From 5001e70c14ecbdfe64211eaf90a829ce73d1791c Mon Sep 17 00:00:00 2001 From: Toast Date: Wed, 17 Jul 2024 19:06:24 +0200 Subject: [PATCH 1/3] Change my tailscale network name --- .justfile | 4 ++-- flake.lock | 4 ++-- flake.nix | 2 +- roles/common/programs/git.nix | 2 +- roles/desktop/programs/ssh.nix | 4 ++-- roles/server/dns.nix | 12 ++++++------ roles/server/forgejo.nix | 6 +++--- roles/server/nfs.nix | 2 +- roles/server/syncthing.nix | 4 ++-- roles/server/transmission.nix | 8 ++++---- 10 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.justfile b/.justfile index c03f8d8..09e5f48 100644 --- a/.justfile +++ b/.justfile @@ -19,8 +19,8 @@ update-input input: nix flake lock --update-input {{input}} @edit-secrets: - git clone ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets.git /tmp/secrets - sed -i 's\git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix + git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets + sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix just -q update-input secrets echo "{{bold}}All done!" echo "{{normal}}Remember to restore flake.nix" diff --git a/flake.lock b/flake.lock index ff3b031..bcc1ee7 100644 --- a/flake.lock +++ b/flake.lock @@ -527,11 +527,11 @@ "rev": "08944755d22a7499b0b3fd39d48fdf1dabf4c83f", "revCount": 19, "type": "git", - "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets" + "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets" }, "original": { "type": "git", - "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets" + "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets" } }, "systems": { diff --git a/flake.nix b/flake.nix index c7d95cc..c2385d3 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,7 +3,7 @@ inputs = { secrets = { - url = "git+ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"; + url = "git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"; flake = false; }; nixpkgs-raw.url = "nixpkgs/nixos-24.05"; diff --git a/roles/common/programs/git.nix b/roles/common/programs/git.nix index 02dc612..037bc6d 100644 --- a/roles/common/programs/git.nix +++ b/roles/common/programs/git.nix @@ -1,6 +1,6 @@ {...}: { programs.ssh.knownHosts = { - "[git.everest.sable-pancake.ts.net]:4222".publicKey = '' + "[git.everest.tailscale]:4222".publicKey = '' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoUcWx56NZ3kqydN3d0gLNz6SlBm1ArkHhqR9Fwd8qs ''; }; diff --git a/roles/desktop/programs/ssh.nix b/roles/desktop/programs/ssh.nix index 4e1bd2f..8449fe4 100644 --- a/roles/desktop/programs/ssh.nix +++ b/roles/desktop/programs/ssh.nix @@ -2,7 +2,7 @@ programs.ssh.knownHosts = { everest = { hostNames = [ - "everest.sable-pancake.ts.net" + "everest.tailscale" "toast003.xyz" ]; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqfABZKnF5YYGZTOKuT7m+sOnUqBQSvLke9c3JDsF5s"; @@ -15,7 +15,7 @@ matchBlocks = { "everest" = { host = "everest"; - hostname = "everest.sable-pancake.ts.net"; + hostname = "everest.tailscale"; forwardAgent = true; sendEnv = ["COLORTERM"]; }; diff --git a/roles/server/dns.nix b/roles/server/dns.nix index e1c92c7..88402e1 100644 --- a/roles/server/dns.nix +++ b/roles/server/dns.nix 
@@ -16,18 +16,18 @@ dns-loop-detect = true; host-record = [ - "winmax2,winmax2.sable-pancake.ts.net,100.106.73.20" - "everest,everest.sable-pancake.ts.net,100.73.96.48" - "archie,archie.sable-pancake.ts.net,100.113.139.93" - "steamdeck,steamdeck.sable-pancake.ts.net,100.85.48.85" - "surfacego,surfacego.sable-pancake.ts.net,100.96.92.13" + "winmax2,winmax2.tailscale,100.106.73.20" + "everest,everest.tailscale,100.73.96.48" + "archie,archie.tailscale,100.113.139.93" + "steamdeck,steamdeck.tailscale,100.85.48.85" + "surfacego,surfacego.tailscale,100.96.92.13" ]; # If this isn't set a cname that targets a host might return the wrong ip localise-queries = true; ## IPv6 is not a thing in Spain so I'm guaranteed to not use it filter-AAAA = true; - domain = "sable-pancake.ts.net"; + domain = "tailscale"; domain-needed = true; }; }; diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix index af99060..cc16a44 100644 --- a/roles/server/forgejo.nix +++ b/roles/server/forgejo.nix @@ -30,7 +30,7 @@ in { }; server = { OFFLINE_MODE = false; - ROOT_URL = "http://git.everest.sable-pancake.ts.net"; + ROOT_URL = "http://git.everest.tailscale"; START_SSH_SERVER = true; SSH_PORT = 4222; SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path; @@ -45,7 +45,7 @@ in { }; # Add a cname for forgejo - services.dnsmasq.settings.cname = ["git.everest.sable-pancake.ts.net,everest"]; + services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"]; # Set up traefik as the reverse proxy for Forgejo services.traefik = { @@ -53,7 +53,7 @@ in { http = { routers = { forgejo-subpath = { - rule = "Host(`git.everest.sable-pancake.ts.net`)"; + rule = "Host(`git.everest.tailscale`)"; service = "forgejo"; }; }; diff --git a/roles/server/nfs.nix b/roles/server/nfs.nix index 22dbe91..37e472d 100755 --- a/roles/server/nfs.nix +++ b/roles/server/nfs.nix 
@@ -2,7 +2,7 @@ services = { nfs.server = { enable = true; - exports = "/srv/nfs *.sable-pancake.ts.net(ro,fsid=root)"; + exports = "/srv/nfs *.tailscale(ro,fsid=root)"; # NFSv3 uses random ports, so you need to make them static to be able to pass though the firewall statdPort = 4000; lockdPort = 4001; diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix index 137c32b..c581918 100755 --- a/roles/server/syncthing.nix +++ b/roles/server/syncthing.nix @@ -34,7 +34,7 @@ }; # Add a cname for syncthing - services.dnsmasq.settings.cname = ["sync.everest.sable-pancake.ts.net,everest"]; + services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"]; # Set up traefik as the reverse proxy for syncthing services.traefik = { @@ -42,7 +42,7 @@ http = { routers = { syncthing-subdomain = { - rule = "Host(`sync.everest.sable-pancake.ts.net`)"; + rule = "Host(`sync.everest.tailscale`)"; service = "syncthing"; }; }; diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix index 9b90f1b..ec28ab8 100755 --- a/roles/server/transmission.nix +++ b/roles/server/transmission.nix @@ -9,7 +9,7 @@ in { settings = { incomplete-dir-enabled = false; rpc-bind-address = "0.0.0.0"; - rpc-host-whitelist = "transmission.everest.sable-pancake.ts.net"; + rpc-host-whitelist = "transmission.everest.tailscale"; rpc-whitelist = "127.0.0.1"; }; }; @@ -20,7 +20,7 @@ in { mountPoint = "/srv/nfs/transmission"; options = ["bind"]; }; - services.nfs.server.exports = "${mountPoint} *.sable-pancake.ts.net(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})"; + services.nfs.server.exports = "${mountPoint} *.tailscale(ro,all_squash,anonuid=${transmissionUid},anongid=${transmissionGid})"; services.avahi.extraServiceFiles = { Transmission-downloads-nfs = '' 
@@ -38,7 +38,7 @@ in { }; # Add a cname for transmission - services.dnsmasq.settings.cname = ["transmission.everest.sable-pancake.ts.net,everest"]; + services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"]; # Set up traefik as the reverse proxy for transmission services.traefik = { @@ -46,7 +46,7 @@ in { http = { routers = { transmission-subdomain = { - rule = "Host(`transmission.everest.sable-pancake.ts.net`)"; + rule = "Host(`transmission.everest.tailscale`)"; service = "transmission"; }; }; From 863840b2b19bcf47e8ba1ba061f2b0cbc1f4f5ed Mon Sep 17 00:00:00 2001 From: Toast Date: Thu, 18 Jul 2024 00:45:00 +0200 Subject: [PATCH 2/3] Server: replace traefik with caddy --- roles/server/caddy.nix | 11 +++++++++++ roles/server/default.nix | 2 +- roles/server/forgejo.nix | 22 +++++++--------------- roles/server/syncthing.nix | 22 +++++++--------------- roles/server/traefik.nix | 31 ------------------------------- roles/server/transmission.nix | 22 +++++++--------------- 6 files changed, 33 insertions(+), 77 deletions(-) create mode 100644 roles/server/caddy.nix delete mode 100644 roles/server/traefik.nix diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix new file mode 100644 index 0000000..d963527 --- /dev/null +++ b/roles/server/caddy.nix @@ -0,0 +1,11 @@ +{...}: { + services.caddy = { + enable = true; + extraConfig = '' + (tailscale) { + tls internal + bind 100.73.96.48 + } + ''; + }; +} diff --git a/roles/server/default.nix b/roles/server/default.nix index 7468b3c..5e32379 100755 --- a/roles/server/default.nix +++ b/roles/server/default.nix @@ -11,7 +11,7 @@ ./ddclient.nix ./beep.nix ./tailscale.nix - ./traefik.nix + ./caddy.nix ./dns.nix ./rust_motd.nix ]; diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix index cc16a44..65fbf83 100644 --- a/roles/server/forgejo.nix +++ b/roles/server/forgejo.nix 
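Review bot: The `bind 100.73.96.48` line in the new `(tailscale)` snippet brings back the boot-ordering problem the deleted roles/server/traefik.nix (patch 2, hunk `@@ -1,31 +0,0 @@`) worked around: that file made traefik require tailscaled (`systemd.units.tailscaled.requiredBy`) and set `RestartSec = 120` because binding to the Tailscale address before the interface exists crashed the proxy, and none of it is carried over to caddy. Caddy will hit the same bind failure on an early boot and the unit's default restart policy may give up before tailscale0 is up, so I would add `systemd.units.tailscaled.requiredBy = ["caddy.service"];` and `systemd.services.caddy.serviceConfig.RestartSec = 120;` here, with the original explanatory comment. The removed file also opened TCP 80 and 8080, while `tls internal` makes Caddy listen on 443 and redirect 80 to it; unless tailscale0 is a trusted interface elsewhere in the config, `networking.firewall.allowedTCPPorts = [80 443];` is needed, though pinning the listener to the tailnet address is a good improvement over the old plain-HTTP `100.73.96.48:80` entrypoint because it keeps these services off the public interface. Note that `tls internal` issues certificates from Caddy's own local CA, so clients will see trust warnings until that root is distributed to them.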
@@ -47,20 +47,12 @@ in { # Add a cname for forgejo services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"]; - # Set up traefik as the reverse proxy for Forgejo - services.traefik = { - dynamicConfigOptions = { - http = { - routers = { - forgejo-subpath = { - rule = "Host(`git.everest.tailscale`)"; - service = "forgejo"; - }; - }; - services.forgejo.loadBalancer.servers = [ - {url = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";} - ]; - }; - }; + # Set up caddy as the reverse proxy for Forgejo + services.caddy.virtualHosts.forgejo = { + hostName = "git.everest.tailscale"; + extraConfig = '' + import tailscale + reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT} + ''; }; } diff --git a/roles/server/syncthing.nix b/roles/server/syncthing.nix index c581918..f684129 100755 --- a/roles/server/syncthing.nix +++ b/roles/server/syncthing.nix @@ -36,20 +36,12 @@ # Add a cname for syncthing services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"]; - # Set up traefik as the reverse proxy for syncthing - services.traefik = { - dynamicConfigOptions = { - http = { - routers = { - syncthing-subdomain = { - rule = "Host(`sync.everest.tailscale`)"; - service = "syncthing"; - }; - }; - services.syncthing.loadBalancer.servers = [ - {url = "http://localhost:8384";} - ]; - }; - }; + # Set up caddy as the reverse proxy for syncthing + services.caddy.virtualHosts.syncthing = { + hostName = "sync.everest.tailscale"; + extraConfig = '' + import tailscale + reverse_proxy localhost:8384 + ''; }; } diff --git a/roles/server/traefik.nix b/roles/server/traefik.nix deleted file mode 100644 index 171f64d..0000000 --- a/roles/server/traefik.nix +++ /dev/null 
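Review bot: The new `forgejo` virtual host serves HTTPS (the imported `tailscale` snippet sets `tls internal`), but `ROOT_URL` earlier in this file — outside the hunk, set to `http://git.everest.tailscale` in patch 1 — still advertises plain HTTP, so Forgejo will generate http:// links and HTTP clone URLs that only work via Caddy's redirect, and I believe it also derives the session cookie's Secure flag from the ROOT_URL scheme, so the cookie is sent without it. It should become `ROOT_URL = "https://git.everest.tailscale";`, and deriving both `hostName` and `ROOT_URL` from one `let` binding, as patch 3 does with `manualHostname`, avoids the two drifting apart again. The same http-to-https scheme change applies to the syncthing hunk on this line and the transmission hunk that follows, where any stored absolute URLs or host whitelists assumed plain HTTP under Traefik.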
@@ -1,31 +0,0 @@ -{...}: { - specialisation.traefikEnableWebUI.configuration.services.traefik = { - staticConfigOptions = { - api = { - # Enable the web ui - insecure = true; - dashboard = true; - }; - }; - }; - - services.traefik = { - enable = true; - staticConfigOptions = { - entryPoints = { - http = {address = "100.73.96.48:80";}; - }; - }; - }; - - systemd = { - units.tailscaled.requiredBy = ["traefik.service"]; - # We have somewhat frequent power outages, and our ISP router takes - # ages to boot up. If I don't add a delay, traefik tries to bind to - # the tailscale interface before it's ready, making it crash too much - # in too little time - services.traefik.serviceConfig.RestartSec = 120; - }; - - networking.firewall.allowedTCPPorts = [80 8080]; -} diff --git a/roles/server/transmission.nix b/roles/server/transmission.nix index ec28ab8..e52f286 100755 --- a/roles/server/transmission.nix +++ b/roles/server/transmission.nix @@ -40,20 +40,12 @@ in { # Add a cname for transmission services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"]; - # Set up traefik as the reverse proxy for transmission - services.traefik = { - dynamicConfigOptions = { - http = { - routers = { - transmission-subdomain = { - rule = "Host(`transmission.everest.tailscale`)"; - service = "transmission"; - }; - }; - services.transmission.loadBalancer.servers = [ - {url = "http://localhost:${toString config.services.transmission.settings.rpc-port}";} - ]; - }; - }; + # Set up caddy as the reverse proxy for transmission + services.caddy.virtualHosts.transmission = { + hostName = "transmission.everest.tailscale"; + extraConfig = '' + import tailscale + reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port} + ''; }; } From e1f4b528c6aee4564cfc0973e7f184cd2f66b258 Mon Sep 17 00:00:00 2001 
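Review bot: The `reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}` line makes every tailnet peer that can reach the virtual host look like 127.0.0.1 to Transmission, and `rpc-whitelist = "127.0.0.1"` (earlier in this file, outside the hunk) is the only access check Transmission applies, so the proxied RPC endpoint is effectively unauthenticated to the whole tailnet; this was already true under Traefik, but it deserves to be stated now that the proxy is being rewritten. If that is intended, a comment such as `# RPC access is gated by the tailnet only: caddy binds the tailscale address and transmission trusts 127.0.0.1` documents the decision; otherwise `rpc-authentication-required = true` with credentials kept out of the store (the module's `credentialsFile`, I believe) would add a second factor. The surrounding `in { … }` block starts outside the hunk.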
From: Toast
Date: Thu, 18 Jul 2024 00:55:00 +0200
Subject: [PATCH 3/3] Server/caddy: serve the NixOS manual
---
 roles/server/caddy.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix
index d963527..f643527 100644
--- a/roles/server/caddy.nix
+++ b/roles/server/caddy.nix
@@ -1,4 +1,6 @@
-{...}: {
+{config, ...}: let
+ manualHostname = "manual.everest.tailscale";
+in {
 services.caddy = {
 enable = true;
 extraConfig = ''
@@ -7,5 +9,14 @@
 bind 100.73.96.48
 }
 '';
+ virtualHosts.nixos-manual = {
+ hostName = manualHostname;
+ extraConfig = ''
+ import tailscale
+ file_server
+ root * ${config.system.build.manual.manualHTML}/share/doc/nixos
+ '';
+ };
 };
+ services.dnsmasq.settings.cname = ["${manualHostname},everest"];
 }
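Review bot: `root * ${config.system.build.manual.manualHTML}/share/doc/nixos` ties evaluation of caddy.nix to `system.build.manual`, which I believe is only defined while `documentation.nixos.enable` is true, so turning that off to speed up rebuilds would make this file fail to evaluate rather than just drop the site; wrapping the `nixos-manual` vhost and its cname in `lib.mkIf config.documentation.nixos.enable` (adding `lib` to the function arguments) makes the dependency explicit. The `manualHostname` `let` binding is the right pattern — forgejo.nix, syncthing.nix and transmission.nix still repeat their hostname literal in both `hostName` and the dnsmasq cname, and could be brought in line. A one-line comment on the vhost, e.g. `# Serve this system's NixOS manual over the tailnet (local CA TLS via the tailscale snippet)`, would help the next reader.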