chore: move tailscale to common settings

2025-05-09 13:19:59 +08:00 · 2025-05-09 13:19:59 +08:00 · 9fd4b69cd8
commit 9fd4b69cd8
parent 0e8343eb80
14 changed files with 169 additions and 187 deletions
--- a/machines/agate/default.nix
+++ b/machines/agate/default.nix
@ -106,12 +106,6 @@ in
  nixpkgs.config.contentAddressedByDefault = true;
  nixpkgs.overlays = [ fix-folly-build ];

-  services.tailscale = {
-    enable = true;
-    openFirewall = true;
-    permitCertUid = "caddy";
-  };
-
  custom.prometheus.exporters = {
    enable = true;
    blackbox = {
--- a/machines/agate/services/minio.nix
+++ b/machines/agate/services/minio.nix
@ -0,0 +1,6 @@
+{
+  services.minio = {
+    enable = true;
+    region = "ap-east-1";
+  };
+}
--- a/machines/baryte/default.nix
+++ b/machines/baryte/default.nix
@ -13,7 +13,6 @@
    };

    services.openssh.enable = true;
-    services.tailscale.enable = true;
    time.timeZone = "Asia/Shanghai";
  };
 }
--- a/machines/baryte/hardware-configuration.nix
+++ b/machines/baryte/hardware-configuration.nix
@ -0,0 +1,20 @@
+{ config, modulesPath, ... }:
+{
+  imports = [ ];
+
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = config.diskPartitions.grubMbr;
+            root = config.diskPartitions.btrfs;
+          };
+        };
+      };
+    };
+  };
+}
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@ -40,19 +40,6 @@
    comin.enable = true;
  };

-  custom.monitoring = {
-    promtail.enable = true;
-  };
-
-  custom.prometheus.exporters = {
-    enable = true;
-    node.enable = true;
-  };
-
-  services.tailscale.enable = true;
-
-  services.caddy.enable = true;
-
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
--- a/machines/calcite/network.nix
+++ b/machines/calcite/network.nix
@ -17,19 +17,8 @@
    };
  };

-  services.tailscale = {
-    enable = true;
-    extraUpFlags = [ "--accept-routes" ];
-  };
-
  # Open ports in the firewall.
  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 3389 ];
-  networking.firewall.allowedUDPPorts = [
-    3389
-    41641
-  ];
-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  # Use nftables to manager firewall
  networking.nftables.enable = true;

--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@ -33,8 +33,6 @@
      promtail.enable = true;
    };

-    services.tailscale.enable = true;
-
    commonSettings = {
      auth.enable = true;
      comin.enable = true;
--- a/machines/osmium/default.nix
+++ b/machines/osmium/default.nix
@ -139,11 +139,6 @@
      };
    };

-    services.tailscale = {
-      enable = true;
-      extraSetFlags = [
-        "--advertise-routes=10.1.1.0/24"
-      ];
-    };
+    services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ];
  };
 }
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@ -12,6 +12,8 @@
    nix.enable = true;
    auth.enable = true;
    comin.enable = true;
+    network.enableProxy = false;
+    serverComponents.enable = true;
  };

  nixpkgs.overlays = [
@ -36,15 +38,4 @@
  };

  time.timeZone = "Asia/Shanghai";
-
-  # fileSystems."/".fsType = lib.mkForce "btrfs";
-  boot.supportedFilesystems.zfs = lib.mkForce false;
-
-  services.dae.enable = false;
-
-  services.tailscale = {
-    enable = true;
-    permitCertUid = config.services.caddy.user;
-    openFirewall = true;
-  };
 }
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@ -3,6 +3,8 @@ prometheus:
    metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str]
 dae:
    sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str]
+tailscale:
+    authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str]
 sops:
    age:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
@ -95,7 +97,7 @@ sops:
            MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT
            VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-01T16:16:05Z"
-    mac: ENC[AES256_GCM,data:sXZm1YVBaF//vU5Vtou4HOvKMZ9L6i9YCH6DASiEE6VQYQ6aN3RI5bf25c9C4Lx7ARxsqCFz1pUVGiSd6AIAx1swSZHwC0nRz77GW9B8S1Gn+uyvVdbhP7xYfJ3XP8jFPJetKQLYIIynjdT7uUA833ZydmtaUC85j+Kmw7aEIoQ=,iv:rXkqJqJX43bLxrjT19mP4qO/fpZboVLN3nbQ7RrJWto=,tag:5ZPThu4YCT0K8GJMmYK6Yg==,type:str]
+    lastmodified: "2025-05-09T01:56:54Z"
+    mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2
--- a/machines/thorite/default.nix
+++ b/machines/thorite/default.nix
@ -31,8 +31,6 @@
      443
    ];

-    services.tailscale.enable = true;
-
    services.caddy.enable = true;

    commonSettings = {
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -133,12 +133,6 @@
      ];
    };

-    services.tailscale = {
-      enable = true;
-      openFirewall = true;
-      permitCertUid = "caddy";
-    };
-
    services.tailscale.derper = {
      enable = true;
      domain = "derper00.namely.icu";