with 71 additions and 37 deletions
--- a/flake.lock
+++ b/flake.lock
@ -548,11 +548,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1715007828,
-        "narHash": "sha256-3791/+OWOMFAY3OFOsOwaFmpo2iIv9iHUhEb63oUL2M=",
+        "lastModified": 1716018239,
+        "narHash": "sha256-Ai13Sbj4DzuQSIrX2rjO0PG6PPpmvfwbCpTxX0kB7FI=",
        "ref": "refs/heads/master",
-        "rev": "b4a1c8968a1cb3688c12caddecd99432494df95b",
-        "revCount": 18,
+        "rev": "c2adb575ca3a816287c7d8f3c23cde6dfd316e6f",
+        "revCount": 19,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@ -30,12 +30,6 @@

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

-  security.acme.defaults = {
-    email = "hostmaster@vimium.com";
-    group = "nginx";
-    webroot = "/var/lib/acme/acme-challenge";
-  };
-
  modules = {
    services = {
      borgmatic = {
--- a/hosts/server.nix
+++ b/hosts/server.nix
@ -7,8 +7,17 @@

  documentation.enable = false;

+  fonts.fontconfig.enable = false;
+
  security = {
-    acme.acceptTerms = true;
+    acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "hostmaster@vimium.com";
+        group = "nginx";
+        webroot = "/var/lib/acme/acme-challenge";
+      };
+    };
    auditd.enable = true;
    audit = {
      enable = true;
@ -18,6 +27,20 @@
    };
  };

+  systemd = {
+    enableEmergencyMode = false;
+
+    sleep.extraConfig = ''
+      AllowSuspend=no
+      AllowHibernation=no
+    '';
+
+    watchdog = {
+      runtimeTime = "20s";
+      rebootTime = "30s";
+    };
+  };
+
  modules.networking.tailscale = {
    enable = true;
    restrictSSH = false;
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -40,12 +40,6 @@

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

-  security.acme.defaults = {
-    email = "hostmaster@vimium.com";
-    group = "nginx";
-    webroot = "/var/lib/acme/acme-challenge";
-  };
-
  modules = {
    services = {
      borgmatic = {
--- a/modules/networking/tailscale.nix
+++ b/modules/networking/tailscale.nix
@ -1,6 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:

-let cfg = config.modules.networking.tailscale;
+let
+  cfg = config.modules.networking.tailscale;
+  headscale = "https://headscale.vimium.net";
+  hostname = config.networking.hostName;
 in {
  options.modules.networking.tailscale = {
    enable = lib.mkOption {
@ -14,8 +17,24 @@ in {
  };

  config = lib.mkIf cfg.enable {
-    services.tailscale.enable = true;
+    age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
+      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
+    };
+
+    environment.systemPackages = [ pkgs.tailscale ];
+
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;
+
+      extraUpFlags = [
+        "--login-server"
+        headscale
+      ];
+    };
+
    services.openssh.openFirewall = !cfg.restrictSSH;
+
    networking.firewall = {
      checkReversePath = "loose";
      trustedInterfaces = [ "tailscale0" ];
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@ -4,6 +4,7 @@ with lib;

 let
  cfg = config.modules.services.headscale;
+  fqdn = "headscale.vimium.net";
 in {
  options.modules.services.headscale = {
    enable = mkOption {
@ -13,8 +14,27 @@ in {
  };

  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.headscale ];
+
+    services.headscale = {
+      enable = true;
+
+      port = 8080;
+
+      settings = {
+        ip_prefixes = [
+          "100.64.0.0/10"
+        ];
+        server_url = "https://${fqdn}";
+        dns_config = {
+          base_domain = "vimium.net";
+        };
+        logtail.enabled = false;
+      };
+    };
+
    services.nginx.virtualHosts = {
-      "headscale.vimium.net" = {
+      "${fqdn}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
@ -23,21 +43,5 @@ in {
        };
      };
    };
-
-    services.headscale = {
-      enable = true;
-      port = 8080;
-      settings = {
-        server_url = "https://headscale.vimium.net";
-        dns_config = {
-          base_domain = "vimium.net";
-        };
-        logtail.enabled = false;
-      };
-    };
-
-    environment.systemPackages = with pkgs; [
-      config.services.headscale.package
-    ];
  };
 }
Author	SHA1	Message	Date
Jordan Holt	9654a14f37	flake.lock: Update Some checks failed Check flake / build-amd64-linux (push) Failing after 25s Details Flake lock file updates: • Updated input 'secrets': 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=b4a1c8968a1cb3688c12caddecd99432494df95b' (2024-05-06) → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=c2adb575ca3a816287c7d8f3c23cde6dfd316e6f' (2024-05-18)	2024-05-18 08:49:48 +01:00
Jordan Holt	641855afbf	Specify ip_prefixes for headscale	2024-05-18 08:49:48 +01:00
Jordan Holt	93c04e83d3	Add authkey to tailscale module	2024-05-18 08:49:48 +01:00
Jordan Holt	92c3bd3a13	Set ACME client defaults in server.nix	2024-05-18 08:46:05 +01:00
Jordan Holt	b16a42732a	Add extra systemd config to server profile	2024-05-18 08:46:05 +01:00