chore: move tailscale to common settings

2025-05-09 13:19:59 +08:00 · 2025-05-09 13:19:59 +08:00 · 9fd4b69cd8
commit 9fd4b69cd8
parent 0e8343eb80
14 changed files with 169 additions and 187 deletions
--- a/machines/agate/default.nix
+++ b/machines/agate/default.nix
@ -106,12 +106,6 @@ in
  nixpkgs.config.contentAddressedByDefault = true;
  nixpkgs.overlays = [ fix-folly-build ];
  services.tailscale = {
    enable = true;
    openFirewall = true;
    permitCertUid = "caddy";
  };
  custom.prometheus.exporters = {
    enable = true;
    blackbox = {
--- a/machines/agate/services/minio.nix
+++ b/machines/agate/services/minio.nix
@ -0,0 +1,6 @@
 {
  services.minio = {
    enable = true;
    region = "ap-east-1";
  };
 }
--- a/machines/baryte/default.nix
+++ b/machines/baryte/default.nix
@ -13,7 +13,6 @@
    };
    services.openssh.enable = true;
    services.tailscale.enable = true;
    time.timeZone = "Asia/Shanghai";
  };
 }
--- a/machines/baryte/hardware-configuration.nix
+++ b/machines/baryte/hardware-configuration.nix
@ -0,0 +1,20 @@
 { config, modulesPath, ... }:
 {
  imports = [ ];
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/vda";
        content = {
          type = "gpt";
          partitions = {
            boot = config.diskPartitions.grubMbr;
            root = config.diskPartitions.btrfs;
          };
        };
      };
    };
  };
 }
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@ -40,19 +40,6 @@
    comin.enable = true;
  };
  custom.monitoring = {
    promtail.enable = true;
  };
  custom.prometheus.exporters = {
    enable = true;
    node.enable = true;
  };
  services.tailscale.enable = true;
  services.caddy.enable = true;
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
--- a/machines/calcite/network.nix
+++ b/machines/calcite/network.nix
@ -17,19 +17,8 @@
    };
  };
  services.tailscale = {
    enable = true;
    extraUpFlags = [ "--accept-routes" ];
  };
  # Open ports in the firewall.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 3389 ];
  networking.firewall.allowedUDPPorts = [
    3389
    41641
  ];
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  # Use nftables to manager firewall
  networking.nftables.enable = true;
--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@ -33,8 +33,6 @@
      promtail.enable = true;
    };
    services.tailscale.enable = true;
    commonSettings = {
      auth.enable = true;
      comin.enable = true;
--- a/machines/osmium/default.nix
+++ b/machines/osmium/default.nix
@ -139,11 +139,6 @@
      };
    };
-    services.tailscale = {
+    services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ];
      enable = true;
      extraSetFlags = [
        "--advertise-routes=10.1.1.0/24"
      ];
    };
  };
 }
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@ -12,6 +12,8 @@
    nix.enable = true;
    auth.enable = true;
    comin.enable = true;
    network.enableProxy = false;
    serverComponents.enable = true;
  };
  nixpkgs.overlays = [
@ -36,15 +38,4 @@
  };
  time.timeZone = "Asia/Shanghai";
  # fileSystems."/".fsType = lib.mkForce "btrfs";
  boot.supportedFilesystems.zfs = lib.mkForce false;
  services.dae.enable = false;
  services.tailscale = {
    enable = true;
    permitCertUid = config.services.caddy.user;
    openFirewall = true;
  };
 }
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@ -3,6 +3,8 @@ prometheus:
    metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str]
 dae:
    sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str]
 tailscale:
    authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str]
 sops:
    age:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
@ -95,7 +97,7 @@ sops:
            MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT
            VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-01T16:16:05Z"
