From ee0beeab98b1a656caf3540f98da3cd215cc022e Mon Sep 17 00:00:00 2001 From: chn Date: Thu, 6 Nov 2025 19:47:56 +0800 Subject: [PATCH] modules.services.tailscale: init --- devices/pc/default.nix | 1 + devices/pc/secrets/default.yaml | 5 +++-- devices/vps6/default.nix | 1 + devices/vps6/secrets.yaml | 5 +++-- modules/services/tailscale.nix | 18 ++++++++++++++++++ 5 files changed, 26 insertions(+), 4 deletions(-) create mode 100644 modules/services/tailscale.nix diff --git a/devices/pc/default.nix b/devices/pc/default.nix index 971dfdb0..3dbb6e6c 100644 --- a/devices/pc/default.nix +++ b/devices/pc/default.nix @@ -87,6 +87,7 @@ inputs: lumericalLicenseManager.macAddress = "10:5f:ad:10:3e:ca"; waydroid = {}; open-webui.ollamaHost = "127.0.0.1"; + tailscale = {}; }; bugs = [ "xmunet" "amdpstate" "iwlwifi" ]; packages = { mathematica = {}; vasp = {}; lumerical = {}; }; diff --git a/devices/pc/secrets/default.yaml b/devices/pc/secrets/default.yaml index b8872c3c..bb2ccd5e 100644 --- a/devices/pc/secrets/default.yaml +++ b/devices/pc/secrets/default.yaml @@ -19,6 +19,7 @@ tinc: ENC[AES256_GCM,data:qI2KAyJiC9m+IOzTQ7SFjWnjzzkxvNe6R2yxyK+C/YnEK4JdYqEETI open-webui: openai: ENC[AES256_GCM,data:8CQLvoDuGtQ7PN+1SOmXF48dV/G6fDOiu6olkhSbWEjYcNO4VVmxtHw=,iv:rKBxOTB7/LXfXWVrBFBJeyn43R82oBYCxup8OzWvzKk=,tag:ByoyMizWc9Lpnt+ciYcszg==,type:str] webui: ENC[AES256_GCM,data:G0fniAii8asP+NNTinHwrScrFVkFacoci6BvA24=,iv:ADQVIuf60eTDMwW7BAsfDhoTtsFKF5QDLsDkPAQxFBU=,tag:5siIJGNEa11EeHlurk1h5w==,type:str] +tailscale: ENC[AES256_GCM,data:IkZaLVFO+UfTA7WIjOjiy7PKbfKzhO52WwVXQthat0PnjvvL2cxdza/ic4NtzpZK,iv:pftLbWBH/skX01wHXbFOJvivf4lnqtzXpioM6kYUiXk=,tag:jHGcCBuLA46D1DSg6me/KA==,type:str] sops: age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m 
@@ -39,7 +40,7 @@ sops: OUlxNjdQaXdXMkZ6bnV1ek4yZ2dpbkEKpKGOAxo5Eef2jtGrg4iSzmGCeg+vTgvu +K8b+O19MIkGMDBm6UbYUPtc/7eqoEZRiTUzNMTmfkLVS4ul5zou9A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-12T08:54:46Z" - mac: ENC[AES256_GCM,data:WDImciB99J8YKHGUljCX0ZgaFdKyIm8N5jcItRtF53vOCejsKIRaOUKiqxCdWmDqdLW1V+osmVn0k0b1+GDp6MJ7yB1p8RftwyBoC7CNErld3HNcfc4nElYAvTCxqR9QOHDGmZCEw9e94tTHvs7TYxnFaFXg8iBjDgZwTpz6ZSU=,iv:Z+WT6Dtx9PZjPtYhwm6MbTw87S3aKqJ+LSw6aSN4/K0=,tag:x+tWUCQouFEFtBO1+8TKjQ==,type:str] + lastmodified: "2025-11-06T11:46:32Z" + mac: ENC[AES256_GCM,data:ab9wvm4d1NK95v6nB/G7Hxy6bPmwdIqyUWuSBk/QGvRC2Avw4m5U60AL6iI8nVek4yukdBZm0efu1tVDDlNbVV5rU5EN7VQAChHd3QNDFEVTsDWxugbl8NUEYa/bWEqut16s6kU6lFwyMovO82Kxppy0VwB/7p0SsEc9bv2zJJo=,iv:FckYgIvo9pgFt4mgaArxeDDRx5bHZM88DepqvwM2yH4=,tag:F2A4e19ltYAqd4CAvEC7/A==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix index 5c847bde..fcbc0c65 100644 --- a/devices/vps6/default.nix +++ b/devices/vps6/default.nix @@ -62,6 +62,7 @@ inputs: bind = {}; headscale = {}; derp = {}; + tailscale = {}; }; }; networking.nftables.tables.forward = diff --git a/devices/vps6/secrets.yaml b/devices/vps6/secrets.yaml index eff73e5f..8e43884b 100644 --- a/devices/vps6/secrets.yaml +++ b/devices/vps6/secrets.yaml 
@@ -48,6 +48,7 @@ xray-xmu-client: tinc: ENC[AES256_GCM,data:E3OrPA67R48x5FJUW0ZbERlclz8Z/XokAaGTeBQLPEHSeqEArHYSZkdJRZejFrBruJPlGZMPNBQzlIBXOfXKwMnlBDaGJIIJHIzPDGG9W7QF4IIRK/BjVZHFwfKvZtbUDGsqLcCSe5+ttmyucBaFGquXhnD/Tu09uyWtRvS10KAJLY0Z2/16CFB1+8egJIcYw2TFXObo+KR92Va0qwiDSepKaJtYLimDGRKk04QGj+BYa5y8PjIG6bz8UG82mmCiV7XM3EPlSMA=,iv:kawsklNGFbRhxKuUwvNL2WyBxuYu2T/uks1cJ4i8NhA=,tag:V+jAaxQX7JCiR5+wIVW4Nw==,type:str] postgresql: headscale: ENC[AES256_GCM,data:z2cyyT1TcIhNJCBeGn072aFI2nAioWZQvpyzoky4tWtMymKlw4ilOtSYAsp+kaNOoqvWSmoAQNJLNzeDk1iTCQ==,iv:hZdS/CAVBO0k/AmX3qw3YwTYgK49Aeu5QI3YCAduiZ0=,tag:2l4GPV/T2GHjAAUDX3LaEA==,type:str] +tailscale: ENC[AES256_GCM,data:jRJQmLYwJRjslPNO3VnVGEJxe+kzmSGpHRTpacF4yrp8+lcifAX2YH1109M1xB+z,iv:2NPAxzyhgfPn7H5/yt9Uozzx0ltKnS0mk23U4qOEQpA=,tag:B9kQ8U/aqP/m9bEH0q8Rcg==,type:str] sops: age: - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m @@ -68,7 +69,7 @@ sops: ZXFTU3ZCaW1pTVh0RUJzdDdGdHlPYTgK2mlgcX2kEc8+2UDdBnhUm6IIuh8V6agW ooxH9OEPXUVI/4JcDo4v8ZUhAyU1ehLH0Ef7PJCChOZe2KZmWSNbhA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-06T03:58:47Z" - mac: ENC[AES256_GCM,data:/t09/unE18oWPfoCdyTFdTYCC73C5s3cmB9yLNo1MrLISK8b9DPUzuAOamhW0EXG97/++dNCIAl5VNO/HuU6xT5jH8GFZo3Z7ElFamSmYpKYqDBgTDPlRxGRsc663qeNzpV1VE79hl1ifKk+NrP5cNxG0+FMZ763+dxnde0gdcM=,iv:j1CruHLx3HxV8+joWGKqwU53X9HmvW8LdleSCzACGoM=,tag:rQwSr9W+PDDxhonUDYC49A==,type:str] + lastmodified: "2025-11-06T11:46:54Z" + mac: ENC[AES256_GCM,data:31JLVHnXd9jYXrFmSY9gfhpnq8B+frl8s3j4WhVrl/7cLjmw04agivYAOKORvEnAWS2p7e5PIPqoNX3m2tf394I+TiuDW2bWcdgs/LluvOEnIhV0Ybdrhp0W3esG6i4qRmif2i47G/mHiyKMttyRsH1K7UnaMNPtxlnMkpgDdTw=,iv:Thf+tDU6gYw53ZDN6LINczp/LstsYW1Cfkqa86ULx70=,tag:eFYF1ISvBbGVRUTxxoeILQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix new file mode 100644 index 00000000..2c624eff --- /dev/null +++ b/modules/services/tailscale.nix 
@@ -0,0 +1,18 @@
+inputs:
+{
+ options.nixos.services.tailscale = let inherit (inputs.lib) mkOption types; in mkOption
+ { type = types.nullOr (types.submodule {}); default = null; };
+ config = let inherit (inputs.config.nixos.services) tailscale; in inputs.lib.mkIf (tailscale != null)
+ {
+ services.tailscale =
+ {
+ enable = true;
+ openFirewall = true;
+ disableTaildrop = true;
+ # authKeyParameters should not be set
+ authKeyFile = inputs.config.nixos.system.sops.secrets."tailscale".path;
+ extraUpFlags = [ "--login-server=https://headscale.chn.moe" ];
+ };
+ nixos.system.sops.secrets."tailscale" = {};
+ };
+}
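Review bot: The comment `# authKeyParameters should not be set` states a rule without its reason, so a later edit could set the option and break enrollment with no hint as to why. NixOS appends those parameters to the key as a query string meant for Tailscale OAuth client secrets, and the secret here is presumably a headscale pre-auth key given the `--login-server` flag; I would write `# authKeyParameters is for Tailscale OAuth client secrets; the sops secret is a headscale pre-auth key, so leave it unset`. Because `types.submodule {}` declares no options, `openFirewall = true` and the hard-coded login server apply to every host that sets `tailscale = {}`, and a one-line comment saying this is intentional would help the next reader. The key file remains decryptable on the host after enrollment, so it is worth confirming on the headscale side that each host's key expires and is not reusable, which this diff cannot show.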