-rw-r--r--flake.nix6
-rw-r--r--secrets/golink.age8
-rw-r--r--secrets/secrets.nix1
-rw-r--r--system/linde.nix12
4 files changed, 27 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix
index 67f09c25..05939ac1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,10 @@
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     searchix.url = "git+https://git.alanpearce.eu/searchix";
+    golink = {
+      url = "github:tailscale/golink";
+      inputs.nixpkgs.follows = "nixpkgs-small";
+    };
   };
 
   outputs =
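Review bot: The new `golink` input in this first flake.nix hunk arrives without a lock update: the diffstat lists four changed files and flake.lock is not among them. Unless the lock is updated in a separate commit, the revision of `github:tailscale/golink` that lands in the system closure is whatever the next evaluation resolves. Because the third hunk adds `golink.nixosModules.default` to the host's module list, commit the regenerated flake.lock with this change so the module code is pinned and reviewable. The input also follows `nixpkgs-small` where agenix follows `nixpkgs`; if that is deliberate, a short comment such as `# follows nixpkgs-small because <reason>` would record why.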
@@ -28,6 +32,7 @@
     , emacs-overlay
     , agenix
     , searchix
+    , golink
     , ...
     }:
     let
@@ -70,6 +75,7 @@
         modules = [
           agenix.nixosModules.default
           searchix.nixosModules.web
+          golink.nixosModules.default
           ./system/linde.nix
         ];
       };
diff --git a/secrets/golink.age b/secrets/golink.age
new file mode 100644
index 00000000..c7039771
--- /dev/null
+++ b/secrets/golink.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cvV2sw Afv1D+MaopWkuWEKI0t0zp4qlcam7bBUtWHq7CwABg8
+T49GUjm0yIB8L93giMNNQm56goIlyUKw81Awem7LGBE
+-> piv-p256 u9NeZg Aym6b0XVHJFxEaH1bi82HjDGpbId6LjDzeANPlP1q75N
+euudxSXIVs2mTeP8DKe6+8ixQb5doTwp3HR7eyfCsCk
+--- c0wvkDM428LPfxbK7xL22xMmUh9OaEXM+gEImi6FVJg
+
¢
+h׃Uß…?•“Í/3
;!Ç»¤îP‰Ù'.‚¾ÕrÄÁætæ±\Üì‹©:¤	¶uèƒÌ9ùY‚y˜_xº€9	Œ.ÇO˜£#פö=%#ìû£,MP?®Ù£
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0a8c4a9d..75c174d1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,7 @@ let
     paperless = [ linde ];
     powerdns = [ linde ];
     dex = [ linde ];
+    golink = [ linde ];
 
     dyndns = [ nanopi ];
     syncthing = [ nanopi ];
diff --git a/system/linde.nix b/system/linde.nix
index a55abb06..00c71b49 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -38,6 +38,14 @@ in
     binarycache.file = ../secrets/binarycache.age;
     dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
+    golink = let golink = config.services.golink; in {
+      # hope this doesn't collide...
+      path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
+      owner = golink.user;
+      mode = "400";
+      symlink = false;
+      file = ../secrets/golink.age;
+    };
   };
 
   # Use the systemd-boot EFI boot loader.
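Review bot: Setting `path` under `${golink.dataDir}` with `symlink = false` makes agenix write the decrypted Tailscale auth key as a regular file in the service's state directory instead of agenix's default runtime secrets directory, so the plaintext key presumably sits on persistent storage and in any backup of that directory. The second hunk of this file already passes `config.age.secrets.golink.path` to `services.golink.tailscaleAuthKeyFile`, so the custom location looks unnecessary. Dropping the `path` and `symlink` lines and keeping `owner`, `mode = "400"` and `file` should still let the service read the key. If the fixed location is required, replace `# hope this doesn't collide...` with a comment saying why and which file it could collide with, and check that the parent directories agenix creates end up writable by `golink.user`. The enclosing `age.secrets` set starts outside the hunk.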
@@ -269,6 +277,10 @@ in
     extraUpFlags = [ "--accept-routes" ];
     useRoutingFeatures = "client";
   };
+  services.golink = {
+    enable = true;
+    tailscaleAuthKeyFile = config.age.secrets.golink.path;
+  };
 
   services.journald.extraConfig = ''
     MaxRetentionSec=1 month
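Review bot: `tailscaleAuthKeyFile` has no comment saying what kind of auth key is stored in secrets/golink.age, which matters for rotation: Tailscale auth keys expire, and a reusable key left readable on the host stays valid for enrolling nodes until then. A comment such as `# single-use, tagged auth key; only needed for first registration, rotate secrets/golink.age when re-enrolling` would record the intent, assuming that is how the key was issued. The `services.journald.extraConfig` string that follows continues outside the hunk.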