-rw-r--r-- | flake.nix | 6 | ||||
-rw-r--r-- | secrets/golink.age | 8 | ||||
-rw-r--r-- | secrets/secrets.nix | 1 | ||||
-rw-r--r-- | system/linde.nix | 12 |
4 files changed, 27 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix index 67f09c25..05939ac1 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,10 @@ agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; searchix.url = "git+https://git.alanpearce.eu/searchix"; + golink = { + url = "github:tailscale/golink"; + inputs.nixpkgs.follows = "nixpkgs-small"; + }; }; outputs = @@ -28,6 +32,7 @@ , emacs-overlay , agenix , searchix + , golink , ... }: let @@ -70,6 +75,7 @@ modules = [ agenix.nixosModules.default searchix.nixosModules.web + golink.nixosModules.default ./system/linde.nix ]; }; diff --git a/secrets/golink.age b/secrets/golink.age new file mode 100644 index 00000000..c7039771 --- /dev/null +++ b/secrets/golink.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 cvV2sw Afv1D+MaopWkuWEKI0t0zp4qlcam7bBUtWHq7CwABg8 +T49GUjm0yIB8L93giMNNQm56goIlyUKw81Awem7LGBE +-> piv-p256 u9NeZg Aym6b0XVHJFxEaH1bi82HjDGpbId6LjDzeANPlP1q75N +euudxSXIVs2mTeP8DKe6+8ixQb5doTwp3HR7eyfCsCk +--- c0wvkDM428LPfxbK7xL22xMmUh9OaEXM+gEImi6FVJg + ¢ +h׃Uß…?•“Í/3 ;!Ç»¤îP‰Ù'.‚¾ÕrÄÁætæ±\Üì‹©:¤ ¶uèƒÌ9ùY‚y˜_xº€9 Œ.ÇO˜£#פö=%#ìû£,MP?®Ù£ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0a8c4a9d..75c174d1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,6 +17,7 @@ let paperless = [ linde ]; powerdns = [ linde ]; dex = [ linde ]; + golink = [ linde ]; dyndns = [ nanopi ]; syncthing = [ nanopi ]; diff --git a/system/linde.nix b/system/linde.nix index a55abb06..00c71b49 100644 --- a/system/linde.nix +++ b/system/linde.nix @@ -38,6 +38,14 @@ in binarycache.file = ../secrets/binarycache.age; dex.file = ../secrets/dex.age; powerdns.file = ../secrets/powerdns.age; + golink = let golink = config.services.golink; in { + # hope this doesn't collide... + path = "${golink.dataDir}/.config/tsnet-golink/auth.key"; + owner = golink.user; + mode = "400"; + symlink = false; + file = ../secrets/golink.age; + }; }; # Use the systemd-boot EFI boot loader. 
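Review bot: The new `golink` input in the first flake.nix hunk arrives without a matching flake.lock change; the diffstat lists four files and the lock file is not among them. Unless the lock is updated in a separate commit, the revision of `github:tailscale/golink` is chosen at the next evaluation rather than reviewed here. This matters because the third hunk imports `golink.nixosModules.default` into the linde system configuration. Commit the lock entry together with the input, or pin the ref explicitly, e.g. `url = "github:tailscale/golink/<commit-sha>";`. The input also follows `nixpkgs-small` while the neighbouring inputs follow `nixpkgs`; if that is deliberate, a one-line comment saying why would help.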
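Review bot: In the first system/linde.nix hunk, `path = "${golink.dataDir}/…/auth.key"` with `symlink = false` makes agenix write the decrypted auth key as a regular file inside the service's state directory rather than leaving it in agenix's runtime secrets directory. The plaintext key then lives wherever `dataDir` is stored and is picked up by anything that copies or backs up that directory. The second linde.nix hunk passes `config.age.secrets.golink.path` to `tailscaleAuthKeyFile`, so the location looks free to choose; if the module only reads that file, dropping `path` and `symlink` and keeping `owner` and `mode = "400"` should be enough. If the key really must sit under `.config/tsnet-golink`, replace `# hope this doesn't collide...` with a comment naming what else writes to that directory and why the key belongs there. The enclosing secrets attribute set starts outside the hunk.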
@@ -269,6 +277,10 @@ in extraUpFlags = [ "--accept-routes" ]; useRoutingFeatures = "client"; }; + services.golink = { + enable = true; + tailscaleAuthKeyFile = config.age.secrets.golink.path; + }; services.journald.extraConfig = '' MaxRetentionSec=1 month |
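Review bot: Nothing next to `tailscaleAuthKeyFile` records what kind of Tailscale auth key `secrets/golink.age` holds, so a later maintainer cannot tell whether the file must be kept valid or is expected to expire. A comment above the option, for example `# auth key for first registration only; single-use and tagged, re-issue if node state is wiped`, adjusted to what was actually issued, would cover it.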