peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

architect: Added initial support for Tailscale

Browse Source
This commit is contained in:
Giulio De Pasquale 2023-01-30 09:46:20 +01:00
parent f221f5e2b3
commit 79116ae1a7
6 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/architect/default.nix
View File

@ -38,6 +38,7 @@ in {
./keycloak.nix
./lezzo.nix
./runas.nix
./tailscale.nix
];
time.timeZone = "Europe/Rome";

9
hosts/architect/firewall.nix
View File

@ -15,7 +15,7 @@ let
# UDP services
dns_udp = 53;
wireguard_udp = 1194;
# TCP/UDP services
torrent_a = 51413;
torrent_b = 51414;
@ -35,6 +35,7 @@ let
wireguard_udp
torrent_a
torrent_b
config.services.tailscale.port
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp
@ -86,6 +87,7 @@ in {
lib.concatStringsSep "," towan-wg
}} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
oifname ${wan-if} ip saddr ${tailscale-net} masquerade
}
}
@ -101,6 +103,7 @@ in {
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}"
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop
}
@ -154,11 +157,12 @@ in {
ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local"
ip saddr ${proxy-wg} accept comment "proxy > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept
iifname ${tailscale-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${tailscale-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
@ -189,6 +193,7 @@ in {
}} accept
oifname ${wan-if} ip saddr ${docker-net} accept
oifname ${wan-if} ip saddr ${tailscale-net} accept
jump filter_drop
}

1
hosts/architect/jellyfin.nix
View File

@ -51,6 +51,7 @@ in
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
'';
users.groups.media.members = [ "jellyfin" ];

1
hosts/architect/keycloak.nix
View File

@ -74,5 +74,6 @@ in {
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
'';
}

5
hosts/architect/network.nix
View File

@ -4,6 +4,7 @@ rec {
vpn-if = "wg0";
proxy-if = "proxy";
docker-if = "docker0";
tailscale-if = "ts0";
# nets
lan-net = "10.0.0.0/24";
@ -11,13 +12,13 @@ rec {
proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
tailscale-net = "100.64.0.0/10";
# ips
dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1";
giuliopc-wg = "10.3.0.2";
giuliophone-wg = "10.3.0.3";
@ -54,6 +55,8 @@ rec {
hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202";
architect-ts = "100.67.205.28";
# groups
gdevices-wg =
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;

18
hosts/architect/tailscale.nix Normal file
View File

@ -0,0 +1,18 @@
{ lib, ... }:
let
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
ifname = "ts0";
in rec {
services = {
tailscale = {
enable = true;
interfaceName = ifname;
};
};
networking.extraHosts = ''
${network.architect-ts} architect.devs.giugl.io
'';
}