services/tailscale: init

hosts/bernie/overrides.nix

@@ -9,12 +9,6 @@
     boot = {
       growPartition = !config.boot.initrd.systemd.enable;
       kernelParams = ["net.ifnames=0"];
-      kernel = {
-        sysctl = {
-          "net.ipv4.ip_forward" = true;
-          "net.ipv6.conf.all.forwarding" = true;
-        };
-      };
 
       loader.grub = {
         enable = true;

hosts/bernie/services.nix

@@ -7,14 +7,22 @@ _: {
     forgejo.enable = true;
     vaultwarden.enable = true;
     isabelroses-web.enable = true;
-    nginx.enable = true;
-    cloudflared.enable = false;
 
     mailserver = {
       enable = true;
       rspamd-web.enable = false;
     };
 
+    networking = {
+      nginx.enable = true;
+      cloudflared.enable = false;
+
+      tailscale = {
+        enable = true;
+        runMode = "server";
+      };
+    };
+
     monitoring = {
       grafana.enable = true;
       prometheus.enable = true;

hosts/hydra/default.nix

@@ -9,7 +9,7 @@ _: {
         type = "laptop";
         cpu = "intel";
         gpu = null;
-        monitors = ["eDP-1"];
+        monitors = ["eDP-1" "HDMI-A-1"];
         hasTPM = true;
         hasBluetooth = true;
         hasSound = true;
@@ -84,16 +84,13 @@ _: {
       };
 
       services = {
-        smb = {
-          enable = false;
-          recive = {
-            media = false;
-            general = false;
-          };
-        };
         vscode-server.enable = true;
-        cloudflared.enable = false;
-        jellyfin.enable = false;
+        # networking.cloudflared.enable = false;
+        # jellyfin.enable = false;
+        networking.tailscale = {
+          enable = true;
+          runMode = "client";
+        };
       };
     };
 

modules/base/common/secrets/default.nix

@@ -23,7 +23,7 @@ in {
       sshDir = homeDir + "/.ssh";
     in {
       # server
-      cloudflared-hydra = mkIf services.cloudflared.enable {
+      cloudflared-hydra = mkIf services.networking.cloudflared.enable {
         owner = "cloudflared";
         group = "cloudflared";
       };

modules/base/common/services/default.nix

@@ -1,18 +1,16 @@
 _: {
   imports = [
-    ./cloudflared
     ./containers
     ./cyberchef
     ./databases
-    ./dns
     ./forgejo
     ./jellyfin
     ./mailserver
     ./matrix
     ./miniflux
     ./monitoring
+    ./networking
     ./nextcloud
-    ./nginx
     ./photoprism
     ./vaultwarden
     ./wakatime

modules/base/common/services/cloudflared/default.nix → modules/base/common/services/networking/cloudflared/default.nix

@@ -6,7 +6,7 @@
   inherit (lib) mkIf;
   inherit (config.networking) domain;
 in {
-  services.cloudflared = mkIf (config.modules.services.cloudflared.enable) {
+  services.cloudflared = mkIf config.modules.services.networking.cloudflared.enable {
     enable = true;
     tunnels.${config.networking.hostName} = {
       credentialsFile = "${config.sops.secrets.cloudflared-hydra.path}";

modules/base/common/services/networking/default.nix

@@ -0,0 +1,8 @@
+_: {
+  imports = [
+    ./cloudflared
+    ./dns
+    ./nginx
+    ./tailscale
+  ];
+}

modules/base/common/services/dns/adguard/default.nix → modules/base/common/services/networking/dns/adguard/default.nix

@@ -5,7 +5,7 @@
 }: let
   inherit (lib) mkIf;
   inherit (config.networking) domain;
-  cfg = config.modules.services.dns.adguardhome;
+  cfg = config.modules.services.networking.dns.adguardhome;
 in {
   services = mkIf cfg.enable {
     adguardhome = {

modules/base/common/services/dns/nextdns/default.nix → modules/base/common/services/networking/dns/nextdns/default.nix

