inner/outer tailscale

Peder Bergebakken Sundt 2024-11-15 04:46:33 +01:00
parent 9dec14bc80
commit eac4b42dad
8 changed files with 170 additions and 16 deletions


@ -46,6 +46,23 @@ creation_rules:
- *host_garp
- *host_eple
- *host_brumle
- path_regex: secrets/tailscale-inner.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *user_pbsds_bjarte
- *host_nox
- *host_eple
- path_regex: secrets/tailscale-outer.yaml$
key_groups:
- age:
- *user_pbsds_sopp
- *user_pbsds_nord
- *user_pbsds_bjarte
- *host_brumle
- *host_bolle
- *host_garp
# home-manager
- path_regex: secrets/user-pbsds.yaml$
key_groups:
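Review bot: `- *host_brumle` is added to the `secrets/tailscale-outer.yaml` key group, but brumlebasse is not given `tso` (or any tailscale profile) in the flake host list changed in this same commit, so that host can decrypt the outer auth key without ever using it. Unless `tso` is planned for brumlebasse, drop that recipient and re-encrypt so the key group stays least-privilege. The inner/outer boundary is enforced only by these recipient lists: the three `user_pbsds_*` operator keys appearing in both groups is reasonable, but no `host_*` anchor should ever appear in both, and it would help to record that intent as a comment above the two rules, e.g. `# inner and outer auth keys must never share a host recipient`.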


@ -261,7 +261,8 @@
hidpi = ls [ hw.common-hidpi ./profiles/hidpi.nix ];
p1005 = ./hardware/printer/hp-laserjet-p1005.nix;
au = ./profiles/auto-upgrade.nix;
ts = ./profiles/tailscale.nix;
tsi = ./profiles/tailscale-inner.nix;
tso = ./profiles/tailscale-outer.nix;
tse = ./profiles/tailscale-exit-node.nix;
#rb = ./profiles/known-hosts.nix; # TODO
nixld = ./profiles/nix-ld.nix;
@ -274,15 +275,15 @@
in builtins.mapAttrs (hostname: curried: curried hostname) {
#hostname "domain" "system" inputs "state" [ modules ... ]
asgaut = mk "pbsds.net" "riscv64-linux" inputs-2405 "24.05" [ hw.starfive-visionfive-2 ];
noximilien = mk "pbsds.net" "x86_64-linux" inputs-2405 "23.11" [ au tse intel ];
noximilien = mk "pbsds.net" "x86_64-linux" inputs-2405 "23.11" [ au tsi tse intel ];
brumlebasse = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au amd nspawn ];
nord = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au ts intel-novga hw.common-gpu-intel-sandy-bridge rocm hidpi ];
sopp = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au ts nixld intel cuda p1005 ];
bjarte = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ ts nixld intel hw.lenovo-thinkpad-x1-7th-gen ];
bolle = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au dns64 intel ];
eple = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au tse dns64 intel rocm ];
garp = mk "pbsds.net" "x86_64-linux" inputs-edge "24.05" [ au dns64 intel-novga cuda ];
hasselknippe= mk "pbsds.net" "aarch64-linux" inputs-2405 "24.05" [ ts hw.pine64-pinebook-pro ];
nord = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au tsi intel-novga hw.common-gpu-intel-sandy-bridge rocm hidpi ];
sopp = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au tsi nixld intel cuda p1005 ];
bjarte = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ tsi nixld intel hw.lenovo-thinkpad-x1-7th-gen ];
bolle = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au tso dns64 intel ];
eple = mk "pbsds.net" "x86_64-linux" inputs-2405 "24.05" [ au tsi tse dns64 intel rocm ];
garp = mk "pbsds.net" "x86_64-linux" inputs-edge "24.05" [ au tso dns64 intel-novga cuda ];
hasselknippe= mk "pbsds.net" "aarch64-linux" inputs-2405 "24.05" [ tsi hw.pine64-pinebook-pro ];
#gomperud smattkuken skrytebiffen skalkesnerken balleby bingus skjrlaltatjlstad
#bergjlot snortheimsmoen ditlefsen skrukkerud podebusk zmaragd makrell alfnes blix urke pytte uddu imdorf rosenqvist
};
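Review bot: hasselknippe is switched to `tsi` on its line in the host list, but the `secrets/tailscale-inner.yaml` rule in .sops.yaml lists only the three `user_pbsds_*` keys plus `host_nox` and `host_eple`; unless hasselknippe's sops-nix decryption key is one of those anchors, activation on that host will fail when it cannot decrypt `tailscale-authkey-inner`. Either add a `- *host_hasselknippe` recipient (if such an anchor exists) and re-encrypt the file, or keep hasselknippe off `tsi` until it can read the secret. The same check applies to every `tsi`/`tso` host: the profile a host is given must match the key group it is in. The `mk` helper that consumes these lists is defined outside the hunk.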


@ -3,7 +3,7 @@
{
# exit nodes must be approved in admin interface
# https://login.tailscale.com/admin/machines
imports = [ ./tailscale.nix ];
/* imports = [ ./tailscale-inner.nix ]; */
# if host is _upgraded_ to exit node, reload with
# sudo systemctl start tailscaled-autoconnect
@ -11,4 +11,5 @@
# sudo systemctl start tailscaled-set
services.tailscale.useRoutingFeatures = "both";
services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];
services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
}
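Review bot: Replacing `imports = [ ./tailscale.nix ];` with the commented-out `/* imports = [ ./tailscale-inner.nix ]; */` leaves this profile silently dependent on the host also pulling in `tsi` or `tso` (the flake does pair `tse` with `tsi` for noximilien and eple), and a host given only `tse` would have `extraSetFlags`/`extraUpFlags` set on a service that is never enabled. Rather than a dead comment, make the dependency explicit so misconfiguration fails at evaluation, e.g. `assertions = [ { assertion = config.services.tailscale.enable; message = "tailscale-exit-node.nix requires tailscale-inner.nix or tailscale-outer.nix"; } ];` — this needs `config` in the module's argument set, which is outside the hunk and should be confirmed. A short comment such as `# does not enable tailscale itself; pair with tailscale-inner.nix or tailscale-outer.nix` would also help the next reader.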


@ -8,6 +8,6 @@
services.tailscale.enable = true;
# https://tailscale.com/kb/1085/auth-keys
services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey.path; # also enables autoconnect
sops.secrets.tailscale-authkey = {};
services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
}
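Review bot: Pointing `authKeyFile` at `tailscale-authkey-inner` does not by itself retire the old `tailscale-authkey`: that value stays in git history encrypted to whatever recipient set covered the old secrets file, which may have included hosts now assigned to the outer tailnet, so the inner/outer separation only holds if the old key is revoked in the Tailscale admin console and `tailscale-authkey-inner` is a freshly generated key rather than the old value re-encrypted. Because the same key file is deployed to several hosts, it must be a reusable pre-auth key, which is a long-lived credential; record its properties and rotation expectation next to the reference, e.g. `# reusable pre-auth key shared by all tsi hosts; rotate/revoke at https://login.tailscale.com/admin/settings/keys`. If the old key has not yet been revoked, note that as a TODO here.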


@ -0,0 +1,13 @@
{ config, ... }:
# DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
{
# https://login.tailscale.com/admin/machines
services.tailscale.enable = true;
# https://tailscale.com/kb/1085/auth-keys
services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-outer.path; # also enables autoconnect
sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;
}
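Review bot: The header comment on lines 2-3 describes DERP relays, but nothing in this module configures or references DERP, so the comment misleads a reader into thinking the "outer" profile is relay-related. Replace it with a statement of what actually distinguishes this profile from `tailscale-inner.nix` — a separate auth key, read from `secrets/tailscale-outer.yaml`, for the hosts on the outer side of the split — e.g. `# "outer" tailnet profile: separate pre-auth key from tailscale-inner.nix; never deploy both keys to the same host`. Since the file is shared by multiple hosts the key must be reusable, so also note where it is rotated, e.g. `# reusable pre-auth key; rotate at https://login.tailscale.com/admin/settings/keys`. Whether inner and outer are two tailnets or two tags on one tailnet is not visible here and is worth stating explicitly.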


@ -4,7 +4,6 @@ nix-community-builders-ssh-key: ENC[AES256_GCM,data:9QNhqQS/6Cu7VMUoWEWkpDCMPu7d
pbsbot-gh-token: ENC[AES256_GCM,data:iPTIei8KLfHKeGey08CfSsyuTufvxO4WHG9qE1TqmWHv5/vqW8YyGQ==,iv:JOKI1aFsnqPFkkkZuCmcIFZAbXe7kANt3QEuD+3GyWs=,tag:quwvq3FBiXE1GrzzdWVQww==,type:str]
nix-access-tokens: ENC[AES256_GCM,data:WAQNm+cUpH/SOg8xts6HPkEDL2dMbfqlVW9Le1vNqtzFTHDZHtq7obhBdHFGK5kSJBGVfmgf+UHj,iv:RSVCl+QCIpYpveexeOJehDP4nYpN5UK/y8YWEQ4LYUo=,tag:FMDjrXZFA1Z2z8G0Ca5wMw==,type:str]
nix-access-tokens-all: ENC[AES256_GCM,data:/LahnHXSg5Le4OS6DKA/ep1yfj2nvo6Zof28LxlS1JUEBQprJ+buJ0HFh+gYOXJLcWvBTenrirG5FoMrVxH0iSaRvLvwcoSErrG2IUOdojJ0KqRFfiVAUL9ig2PnGyuPjGTMYIhQW3Uv5x46YvEAZF0G+TuNMOgAOttcUFcJycZTu9lga4SW0kWzMHakiA6lqANjEoZA+aIHUlygEBwP4han8FwKrgEG0d3CFYGv3SDxTBvSSGyVvg==,iv:+Q4KL3il21LfkDzOEo5+E4RUy+xOWe4dix4YN1Js6BM=,tag:rRONDVUjUoLP6FvzsvCDjA==,type:str]
tailscale-authkey: ENC[AES256_GCM,data:RieWRv30MUPSnHu2w8QCGgyaccmK/DAnGxLe+Y+F0fpTcnZowyGUFiJnWzlegyam237TOxlNCPiAwalaAgs=,iv:bPYYskc0fsQaPCNcNWwWzFMnGiU6oD58DDEex0wVdTA=,tag:kPqJGuv8uiazscfDQZoVJQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -110,8 +109,8 @@ sops:
SklPV3NUSkxwSk1rWHg5N2tiN0xHeVkKhUqu6rVayVeGi00YMRXF1npO7j9oXySX
rxVQgH6hYlLbeCIW4T6cP2eCbchWDi3Pear1DVknwEDa+DhHey7Bmg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-19T23:56:40Z"
mac: ENC[AES256_GCM,data:OGiBtwuQ278lID1Zn2jFwTHP8l4K1M/ig0ViAFMLKn0q3H6SilMfaVDwpKEwaNdIX7eg1EMcPUmjcKZ38+Vqz2dE7D6EzFq5AAcPEJ6xvlSv5NPgJ/wZezJep15hWfDS/kviC9+IVuXJYGxv76ZkULao9qePOTtNxX6JHbVxdC8=,iv:1aotwerQTCZA2L3t+Mc/TSDoChk1qAnFYnsBtDpiRVY=,tag:/9oAX6VaeEk5tY6UZrRaew==,type:str]
lastmodified: "2024-11-15T03:47:00Z"
mac: ENC[AES256_GCM,data:gPMSsxpXOryqdFM56+QW4SBy901AZyNGxuSxhPrtjVqodj/swtKjjcBJ92afwcf+pcgE3A3nS5pqNyHJNMFAhnXRBH3evBxgi2ZVVeMe2qoxSVvmlykxJCK+bahroOWuUwgqu1o47/7tTFJIUSPBb92B1S6qY1YoptMDwqgqZ5Y=,iv:WcEKsKK98vwtCVKebQQ9APjmaILzN5pE7oUHoTT0XD4=,tag:1YGbRM+XbHjLEA/mO5yEXw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,57 @@
tailscale-authkey-inner: ENC[AES256_GCM,data:B3W8jw4Naeq3rFfcyvLTnlDS/rKv+gi0CxgSRTvxe+uAMPtsctDVQABb/f9jtkK6YSbt79oR3H7DcMArD+c=,iv:tBYdHAviG2qLlQr+C38eOw5gawt3TK7lAycuTqlfa3Y=,tag:7Y/JjX/BJAvPMvZL6GQyvg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmV2RkYVRnRVJuTjNsWk5x
ODkxYjI4ZnhkUDhhajUxZWpObEt4MElsOHo0ClA4VDRCa05uNzVaVGlpdUZBU2NS
amJBRjRCTDNKcC9BZU5DeHBxbjBLQU0KLS0tIDhiU3p3aE1nUHo5SG1FdnMyeHlx
UTdxMXgxdUFpM3FuZ2pXZys4aFVoYjQKfUAI3PUEx9mRoGRiCTk57Kf7wTVYFC2p
1QfppwztKMOrISQiuExj/n369zoPrtOXjhbjWGoQ4xwUY05VVEnL0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzZ0h1bG1xRWtpZVNYT25z
WW94TE5NcmlPL1ZQWldhbkJTcnpHc3Qvb0dVCkZrbTNHUDMwWW52M2lrQ3FoYjNR
K01nU3lyWExlV1N6cUIyR0ovNncybFkKLS0tIC9jd3pDUkoxeVIxR05JZUxoNUJQ
SHJnNmE2cGFZZHl3S3l2dGZDU2NQclkKqi5jR8zAMeTZ3F+ZxLplmrMcPF0naScf
JIVmjb7klyFzNk+1rwSZhzTC5IROhn9u+mt3hey1D+u5R2nWlQ+lug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLV3NIYVprL2VJUWpEYnhx
L0VnbmszRjMxRy94MThZM2lrS2hCQyt1dEVVCm1lL0s4cUhWNDBNRllYdVRSUFJa
STdNM0oxNlUyMU51bVVHaUhBdWhXd1EKLS0tIElYemlkc290OTd0a0cwOWpXb3M4
R3JYb2o5SVZuS1lFVlhyRW1GS1Y5ekUKZT1Eb4d7s/7ejbzpeA5DtYOsMaDwBkUp
zn09tcl8cy+KnHXN7ZBahVDnloxrH/WzQ2iQANMOwAGeTw9MkcUENw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBacVExWE1lTklPd1ZGV3F2
dkZsMStPSGNhUWhla1JjcXVOOHRzeWtSREhnClIyYmpZUmpCc3VHSUpYZE1zQmNL
U3RUZG50aEhHeWJQZEpHRWk0U0VQM1kKLS0tIEFNcmZmYlVIL25NbkF1UlJwNm9j
cS9rYWRucDZ0bGY3MjlvemRuSkZqdVkKY7OnDWZX0Upxnj7O0HZljNqDXkxypYrU
eY9GCsKei/QuceNuF757fCau+nJWZ/NLb8saxyLEP/A6CQ2ya9W6kg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fha09v5edg88ys45a0u3tpjqfyl29fsy9xaz8xxfy60zjhmas5psfdxynp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQ2FIWTlhZ3hIN091dzBF
UXRFWktic3NueU5wUlZLLzVoSVpvREowS0NrCkpFazN0NGR4a1NqUndTTHNNYnk3
N0dwZXFkU25xTjRFb2tGamlZZEM5N3cKLS0tIEo0NkMwbGxORmw2TGhHTjUyckJ0
cHd2U01wVnUyU1ZnbHkxS3I5OHJPMGMK21XgI6nYaEo0sONvbaZqiFiS5hufduGe
ThxL66GALQbiRLCm5OxowIWBmGdh+Rla4lZUrbmYdP0aqKkQppydIg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-15T03:32:22Z"
mac: ENC[AES256_GCM,data:HgVNUsuwZVmZDHF1ml+Js+zfvK/kNP+0n28otHwOJYbRkXeQ9JDZZtJpHnVfWrEv0ILT/S8NkIrxx+A5D/S/6m3yEv+/cW7+/azAGBGvA1vFVIVQdxYx8bi6QY/bPau5AI+VVnSV+kKvxYZFStO5sRK1a923PNzPuq25E8yMjf4=,iv:SMH8jGPYOQJGJ9bIokcmJDjiKO9+lPxkkQNlzu+qg2Q=,tag:6a2YDzSt5nkDd0IMyencXA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -0,0 +1,66 @@
tailscale-authkey-outer: ENC[AES256_GCM,data:cnTDTT935/ZLo3E3xL4J+d27900W1WYfJObOtTaSuqRKBcdVied/QuD5NxUhcjtp2R1oK8WUyyCvdAiAa/I=,iv:+bTpR+mQJ3DUc9sNpIghzLjKnO83pZP/y1PiIMuSG88=,tag:TM/FwlYhZMsGk3wxRynUuA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTkd0QmJDOVlCaEdGVXFz
SlpwcEY3ZlVtczlJbXRTdktuK1hvNzR5Y1NzCndGMCs4ZU5KYkJzZitUTFd2MjE5
Q0lLQ3pqOFdBSGF3aEwyZU1Ga3JHbVUKLS0tIENDYU9BM2s0N21rVGhJMGppSkU4
b3FHN2diaXZzSFNxUVhHZUtiWEJtVW8KvsVSTClcOGqs0s2U5UbXa/Zg6QuYACDK
46V+YW4R/Cr+t85/WJ0PXTmocmfryoZo9F5yJEtUGGBWgJ/KyX4+Eg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1SEI2OTlxWmx6cCtwS2RB
ek5oYXZWOGNVWTYwaEh1ai9sWUVYOG01SVVVCnZNT3lIdE5Md00wNkRkTUVhanYr
clF3THk0azFkZytRZFlxT3lINnNnbFEKLS0tIHp2ZFBiYnlDbGVUUXlkUFM4VWNL
MTBSQ28ydGRmUUVJdkJhK0g4aXlyRkEKnAqzD1HNNlHXirT6Wcr386ojWG8TwT4o
nZIW7dVLMa9iWreQ8ERbd2dr6fUG6KgJ4vH1Zr2996k1Je24FICJXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1N29qMzZnODRIdzJ1eXc2
MVlwVk5RbDNROTJYUGIrY1BqMjByNWpCTUY0ClV4eGhIbEFScHBoU2NOM2xGWlRx
SG9sWHN3eWMvWm5paU9LVjJGOWptdFkKLS0tIHE1SzR3T3YwOGFWMWVPV0x1bUU1
WW9aeHpuVFA4TDJoOCtETHlNeXZIV0EKOBLaiKhivSXSjc0K1mb1gMwMUIwDwq+h
JSO5AU93yBOsQ9SGgTOTB2ihqAzRKqsCrkDuyoI9eiM8o0JbybEN/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1czlqpfdvey2hzgr79skxvtg4stnfawq045l5sl59j0cd9hfuqvlq83v647
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSkhUaE9DNkxHeEpVNWJH
SXJXRjM3Mm9UejBpekJ4T1NvTDdVY0dLVlVRClRtRVJuU0YvUStVdUlzSTVkZHhp
aUVxN05TdGNXdFVKSVFwOTBwa2VzT0UKLS0tIFdVY3FRcHljMXlxYTI1SVJvTm9q
a3FRZlNFMU83b1FSdlc1bnl3eDM3OTgKbhwzCZ/m0ZuIOGKJGShT7KJiAFE0ToyV
0EBrggjx2yXUybvDiFXNTGW8JBYp4ChC0xEMKoEtnUA8b2kHIonZpQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbHNURkVKSWp0NVQvbkla
TUd3M1dWSFZicHpxS0N2VGQyTExqOUpKbmlZClRwVmkwR3A1TVRhWDV0MGYxbUVL
eVlvMEJLRlBzUXcwMmlRM2prTFBoQ1UKLS0tIEdoSmdTRzVBWjlvQ2RZTjgvcENY
RUFpcUw0R2FWWmxvYmkwOEpsYU5oYzQKTegEFviXk0QRG9YnOarRL22KPDBkmoJH
CnAKKS1FIVydBbsGKi90QI6/BMJj/ih2EYM8n0MA1sA28XcXPGERJw==
-----END AGE ENCRYPTED FILE-----
- recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL3VRN0xySUhFek5ZK3hI
aXZoTjlMVWkrRmtBSVJ1Sm9hY3RjcWx0WHlBCkFKN3pQOTdGVS9hN0czNHdZbGZD
M2tqOHdQc2tzdS8vVDY1WmpKNTBFVlEKLS0tIEQwQW1KczBSQnI4clYxcW5vTE9m
WDJ6WndDMGxPTkZ0ajJKWm9vcFZ5YUkKQawuoXUSKGBfKoMmfY/FevNph2arr0k8
dPXZq9iKEP5pxzt7CaqOI889YHBdxXkRv0+qwBUt7VBCC5+suunikw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-15T03:32:26Z"
mac: ENC[AES256_GCM,data:IYFXYOpANpQjqxlW07Fx+kMj0BQxdrbX0aJEXSFkz4uQGn+pRrwe7GHhThJc8Spo77i4KnIH3RDCW54YIXSGWriHaRe2mpdaBZsVJo+DKJ7BjTMKj8vZftk3iaUFWnbZiSFvVuOFJ5x4leCZ0rmixGnP0iHYqt7remD1m4GijSs=,iv:xWb4DLW26CpaYet1dbb/0oAv9oAMuQ5QVvXmhr8HsxQ=,tag:A2Wv0vTPLVzaiS9OIGudRQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1