fix: sys-nix: mosh now works, troubleshoot-writeup: c3dd64a3e2 (private atm)

2022-11-24 03:48:28 +00:00 · 2022-11-24 03:48:28 +00:00 · 9de22c1476
parent 2e66288ce0
commit 9de22c1476
2 changed files with 100 additions and 93 deletions
--- a/system-nix/configuration.nix
+++ b/system-nix/configuration.nix
@ -74,23 +74,26 @@ with lib;
    # have the job run this shell script
    script = ''
      # wait for tailscaled to settle
-      sleep 5
+      sleep 2
      # check if we are already authenticated to tailscale
      status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
      if [ $status = "Running" ]; then # if so, then do nothing
        exit 0
      fi
-      # otherwise authenticate with tailscale
+
-      ${pkgs.tailscale}/bin/tailscale up -authkey tskey-examplekeyhere
+      # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url
      # This time, configure device auth so that we authenticate from portal
      # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network 
      ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW
    '';
  };
  # Don't touch networking.firewall.enable, just configure everything else.
  # inherit networking;
  networking = networking // {
    firewall = {
-      checkReversePath = "loose";
+      trustedInterfaces = networking.firewall.trustedInterfaces or [] ++ [ "tailscale0" ];
-      trustedInterfaces = [ "tailscale0" ];
+      allowedUDPPorts = networking.firewall.allowedUDPPorts or [] ++ [ config.services.tailscale.port ];
-      allowedUDPPorts = [ config.services.tailscale.port ];
+      allowedTCPPorts = networking.firewall.allowedTCPPorts or [] ++ [ 22 ];
    };
  };
--- a/system-nix/flake.nix
+++ b/system-nix/flake.nix
@ -5,101 +5,105 @@
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs = { self, nixpkgs, ... }: {
+  outputs = { self, nixpkgs, ... }:
-    # Windows with NixOS WSL
+    let lib = nixpkgs.lib; in
-    nixosConfigurations.Felia = nixpkgs.lib.nixosSystem {
+    {
-      system = "x86_64-linux";
+      # Windows with NixOS WSL
-      modules = [
+      nixosConfigurations.Felia = nixpkgs.lib.nixosSystem {
-        ./wsl-configuration.nix
+        system = "x86_64-linux";
-      ];
+        modules = [
-      specialArgs = {
+          ./wsl-configuration.nix
-        # includeHardware = false;
+        ];
-        hostname = "Felia";
+        specialArgs = {
          # includeHardware = false;
          hostname = "Felia";
        };
      };
-    };
+      # Generic machine
-    # Generic machine
+      nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem {
-    nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
-      system = "x86_64-linux";
+        modules = [
-      modules = [
+          ./configuration.nix
-        ./configuration.nix
+        ];
-      ];
+        specialArgs = {
-      specialArgs = {
+          hostname = "lizzi";
-        hostname = "lizzi";
+          networking = {
-        networking = {
+            interfaces.eth1.ipv4.addresses = [{
-          interfaces.eth1.ipv4.addresses = [{
+              address = "71.0.0.1";
-            address = "71.0.0.1";
+              prefixLength = 24;
-            prefixLength = 24;
+            }];
-          }];
+            firewall.enable = false;
-          firewall.enable = false;
+            useDHCP = false;
-          useDHCP = false;
+            interfaces.eth0.useDHCP = true;
-          interfaces.eth0.useDHCP = true;
+          };
-        };
+          boot.loader.grub.enable = true;
-        boot.loader.grub.enable = true;
+          boot.loader.grub.version = 2;
-        boot.loader.grub.version = 2;
+          services.openssh = {
-        services.openssh = {
+            permitRootLogin = "no";
-          permitRootLogin = "no";
+            enable = true;
-          enable = true;
+          };
-        };
+          services.gitea = {
-        services.gitea = {
+            enable = true;
-          enable = true;
+            stateDir = "/gitea";
-          stateDir = "/gitea";
+            rootUrl = "https://git.pegasust.com";
-          rootUrl = "https://git.pegasust.com";
+            settings = {
-          settings = {
+              repository = {
-            repository = {
+                "ENABLE_PUSH_CREATE_USER" = true;
-              "ENABLE_PUSH_CREATE_USER" = true;
+                "ENABLE_PUSH_CREATE_ORG" = true;
-              "ENABLE_PUSH_CREATE_ORG" = true;
+              };
            };
          };
          services.nginx = {
            enable = true;
            clientMaxBodySize = "100m";
            recommendedGzipSettings = true;
            recommendedOptimisation = true;
            recommendedProxySettings = true;
            recommendedTlsSettings = true;
            virtualHosts."git.pegasust.com" = {
              # Gitea hostname
              sslCertificate = "/var/lib/acme/git.pegasust.com/fullchain.pem";
              sslCertificateKey = "/var/lib/acme/git.pegasust.com/key.pem";
              forceSSL = true; # Runs on port 80 and 443
              locations."/".proxyPass = "http://localhost:3000/"; # Proxy to Gitea
            };
          };
        };
-        services.nginx = {
+      };
-          enable = true;
+      nixosConfigurations.nyx = nixpkgs.lib.nixosSystem {
-          clientMaxBodySize = "100m";
+        system = "x86_64-linux";
-          recommendedGzipSettings = true;
+        modules = [
-          recommendedOptimisation = true;
+          ./configuration.nix
-          recommendedProxySettings = true;
+        ];
-          recommendedTlsSettings = true;
+        specialArgs = {
-          virtualHosts."git.pegasust.com" = {
+          hostname = "nyx";
-            # Gitea hostname
+          networking = {
-            sslCertificate = "/var/lib/acme/git.pegasust.com/fullchain.pem";
+            interfaces.eth1.ipv4.addresses = [{
-            sslCertificateKey = "/var/lib/acme/git.pegasust.com/key.pem";
+              address = "71.0.0.2";
-            forceSSL = true; # Runs on port 80 and 443
+              prefixLength = 24;
-            locations."/".proxyPass = "http://localhost:3000/"; # Proxy to Gitea
+            }];
            firewall.enable = true;
            firewall.allowedTCPPorts = [ 22 ];
            firewall.allowedUDPPorts = lib.range 60000 61000; # mosh
            useDHCP = false;
            interfaces.eth0.useDHCP = true;
          };
          boot.loader.grub.enable = true;
          boot.loader.grub.version = 2;
          services.openssh = {
            permitRootLogin = "no";
            enable = true;
          };
        };
      };
-    };
+      nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
-    nixosConfigurations.nyx = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
-      system = "x86_64-linux";
+        modules = [
-      modules = [
+          ./configuration.nix
-        ./configuration.nix
+        ];
-      ];
+        specialArgs = {
-      specialArgs = {
+          hostname = "nixos";
        hostname = "nyx";
        networking = {
          interfaces.eth1.ipv4.addresses = [{
            address = "71.0.0.2";
            prefixLength = 24;
          }];
          firewall.enable = false;
          useDHCP = false;
          interfaces.eth0.useDHCP = true;
        };
        boot.loader.grub.enable = true;
        boot.loader.grub.version = 2;
        services.openssh = {
          permitRootLogin = "no";
          enable = true;
        };
      };
    };
    nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
      ];
      specialArgs = {
        hostname = "nixos";
      };
    };
  };
 }