@@ -5,7 +5,7 @@
 }: let
   inherit (lib) mkIf;
   inherit (config.networking) domain;
-  cfg = config.modules.services.dns.nextdns;
+  cfg = config.modules.services.networking.dns.nextdns;
 in {
   services = mkIf cfg.enable {
     adguardhome = {

modules/base/common/services/nginx/default.nix → modules/base/common/services/networking/nginx/default.nix

@@ -3,11 +3,11 @@
   config,
   ...
 }: let
-  cfg = config.modules.services;
+  cfg = config.modules.services.networking.nginx;
   inherit (lib) mkIf;
   domain = "isabelroses.com";
 in {
-  config = {
+  config = mkIf cfg.enable {
     networking.domain = domain;
 
     security = {
@@ -17,7 +17,7 @@ in {
       };
     };
 
-    services.nginx = mkIf cfg.nginx.enable {
+    services.nginx = {
       enable = true;
       commonHttpConfig = ''
         real_ip_header CF-Connecting-IP;

modules/base/common/services/networking/tailscale/default.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.services.tailscale) interfaceName port;
+  inherit (lib) mkIf optionals;
+
+  cfg = config.modules.services.networking.tailscale;
+in {
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [tailscale];
+
+    networking.firewall = {
+      trustedInterfaces = [interfaceName];
+      allowedUDPPorts = [port];
+      checkReversePath = "loose";
+    };
+
+    boot.kernel.sysctl = mkIf (cfg.runMode == "server") {
+      # https://tailscale.com/kb/1103/exit-nodes/#enable-ip-forwarding
+      "net.ipv4.ip_forward" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+    };
+
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = cfg.runMode;
+      extraUpFlags =
+        [
+          "--ssh"
+        ]
+        ++ optionals (cfg.runMode == "server") [
+          "--advertise-exit-node"
+        ];
+      permitCertUid = mkIf (cfg.runMode != "server") "root";
+    };
+  };
+}

modules/base/options/services/default.nix

@@ -3,7 +3,7 @@
   lib,
   ...
 }: let
-  inherit (lib) mkEnableOption;
+  inherit (lib) mkEnableOption mkOption types;
   cfg = config.modules.services;
 
   # mkEnableOption is the same as mkEnableOption but with the default value being equal to cfg.monitoring.enable
@@ -20,8 +20,6 @@ in {
     vscode-server.enable = mkEnableOption "Enables remote ssh vscode server";
     isabelroses-web.enable = mkEnableOption "Enables my website";
     searxng.enable = mkEnableOption "Enables searxng search engine service";
-    nginx.enable = mkEnableOption "Enables nginx webserver";
-    cloudflared.enable = mkEnableOption "Enables cloudflared tunnels";
     wakapi.enable = mkEnableOption "Enables wakapi";
     jellyfin.enable = mkEnableOption "Enables the jellyfin service";
 
@@ -46,9 +44,23 @@ in {
       redis.enable = mkEnableOption "Redis service";
     };
 
-    dns = {
-      nextdns.enable = mkEnableOption "Enables the nextdns dns services";
-      adguardhome.enable = mkEnableOption "Enables the adguardhome dns service";
+    networking = {
+      tailscale = {
+        enable = mkEnableOption "Enable tailscale server service";
+        runMode = mkOption {
+          type = types.enum ["client" "server" "both"];
+          default = "client";
+          description = "The bootloader that should be used for the device.";
+        };
+      };
+
+      nginx.enable = mkEnableOption "Enables nginx webserver";
+      cloudflared.enable = mkEnableOption "Enables cloudflared tunnels";
+
+      dns = {
+        nextdns.enable = mkEnableOption "Enables the nextdns dns services";
+        adguardhome.enable = mkEnableOption "Enables the adguardhome dns service";
+      };
     };
 
     smb = {

modules/profiles/server/services/default.nix

@@ -3,7 +3,14 @@
 in {
   config.modules.services = {
     vscode-server.enable = mkDefault true;
-    nginx.enable = mkDefault true;
-    # cloudflared.enable = true;
+
+    networking = {
+      nginx.enable = mkDefault true;
+
+      tailscale = {
+        enable = true;
+        runMode = "server";
+      };
+    };
   };
 }