From fab57a38f4e6e9ef7e9821231f7671851621f0b3 Mon Sep 17 00:00:00 2001
From: vkcku
Date: Mon, 1 Jun 2026 15:56:19 +0530
Subject: infra: add tailscale to base module
monorepo-revid: c8dffdfe5a8566e29e5d7fea43f4fbf4ec4f7c6e
---
infra/modules/base/secrets.yaml | 8 +++++--
infra/modules/base/tailscale.nix | 52 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 2 deletions(-)
create mode 100644 infra/modules/base/tailscale.nix
(limited to 'infra')
diff --git a/infra/modules/base/secrets.yaml b/infra/modules/base/secrets.yaml
index 361d835..12ddd13 100644
--- a/infra/modules/base/secrets.yaml
+++ b/infra/modules/base/secrets.yaml
@@ -1,3 +1,7 @@
+services:
+ tailscale:
+ auth_key: ENC[AES256_GCM,data:QF/BuwVIxmvq2fpu0j8AvmkRUs7LdzetP/iRJO59b+/pcIVcpAbE9RPU4Jr2mPI0KmrluR2lUSnha46sIg==,iv:zIrrqshSKl+c6xKJm+60+nhFW5ZIVckZ6Uv8Meq42KY=,tag:b8DuWv6OPIt57vF1JVP35g==,type:str]
+ nixos_vm_auth_key: ENC[AES256_GCM,data:xXnpn4rAl4AMMxs9B9eMRoMtqCc6eudwh0Kb5WvQNUQ+DCWGzA4OpP4IhGDI94ldFkyiiFnW2vgV9qRRE+0=,iv:LppvzOqpIXJl1BHHF7BMKb0rcJC2c4JFPMjOFO5I7aM=,tag:RrMePFIN40oD8M250541Tg==,type:str]
 hosts:
 indra:
 users:
@@ -13,7 +17,7 @@ sops:
 X1SHrCHKm6P6QD5Nminy6tVZWP1BpGC+jcXas2lWq6URovNdMKSdPg==
 -----END AGE ENCRYPTED FILE-----
 recipient: age1jtl0m9t7rtfmh674zres8pecmcugv7yxamv8hkvlf3tk2g8p25nsnccslh
- lastmodified: "2026-06-01T06:57:19Z"
- mac: ENC[AES256_GCM,data:DZig1NCkYssUXxrGmKau2BpRr4l/Sap2XwyMwwvoZGj6oedS1oQyQnxSc5nitkNCW7xlkk4OgUYPiHqtxeFVIQ5hnfHdR8+rlkD64RcsPVWq+oyiTe8toWXbzpa9mHG6+XQp3iPybMVHfFrdRP0IZ6hNvbSS54ejH8CFDfZ9pYY=,iv:A1xBgPxWQrlmChD7qF/TpwknrjckuI6Fd/0pgHdM2+g=,tag:WK5kHak7ClTetpwqmollog==,type:str]
+ lastmodified: "2026-06-01T10:29:54Z"
+ mac: ENC[AES256_GCM,data:Kz6OH0IQ7qfH7CfRbt6Zs1W5Dy2Yb1rvngUA7EinsDvceRT8QJKLzmJQmWhFAK63mG9APTSInnljQrugLb9jzmjjJ7+L1S9hNfCzYrl4CTT3wr0D+7cc7c3y3LcEkLoDwNlAtDHlmXFxlx6IfDdxPuHGBc/IkP6eqPKU54R1fwA=,iv:gbNKaUCvnGrM5UabHETSJwzGspRXz5kfDjnWZrdDL4Q=,tag:oDNm+TKtur9py5xlwdtdiA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.13.1
diff --git a/infra/modules/base/tailscale.nix b/infra/modules/base/tailscale.nix
new file mode 100644
index 0000000..4fdee80
--- /dev/null
+++ b/infra/modules/base/tailscale.nix
@@ -0,0 +1,52 @@
+{
+ flake.modules.nixos.base =
+ { config, lib, ... }:
+ {
+ options.infra.tailscale = {
+ authenticate = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable automatic authentication with the authkey.";
+ };
+
+ ssh = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable Tailscale SSH.";
+ };
+ };
+
+ config =
+ let
+ cfg = config.infra.tailscale;
+
+ datadir = "/var/lib/tailscale";
+ in
+ {
+ sops.secrets."services/tailscale/auth_key" = { };
+
+ infra.persist.directories = [ datadir ];
+
+ systemd.services.tailscaled = {
+ serviceConfig.StateDirectory = "tailscale";
+ };
+
+ services.tailscale = {
+ enable = true;
+ authKeyFile =
+ if cfg.authenticate then config.sops.secrets."services/tailscale/auth_key".path else null;
+ extraUpFlags = lib.lists.optional cfg.ssh "--ssh";
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ "--statedir=${datadir}"
+ ];
+ };
+
+ virtualisation.vmVariant = {
+ # Use an auth key with ephemeral nodes so they get automatically
+ # deleted.
+ sops.secrets."services/tailscale/auth_key".key = lib.mkForce "services/tailscale/nixos_vm_auth_key";
+ };
+ };
+ };
+}
-- 
cgit v1.3.1
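Review bot: The sops secret `services/tailscale/auth_key` is declared unconditionally in `config`, so every host that imports the base module gets the tailnet auth key decrypted onto disk even when `infra.tailscale.authenticate` is false and `authKeyFile` is `null`; a Tailscale auth key is a bearer credential that enrolls new nodes into the tailnet, so it should only be materialised on hosts that actually use it. Wrapping both the declaration and the `vmVariant` key override in `lib.mkIf cfg.authenticate` keeps `authKeyFile` valid, since that expression already checks `cfg.authenticate` before reading `.path`, and removes the key from every other host. Separately, `extraUpFlags` is only consumed when the NixOS module runs `tailscale up` itself, which as far as I can tell only happens when `authKeyFile` is set, so `ssh = true` with `authenticate = false` silently does nothing; I would say so in the option text, e.g. `description = "Whether to enable Tailscale SSH. Only applied by the automatic tailscale up, so it has no effect unless authenticate is also set; access is then governed by tailnet ACL ssh rules, not by sshd.";`.

```nix
        # Only hosts that authenticate get the auth key decrypted onto disk;
        # everyone else never sees the credential.
        sops.secrets = lib.mkIf cfg.authenticate {
          "services/tailscale/auth_key" = { };
        };

        # … unchanged: infra.persist.directories, systemd.services.tailscaled, services.tailscale …

        virtualisation.vmVariant = {
          # Use an auth key with ephemeral nodes so they get automatically
          # deleted.
          sops.secrets = lib.mkIf cfg.authenticate {
            "services/tailscale/auth_key".key = lib.mkForce "services/tailscale/nixos_vm_auth_key";
          };
        };
```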