xin/configs/net-overlay.nix

67 lines
1.7 KiB
Nix
Raw Normal View History

2023-09-12 08:44:05 -06:00
{ config
, lib
, pkgs
, ...
2023-07-11 09:12:50 -06:00
}:
2022-08-25 12:21:35 -06:00
with lib; {
options = {
zerotier = {
enable = mkOption {
description = "Enable ZeroTier";
default = false;
example = true;
type = lib.types.bool;
};
};
tailscale = {
enable = mkOption {
description = "Enable TailScale";
default = true;
example = true;
type = lib.types.bool;
};
sshOnly = mkOption {
2023-07-11 09:12:50 -06:00
description = "Enable TailScale with only ssh traffic to the tailnet allowed";
default = false;
example = true;
type = lib.types.bool;
};
2022-08-25 12:21:35 -06:00
};
};
config = mkMerge [
(mkIf config.tailscale.enable {
2023-09-12 08:44:05 -06:00
services = { tailscale = { enable = mkDefault true; }; };
networking.firewall.checkReversePath = mkDefault "loose";
2022-08-25 12:21:35 -06:00
})
(mkIf (config.tailscale.enable && config.tailscale.sshOnly) {
sops.secrets = {
ts_sshonly = {
sopsFile = config.xin-secrets.net-overlays;
owner = "root";
mode = "400";
};
};
systemd.services = {
"tailscale-ssh-init" = {
2023-09-12 08:44:05 -06:00
wantedBy = [ "tailscaled.service" ];
after = [ "tailscaled.service" ];
serviceConfig = {
2023-07-11 09:12:50 -06:00
ExecStart = "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.ts_sshonly.path}";
};
};
};
})
2022-08-25 12:21:35 -06:00
(mkIf config.zerotier.enable {
2023-09-12 08:44:05 -06:00
environment.systemPackages = with pkgs; [ zerotierone ];
2022-08-25 12:21:35 -06:00
services = {
zerotierone = {
enable = true;
2023-09-12 08:44:05 -06:00
joinNetworks = [ "db64858fedd3b256" ];
2022-08-25 12:21:35 -06:00
};
};
networking.firewall.checkReversePath = "loose";
})
];
}