diff --git a/Justfile b/Justfile index d3f1524b..86532558 100644 --- a/Justfile +++ b/Justfile @@ -85,16 +85,19 @@ yabai-reload: ############################################################################ # -# Idols, Commands related to my remote distributed building cluster +# Colmena - Remote NixOS deployment # ############################################################################ -idols-ssh-key: - ssh-add ~/.ssh/ai-idols +colmena-ssh-key: + ssh-add /etc/agenix/ssh-key-romantic -idols: idols-ssh-key +dist: colmena apply --on '@dist-build' +dist-debug: + colmena apply --on '@dist-build' --verbose --show-trace + aqua: colmena apply --on '@aqua' @@ -104,21 +107,21 @@ ruby: kana: colmena apply --on '@kana' -idols-debug: idols-ssh-key - colmena apply --on '@dist-build' --verbose --show-trace +tailscale-gw: + colmena apply --on '@tailscale-gw' -# only used once to setup the virtual machines -idols-image: - # take image for idols, and upload the image to proxmox nodes. +pve-image: nom build .#aquamarine - scp result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst + rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst nom build .#ruby - scp result root@s500plus:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst + rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-ruby.vma.zst nom build .#kana - scp result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst + rsync -avz --progress --copy-links result root@um560:/var/lib/vz/dump/vzdump-qemu-kana.vma.zst + nom build .#tailscale_gw + rsync -avz --progress --copy-links result root@s500plus:/var/lib/vz/dump/vzdump-qemu-tailscale-gw.vma.zst ############################################################################ # 
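Review bot: In `pve-image`, `rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst` copies `result` as a whole; if `result` is the directory the README's step 2 shows (`result/vzdump-qemu-...vma.zst`), rsync will create a directory named `vzdump-qemu-aquamarine.vma.zst` on the Proxmox node instead of the archive Proxmox lists under backups. Point rsync at the archive inside it, e.g. `rsync -avz --progress --copy-links result/*.vma.zst root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst`, and likewise for the ruby, kana and tailscale_gw lines. Separately, `dist`, `dist-debug` and the per-host recipes no longer list `colmena-ssh-key` as a prerequisite, so the key must now be loaded by hand before any deploy; if that is intended, a comment on `colmena-ssh-key` saying so would help. Also note `/etc/agenix/ssh-key-romantic` is an agenix-managed secret path, and `ssh-add` run as an unprivileged user will presumably only succeed if the secret's owner/mode allow it — worth confirming.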
@@ -126,10 +129,10 @@ idols-image: # ############################################################################ -roll: idols-ssh-key +roll: colmena apply --on '@riscv' -roll-debug: idols-ssh-key +roll-debug: colmena apply --on '@dist-build' --verbose --show-trace nozomi: diff --git a/README.md b/README.md index cbcc4e40..ce052d26 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,7 @@ nom build .#aquamarine # `nom`(nix-output-monitor) can be replaced by the stand # 2. upload the genereated image to proxmox server's backup directory `/var/lib/vz/dump` # please replace the vma file name with the one you generated in step 1. -scp result/vzdump-qemu-aquamarine-nixos-23.11.20230603.dd49825.vma.zst root@192.168.5.174:/var/lib/vz/dump +rsync -avz --progress --copy-links result root@gtr5:/var/lib/vz/dump/vzdump-qemu-aquamarine.vma.zst # 3. the image we uploaded will be listed in proxmox web ui's this page: [storage 'local'] -> [backups], we can restore a vm from it via the web ui now. ``` @@ -146,7 +146,7 @@ Once the virtual machine `aquamarine` is created, we can deploy updates to it wi ```shell # 1. add the ssh key to ssh-agent -ssh-add ~/.ssh/ai-idols +ssh-add /etc/agenix/ssh-key-romantic # 2. deploy the configuration to all the remote host with tag `@dist-build` # using the ssh key we added in step 1 diff --git a/hosts/12kingdoms_shoukei/default.nix b/hosts/12kingdoms_shoukei/default.nix index e1c27b45..c0d64fa2 100644 --- a/hosts/12kingdoms_shoukei/default.nix +++ b/hosts/12kingdoms_shoukei/default.nix 
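Review bot: `roll-debug` still deploys `@dist-build` while `roll` deploys `@riscv`, so the debug recipe does not exercise the hosts its name refers to; change it to `colmena apply --on '@riscv' --verbose --show-trace`. Like `dist`, both recipes dropped the ssh-key prerequisite, so `colmena apply` will presumably fail to authenticate until `just colmena-ssh-key` has been run in the same agent session; a comment on `roll` stating that expectation would help.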
@@ -1,15 +1,14 @@ -{ - pkgs, - nixos-hardware, - ... -} @ args: +{nixos-hardware, ...}: ############################################################# # # Shoukei - NixOS running on Macbook Pro 2020 I5 16G # https://github.com/NixOS/nixos-hardware/tree/master/apple/t2 # ############################################################# -{ +let + hostName = "shoukei"; # Define your hostname. + vars = import ../vars.nix; +in { imports = [ nixos-hardware.nixosModules.apple-t2 ./apple-set-os-loader.nix @@ -23,23 +22,11 @@ boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { - hostName = "shoukei"; # Define your hostname. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; + # configures the network interface(include wireless) via `nmcli` & `nmtui` networkmanager.enable = true; - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; }; # This value determines the NixOS release from which the default diff --git a/hosts/12kingdoms_shoukei/hardware-configuration.nix b/hosts/12kingdoms_shoukei/hardware-configuration.nix index 57c5cd05..18ccd804 100644 --- a/hosts/12kingdoms_shoukei/hardware-configuration.nix +++ b/hosts/12kingdoms_shoukei/hardware-configuration.nix @@ -29,7 +29,7 @@ # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; - # supported fil systems, so we can mount any removable disks with these filesystems + # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = lib.mkForce [ "ext4" "btrfs" 
diff --git a/hosts/12kingdoms_suzu/default.nix b/hosts/12kingdoms_suzu/default.nix index 0802d2e9..6875cfbd 100644 --- a/hosts/12kingdoms_suzu/default.nix +++ b/hosts/12kingdoms_suzu/default.nix @@ -1,38 +1,28 @@ {nixos-rk3588, ...}: ############################################################# # -# Aquamarine - A NixOS VM running on Proxmox +# Suzu - Orange Pi 5, RK3588s # ############################################################# -{ +let + hostName = "suzu"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { imports = [ # import the rk3588 module, which contains the configuration for bootloader/kernel/firmware nixos-rk3588.nixosModules.orangepi5 ]; networking = { - hostName = "suzu"; # Define your hostname. - wireless.enable = false; # Enables wireless support via wpa_supplicant. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; + networkmanager.enable = false; - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - interfaces.end1 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.107"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; }; # This value determines the NixOS release from which the default diff --git a/hosts/README.md b/hosts/README.md index 16e0ea9c..847eb228 100644 --- a/hosts/README.md +++ b/hosts/README.md @@ -1,6 +1,6 @@ # Hosts -1. macOS(darwin) +1. `darwin`(macOS) 1. `fern`: MacBook Pro 2022 13-inch M2 16G, mainly for business. 1. `harmonica`: MacBook Pro 2020 13-inch i5 16G, for personal use. 2. `idols` 
@@ -15,7 +15,8 @@ 4. `12kingdoms`: 1. `shoukei`: NixOS on Macbook Pro 2022 Intel i5, 13.3-inch, 16G RAM + 512G SSD. 1. `suzu`: Orange Pi 5, RK3588s(4xA76 + 4xA55), GPU(4Cores, Mail-G610), NPU(6Tops@int8), 8G RAM + 256G SSD. - +5. Homelab: + 1. `tailscale-gw`: A tailscale subnet router(gateway) for accessing my homelab remotely. NixOS VM running on Proxmox. # idols - Oshi no Ko diff --git a/hosts/homelab_tailscale_gw/default.nix b/hosts/homelab_tailscale_gw/default.nix new file mode 100644 index 00000000..7a85aa77 --- /dev/null +++ b/hosts/homelab_tailscale_gw/default.nix @@ -0,0 +1,43 @@ +############################################################# +# +# Tailscale Gateway(homelab subnet router) - a NixOS VM running on Proxmox +# +############################################################# +let + hostName = "tailscale-gw"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { + imports = [ + ./tailscale.nix + ]; + + # supported file systems, so we can mount any removable disks with these filesystems + boot.supportedFilesystems = [ + "ext4" + "btrfs" + "xfs" + "fat" + "vfat" + "exfat" + ]; + + networking = { + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; + + networkmanager.enable = false; + interfaces.ens18 = { + useDHCP = false; + ipv4.addresses = [hostAddress]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.11"; # Did you read the comment? +} 
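Review bot: In `hosts/homelab_tailscale_gw/default.nix`, `boot.supportedFilesystems` and its comment (`so we can mount any removable disks`) are copied from the workstation hosts; a headless Proxmox VM acting as a subnet router has no removable disks, and every listed filesystem adds kernel modules and userland tools to an image that is reachable from the tailnet. Keep only what the VM's own disk layout needs and reword the comment, or drop the list and rely on the defaults. A one-line comment that this module is deliberately a plain attribute set (no `{...}:` header, unlike `shoukei` and `suzu` in this commit) would also help readers.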
diff --git a/hosts/homelab_tailscale_gw/tailscale.nix b/hosts/homelab_tailscale_gw/tailscale.nix
new file mode 100644
index 00000000..28f97f99
--- /dev/null
+++ b/hosts/homelab_tailscale_gw/tailscale.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+# =============================================================
+#
+# Tailscale - your own private network(VPN) that uses WireGuard
+#
+# It's open souce and free for personal use,
+# and it's really easy to setup and use.
+# Tailscale has great client coverage for Linux, windows, Mac, android, and iOS.
+# Tailscale is more mature and stable compared to other alternatives such as netbird/netmaker.
+# Maybe I'll give netbird/netmaker a try when they are more mature, but for now, I'm sticking with Tailscale.
+#
+# How to use:
+# 1. Create a Tailscale account at https://login.tailscale.com
+# 2. Login via `tailscale login`
+# 3. join into your Tailscale network via `tailscale up --advertise-routes 192.168.5.0/24`
+# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
+#
+# Status Data:
+# `journalctl -u tailscaled` shows tailscaled's logs
+# logs indicate that tailscale store its data in /var/lib/tailscale
+# which is already persistent across reboots(via impermanence.nix)
+#
+# References:
+# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/tailscale.nix
+#
+# =============================================================
+{
+ # make the tailscale command usable to users
+ environment.systemPackages = [pkgs.tailscale];
+
+ # enable the tailscale service
+ services.tailscale = {
+ enable = true;
+ port = 41641;
+ interfaceName = "tailscale0";
+ # allow the Tailscale UDP port through the firewall
+ openFirewall = true;
+ useRoutingFeatures = "server";
+ extraUpFlags = "--advertise-routes 192.168.5.0/24";
+ # authKeyFile = "/var/lib/tailscale/authkey";
+ };
+}
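Review bot: `extraUpFlags = "--advertise-routes 192.168.5.0/24";` is a string, but in the nixos-23.11 module this file links to, `services.tailscale.extraUpFlags` is typed `listOf str`, so evaluating this host should fail with a type error; write it as `extraUpFlags = ["--advertise-routes" "192.168.5.0/24"];` (the `--accept-routes` line in `modules/nixos/desktop/remote-desktop/tailscale.nix` has the same problem). In that module the flags are only passed by the `tailscaled-autoconnect` unit, which exists only when `authKeyFile` is set, so with `authKeyFile` commented out the option is inert and step 3 of the header (a manual `tailscale up --advertise-routes ...`) is what actually applies the route; a comment next to `extraUpFlags` saying so would avoid surprises. With `useRoutingFeatures = "server"` the module turns on IP forwarding and nothing in this file restricts what forwarded traffic may reach, so every tailnet peer that is granted the route by the Tailscale ACL and route approval gets the whole `192.168.5.0/24`; please state in the header that the tailnet ACL is the only access control for the LAN, or add a `networking.firewall` forward rule set for this host. Minor: step 4 of the header has a stray backtick after `option`, and `souce` should be `source`.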
diff --git a/hosts/idols_ai/default.nix b/hosts/idols_ai/default.nix index dc87071a..dbfd45d8 100644 --- a/hosts/idols_ai/default.nix +++ b/hosts/idols_ai/default.nix @@ -3,7 +3,11 @@ # Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use. # ############################################################# -{ +let + hostName = "ai"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { imports = [ ./cifs-mount.nix # Include the results of the hardware scan. @@ -14,30 +18,16 @@ ]; networking = { - hostName = "ai"; + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; + wireless.enable = false; # Enables wireless support via wpa_supplicant. - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - networkmanager.enable = true; - - enableIPv6 = false; # disable ipv6 + # configures the network interface(include wireless) via `nmcli` & `nmtui` + networkmanager.enable = false; interfaces.enp5s0 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.100"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; }; # conflict with feature: containerd-snapshotter diff --git a/hosts/idols_ai/hardware-configuration.nix b/hosts/idols_ai/hardware-configuration.nix index 860c07e6..584acc5e 100644 --- a/hosts/idols_ai/hardware-configuration.nix +++ b/hosts/idols_ai/hardware-configuration.nix 
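Review bot: The comment `# configures the network interface(include wireless) via nmcli & nmtui` now sits directly above `networkmanager.enable = false;`, so it states the opposite of the line it annotates; replace it with `# static IPv4 on enp5s0 below; NetworkManager is not used on this host` or drop it. The removed `enableIPv6 = false;` is not carried anywhere else in the hunk, so the host presumably goes back to the default of IPv6 enabled (link-local/SLAAC on enp5s0); if that is intentional it deserves a one-line comment, since `hostAddress` only pins the IPv4 side.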
@@ -32,7 +32,7 @@ # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; - # supported fil systems, so we can mount any removable disks with these filesystems + # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = [ "ext4" "btrfs" diff --git a/hosts/idols_aquamarine/default.nix b/hosts/idols_aquamarine/default.nix index a61d003d..4532133f 100644 --- a/hosts/idols_aquamarine/default.nix +++ b/hosts/idols_aquamarine/default.nix @@ -3,10 +3,14 @@ # Aquamarine - A NixOS VM running on Proxmox # ############################################################# -{ +let + hostName = "aquamarine"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; - # supported fil systems, so we can mount any removable disks with these filesystems + # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = [ "ext4" "btrfs" 
@@ -23,28 +27,14 @@ boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { - hostName = "aquamarine"; # Define your hostname. - wireless.enable = false; # Enables wireless support via wpa_supplicant. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - networkmanager.enable = true; + networkmanager.enable = false; interfaces.ens18 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.101"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; }; # This value determines the NixOS release from which the default diff --git a/hosts/idols_kana/default.nix b/hosts/idols_kana/default.nix index cf217ddf..d9625c52 100644 --- a/hosts/idols_kana/default.nix +++ b/hosts/idols_kana/default.nix @@ -3,10 +3,14 @@ # Kana - a NixOS VM running on Proxmox # ############################################################# -{ +let + hostName = "kana"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; - # supported fil systems, so we can mount any removable disks with these filesystems + # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = [ "ext4" "btrfs" 
@@ -23,28 +27,14 @@ boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { - hostName = "kana"; # Define your hostname. - wireless.enable = false; # Enables wireless support via wpa_supplicant. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - networkmanager.enable = true; + networkmanager.enable = false; interfaces.ens18 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.103"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; }; # This value determines the NixOS release from which the default diff --git a/hosts/idols_ruby/default.nix b/hosts/idols_ruby/default.nix index 336d633c..2df32584 100644 --- a/hosts/idols_ruby/default.nix +++ b/hosts/idols_ruby/default.nix @@ -3,10 +3,14 @@ # Ruby - a NixOS VM running on Proxmox # ############################################################# -{ +let + hostName = "ruby"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { # Enable binfmt emulation of aarch64-linux, this is required for cross compilation. boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"]; - # supported fil systems, so we can mount any removable disks with these filesystems + # supported file systems, so we can mount any removable disks with these filesystems boot.supportedFilesystems = [ "ext4" "btrfs" 
@@ -23,28 +27,14 @@ boot.extraModprobeConfig = "options kvm_amd nested=1"; # for amd cpu networking = { - hostName = "ruby"; # Define your hostname. - wireless.enable = false; # Enables wireless support via wpa_supplicant. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - networkmanager.enable = true; + networkmanager.enable = false; interfaces.ens18 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.102"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; }; # This value determines the NixOS release from which the default diff --git a/hosts/rolling_girls_chiaya/default.nix b/hosts/rolling_girls_chiaya/default.nix index ad35a160..fa932c99 100644 --- a/hosts/rolling_girls_chiaya/default.nix +++ b/hosts/rolling_girls_chiaya/default.nix 
@@ -9,38 +9,27 @@ # WIP, not working yet. # ############################################################# -{ +let + hostName = "chiaya"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { imports = [ ]; # Set static IP address / gateway / DNS servers. networking = { - hostName = "chiaya"; # Define your hostname. - wireless.enable = false; + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; # Failed to enable firewall due to the following error: # firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported firewall.enable = false; - - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; - - # Configure network proxy if necessary - # proxy.default = "http://user:password@proxy:port/"; - # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - + networkmanager.enable = false; # milkv-mars RJ45 port interfaces.end0 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.106"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; }; diff --git a/hosts/rolling_girls_nozomi/default.nix b/hosts/rolling_girls_nozomi/default.nix index 8dce2913..7b2e22f9 100644 --- a/hosts/rolling_girls_nozomi/default.nix +++ b/hosts/rolling_girls_nozomi/default.nix @@ -4,7 +4,11 @@ # Nozomi - NixOS configuration for Lichee Pi 4A # ############################################################# -{ +let + hostName = "nozomi"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { imports = [ # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware (nixos-licheepi4a + "/modules/licheepi4a.nix") 
@@ -14,7 +18,9 @@ # Set static IP address / gateway / DNS servers. networking = { - hostName = "nozomi"; # Define your hostname. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; + wireless = { # https://wiki.archlinux.org/title/wpa_supplicant enable = true; @@ -33,12 +39,6 @@ # firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported firewall.enable = false; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; - # Configure network proxy if necessary # proxy.default = "http://user:password@proxy:port/"; # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; @@ -46,12 +46,7 @@ # LPI4A's wireless interface interfaces.wlan0 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.104"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; # LPI4A's first ethernet interface # interfaces.end0 = { diff --git a/hosts/rolling_girls_yukina/default.nix b/hosts/rolling_girls_yukina/default.nix index 0ff0098a..9687db07 100644 --- a/hosts/rolling_girls_yukina/default.nix +++ b/hosts/rolling_girls_yukina/default.nix @@ -4,7 +4,11 @@ # Yukina - NixOS configuration for Lichee Pi 4A # ############################################################# -{ +let + hostName = "yukina"; # Define your hostname. + vars = import ../vars.nix; + hostAddress = vars.networking.hostAddress.${hostName}; +in { imports = [ # import the licheepi4a module, which contains the configuration for bootloader/kernel/firmware (nixos-licheepi4a + "/modules/licheepi4a.nix") @@ -14,7 +18,9 @@ # Set static IP address / gateway / DNS servers. networking = { - hostName = "yukina"; # Define your hostname. + inherit hostName; + inherit (vars.networking) defaultGateway nameservers; + wireless = { # https://wiki.archlinux.org/title/wpa_supplicant enable = true; 
@@ -33,12 +39,6 @@ # firewall-start[2300]: iptables: Failed to initialize nft: Protocol not supported firewall.enable = false; - defaultGateway = "192.168.5.201"; - nameservers = [ - "119.29.29.29" # DNSPod - "223.5.5.5" # AliDNS - ]; - # Configure network proxy if necessary # proxy.default = "http://user:password@proxy:port/"; # proxy.noProxy = "127.0.0.1,localhost,internal.domain"; @@ -46,19 +46,14 @@ # LPI4A's wireless interface interfaces.wlan0 = { useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.5.105"; - prefixLength = 24; - } - ]; + ipv4.addresses = [hostAddress]; }; # LPI4A's first ethernet interface # interfaces.end0 = { # useDHCP = false; # ipv4.addresses = [ # { - # address = "192.168.5.105"; + # address = "192.168.5.104"; # prefixLength = 24; # } # ]; diff --git a/hosts/vars.nix b/hosts/vars.nix new file mode 100644 index 00000000..ddcae494 --- /dev/null +++ b/hosts/vars.nix @@ -0,0 +1,49 @@ +{ + networking = rec { + defaultGateway = "192.168.5.201"; + nameservers = [ + "119.29.29.29" # DNSPod + "223.5.5.5" # AliDNS + ]; + prefixLength = 24; + + hostAddress = { + "ai" = { + inherit prefixLength; + address = "192.168.5.100"; + }; + "aquamarine" = { + inherit prefixLength; + address = "192.168.5.101"; + }; + "ruby" = { + inherit prefixLength; + address = "192.168.5.102"; + }; + "kana" = { + inherit prefixLength; + address = "192.168.5.103"; + }; + "nozomi" = { + inherit prefixLength; + address = "192.168.5.104"; + }; + "yukina" = { + inherit prefixLength; + address = "192.168.5.105"; + }; + "chiaya" = { + inherit prefixLength; + address = "192.168.5.106"; + }; + "suzu" = { + inherit prefixLength; + address = "192.168.5.107"; + }; + "tailscale-gw" = { + inherit prefixLength; + address = "192.168.5.192"; + }; + }; + }; +} diff --git a/lib/nixosSystem.nix b/lib/nixosSystem.nix index 0e2aee24..8003d2a2 100644 --- a/lib/nixosSystem.nix +++ b/lib/nixosSystem.nix 
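Review bot: In the commented-out `interfaces.end0` block of `hosts/rolling_girls_yukina/default.nix`, the address is changed to `192.168.5.104`, which `hosts/vars.nix` assigns to `nozomi`; if that block is ever un-commented the two boards would collide, and it also bypasses the address table this commit introduces. Make the dormant block use the same source of truth, `# ipv4.addresses = [hostAddress];`, in place of the literal address block.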
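Review bot: `hosts/vars.nix` now holds every host address, but `hosts/homelab_tailscale_gw/tailscale.nix` still hard-codes the advertised route `192.168.5.0/24` that these addresses live in; adding the subnet here (e.g. `subnet = "192.168.5.0/24";` next to `prefixLength`) and referencing it from the gateway keeps the advertised route in step with the address table. The file also has no header comment like the host files; a short one saying it is loaded with `import ../vars.nix` by each host and that `hostAddress` keys must equal the host's `networking.hostName` would explain the `${hostName}` lookup, which fails at evaluation time for any host missing from the table.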
@@ -5,7 +5,7 @@ system, specialArgs, nixos-modules, - home-module, + home-module ? null, }: let inherit (specialArgs) username; in @@ -22,14 +22,19 @@ in proxmox.qemuConf.name = "${config.networking.hostName}-nixos-${config.system.nixos.label}"; }; } + ] + ++ ( + if (home-module != null) + then [ + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - - home-manager.extraSpecialArgs = specialArgs; - home-manager.users."${username}" = home-module; - } - ]; + home-manager.extraSpecialArgs = specialArgs; + home-manager.users."${username}" = home-module; + } + ] + else [] + ); } diff --git a/modules/base.nix b/modules/base.nix index 25fc42c0..ae239ab1 100644 --- a/modules/base.nix +++ b/modules/base.nix @@ -25,9 +25,9 @@ # 2. Never leave the device and never sent over the network. # 2. Or just use hardware security keys like Yubikey/CanoKey. openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica" - "" ]; }; diff --git a/modules/nixos/desktop/remote-desktop/tailscale.nix b/modules/nixos/desktop/remote-desktop/tailscale.nix index f493c3d2..777c053e 100644 --- a/modules/nixos/desktop/remote-desktop/tailscale.nix +++ b/modules/nixos/desktop/remote-desktop/tailscale.nix 
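Review bot: Nothing in the hunk records what `home-module ? null` means for callers; a comment on the default, `# home-module ? null: hosts without a user environment (e.g. headless VMs) skip home-manager entirely`, would make the contract explicit, since `inherit (specialArgs) username;` above is still evaluated whether or not a home module is given. Stylistically the `if (home-module != null) then [ ... ] else []` block reads more naturally as `lib.optionals (home-module != null) [ ... ]` if `lib` is available in this file; the function's parameter list starts before the hunk, so I cannot see whether it is.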
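Review bot: The added `ryan@idols-ai` key is authorised on every host that imports `modules/base.nix`, which after this commit includes the new tailnet-reachable `tailscale-gw` VM, and its label points at the `ai` workstation that is itself one of the managed hosts; the preamble above the list (`Never leave the device`, `use hardware security keys`) does not say which of the two kinds this key is, so add a trailing comment on the line, e.g. `# key held on the ai workstation; TODO(review): confirm it is stored per the rules above`. The preamble's numbering also reads `2.` twice in the context lines, which is worth fixing while here.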
@@ -16,8 +16,8 @@ # How to use: # 1. Create a Tailscale account at https://login.tailscale.com # 2. Login via `tailscale login` -# 3. join into your Tailscale network via `tailscale up` -# 4. If you prefer automatic connection to Tailscale, then generate a authkey, and uncomment the systemd service below. +# 3. join into your Tailscale network via `tailscale up --accept-routes` +# 4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below. # # Status Data: # `journalctl -u tailscaled` shows tailscaled's logs @@ -25,7 +25,7 @@ # which is already persistent across reboots(via impermanence.nix) # # References: -# https://tailscale.com/blog/nixos-minecraft +# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/tailscale.nix # # ============================================================= { 
@@ -33,44 +33,14 @@ environment.systemPackages = [pkgs.tailscale]; # enable the tailscale service - services.tailscale.enable = true; - - # create a oneshot job to authenticate to Tailscale - # systemd.services.tailscale-autoconnect = { - # description = "Automatic connection to Tailscale"; - # - # # make sure tailscale is running before trying to connect to tailscale - # after = ["network-pre.target" "tailscale.service"]; - # wants = ["network-pre.target" "tailscale.service"]; - # wantedBy = ["multi-user.target"]; - # - # # set this service as a oneshot job - # serviceConfig.Type = "oneshot"; - # - # # have the job run this shell script - # script = with pkgs; '' - # # wait for tailscaled to settle - # sleep 2 - # - # # check if we are already authenticated to tailscale - # status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" - # if [ $status = "Running" ]; then # if so, then do nothing - # exit 0 - # fi - # - # # otherwise authenticate with tailscale - # ${tailscale}/bin/tailscale up -authkey file:${config.age.secrets.tailscale-authkey.path} - # ''; - # }; - - networking.firewall = { - # always allow traffic from your Tailscale network - trustedInterfaces = ["tailscale0"]; - + services.tailscale = { + enable = true; + port = 41641; + interfaceName = "tailscale0"; # allow the Tailscale UDP port through the firewall - allowedUDPPorts = [config.services.tailscale.port]; - - # allow you to SSH in over the public internet - allowedTCPPorts = [22]; + openFirewall = true; + useRoutingFeatures = "client"; + extraUpFlags = "--accept-routes"; + # authKeyFile = "/var/lib/tailscale/authkey"; }; } diff --git a/systems/colmena.nix b/systems/colmena.nix index 5775df22..d6ea2d82 100644 --- a/systems/colmena.nix +++ b/systems/colmena.nix 
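Review bot: Replacing `networking.firewall.trustedInterfaces = ["tailscale0"]` with `openFirewall = true` only opens UDP `41641` inbound; the tailnet side is no longer a trusted interface, so any remote-desktop listener this module is meant to expose must now be allowed explicitly, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ <remote-desktop port> ];` (the actual port is not in this hunk). That is the safer default, since trusting the whole interface let any tailnet peer reach every local service, so if it is intentional say so in the `# enable the tailscale service` comment; the dropped `allowedTCPPorts = [22]` is covered by `services.openssh.openFirewall` only while that option is left at its default of true. `useRoutingFeatures = "client"` also relaxes the NixOS firewall's reverse-path check to `loose`; a one-line comment noting that side effect would help the next reader.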
@@ -80,6 +80,11 @@ in { idol_kana_modules {host_tags = idol_kana_tags;} ]); + tailscale_gw = colmenaSystem (attrs.mergeAttrsList [ + x64_base_args + homelab_tailscale_gw_modules + {host_tags = homelab_tailscale_gw_tags;} + ]); # riscv64 SBCs nozomi = colmenaSystem (attrs.mergeAttrsList [ diff --git a/systems/nixos.nix b/systems/nixos.nix index e98caa2e..b70a4fc1 100644 --- a/systems/nixos.nix +++ b/systems/nixos.nix @@ -23,6 +23,8 @@ in { aquamarine = nixosSystem (idol_aquamarine_modules // base_args); ruby = nixosSystem (idol_ruby_modules // base_args); kana = nixosSystem (idol_kana_modules // base_args); + + tailscale_gw = nixosSystem (homelab_tailscale_gw_modules // base_args); }; # take system images for idols @@ -44,6 +46,8 @@ in { "aquamarine" "ruby" "kana" + + "tailscale_gw" ] # generate proxmox image for virtual machines without desktop environment (host: self.nixosConfigurations.${host}.config.formats.proxmox) diff --git a/systems/vars.nix b/systems/vars.nix index 3a029c1a..eb57c748 100644 --- a/systems/vars.nix +++ b/systems/vars.nix @@ -82,6 +82,16 @@ in { }; idol_kana_tags = ["dist-build" "kana"]; + homelab_tailscale_gw_modules = { + nixos-modules = [ + ../hosts/homelab_tailscale_gw + ../modules/nixos/server/server.nix + ../modules/nixos/server/proxmox-hardware-configuration.nix + ]; + # home-module.imports = []; + }; + homelab_tailscale_gw_tags = ["tailscale-gw"]; + # 森友 望未, Moritomo Nozomi rolling_nozomi_modules = { nixos-modules = [