fix: tailscale in tei

arcnmx 2024-01-09 14:45:01 -08:00
parent 5a661e8809
commit e4aa541441
4 changed files with 47 additions and 36 deletions


@ -3,7 +3,7 @@ keys:
- &mew 65BD3044771CB6FB - &mew 65BD3044771CB6FB
- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
- &tei_osh age16vcudjuaf3j28vlc44n78ly9eztrwekjss2kstzx9yhhutl9vpdsq58wtv - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
creation_rules: creation_rules:
- path_regex: 'systems/tewi/secrets\.yaml$' - path_regex: 'systems/tewi/secrets\.yaml$'
shamir_threshold: 1 shamir_threshold: 1
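Review bot: The `tei_osh` recipient is swapped for a new age key, but the accompanying `secrets.yaml` in this same commit keeps its `lastmodified` and `mac` values unchanged, which indicates the file was only re-wrapped for the new recipient (`sops updatekeys`) and the underlying data key was not rotated. If the old `age16vcud…` host key was lost or possibly exposed rather than simply regenerated, everything it protected — including the tailscale auth key — remains recoverable from git history with that old key; in that case run `sops rotate -i systems/tei/secrets.yaml` and reissue the tailscale auth key as well. A short comment on the recipient line recording why it changed, e.g. `# replaced 2024-01-09, previous tei host key retired`, would make the rotation auditable later.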


@ -4,7 +4,12 @@
pkgs, pkgs,
... ...
}: }:
with lib; { with lib; let
cfg = config.services.tailscale;
in {
options.services.tailscale = with types; {
advertiseExitNode = mkEnableOption "exit node";
};
config = { config = {
networking.firewall = { networking.firewall = {
trustedInterfaces = [config.services.tailscale.interfaceName]; trustedInterfaces = [config.services.tailscale.interfaceName];
@ -37,11 +42,16 @@ with lib; {
}; };
# have the job run this shell script # have the job run this shell script
script = with pkgs; '' script = let
fixResolved = optionalString config.services.resolved.enable ''
resolvectl revert ${config.services.tailscale.interfaceName} || false
'';
advertiseExitNode = optionalString cfg.advertiseExitNode " --advertise-exit-node";
in with pkgs; ''
# wait for tailscaled to settle # wait for tailscaled to settle
sleep 5 sleep 5
resolvectl revert ${config.services.tailscale.interfaceName} || false ${fixResolved}
# check if we are already authenticated to tailscale # check if we are already authenticated to tailscale
status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)" status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)"
@ -51,7 +61,7 @@ with lib; {
fi fi
# otherwise authenticate with tailscale # otherwise authenticate with tailscale
${getExe tailscale} up --advertise-exit-node -authkey $(cat ${config.sops.secrets.tailscale-key.path}) ${getExe tailscale} up${advertiseExitNode} -authkey $(cat ${config.sops.secrets.tailscale-key.path})
''; '';
}; };
}; };
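Review bot: The re-authentication line `${getExe tailscale} up${advertiseExitNode} -authkey $(cat ${config.sops.secrets.tailscale-key.path})` still expands the sops-managed auth key into the process argument list, where it is readable by any local user through `ps` or `/proc/*/cmdline` for as long as `tailscale up` runs, and the unquoted `$(cat …)` is also subject to word splitting. Current tailscale releases accept a `file:` prefix on the flag, so if the packaged version supports it this should become `${getExe tailscale} up${advertiseExitNode} --auth-key "file:${config.sops.secrets.tailscale-key.path}"` and the key never leaves the sops-provisioned file. The new `advertiseExitNode` option is only honoured on this `up` path; the `BackendState` check just above appears to return early on an already-authenticated host, so toggling the option later will not take effect until a re-auth, and a `tailscale set --advertise-exit-node=…` call ahead of that check would apply it unconditionally (verify against the installed version). Nothing in this module enables packet forwarding when the option is set, so unless `services.tailscale.useRoutingFeatures = "server"` or the equivalent sysctls are configured elsewhere the advertised exit node will drop client traffic — worth either wiring `useRoutingFeatures` from this option or stating the requirement in the option description, e.g. `mkEnableOption "advertising this host as a tailscale exit node (requires IP forwarding and admin-console approval)"`. The `script` let-binding opens in the previous hunk and the status check sits between the two hunks.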


@ -6,51 +6,51 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age16vcudjuaf3j28vlc44n78ly9eztrwekjss2kstzx9yhhutl9vpdsq58wtv - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3UDkvWFdVOHFxSkl2T1dx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeVpaN2g4emhKZ05pMlVY
TE1qRjIrQ2VsaTB1Ym16MkJBTkJQNmFLQlJFCnptS1Q2bzJoV3NCNWZjaHNEc3hH enNWSnpEVDRpbVJlZ1ZYbUdLbjIxNjk2dGk0ClhzMmRsd3JBbFY5aUxHT0VTZUtU
ODlHUjIxY1hTdXdKVUE3UGUvQlRpRlkKLS0tIHJCOEYyMnRCMEVoRUJ3QjhXbE1a OXlMUlQ5Rlh0dVd2MnlFc1FJOW44OWcKLS0tIFF5ZVlMcE1nSjZZbFg5bzJ4KzQ1
Y0xxeFpUeC9iUm9uS0h6anN2UDdHNGcKAUmeJWwD6McZyOQKO8DXygpKlj6QwnLw bGU0VHd0aFhHRC91WHh0Z0Y4TTE5QzgKpHehWfoJT4F1TtMHJ0tZkoJAPFAihQ7T
5w+qGwcOH9WclZf/ENQZHD8b4QxBTkguHz8rWc2Ruy9gkjZG3afuKQ== aunsQeLHJkHv1eWKpraTmo+04GVZofwId/1TtOContveBynfxcuG7Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-06T21:27:28Z" lastmodified: "2024-01-06T21:27:28Z"
mac: ENC[AES256_GCM,data:QVnNJ37mJDOSG0khDHEpez8/sPsh9TqLhXCBXJ9HDZoPiG17LTLp6p0+2NlTuuxF8rHYakDSKnAVamhsuTAdbgKmdG2m1Hm4zRFPLc/GlTr9618fo8/Ob+cIoV9yoTyVFFykQWBS0oNR+dorp9yKpcB8IlyxbtW9WmU1CWEAd2E=,iv:ODW2e+93MKEZ5fsxne2SpLLDyLc6z8X1VCqamoLAPwM=,tag:2uDKu5UEn72z6vL5Y/RT9Q==,type:str] mac: ENC[AES256_GCM,data:QVnNJ37mJDOSG0khDHEpez8/sPsh9TqLhXCBXJ9HDZoPiG17LTLp6p0+2NlTuuxF8rHYakDSKnAVamhsuTAdbgKmdG2m1Hm4zRFPLc/GlTr9618fo8/Ob+cIoV9yoTyVFFykQWBS0oNR+dorp9yKpcB8IlyxbtW9WmU1CWEAd2E=,iv:ODW2e+93MKEZ5fsxne2SpLLDyLc6z8X1VCqamoLAPwM=,tag:2uDKu5UEn72z6vL5Y/RT9Q==,type:str]
pgp: pgp:
- created_at: "2024-01-06T22:38:31Z" - created_at: "2024-01-07T21:18:21Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ//fULmaMuT7Bckde6ljCNBi8P3EFATvZ58ZY1Yt0lkerma hQIMA82M54yws73UAQ/+IXBGpe1fGBcKLPN4E3h4znN3FcJIfnHDki4D2qVS8Mtg
Paa00POnyEWyQGSHXiJ+jeYELKG9JoFbsipN18B3JHokvMLQhkb78pPSDf6kaTqR 7rS3UtY3yrr/j8LV6U9gYuMnaFvM8juOoOowU/MqPswwz95s3Hm4SE6yk+MZau3F
7IKDP8DEHqGhfmwg+HrLtSceXccCAvsridyvx5Kq6ljuEy5anPZjL6Sld+EvB35L Y9EKmDxmMANTEI2D3f8p7quhOJUhUAO4X6MLUdKWIV2V8RP8dUsv3iTn3Rifh/CM
wrReuTXYVv+23qi75nlA6hFPNoja0HvrK2mRro/jgirVE4h5u3bgtkdHZ11WXDww At9uvRbUuRJzVbOwdv+HlyxJY4Ql8ewJMtLf9/rMkKb+4zMkQak/zF5sggI8H4SQ
449AweYlxOnbrGBTJnfxgI9SK57dP6zq13BKG3ECeEXgztWp7y98RrjI8HnDqg+u 2T/qoWPjfwnRKT1bgE58Z1fTGr1RnFeEDRVOKIlYEodZatFXcr+eifLt3eEtYxAk
2dPWr7Hy6yv7ZvcXC9kPHYTCO1YJEMzE3jL5Klo9FfV3+ZrbA5/linfhFUKgbROb 4XfZBItb7VT7ISPnAGEcKueYs1hIH8udKXKBw3bh9Y2yXg9o19Z00lZ5aW9WyBWY
eCRp2UaCRdnJQEeMIy4FCEkqtLJK7JQX0F4ZOfVKyh3neBlPHKHPnygA3C0X+uHg OfR1tnAp05DK3GJyevyX6IMcxYwPnzJwmQ8XkMgyE4bmPuEJWTNX62iamM5xia84
SXy3wDhI2Ib78ehEfyp4Dk1TDEA6cXZOxkIiWUVreSB3y00H6J9gdNTOUYbn8hLB d1pit1RyI5aS9jigJ29ct3fY/Eiz55m210JS8Z9C8tohsN7lrXShCjXqKry7c3se
0MDD6Tl5ZqgsxiDRiH1Qn/WI+uJpotw0L4bqAhIkI7dCuYOzU6oZVCOLQ8D1TQyo WF+BUEo9WYMJh2ezzdRifhALg/odOG8Y/1wd2ukwsjVQVwNbwV35JdyJG7Noi0Es
8LWG3TQapcT7kvq0CyGGVX8aRxsvJfXWoSOYq9etclda/eT52Em/gHFUVv61fOlQ NW+xJM6ltDsRLx7cHSfe2EXaSfLDoUgqnHunckMCQQkqTNWuBs21TKtOqYv7S8Cf
KDpMbl5VyCcau4ZvbU6nNMivu+j0zccyIAj2MbWjfKUftXGcQaEtbJK00KzaufvS i88WYxz/jpOvrT+ODVlG5Kto+VPlVt4SRbuKQSe8W/BObT11uqnfKq3cHeG2d1/S
XgHtPNsevoJLdK521ypL5I6I0QnMPSidcFLq3V8fMIFn6b4OuIUc8O7/96qnacA3 XAFE3sLzaaJ+KEP3PZZS54oSJLhXNbFtmd9JM5r9zJ7h5ct8HZYtvyDoiJhzYndX
2uVuH6yqwPCaQb3WvutvXYp25sF8DbuYNX7PhdDAlm2rZNlYXtcYGnc5xWwTYVQ= 2U0OPchmONQkA7vK48WofoY1UK21lc8JtoHE2wJSHE/58+1pI/po9mtgIsSw
=lsdN =qYwW
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4 fp: CD8CE78CB0B3BDD4
- created_at: "2024-01-06T22:38:31Z" - created_at: "2024-01-07T21:18:21Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAwzTjn7nYMXWQo1oh11vfogqtPttPrQCgiD1HR+rtC8WZ hQEMA2W9MER3HLb7AQgAreTpyoJdqoECOYW2T7wBVi6IBQF3zELV1jxmbE6Ck0e9
jNy8yk3aFIaG0H03YAj8GjnLFajZ/SPvMA8BzmXDfoNuLtKbcC8B+qCwC4rcOPL9 ipsff5rwWnKI7OqXT7TyEXlYXr3KyjGDdFQaP3yET9HaYI1i+L75ovomqnuGe5up
INeUmF2s7VXhnqMfameT4VFS46nIz+KxNOtp91VKqYY5C1vmTO44zniqchHDmZl/ mbMpkUhClSJhmCF1btYnkGq/YFPA72yo1Rh6++ZQhmSbzhXNT1zKysQaaKrNKWJp
sLn3cAoxzHQVlWWzSLdk7/hxLMA/AUWLwK/aXOXyBIJF5INgB0XiKr54Rae3LjEm m5SHSeM7rhi5P9f2+sHspmAwsUaHVVRDFrLEyGZFzL9VgrBg/eWHeGz7SUPM1roN
Fy91s7RglXSn9Mbu/zO4xTd4AlcySgdR/jPx9yVBha414USIq4/nYsKNWppQbDuR Xm3NiqZmoolVHAyAXphD6q0L3DLmPAEHogOhs0lXOxoRjxZ8fclFD77v959txPgr
GffaUxMgerMspk7rW9mXT8l+erlDtQBmm50q5uvjpdJeAauvOKRwDFA3KMCCWddx 8/u7bCfjBDUGt4JfjAosPfadgMgyT0FqiJUjxHu49dJcAXhq3Ty0SxGQWORhEIrr
Bzjm+rVXGGiSX4owL/y7UOepowGuublGDJ/vnUWZWXvkpQbDiZBCrAdUVlAB/m7a iHg5P1lalPxtk5M3nnx10RnnXSkFeoLaWXure5vIi4JeiE3K46Qd0tqe7pAxvDB8
G+M+9mRFi9ASxt+CKp8XFSR/DBjamQhtZHLgirKu8Q== b4x9Opdw0umj2iiKx89U6SJ/O+u9tT2j36z33+8=
=+YRG =12x0
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 65BD3044771CB6FB fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted


@ -69,6 +69,7 @@ in {
services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}"; services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}";
services.kanidm.serverSettings.db_fs_type = "zfs"; services.kanidm.serverSettings.db_fs_type = "zfs";
services.tailscale.advertiseExitNode = true;
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;