From d8f281200351758c62ddff1edc2991d44092d868 Mon Sep 17 00:00:00 2001
From: Toast
Date: Sat, 13 Dec 2025 15:24:18 +0100
Subject: [PATCH 1/4] Server/caddy: wait for tailscale ip before starting

---
 roles/server/caddy.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/roles/server/caddy.nix b/roles/server/caddy.nix
index 6542295..14ef62a 100644
--- a/roles/server/caddy.nix
+++ b/roles/server/caddy.nix
@@ -11,6 +11,19 @@
 file_server browse
 root * /srv/dl/
 '';
+ script = pkgs.writeShellApplication {
+ name = "wait-for-tailscale-ip";
+ runtimeInputs = [pkgs.iproute2];
+ text = ''
+ # Based on https://github.com/tailscale/tailscale/issues/11504#issuecomment-2113331262
+ echo Waiting for tailscale0 to get an IP adress..
+ for i in {1..300}; do
+ if ip addr show dev tailscale0 | grep -q 'inet '; then break; fi
+ echo "Waiting $i/240 seconds"
+ sleep 1
+ done
+ '';
+ };
 in {
 services.caddy = {
 enable = true;
@@ -71,6 +84,7 @@ in {
 # in too little time
 services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
 services.caddy.unitConfig.StartLimitBurst = lib.mkForce "infinity";
+ services.caddy.preStart = "${script}/bin/wait-for-tailscale-ip";
 };
 programs.rust-motd.settings.service_status.Caddy = "caddy";
 networking.firewall.allowedTCPPorts = [443 80];

From 2d801ae06a12b83fb9a33bc31baf3324d754c7a1 Mon Sep 17 00:00:00 2001
From: Toast
Date: Sun, 14 Dec 2025 02:16:23 +0100
Subject: [PATCH 2/4] Server/ssh: only allow toast user

---
 roles/server/ssh.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/server/ssh.nix b/roles/server/ssh.nix
index 66e163d..33694c3 100755
--- a/roles/server/ssh.nix
+++ b/roles/server/ssh.nix
@@ -48,6 +48,7 @@ in {
 UseDns = true;
 PermitRootLogin = "no";
 PasswordAuthentication = false;
+ AllowUsers = ["toast"];
 };
 # The forgejo module is fucky so I can't set this with the nixos option
 # https://github.com/NixOS/nixpkgs/issues/306205

From 4828dc5a2100dbb685a97220d3b0830e04810b6c Mon Sep 17 00:00:00 2001
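Review bot: The wait loop in `text` falls through after its last iteration with exit status 0, so a tailscale0 interface that never gets an address only delays Caddy's start instead of being reported; given the restart settings visible in the second hunk, a non-zero exit would let systemd retry the unit rather than start Caddy without the address it is waiting for. A final `ip addr show dev tailscale0 | grep -q 'inet ' || exit 1` after `done` closes that gap. The progress line says `$i/240` while the loop runs `{1..300}`, and "adress" is misspelt; `echo "Waiting $i/300 seconds"` and `IP address..` keep the messages consistent with the loop. A 300 s wait also exceeds systemd's default start timeout of 90 s unless TimeoutStartSec is raised for this unit elsewhere, which the hunk does not show and is worth confirming.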
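Review bot: `services.caddy.preStart` is not an option I recognise on the nixpkgs caddy module; if this tree has a local wrapper that forwards it, as the existing `serviceConfig`/`unitConfig` keys on the lines above suggest, that is fine, otherwise the standard location is `systemd.services.caddy.preStart`. Whichever path is used, the pre-start wait only helps if the unit is also ordered after the tailscale daemon, e.g. `after = ["tailscaled.service"]`, which is outside this hunk. The enclosing attribute set continues past the hunk.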
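Review bot: `AllowUsers = ["toast"]` denies SSH to every other account on this sshd, including any service user that accepts git-over-SSH; the comment two lines below mentions forgejo, and if forgejo's SSH user is served by this daemon it now needs an entry as well, or pushes are rejected before key checks. The restriction itself is a sound hardening step; confirm the first login with a second session still open, since a typo here locks out the only listed user. The later patches in this series merge `borg@…` entries into the same option, which works because it is a merged list.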
From: Toast
Date: Sun, 14 Dec 2025 02:18:31 +0100
Subject: [PATCH 3/4] Server: add borg repos

---
 roles/server/borg.nix | 18 ++++++++++++++++++
 roles/server/default.nix | 1 +
 2 files changed, 19 insertions(+)
 create mode 100644 roles/server/borg.nix

diff --git a/roles/server/borg.nix b/roles/server/borg.nix
new file mode 100644
index 0000000..1c8817d
--- /dev/null
+++ b/roles/server/borg.nix
@@ -0,0 +1,18 @@
+{...}: {
+ services.borgbackup = {
+ repos = {
+ backups = {
+ allowSubRepos = true;
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMtbHUcYanH/guWaKNjGr/IGa8gvI/xRTcNAI9yXhnK BorgBackup backups key"
+ ];
+ };
+ };
+ };
+ services.openssh.settings = {
+ AllowUsers = [
+ "borg@*.tailscale"
+ "borg@192.168.1.0/24"
+ ];
+ };
+}
diff --git a/roles/server/default.nix b/roles/server/default.nix
index 6ffed7e..8bdf5dc 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -14,6 +14,7 @@
 ./headscale.nix
 ./caddy.nix
 ./rust_motd.nix
+ ./borg.nix
 ./adguard.nix
 ./grafana.nix
 ./prometheus.nix

From 9f53c984f4ba97a6442d05abc6f57591c6dd1261 Mon Sep 17 00:00:00 2001
From: Toast
Date: Sun, 14 Dec 2025 21:33:40 +0100
Subject: [PATCH 4/4] Server/borg: allow connections from localhost

---
 roles/server/borg.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/server/borg.nix b/roles/server/borg.nix
index 1c8817d..d69af2f 100644
--- a/roles/server/borg.nix
+++ b/roles/server/borg.nix
@@ -13,6 +13,7 @@
 AllowUsers = [
 "borg@*.tailscale"
 "borg@192.168.1.0/24"
+ "borg@localhost"
 ];
 };
 }
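Review bot: The client key listed under `authorizedKeys` gets full access to the repository, so a compromised or misbehaving backup client can prune or delete its own history; placing the same key under the module's `authorizedKeysAppendOnly` instead makes the server run `borg serve --append-only` for it, and pruning can then be done on the server side. The `"borg@*.tailscale"` pattern is compared against the client's reverse-resolved hostname (UseDns is on in ssh.nix), so it only matches while reverse lookups of tailnet addresses return names ending in `.tailscale`; if the lookup fails the entry silently never matches and only the LAN range admits `borg`. Matching on the tailnet address range, e.g. `"borg@100.64.0.0/10"`, does not depend on name resolution.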
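Review bot: `"borg@localhost"` relies on the loopback address reverse-resolving to exactly `localhost`, because the HOST part of an AllowUsers pattern is matched against the client's resolved name or its IP address; on a host whose /etc/hosts maps `::1` to a different name, or when the lookup fails, the entry does not match and the local backup job is rejected. Adding the literal addresses `"borg@127.0.0.1"` and `"borg@::1"` makes the rule independent of name resolution. The enclosing attribute set starts outside the hunk.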