diff --git a/modules/mosh.sys.nix b/modules/mosh.sys.nix index 193f661..33571cd 100644 --- a/modules/mosh.sys.nix +++ b/modules/mosh.sys.nix @@ -2,12 +2,24 @@ , lib , config , ... -}: { - environment.systemPackages = [ pkgs.mosh ]; - networking.firewall = lib.mkIf config.networking.firewall.enable { - allowedUDPPortRanges = [ - { from = 60000; to = 61000; } # mosh - ]; +}: +let cfg = config.mod.mosh; in +{ + options.mod.mosh = { + enable = lib.mkOption { + type = lib.types.bool; + description = "enable mosh"; + default = true; + example = false; + }; + }; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.mosh ]; + networking.firewall = lib.mkIf config.networking.firewall.enable { + allowedUDPPortRanges = [ + { from = 60000; to = 61000; } # mosh + ]; + }; }; } diff --git a/modules/tailscale.sys.nix b/modules/tailscale.sys.nix index f926523..6e3e1bb 100644 --- a/modules/tailscale.sys.nix +++ b/modules/tailscale.sys.nix 
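Review bot: `options.mod.mosh.enable` defaults to `true`, so every host that imports this module gets mosh installed and UDP 60000–61000 opened on any firewall-enabled interface, whereas the sibling `mod.tailscale.enable` (`lib.mkEnableOption`) defaults to false and is switched on per host in flake.nix. Consider the same shape here — `enable = lib.mkEnableOption "mosh";` — and enable it explicitly for the hosts that need it, so the open UDP range is a per-host decision; the `example = false` attribute is then unnecessary. If the opt-out default is kept on purpose, the option description should say so and name the port range it opens, e.g. `description = "enable mosh (on by default; opens UDP 60000-61000 when the firewall is enabled)";`.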
@@ -2,48 +2,53 @@ , config , lib , ... -}: { - environment.systemPackages = [ pkgs.tailscale ]; - services.tailscale.enable = true; - - systemd.services.tailscale-autoconnect = { - description = "Automatically connects to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - # check if we are already authenticated to tailscale - status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url - # This time, configure device auth so that we authenticate from portal - # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network - ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW - ''; +}: let cfg = config.mod.tailscale; in { + options.mod.tailscale = { + enable = lib.mkEnableOption "tailscale"; }; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.tailscale ]; + services.tailscale.enable = true; - networking.firewall = lib.mkIf config.networking.firewall.enable { - trustedInterfaces = [ - "tailscale0" - ]; - allowedUDPPorts = [ - config.services.tailscale.port - ]; - allowedTCPPorts = [ - 22 - ]; - checkReversePath = "loose"; + systemd.services.tailscale-autoconnect = { + description = "Automatically connects to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ 
"multi-user.target" ]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = '' + # wait for tailscaled to settle + sleep 2 + # check if we are already authenticated to tailscale + status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url + # This time, configure device auth so that we authenticate from portal + # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network + ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW + ''; + }; + + networking.firewall = lib.mkIf config.networking.firewall.enable { + trustedInterfaces = [ + "tailscale0" + ]; + allowedUDPPorts = [ + config.services.tailscale.port + ]; + allowedTCPPorts = [ + 22 + ]; + checkReversePath = "loose"; + }; }; } diff --git a/native_configs/ssh/config b/native_configs/ssh/config index 13a3cea..a1b2f67 100644 --- a/native_configs/ssh/config +++ b/native_configs/ssh/config @@ -47,3 +47,8 @@ Host mokoi User ubuntu_admin Port 22 +Host noami + HostName 10.100.200.230 + User htran + Port 22 + diff --git a/nix-conf/system/configuration.nix b/nix-conf/system/configuration.nix index 1ab2020..e4318dd 100755 --- a/nix-conf/system/configuration.nix +++ b/nix-conf/system/configuration.nix @@ -11,9 +11,11 @@ in with lib; { imports = (if includeHardware then [ - ./profiles/${hostname}/hardware-configuration.nix + "${proj_root}/hosts/${hostname}/hardware-configuration.nix" ] else [ ]) ++ [ "${modulesPath}/profiles/minimal.nix" + "${proj_root}/modules/tailscale.sys.nix" + "${proj_root}/modules/mosh.sys.nix" ]; boot = _boot; 
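Review bot: The `tailscale up` line in `systemd.services.tailscale-autoconnect.script` embeds a `tskey-auth-…` auth key as a literal; besides being committed to the repository, a NixOS `script` is built into a store derivation, so the key is readable by every local user under /nix/store on each host that enables the module. Treat the committed key as exposed and have the module take the key from a file delivered outside the store — e.g. an `authKeyFile` option handed to the unit with `serviceConfig.LoadCredential`, which `tailscale up --auth-key` can read via its `file:` prefix — as sketched below. Separately, `if [ $status = "Running" ]` leaves `$status` unquoted, so when `tailscale status` fails or `jq` prints nothing the test is evaluated as `[ = "Running" ]` and fails with a test-syntax error rather than a clean mismatch; quote it as `if [ "$status" = "Running" ]; then`. The same script existed in configuration.nix before this commit, so the move itself is fine; the point is what it carries.
```nix
  options.mod.tailscale = {
    enable = lib.mkEnableOption "tailscale";
    # a string, not a path, so the key file is never copied into the store
    authKeyFile = lib.mkOption {
      type = lib.types.str;
      description = "Absolute path to a file holding the Tailscale auth key; kept out of the Nix store";
    };
  };
  # … unchanged: environment.systemPackages, services.tailscale.enable …
  systemd.services.tailscale-autoconnect = {
    # … unchanged: description, after/wants/wantedBy, serviceConfig.Type …
    # systemd exposes the file to this unit only, under $CREDENTIALS_DIRECTORY
    serviceConfig.LoadCredential = "tskey:${cfg.authKeyFile}";
    script = ''
      sleep 2
      status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
      if [ "$status" = "Running" ]; then
        exit 0
      fi
      ${pkgs.tailscale}/bin/tailscale up --auth-key "file:$CREDENTIALS_DIRECTORY/tskey"
    '';
  };
```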
@@ -54,67 +56,6 @@ with lib; pkgs.inetutils # network diag pkgs.mtr # network diag pkgs.sysstat # sys diag - pkgs.mosh # ssh-alt; parsec-like - pkgs.tailscale # VPC ]; - # tailscale is mandatory : ^) - # inherit services; - services = lib.recursiveUpdate _services { - tailscale.enable = true; - ntp.enable = true; - }; - # create a oneshot job to authenticate to Tailscale - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - # check if we are already authenticated to tailscale - status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url - # This time, configure device auth so that we authenticate from portal - # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network - ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW - ''; - }; - # Don't touch networking.firewall.enable, just configure everything else. - # inherit networking; - # inherit _networking; - networking = lib.recursiveUpdate _networking { - firewall = - if _networking ? 
firewall.enable && _networking.firewall.enable then { - trustedInterfaces = _networking.firewall.trustedInterfaces or [ ] ++ [ - "tailscale0" - ]; - allowedUDPPorts = _networking.firewall.allowedUDPPorts or [ ] ++ [ - config.services.tailscale.port - ]; - allowedTCPPorts = _networking.firewall.allowedTCPPorts or [ ] ++ [ - 22 - ]; - allowedUDPPortRanges = _networking.firewall.allowedUDPPortRanges or [ ] ++ [ - { from = 60000; to = 61000; } # mosh - - ]; - checkReversePath = "loose"; - } else { enable = false; }; - }; - - environment.noXlibs = lib.mkForce false; - } diff --git a/nix-conf/system/flake.nix b/nix-conf/system/flake.nix index 31f4dde..ed34adc 100644 --- a/nix-conf/system/flake.nix +++ b/nix-conf/system/flake.nix @@ -56,6 +56,7 @@ ./configuration.nix { system.stateVersion = "22.05"; + mod.tailscale.enable = true; } ]; specialArgs = { @@ -205,6 +206,37 @@ hostname = "nixos"; }; }; + nixosConfigurations.htran-dev = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = base_modules ++ [ + ./configuration.nix + { + system.stateVersion = "22.11"; + mod.tailscale.enable = false; + networking.defaultGateway = { + address = "10.100.200.1"; + # interface = "ens32"; + }; + networking.interface.ens32.ipv4.addresses = [ + {address = "10.100.200.230"; prefixLength = 24;} + ]; + } + ]; + specialArgs = { + hostname = "htran-dev"; + _networking = { + firewall.enable = true; + useDHCP = false; + interfaces.eth0.useDHCP = true; + }; + _boot.loader.grub.enable = true; + _boot.loader.grub.version = 2; + _services.openssh = { + permitRootLogin = "no"; + enable = true; + }; + }; + }; nixosConfigurations.bao = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs.hostname = "bao"; 
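Review bot: `networking.interface.ens32.ipv4.addresses` in the new `htran-dev` configuration names an option that does not exist — the NixOS tree is `networking.interfaces.<name>.ipv4.addresses` — so evaluating this host should fail with an undefined-option error; change the line to `networking.interfaces.ens32.ipv4.addresses = [`. The `specialArgs` passed here (`_networking.firewall.enable = true`, `_services.openssh.permitRootLogin = "no"`) only take effect if configuration.nix still applies them, and the configuration.nix hunk in this same commit deletes the `services = lib.recursiveUpdate _services …` and `networking = lib.recursiveUpdate _networking …` assignments; unless they are re-applied outside the visible hunks, this host would get neither the firewall enable nor the root-login restriction from these args, which is worth confirming. `_networking.interfaces.eth0.useDHCP = true` next to a static address on `ens32` also looks like a leftover from another host — presumably only one of the two interface names is right for this machine.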
@@ -260,14 +292,15 @@ services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5 = { enable = true; - excludePackages = let plasma5 = pkgs.libsForQt5; in [ - plasma5.elisa # audio viewer - plasma5.konsole # I use alacritty instaed - plasma5.plasma-browser-integration - plasma5.print-manager # will enable if I need - plasma5.khelpcenter # why not just write manpages instead :( - # plasma5.ksshaskpass # pls just put prompts on my dear terminal - ]; + excludePackages = let plasma5 = pkgs.libsForQt5; in + [ + plasma5.elisa # audio viewer + plasma5.konsole # I use alacritty instaed + plasma5.plasma-browser-integration + plasma5.print-manager # will enable if I need + plasma5.khelpcenter # why not just write manpages instead :( + # plasma5.ksshaskpass # pls just put prompts on my dear terminal + ]; }; # disables KDE's setting of askpassword @@ -292,6 +325,7 @@ hardware.pulseaudio.support32Bit = true; nixpkgs.config.pulseaudio = true; hardware.pulseaudio.extraConfig = "load-module module-combine-sink"; + mod.tailscale.enable = true; # Sound: pipewire # sound.enable = false;