replace wireguard with tailscale

This commit is contained in:
Yan Lin 2025-11-29 17:53:36 +01:00
parent f5fff0f4c3
commit f29fd6cd0d
5 changed files with 64 additions and 51 deletions


@ -4,7 +4,7 @@
./containers.nix ./containers.nix
./proxy.nix ./proxy.nix
../system-default.nix ../system-default.nix
../../../modules/wireguard.nix ../../../modules/tailscale.nix
../../../modules/podman.nix ../../../modules/podman.nix
../../../modules/traefik.nix ../../../modules/traefik.nix
../../../modules/borg/client.nix ../../../modules/borg/client.nix
@ -257,16 +257,9 @@
''; '';
}; };
# WireGuard VPN configuration (HS as client/spoke) services.tailscale-custom = {
services.wireguard-custom = { exitNode = true;
enable = true; subnetRoutes = [ "10.1.1.0/24" ];
mode = "client";
clientConfig = {
address = "10.2.2.20/24";
serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
serverEndpoint = "91.98.84.215:51820";
allowedIPs = [ "10.2.2.0/24" ];
};
}; };
# Samba file sharing # Samba file sharing
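Review bot: `exitNode = true` turns this host into an exit node where it was a spoke client before, and the thinkpad and vps sections set the same flag, so every node in the tailnet is now offered as an exit node. An exit node forwards all internet traffic for any peer that selects it, and together with the module's unconditional `trustedInterfaces = [ "tailscale0" ]` every peer also gets unfiltered access to this host. If only the VPS is meant to carry traffic, drop the flag here and on the thinkpad and keep `subnetRoutes = [ "10.1.1.0/24" ];`. Advertised routes and exit nodes still have to be approved in the Tailscale admin console (or via ACL auto-approvers), which nothing in the commit mentions; a comment such as `# approve the route / exit node in the admin console after first login` next to this block would help the next person.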


@ -5,7 +5,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
../system-default.nix ../system-default.nix
../../../modules/hyprland/system.nix ../../../modules/hyprland/system.nix
../../../modules/wireguard.nix ../../../modules/tailscale.nix
../../../modules/login-display.nix ../../../modules/login-display.nix
../../../modules/dufs.nix ../../../modules/dufs.nix
]; ];
@ -230,18 +230,7 @@
# Apply XKB config to console (TTY) as well # Apply XKB config to console (TTY) as well
console.useXkbConfig = true; console.useXkbConfig = true;
# WireGuard VPN configuration (ThinkPad as client/spoke) services.tailscale-custom.exitNode = true;
services.wireguard-custom = {
enable = true;
mode = "client";
privateKeyFile = "/etc/wireguard/thinkpad_private.key";
clientConfig = {
address = "10.2.2.30/24";
serverPublicKey = "46QHjSzAas5g9Hll1SCEu9tbR5owCxXAy6wGOUoPwUM=";
serverEndpoint = "91.98.84.215:51820";
allowedIPs = [ "10.2.2.0/24" ];
};
};
# Login display with SMART disk health status # Login display with SMART disk health status
services.login-display = { services.login-display = {
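Review bot: The removed lines named this host's key material explicitly (`privateKeyFile = "/etc/wireguard/thinkpad_private.key"`), while the new one-liner relies on the module's hard-coded `/etc/tailscale/authkey` with nothing in the commit provisioning it. If that file is absent on the ThinkPad, the tailscaled autoconnect step presumably fails and the node stays logged out, which is easy to miss on a laptop. Consider a comment next to this line, e.g. `# requires /etc/tailscale/authkey (mode 0600) on this host`, or better an option in the module that lets each host point at its own secret.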


@ -4,7 +4,7 @@
./containers.nix ./containers.nix
./proxy.nix ./proxy.nix
../system-default.nix ../system-default.nix
../../../modules/wireguard.nix ../../../modules/tailscale.nix
../../../modules/podman.nix ../../../modules/podman.nix
../../../modules/traefik.nix ../../../modules/traefik.nix
../../../modules/borg/client.nix ../../../modules/borg/client.nix
@ -42,7 +42,7 @@
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
trustedInterfaces = [ "wg0" ]; # Allow all traffic through WireGuard interface trustedInterfaces = [ "tailscale0" ];
}; };
}; };
@ -109,30 +109,6 @@
showBorgStatus = true; showBorgStatus = true;
}; };
# WireGuard VPN configuration (VPS as hub/server) services.tailscale-custom.exitNode = true;
services.wireguard-custom = {
enable = true;
mode = "server";
serverConfig = {
address = "10.2.2.1/24";
peers = [
{
name = "hs";
publicKey = "HZY7V8QlnFvY6ZWNiI0WgUgWUISnEqUdzXi7Oq9M1Es=";
allowedIPs = [ "10.2.2.20/32" ];
}
{
name = "thinkpad";
publicKey = "p3442J2HBGY5Pksu+0F4SFkBGjG99KIgwyk8eAt4YmA=";
allowedIPs = [ "10.2.2.30/32" ];
}
{
name = "rpi-wg-10-2-2-200";
publicKey = "vA+jDEtpkqHG0h3AfE0sZXuvw7kkLy/rq5VwwtCOnyE=";
allowedIPs = [ "10.2.2.200/32" ];
}
];
};
};
} }
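Review bot: `trustedInterfaces = [ "tailscale0" ];` in the firewall block now duplicates what modules/tailscale.nix sets for every importing host; NixOS merges the two lists so it is harmless, but keeping the setting in one place avoids the two drifting apart. The comment explaining why the interface is trusted was dropped as well; if the line stays, restore it, e.g. `trustedInterfaces = [ "tailscale0" ]; # tailnet peers bypass the host firewall`. Note the change in trust model the hunk below makes: the removed server config admitted exactly three peers by public key, whereas any device that joins the tailnet now reaches every port on the VPS, so access control moves entirely into the tailnet ACL.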


@ -37,6 +37,7 @@
"calibre" "calibre"
"linearmouse" "linearmouse"
"omnigraffle" "omnigraffle"
"tailscale"
]; ];
taps = [ taps = [
# Additional repositories if needed # Additional repositories if needed

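--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+cfg = config.services.tailscale-custom;
+isRouter = cfg.exitNode || cfg.subnetRoutes != [];
+in
+{
+# NOTE: Auth key file: /etc/tailscale/authkey
+# Generate at https://login.tailscale.com/admin/settings/keys
+# Place on host with mode 0600
+options.services.tailscale-custom = {
+exitNode = mkOption {
+type = types.bool;
+default = false;
+description = "Advertise this node as an exit node";
+};
+subnetRoutes = mkOption {
+type = types.listOf types.str;
+default = [];
+example = [ "10.1.1.0/24" "192.168.1.0/24" ];
+description = "Subnets to advertise to the Tailscale network";
+};
+acceptRoutes = mkOption {
+type = types.bool;
+default = true;
+description = "Accept subnet routes advertised by other nodes";
+};
+};
+config = {
+services.tailscale = {
+enable = true;
+authKeyFile = "/etc/tailscale/authkey";
+useRoutingFeatures = if isRouter then "server" else "client";
+extraUpFlags =
+optional cfg.exitNode "--advertise-exit-node"
+++ optional (cfg.subnetRoutes != []) "--advertise-routes=${concatStringsSep "," cfg.subnetRoutes}"
+++ optional cfg.acceptRoutes "--accept-routes";
+};
+boot.kernel.sysctl = mkIf isRouter {
+"net.ipv4.ip_forward" = 1;
+"net.ipv6.conf.all.forwarding" = 1;
+};
+networking.firewall.trustedInterfaces = [ "tailscale0" ];
+};
+}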
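Review bot: `authKeyFile = "/etc/tailscale/authkey";` and `networking.firewall.trustedInterfaces = [ "tailscale0" ];` are both hard-coded and unconditional, so every importing host must carry a plaintext pre-auth key at that exact path and every tailnet peer bypasses that host's firewall, with no way to opt out per host. Exposing both as options keeps the current defaults while letting a host point at a secret managed elsewhere (agenix/sops-style) or keep its firewall in front of the tailnet. Two smaller points: `with lib;` at module top is discouraged in current nixpkgs style (prefer explicit `lib.mkOption`, `lib.mkIf`), and the upstream NixOS tailscale module already enables forwarding when `useRoutingFeatures = "server"`, so the `boot.kernel.sysctl` block is probably redundant — verify against your nixpkgs revision.
```nix
options.services.tailscale-custom = {
  # … unchanged: exitNode, subnetRoutes, acceptRoutes …
  authKeyFile = mkOption {
    type = types.path;
    default = "/etc/tailscale/authkey";
    description = "Pre-auth key consumed by tailscaled on first login; keep it mode 0600";
  };
  trustInterface = mkOption {
    type = types.bool;
    default = true;
    description = "Let all tailnet peers bypass the host firewall on tailscale0";
  };
};
config = {
  services.tailscale = {
    enable = true;
    authKeyFile = cfg.authKeyFile;
    # … unchanged: useRoutingFeatures, extraUpFlags …
  };
  # … unchanged: boot.kernel.sysctl …
  networking.firewall.trustedInterfaces = mkIf cfg.trustInterface [ "tailscale0" ];
};
```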