From f29fd6cd0d60ec6ccf71625cc905cbb917ad9f85 Mon Sep 17 00:00:00 2001
From: Yan Lin
Date: Sat, 29 Nov 2025 17:53:36 +0100
Subject: [PATCH] replace wireguard with tailscale
---
 hosts/nixos/hs/system.nix | 15 +++------
 hosts/nixos/thinkpad/system.nix | 15 ++-------
 hosts/nixos/vps/system.nix | 30 ++----------------
 modules/homebrew.nix | 1 +
 modules/tailscale.nix | 54 +++++++++++++++++++++++++++++++++
 5 files changed, 64 insertions(+), 51 deletions(-)
 create mode 100644 modules/tailscale.nix
diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix
index 7b321e8..2ce22b5 100644
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@@ -4,7 +4,7 @@
 ./containers.nix
 ./proxy.nix
 ../system-default.nix
- ../../../modules/wireguard.nix
+ ../../../modules/tailscale.nix
 ../../../modules/podman.nix
 ../../../modules/traefik.nix
 ../../../modules/borg/client.nix
@@ -257,16 +257,9 @@
 '';
 };
- # WireGuard VPN configuration (HS as client/spoke)
- services.wireguard-custom = {
- enable = true;
- mode = "client";
- clientConfig = {
- address = "10.2.2.20/24";
- serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
- serverEndpoint = "91.98.84.215:51820";
- allowedIPs = [ "10.2.2.0/24" ];
- };
+ services.tailscale-custom = {
+ exitNode = true;
+ subnetRoutes = [ "10.1.1.0/24" ];
 };
 # Samba file sharing
diff --git a/hosts/nixos/thinkpad/system.nix b/hosts/nixos/thinkpad/system.nix
index fa170ff..1f87ab6 100644
--- a/hosts/nixos/thinkpad/system.nix
+++ b/hosts/nixos/thinkpad/system.nix
@@ -5,7 +5,7 @@
 ./hardware-configuration.nix
 ../system-default.nix
 ../../../modules/hyprland/system.nix
- ../../../modules/wireguard.nix
+ ../../../modules/tailscale.nix
 ../../../modules/login-display.nix
 ../../../modules/dufs.nix
 ];
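Review bot: `subnetRoutes = [ "10.1.1.0/24" ]` exposes that LAN to every tailnet peer the ACL permits, and because the new module also puts `tailscale0` in `trustedInterfaces`, hs itself accepts all traffic from those peers as well; the removed WireGuard spoke was limited to `allowedIPs = [ "10.2.2.0/24" ]`. Advertised routes are also inert until they are approved in the Tailscale admin console (or by an autoApprovers entry in the ACL), which is easy to forget on a freshly enrolled node. A comment above the block would make the exposure explicit, e.g. `# 10.1.1.0/24 becomes reachable from the whole tailnet; restrict with the tailnet ACL, not the host firewall`. The enclosing attribute set starts and ends outside the hunk.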
@@ -230,18 +230,7 @@
 # Apply XKB config to console (TTY) as well
 console.useXkbConfig = true;
- # WireGuard VPN configuration (ThinkPad as client/spoke)
- services.wireguard-custom = {
- enable = true;
- mode = "client";
- privateKeyFile = "/etc/wireguard/thinkpad_private.key";
- clientConfig = {
- address = "10.2.2.30/24";
- serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
- serverEndpoint = "91.98.84.215:51820";
- allowedIPs = [ "10.2.2.0/24" ];
- };
- };
+ services.tailscale-custom.exitNode = true;
 # Login display with SMART disk health status
 services.login-display = {
diff --git a/hosts/nixos/vps/system.nix b/hosts/nixos/vps/system.nix
index 8ff54a7..a8a04e4 100644
--- a/hosts/nixos/vps/system.nix
+++ b/hosts/nixos/vps/system.nix
@@ -4,7 +4,7 @@
 ./containers.nix
 ./proxy.nix
 ../system-default.nix
- ../../../modules/wireguard.nix
+ ../../../modules/tailscale.nix
 ../../../modules/podman.nix
 ../../../modules/traefik.nix
 ../../../modules/borg/client.nix
@@ -42,7 +42,7 @@
 firewall = {
 enable = true;
 allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
- trustedInterfaces = [ "wg0" ]; # Allow all traffic through WireGuard interface
+ trustedInterfaces = [ "tailscale0" ];
 };
 };
@@ -109,30 +109,6 @@
 showBorgStatus = true;
 };
- # WireGuard VPN configuration (VPS as hub/server)
- services.wireguard-custom = {
- enable = true;
- mode = "server";
- serverConfig = {
- address = "10.2.2.1/24";
- peers = [
- {
- name = "hs";
- publicKey = "HZY7V8QlnFvY6ZWNiI0WgUgWUISnEqUdzXi7Oq9M1Es=";
- allowedIPs = [ "10.2.2.20/32" ];
- }
- {
- name = "thinkpad";
- publicKey = "p3442J2HBGY5Pksu+0F4SFkBGjG99KIgwyk8eAt4YmA=";
- allowedIPs = [ "10.2.2.30/32" ];
- }
- {
- name = "rpi-wg-10-2-2-200";
- publicKey = "vA+jDEtpkqHG0h3AfE0sZXuvw7kkLy/rq5VwwtCOnyE=";
- allowedIPs = [ "10.2.2.200/32" ];
- }
- ];
- };
- };
+ services.tailscale-custom.exitNode = true;
 }
diff --git a/modules/homebrew.nix b/modules/homebrew.nix
index 48ce6c3..210f117 100644
--- a/modules/homebrew.nix
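Review bot: `services.tailscale-custom.exitNode = true;` makes the laptop an advertised exit node: the module then selects `useRoutingFeatures = "server"` and enables IP forwarding, so any peer the ACL allows can route its Internet traffic out through whichever network the ThinkPad happens to be connected to, whereas the removed block configured it purely as a client/spoke. If the laptop is only meant to use an exit node, this line can be dropped; the import added in the earlier hunk already enables tailscaled in client mode with `--accept-routes`. If it really is meant to serve as an exit node, a one-line comment saying why would stop the next reader from removing it. The enclosing attribute set starts and ends outside the hunk.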
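Review bot: `trustedInterfaces = [ "tailscale0" ];` in the firewall hunk duplicates the identical line in the new modules/tailscale.nix (list options merge, so the interface is simply listed twice) and drops the comment that explained the old `wg0` entry. Both copies let every tailnet peer the ACL permits reach every port on the VPS, which, unless the tailnet ACL has been tightened from its all-to-all default, is wider than the removed WireGuard hub where each spoke was pinned to a single /32. Consider keeping only the module's copy with the comment restored there, or narrowing to `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ ... ];` for the services that must actually be reachable over the tailnet. The public side still opens only 22/80/443; if direct peer connections to the VPS matter rather than relaying through DERP, `services.tailscale.openFirewall = true;` opens tailscaled's UDP port. The enclosing `networking` set starts and ends outside the hunk.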
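Review bot: The removed peer list in the last vps hunk contained a third spoke, `rpi-wg-10-2-2-200`, that has no counterpart anywhere in this commit, so it silently loses VPN reachability unless it is enrolled in the tailnet separately; that deserves a sentence in the commit message or a tracked follow-up. The VPS also changes role from hub to exit node via `services.tailscale-custom.exitNode = true;`, which together with the module's `trustedInterfaces` entry means every permitted tailnet peer can both reach the host and egress through it. Once the cut-over is confirmed, the WireGuard private keys the old module used (for example the `privateKeyFile` path removed in the ThinkPad hunk) should be deleted or rotated rather than left on disk. The enclosing attribute set starts outside the hunk.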
+++ b/modules/homebrew.nix
@@ -37,6 +37,7 @@
 "calibre"
 "linearmouse"
 "omnigraffle"
+ "tailscale"
 ];
 taps = [
 # Additional repositories if needed
diff --git a/modules/tailscale.nix b/modules/tailscale.nix
new file mode 100644
index 0000000..3ba58e4
--- /dev/null
+++ b/modules/tailscale.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.tailscale-custom;
+ isRouter = cfg.exitNode || cfg.subnetRoutes != [];
+in
+
+{
+ # NOTE: Auth key file: /etc/tailscale/authkey
+ # Generate at https://login.tailscale.com/admin/settings/keys
+ # Place on host with mode 0600
+
+ options.services.tailscale-custom = {
+ exitNode = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Advertise this node as an exit node";
+ };
+
+ subnetRoutes = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "10.1.1.0/24" "192.168.1.0/24" ];
+ description = "Subnets to advertise to the Tailscale network";
+ };
+
+ acceptRoutes = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Accept subnet routes advertised by other nodes";
+ };
+ };
+
+ config = {
+ services.tailscale = {
+ enable = true;
+ authKeyFile = "/etc/tailscale/authkey";
+ useRoutingFeatures = if isRouter then "server" else "client";
+ extraUpFlags =
+ optional cfg.exitNode "--advertise-exit-node"
+ ++ optional (cfg.subnetRoutes != []) "--advertise-routes=${concatStringsSep "," cfg.subnetRoutes}"
+ ++ optional cfg.acceptRoutes "--accept-routes";
+ };
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ };
+}
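Review bot: `authKeyFile = "/etc/tailscale/authkey"` in the new modules/tailscale.nix is hard-coded and the only guidance is the NOTE comment at the top, so a host that keeps secrets elsewhere cannot point the module at them, and nothing says what kind of key is expected; a reusable, non-expiring key left at that path is a long-lived enrolment credential, so the comment should recommend a one-off or ephemeral key and removing the file once the node is logged in. Making the path an option with the current value as its default keeps every host in this commit working unchanged. Two smaller points: importing the module enables tailscaled unconditionally (there is no `enable` option, unlike the `enable = true;` the removed wireguard-custom blocks set), which deserves a comment at the top such as `# Importing this module enables tailscaled; there is no enable switch`; and, as far as I recall, NixOS's services.tailscale already turns on forwarding when `useRoutingFeatures = "server"`, so the explicit `boot.kernel.sysctl` block is probably redundant and should at least carry a comment saying it is intentional belt-and-braces. The `trustedInterfaces` line is discussed on the vps/system.nix firewall hunk.
```nix
  options.services.tailscale-custom = {
    authKeyFile = mkOption {
      type = types.path;
      default = "/etc/tailscale/authkey";
      description = "Auth key consumed on first login; use a one-off or ephemeral key and remove the file afterwards";
    };
    # … unchanged: exitNode, subnetRoutes, acceptRoutes …
  };

  config = {
    services.tailscale = {
      enable = true;
      authKeyFile = cfg.authKeyFile;
      # … unchanged: useRoutingFeatures, extraUpFlags …
    };
    # … unchanged: sysctl, trustedInterfaces …
  };
```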