+    lastmodified: "2025-05-09T01:56:54Z"
-    mac: ENC[AES256_GCM,data:sXZm1YVBaF//vU5Vtou4HOvKMZ9L6i9YCH6DASiEE6VQYQ6aN3RI5bf25c9C4Lx7ARxsqCFz1pUVGiSd6AIAx1swSZHwC0nRz77GW9B8S1Gn+uyvVdbhP7xYfJ3XP8jFPJetKQLYIIynjdT7uUA833ZydmtaUC85j+Kmw7aEIoQ=,iv:rXkqJqJX43bLxrjT19mP4qO/fpZboVLN3nbQ7RrJWto=,tag:5ZPThu4YCT0K8GJMmYK6Yg==,type:str]
+    mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2
--- a/machines/thorite/default.nix
+++ b/machines/thorite/default.nix
@ -31,8 +31,6 @@
      443
    ];
    services.tailscale.enable = true;
    services.caddy.enable = true;
    commonSettings = {
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -133,12 +133,6 @@
      ];
    };
    services.tailscale = {
      enable = true;
      openFirewall = true;
      permitCertUid = "caddy";
    };
    services.tailscale.derper = {
      enable = true;
      domain = "derper00.namely.icu";
--- a/modules/nixos/common-settings/network.nix
+++ b/modules/nixos/common-settings/network.nix
@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkOption mkIf;
  inherit (config.my-lib.settings)
@ -16,87 +21,137 @@ in
        default = 100;
      };
    };
    tailscale = {
      enable = mkEnableOption "Tailscale client" // {
        default = true;
      };
      before = mkOption {
        default = [ ];
        type = lib.types.listOf lib.types.str;
      };
    };
  };
-  config = {
+  config = lib.mkMerge [
-    networking.resolvconf = mkIf cfg.localdns.enable {
+    (mkIf cfg.tailscale.enable {
-      enable = true;
+      sops = {
-      dnsExtensionMechanism = false;
+        secrets = {
-      # We should disable local resolver if dae is enabled
+          "tailscale/authkey" = {
-      # to let dns traffic go through dae
+            sopsFile = ../../../machines/secrets.yaml;
-      useLocalResolver = !config.commonSettings.network.enableProxy;
+          };
-    };
+        };
      };
-    services.resolved.enable = mkIf cfg.localdns.enable false;
+      services.tailscale = {
        enable = true;
        openFirewall = true;
        permitCertUid = mkIf config.services.caddy.enable config.services.caddy.user;
        extraUpFlags = [ "--accept-routes" ] ++ (lib.optional cfg.localdns.enable "--accept-dns=false");
        authKeyFile = config.sops.secrets."tailscale/authkey".path;
      };
      commonSettings.network.tailscale.before = (
        lib.optional config.services.caddy.enable "caddy.service"
      );
-    networking.firewall.trustedInterfaces = [
+      systemd.services.tailscaled.before = cfg.tailscale.before;
-      config.services.tailscale.interfaceName
+      systemd.services.tailscaled.serviceConfig.ExecStartPost =
-    ];
+        pkgs.writers.writePython3 "tailscale-wait-online"
-    services.tailscale = mkIf cfg.localdns.enable {
+          {
-      extraUpFlags = [ "--accept-dns=false" ];
+            flakeIgnore = [
-    };
+              "E401" # import on one line
-
+              "E501" # line length limit
    services.kresd = mkIf cfg.localdns.enable {
      enable = true;
      listenPlain = [ "127.0.0.1:53" ];
      listenTLS = [ "127.0.0.1:853" ];
      extraConfig =
        let
          listToLuaTable =
            x:
            lib.pipe x [
              (builtins.split "\n")
              (builtins.filter (s: s != [ ] && s != ""))
              (lib.strings.concatMapStrings (x: "'${x}',"))
            ];
-          chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
+          }
-          globalSettings = ''
+          ''
-            log_level("notice")
+            import subprocess, json, time
-            modules = { 'hints > iterate', 'stats', 'predict' }
+
-            cache.size = ${toString cfg.localdns.cacheSize} * MB
+            for _ in range(30):
-            trust_anchors.remove(".")
