feat: enable tailscale

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-07-02 22:44:45 +02:00 · 2025-07-02 22:44:45 +02:00 · 77d8363b68
commit 77d8363b68
parent 887f26dbbd
3 changed files with 77 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,6 +1,8 @@
 keys:
  - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
  - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
+  - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
+  - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
  - &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza

 creation_rules:
@ -16,6 +18,14 @@ creation_rules:
          - *wodan
        pgp:
          - *lander
+  - path_regex: hosts/common/servers/secrets.yam?l$
+    key_groups:
+      - age:
+          - *db-01
+          - *hosting-01
+          - *mail-01
+        pgp:
+          - *lander
  - path_regex: hosts/mail-01/secrets.yam?l$
    key_groups:
      - age:
--- a/hosts/common/servers/default.nix
+++ b/hosts/common/servers/default.nix
@ -1,4 +1,9 @@
-{ inputs, pkgs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
 {
  imports = [
    inputs.disko.nixosModules.disko
@ -25,6 +30,21 @@
    ];
  };

+  sops.secrets.tailscale-authkey = {
+    owner = "root";
+    group = "root";
+    sopsFile = ./secrets.yaml;
+  };
+
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    extraUpFlags = [
+      "--login-server=https://headscale.escapeangle.com"
+    ];
+    authKeyFile = config.sops.secrets.tailscale-authkey.path;
+  };
+
  nix = {
    settings = {
      trusted-users = [ "lander" ];
--- a/hosts/common/servers/secrets.yaml
+++ b/hosts/common/servers/secrets.yaml
@ -0,0 +1,46 @@
+tailscale-authkey: ENC[AES256_GCM,data:qXgDw5Ua+J7XinLap+sco/9lVM/NMaj4Tpy6hlUJ+tcRoiSFVV1dQB1w20tt8/Rg,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:J3hI/0BP99yjw6juYX/JSw==,type:str]
+sops:
+    age:
+        - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVVNJRFc4S2NOVTdVZGFu
+            VjVPSXlJcytGTUdSZ2RhZ0UraElweVVVTUZZClF6SWs2NkdnVUdDVmFPUXhDeGE3
+            RFJaV1c5QVQ4NEFjWVowU21hL2IyRFUKLS0tIE5rZVQzY1FSYmRWT1JaNDgzZXB1
+            bHlYRWF1TWVkTTZ2SzdXbENPc1U2VmcKTPJ3SeHHoA5FOvOUMiWJdcKYGr9aXriZ
+            DuW/ijGrVV5zELOgXc/vAOSrsE9ZYW83QDXB80NRvOUnRNGyaax5Sg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSHZNazl3WVJIL2N6dUx6
+            cUVZZCtpZWVnVklkU0FnL2REYkZuc0JPREgwCnFIZ2lyMW1HdjZLNDRpRTczMmJC
+            eDJLSkw2S0dyWXBSNlpPOTRJU0ZNQ28KLS0tIHErZENXUkJnektyazdFS2FNQ1JU
+            ZFhhRm92SFpCc042U1p2VkE1a0dOZDAKFZuxY5YkAeINQRX/kcxAxIQMSEa7FATx
+            8v8eFMZLCpHH3wS2+CgtAzxxDX4bIMsPhwDa4C1bvtWkGmUg/2R86Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZnhqOGtXS1RMY3BaRjdz
+            M2ViM3c2QzhCbTMvejdaOU9sRHd6M0ZzRHdRCnVmd0xiSUNqOHBaZGFkcmpaRU95
+            cW5oMHNycjZJN0RCc25tanJSQ1Q0TmMKLS0tIG9KeTdjdTJ2Vk43Um5BWmZVYlJ0
+            SnBFVkJBMk5DdDR0YlpjbHFDVlFDTHMKtjJMgkybidVzSvSCjrdUVgAXjLzhWBv/
+            x7nYJp7O5PqKZRcWdmpDp6bNG4+ENrtnMBXw1AwR2iWvlZC9YOtmdw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-02T21:02:01Z"
+    mac: ENC[AES256_GCM,data:oxLmFXvuLNbdiLFC8BCh8jb1gMctbdJeS88xuv27etLgn0P38KI2G4OFg7T03s/QK26lWvwt/0FSGc6o51p6FZ2KJLL8FtB96x2Q1QaJqNIUmU5WWnaJhQfRxiE+IDJgS4DkFYs8FMQhMorr1X8iVhQhoxpB5qKs7kVARAyF1FU=,iv:qhxdpeZCzEMoKJw5oVI6S1Y2OqpHRo67oI1guC1iRdM=,tag:F/YhPTth3NNtCZ/RVlQF1g==,type:str]
+    pgp:
+        - created_at: "2025-07-02T21:01:46Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DARdpY4woM6wSAQdAVK+ifhksSiXmYzGNYQcv2dZbhYrgQQSsqmIKMfyYuk4w
+            SEEGAA7mcqg9j4Cd2ozLnsX/3p5q41cdRapC0r4Tx/pW5dhE53g+K1OWkKNoq/1f
+            0l4BG9rFb0AiidaQU/A2WcOZ7Idgy4CuimDCVW1j6Th6k3QHkVDdCv4oQRTVc48P
+            48VQ2A1jp0gyRQHFbjE1dwUSSvLrFaJu3O7kGz7WuCwAZH25HonUx9ParK18nB+j
+            =jICO
+            -----END PGP MESSAGE-----
+          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2