feat: tailscale

Co-author: NotAShelf <[email protected]>
isabelroses · Nov 14, 2023 · c4cdbcc · c4cdbcc
1 parent 123aa6f
commit c4cdbcc
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 0 deletions.
diff --git a/hosts/bernie/services.nix b/hosts/bernie/services.nix
@@ -10,6 +10,7 @@ _: {
     wakapi.enable = true;
     nginx.enable = true;
     cloudflared.enable = false;
+    headscale.enable = true;
 
     mailserver = {
       enable = true;

diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
@@ -50,6 +50,7 @@ _: {
 
         networking = {
           optimizeTcp = true;
+          tailscale.client.enable = true;
           nftables.enable = true;
         };
 

diff --git a/modules/base/common/services/databases/postgresql/default.nix b/modules/base/common/services/databases/postgresql/default.nix
@@ -22,6 +22,7 @@ in {
         "grafana"
         "vaultwarden"
         "roundcube"
+        "headscale"
       ];
       ensureUsers = [
         {
@@ -48,6 +49,10 @@ in {
           name = "roundcube";
           ensurePermissions."DATABASE roundcube" = "ALL PRIVILEGES";
         }
+        {
+          name = "headscale";
+          ensurePermissions."DATABASE headscale" = "ALL PRIVILEGES";
+        }
       ];
 
       checkConfig = true;

diff --git a/modules/base/common/services/default.nix b/modules/base/common/services/default.nix
@@ -6,6 +6,7 @@ _: {
     ./databases
     ./dns
     ./forgejo
+    ./headscale
     ./jellyfin
     ./mailserver
     ./matrix
@@ -14,6 +15,7 @@ _: {
     ./nextcloud
     ./nginx
     ./photoprism
+    ./tailscale
     ./vaultwarden
     ./wakapi
   ];

diff --git a/modules/base/common/services/headscale/default.nix b/modules/base/common/services/headscale/default.nix
@@ -0,0 +1,67 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.networking) domain;
+
+  cfg = config.modules.services.headscale;
+in {
+  config = mkIf cfg.enable {
+    environment.systemPackages = [config.services.headscale.package];
+
+    services = {
+      headscale = {
+        enable = true;
+        address = "0.0.0.0";
+        port = 8085;
+
+        settings = {
+          server_url = "https://hs.${domain}";
+
+          dns_config = {
+            override_local_dns = true;
+            base_domain = domain;
+            magic_dns = true;
+            domains = ["hs.${domain}"];
+            nameservers = [
+              "1.1.1.1"
+              "1.0.0.1"
+              "9.9.9.9"
+            ];
+          };
+
+          log = {
+            level = "warn";
+          };
+
+          ip_prefixes = [
+            "100.64.0.0/10"
+            "fd7a:115c:a1e0::/48"
+          ];
+
+          db_type = "postgres";
+          db_host = "/run/postgresql";
+          db_name = "headscale";
+          db_user = "headscale";
+
+          # TODO: logtail
+          logtail = {
+            enabled = false;
+          };
+        };
+      };
+
+      nginx.virtualHosts."hs.${domain}" =
+        {
+          locations."/" = {
+            recommendedProxySettings = true;
+            proxyPass = "http://localhost:${toString config.services.headscale.port}";
+            proxyWebsockets = true;
+          };
+        }
+        // lib.sslTemplate;
+    };
+  };
+}
diff --git a/modules/base/common/services/tailscale/default.nix b/modules/base/common/services/tailscale/default.nix
@@ -0,0 +1,42 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.services.tailscale) interfaceName port;
+  inherit (lib) mkIf optionals;
+
+  cfg = config.modules.system.networking.tailscale;
+in {
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [tailscale];
+
+    networking.firewall = {
+      trustedInterfaces = [interfaceName];
+      checkReversePath = mkIf cfg.client.enable "loose";
+      allowedUDPPorts = [port];
+    };
+
+    # https://tailscale.com/kb/1019/subnets/?tab=linux#step-1-install-the-tailscale-client
+    boot.kernel.sysctl = mkIf cfg.server.enable {
+      "net.ipv4.ip_forward" = true;
+      "net.ipv6.conf.all.forwarding" = true;
+    };
+
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures =
+        if cfg.server.enable
+        then "server"
+        else "client";
+      extraUpFlags =
+        [
+          "--ssh"
+        ]
+        ++ optionals cfg.server.enable [
+          "--advertise-exit-node"
+        ];
+    };
+  };
+}
diff --git a/modules/base/options/services/default.nix b/modules/base/options/services/default.nix
@@ -24,6 +24,7 @@ in {
     cloudflared.enable = mkEnableOption "Enables cloudflared tunnels";
     wakapi.enable = mkEnableOption "Enables wakapi";
     jellyfin.enable = mkEnableOption "Enables the jellyfin service";
+    headscale.enable = mkEnableOption "Headscale service";
 
     mailserver = {
       enable = mkEnableOption "Enable the mailserver service";

diff --git a/modules/base/options/system/networking/default.nix b/modules/base/options/system/networking/default.nix
@@ -7,6 +7,17 @@ in {
     optimizeTcp = mkEnableOption "Enable tcp optimizations";
     nftables.enable = mkEnableOption "nftables firewall";
 
+    tailscale = {
+      enable = mkEnableOption "Enable the tailscale service";
+      client.enable = mkEnableOption "Tailscale for inter-machine VPN.";
+      server.enable = mkEnableOption ''
+        Tailscale inter-machine VPN exit node.
+
+        This option is mutually exlusive with {option}`tailscale.client.enable` as they both
+        configure Taiscale, but with different flags
+      '';
+    };
+
     wirelessBackend = mkOption {
       type = types.enum ["iwd" "wpa_supplicant"];
       default = "iwd";