flake.lock: Update

Flake lock file updates: • Updated input 'secrets': 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=b4a1c8968a1cb3688c12caddecd99432494df95b' (2024-05-06) → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=c2adb575ca3a816287c7d8f3c23cde6dfd316e6f' (2024-05-18)
Specify ip_prefixes for headscale
2024-05-18 08:49:48 +01:00 · 2024-05-18 08:49:48 +01:00 · 2024-05-18 08:49:48 +01:00 · 2024-05-18 08:46:05 +01:00 · 2024-05-18 08:46:05 +01:00
6 changed files with 71 additions and 37 deletions
--- a/flake.lock
+++ b/flake.lock
@ -548,11 +548,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1715007828,
+        "lastModified": 1716018239,
-        "narHash": "sha256-3791/+OWOMFAY3OFOsOwaFmpo2iIv9iHUhEb63oUL2M=",
+        "narHash": "sha256-Ai13Sbj4DzuQSIrX2rjO0PG6PPpmvfwbCpTxX0kB7FI=",
        "ref": "refs/heads/master",
-        "rev": "b4a1c8968a1cb3688c12caddecd99432494df95b",
+        "rev": "c2adb575ca3a816287c7d8f3c23cde6dfd316e6f",
-        "revCount": 18,
+        "revCount": 19,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@ -30,12 +30,6 @@
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
  security.acme.defaults = {
    email = "hostmaster@vimium.com";
    group = "nginx";
    webroot = "/var/lib/acme/acme-challenge";
  };
  modules = {
    services = {
      borgmatic = {
--- a/hosts/server.nix
+++ b/hosts/server.nix
@ -7,8 +7,17 @@
  documentation.enable = false;
  fonts.fontconfig.enable = false;
  security = {
-    acme.acceptTerms = true;
+    acme = {
      acceptTerms = true;
      defaults = {
        email = "hostmaster@vimium.com";
        group = "nginx";
        webroot = "/var/lib/acme/acme-challenge";
      };
    };
    auditd.enable = true;
    audit = {
      enable = true;
@ -18,6 +27,20 @@
    };
  };
  systemd = {
    enableEmergencyMode = false;
    sleep.extraConfig = ''
      AllowSuspend=no
      AllowHibernation=no
    '';
    watchdog = {
      runtimeTime = "20s";
      rebootTime = "30s";
    };
  };
  modules.networking.tailscale = {
    enable = true;
    restrictSSH = false;
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@ -40,12 +40,6 @@
  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
  security.acme.defaults = {
    email = "hostmaster@vimium.com";
    group = "nginx";
    webroot = "/var/lib/acme/acme-challenge";
  };
  modules = {
    services = {
      borgmatic = {
--- a/modules/networking/tailscale.nix
+++ b/modules/networking/tailscale.nix
@ -1,6 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:
-let cfg = config.modules.networking.tailscale;
+let
  cfg = config.modules.networking.tailscale;
  headscale = "https://headscale.vimium.net";
  hostname = config.networking.hostName;
 in {
  options.modules.networking.tailscale = {
    enable = lib.mkOption {
@ -14,8 +17,24 @@ in {
  };
  config = lib.mkIf cfg.enable {
-    services.tailscale.enable = true;
+    age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
    };
    environment.systemPackages = [ pkgs.tailscale ];
    services.tailscale = {
      enable = true;
      authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;
      extraUpFlags = [
        "--login-server"
        headscale
      ];
    };
    services.openssh.openFirewall = !cfg.restrictSSH;
    networking.firewall = {
      checkReversePath = "loose";
      trustedInterfaces = [ "tailscale0" ];
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@ -4,6 +4,7 @@ with lib;
 let
  cfg = config.modules.services.headscale;
  fqdn = "headscale.vimium.net";
 in {
  options.modules.services.headscale = {
    enable = mkOption {
@ -13,8 +14,27 @@ in {
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.headscale ];
    services.headscale = {
      enable = true;
      port = 8080;
      settings = {
        ip_prefixes = [
          "100.64.0.0/10"
        ];
        server_url = "https://${fqdn}";
        dns_config = {
          base_domain = "vimium.net";
        };
        logtail.enabled = false;
      };
    };
    services.nginx.virtualHosts = {
-      "headscale.vimium.net" = {
+      "${fqdn}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
@ -23,21 +43,5 @@ in {
        };
      };
    };
    services.headscale = {
      enable = true;
      port = 8080;
      settings = {
        server_url = "https://headscale.vimium.net";
        dns_config = {
          base_domain = "vimium.net";
        };
        logtail.enabled = false;
      };
    };
    environment.systemPackages = with pkgs; [
      config.services.headscale.package
    ];
  };
 }
Author	SHA1	Message	Date
Jordan Holt	9654a14f37	flake.lock: Update Some checks failed Check flake / build-amd64-linux (push) Failing after 25s Details Flake lock file updates: • Updated input 'secrets': 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=b4a1c8968a1cb3688c12caddecd99432494df95b' (2024-05-06) → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=c2adb575ca3a816287c7d8f3c23cde6dfd316e6f' (2024-05-18)	2024-05-18 08:49:48 +01:00
Jordan Holt	641855afbf	Specify ip_prefixes for headscale	2024-05-18 08:49:48 +01:00
Jordan Holt	93c04e83d3	Add authkey to tailscale module	2024-05-18 08:49:48 +01:00
Jordan Holt	92c3bd3a13	Set ACME client defaults in server.nix	2024-05-18 08:46:05 +01:00
Jordan Holt	b16a42732a	Add extra systemd config to server profile	2024-05-18 08:46:05 +01:00