-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
158 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,153 @@ | ||
| { config, lib, pkgs, inputs, ... }: | ||
|
|
||
| ### pulled some lines from Andrew-d's comment here: https://github.com/NixOS/nixpkgs/pull/204249/files | ||
| ### oauthkeys are currently not working because of trusted CA issues. Currently don't know how to fix for initrd. | ||
| ### oauthkeys would be prefered because they don't need refreshed. | ||
| ### authkeys expired every 3 months and will need to be manually updated. | ||
| ### I have had weird results when trying to overwrite existing key files in initrd, often times only re-naming to a fresh file name appears to work. | ||
|
|
||
|
|
||
|
|
||
| with lib; | ||
| let | ||
| cfg = config.yomaq.initrd-tailscale; | ||
| in | ||
| { | ||
| options = { | ||
| yomaq.initrd-tailscale = { | ||
| enable = mkOption { | ||
| type = types.bool; | ||
| default = false; | ||
| description = lib.mdDoc '' | ||
| Starts a Tailscale during initrd boot. It can be used to e.g. | ||
| remotely accessing the SSH service controlled by | ||
| {option}`boot.initrd.network.ssh` or other network services | ||
| included. Service is killed when stage-1 boot is finished. | ||
| ''; | ||
| }; | ||
| package = lib.mkPackageOptionMD pkgs "tailscale" {}; | ||
|
|
||
| authKeyFile = mkOption { | ||
| type = types.nullOr types.path; | ||
| default = "${config.age.secrets.tailscaleOAuthKeyAcceptSsh.path}"; | ||
| example = "/run/secrets/tailscale_key"; | ||
| description = lib.mdDoc '' | ||
| A file containing the auth key. | ||
| ''; | ||
| }; | ||
| extraUpFlags = mkOption { | ||
| description = lib.mdDoc "Extra flags to pass to {command}`tailscale up`."; | ||
| type = types.listOf types.str; | ||
| default = []; | ||
| example = ["--ssh"]; | ||
| }; | ||
| }; | ||
| }; | ||
|
|
||
| config = | ||
| let | ||
| iptables-static = pkgs.iptables.overrideAttrs (old: { | ||
| dontDisableStatic = true; | ||
| configureFlags = (lib.remove "--enable-shared" old.configureFlags) ++ [ | ||
| "--enable-static" | ||
| "--disable-shared" | ||
| ]; | ||
| }); | ||
| in | ||
| mkIf (config.boot.initrd.network.enable && cfg.enable) { | ||
|
|
||
|
|
||
| boot.initrd.kernelModules = [ "tun" "tap" ]; | ||
| boot.initrd.availableKernelModules = [ | ||
| "ip6_tables" | ||
| "ip6t_rpfilter" | ||
| "ip_tables" | ||
| "ipt_rpfilter" | ||
| "libcrc32c" | ||
| "nf_conntrack" | ||
| "nf_conntrack_netlink" | ||
| "nf_defrag_ipv4" | ||
| "nf_defrag_ipv6" | ||
| "nf_nat" | ||
| "nf_reject_ipv4" | ||
| "nf_reject_ipv6" | ||
| "nf_tables" | ||
| "nft_chain_nat" | ||
| "nft_compat" | ||
| "nfnetlink" | ||
| "nft_compat" | ||
| "tun" | ||
| "x_tables" | ||
| "xt_LOG" | ||
| "xt_MASQUERADE" | ||
| "xt_addrtype" | ||
| "xt_comment" | ||
| "xt_conntrack" | ||
| "xt_mark" | ||
| "xt_multiport" | ||
| "xt_pkttype" | ||
| "xt_tcpudp" | ||
| ]; | ||
| # [...] | ||
| boot.initrd.extraUtilsCommands = '' | ||
| copy_bin_and_libs ${cfg.package}/bin/.tailscaled-wrapped | ||
| copy_bin_and_libs ${cfg.package}/bin/.tailscale-wrapped | ||
| copy_bin_and_libs ${pkgs.iproute}/bin/ip | ||
| copy_bin_and_libs ${iptables-static}/bin/iptables | ||
| copy_bin_and_libs ${iptables-static}/bin/ip6tables | ||
| copy_bin_and_libs ${iptables-static}/bin/xtables-legacy-multi | ||
| copy_bin_and_libs ${iptables-static}/bin/xtables-nft-multi | ||
| ''; | ||
| ## this didn't work for extraUtilsCommands | ||
| # ${lib.concatMapStringsSep "\n" (file: '' | ||
| # cp "${file}" /etc/ssl/certs/ | ||
| # '') config.security.pki.certificateFiles} | ||
|
|
||
|
|
||
|
|
||
| # boot.initrd.systemd.storePaths = [ | ||
| # # "${lib.getExe cfg.package}" | ||
| # "${lib.getExe pkgs.kmod}" | ||
| # "${cfg.package}}/bin/tailscale" | ||
| # ]; | ||
|
|
||
|
|
||
| age.secrets.tailscaleOAuthKeyAcceptSsh.file = ( inputs.self + /secrets/tailscaleOAuthKeyAcceptSsh.age); | ||
|
|
||
| boot.initrd.secrets = { | ||
| "/etc/tauthkey" = cfg.authKeyFile; | ||
| }; | ||
|
|
||
| # boot.initrd.extraFiles = { | ||
| # "/etc/ssl/certs/".source = config.security.pki.certificateFiles; | ||
| # }; | ||
| # boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) '' | ||
| # $out/bin/tailscale --version | ||
| # ''; | ||
|
|
||
| boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) '' | ||
| .tailscaled-wrapped --state=mem: & | ||
| .tailscale-wrapped up --hostname=${config.networking.hostName}-initrd --auth-key 'file:/etc/tauthkey' ${escapeShellArgs cfg.extraUpFlags} & | ||
| ''; | ||
| # oathkeys need dns and trusted CA's. | ||
| # echo "nameserver 1.1.1.1" >> /etc/resolv.conf & | ||
|
|
||
|
|
||
| # boot.initrd.systemd.enable = true; | ||
|
|
||
| # boot.initrd.systemd.services.tailscaled = { | ||
| # wantedBy = [ "initrd.target" ]; | ||
| # path = [ pkgs.kmod ]; | ||
| # after = [ "network.target" "initrd-nixos-copy-secrets.service" ]; | ||
| # serviceConfig.ExecStart = ".tailscaled-wrapped"; | ||
| # serviceConfig.Type = "notify"; | ||
| # }; | ||
|
|
||
| # boot.initrd.systemd.services.tailscale = { | ||
| # wantedBy = [ "initrd.target" ]; | ||
| # after = [ "tailscaled.service" ]; | ||
| # serviceConfig.ExecStart = ".tailscale-wrapped up --auth-key 'file:/etc/authkey' ${escapeShellArgs cfg.extraUpFlags}"; | ||
| # serviceConfig.Type = "notify"; | ||
| # }; | ||
| }; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
Binary file not shown.