+                status = json.loads(
                    subprocess.run(
                        ["${lib.getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
                    ).stdout
                )["Self"]["Online"]
                if status:
                    exit(0)
                time.sleep(1)
            exit(1)
          '';
-          tsSettings = ''
+
-            internalDomains = policy.todnames({'${internalDomain}'})
+    })
-            policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+
-          '';
+    (mkIf cfg.localdns.enable {
-          proxySettings = ''
+      networking.resolvconf = {
-            policy.add(policy.domains(
+        enable = true;
-              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+        dnsExtensionMechanism = false;
-              { todname('hk-00.namely.icu') }))
+        # We should disable local resolver if dae is enabled
-            policy.add(policy.domains(
+        # to let dns traffic go through dae
-              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+        useLocalResolver = !config.commonSettings.network.enableProxy;
-              { todname('la-00.namely.icu') }))
+      };
-            policy.add(policy.domains(
+      services.resolved.enable = false;
-              policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+
-              { todname('fra-00.namely.icu') }))
+      services.kresd = {
-          '';
+        enable = true;
-          mainlandSettings = ''
+        listenPlain = [ "127.0.0.1:53" ];
-            chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+        listenTLS = [ "127.0.0.1:853" ];
-            policy.add(policy.suffix(policy.TLS_FORWARD({
+        extraConfig =
-              { "223.5.5.5", hostname="dns.alidns.com" },
+          let
-              { "223.6.6.6", hostname="dns.alidns.com" },
+            listToLuaTable =
-            }), chinaDomains))
+              x:
-            policy.add(policy.all(policy.TLS_FORWARD({
+              lib.pipe x [
-              { "8.8.8.8", hostname="dns.google" },
+                (builtins.split "\n")
-              { "8.8.4.4", hostname="dns.google" },
+                (builtins.filter (s: s != [ ] && s != ""))
-            })))
+                (lib.strings.concatMapStrings (x: "'${x}',"))
-          '';
+              ];
-          overseaSettings = ''
+            chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
-            policy.add(policy.all(policy.TLS_FORWARD({
+            globalSettings = ''
-              { "8.8.8.8", hostname="dns.google" },
+              log_level("notice")
-              { "8.8.4.4", hostname="dns.google" },
+              modules = { 'hints > iterate', 'stats', 'predict' }
-            })))
+              cache.size = ${toString cfg.localdns.cacheSize} * MB
-          '';
+              trust_anchors.remove(".")
-        in
+            '';
-        globalSettings
+            tsSettings = ''
-        + (if config.services.tailscale.enable then tsSettings else "")
+              internalDomains = policy.todnames({'${internalDomain}'})
-        + (
+              policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
-          if config.commonSettings.network.enableProxy then
+            '';
-            proxySettings + mainlandSettings
+            proxySettings = ''
-          else
+              policy.add(policy.domains(
-            overseaSettings
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
-        );
+                { todname('hk-00.namely.icu') }))
-    };
+              policy.add(policy.domains(
-  };
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
                { todname('la-00.namely.icu') }))
              policy.add(policy.domains(
                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
                { todname('fra-00.namely.icu') }))
            '';
            mainlandSettings = ''
              chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
              policy.add(policy.suffix(policy.TLS_FORWARD({
                { "223.5.5.5", hostname="dns.alidns.com" },
                { "223.6.6.6", hostname="dns.alidns.com" },
              }), chinaDomains))
              policy.add(policy.all(policy.TLS_FORWARD({
                { "8.8.8.8", hostname="dns.google" },
                { "8.8.4.4", hostname="dns.google" },
              })))
            '';
            overseaSettings = ''
              policy.add(policy.all(policy.TLS_FORWARD({
                { "8.8.8.8", hostname="dns.google" },
                { "8.8.4.4", hostname="dns.google" },
              })))
            '';
          in
          globalSettings
          + (if config.services.tailscale.enable then tsSettings else "")
          + (
            if config.commonSettings.network.enableProxy then
              proxySettings + mainlandSettings
            else
              overseaSettings
          );
      };
    })
  ];
 }
--- a/modules/nixos/monitor/exporters.nix
+++ b/modules/nixos/monitor/exporters.nix
@ -11,35 +11,9 @@ let
 in
 {
  config = {
-    systemd.services.tailscaled.before =
+    commonSettings.network.tailscale.before =
      (lib.optional cfg.node.enable "prometheus-node-exporters.service")
-      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
+      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service");
      ++ (lib.optional config.services.caddy.enable "caddy.service");
    systemd.services.tailscaled.serviceConfig.ExecStartPost =
      pkgs.writers.writePython3 "tailscale-wait-online"
        {
          flakeIgnore = [
            "E401" # import on one line
            "E501" # line length limit
          ];
        }
        ''
          import subprocess, json, time
          for _ in range(30):
              status = json.loads(
                  subprocess.run(
                      ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
                  ).stdout
              )["Self"]["Online"]
              if status:
                  exit(0)
              time.sleep(1)
          exit(1)
        '';
    services.prometheus.exporters.node = mkIf cfg.node.enable {
      enable = true;
      enabledCollectors = [
@ -122,26 +96,6 @@ in
    services.ntfy-sh.settings.enable-metrics = true;
    services.caddy.globalConfig = ''
      servers {
        metrics
      }
      admin unix//var/run/caddy/admin.sock {
        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
      }
    '';
    systemd.services.caddy.serviceConfig = {
      RuntimeDirectory = "caddy";
      RuntimeDirectoryMode = "0700";
    };
    services.tailscale = {
      permitCertUid = config.services.caddy.user;
      openFirewall = true;
    };
    services.caddy = {
      virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = ''
        handle /metrics {