From da0395ceae91ef1be4ce13a88c9f9fecce6c3262 Mon Sep 17 00:00:00 2001
From: yomaq
Date: Wed, 15 May 2024 21:50:32 -0500
Subject: [PATCH] initrd-tailscale init
---
 hosts/teal/teal.nix | 6 +-
 modules/hosts/initrd-tailscale/nixos.nix | 153 +++++++++++++++++++++++
 secrets/secrets.nix | 2 +-
 secrets/tailscaleKeyAcceptSsh.age | 9 --
 secrets/tailscaleOAuthKeyAcceptSsh.age | Bin 0 -> 934 bytes
 5 files changed, 158 insertions(+), 12 deletions(-)
 create mode 100644 modules/hosts/initrd-tailscale/nixos.nix
 delete mode 100644 secrets/tailscaleKeyAcceptSsh.age
 create mode 100644 secrets/tailscaleOAuthKeyAcceptSsh.age
diff --git a/hosts/teal/teal.nix b/hosts/teal/teal.nix
index c11aa5e..819dc91 100644
--- a/hosts/teal/teal.nix
+++ b/hosts/teal/teal.nix
@@ -17,6 +17,8 @@
 boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ yomaq.initrd-tailscale.enable = true;
+
 yomaq = {
 autoUpgrade.enable = true;
 primaryUser.users = [ "carln" "admin" ];
@@ -37,9 +39,9 @@
 };
 docker.enable = true;
 pods = {
- windows.windowstest.enable = true;
+ # windows.windowstest.enable = true;
 };
- nixos-containers.nextcloud.enable = true;
+ # nixos-containers.nextcloud.enable = true;
 # disk configuration
 disks = {
 enable = true;
diff --git a/modules/hosts/initrd-tailscale/nixos.nix b/modules/hosts/initrd-tailscale/nixos.nix
new file mode 100644
index 0000000..db9b447
--- /dev/null
+++ b/modules/hosts/initrd-tailscale/nixos.nix
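Review bot: The second teal.nix hunk disables the windows pod and the nextcloud container by commenting the lines out, which is unrelated to the initrd-tailscale subject of this commit and leaves commented-out configuration behind. If the intent is to turn them off, `windows.windowstest.enable = false;` and `nixos-containers.nextcloud.enable = false;` say so explicitly and keep the options discoverable; if they are meant to go, delete the lines. A sentence in the commit message on why they are switched off would also help the next reader, since nothing in the subject hints at it.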
@@ -0,0 +1,153 @@
+{ config, lib, pkgs, inputs, ... }:
+
+### pulled some lines from Andrew-d's comment here: https://github.com/NixOS/nixpkgs/pull/204249/files
+### oauthkeys are currently not working because of trusted CA issues. Currently don't know how to fix for initrd.
+### oauthkeys would be prefered because they don't need refreshed.
+### authkeys expired every 3 months and will need to be manually updated.
+### I have had weird results when trying to overwrite existing key files in initrd, often times only re-naming to a fresh file name appears to work.
+
+
+
+with lib;
+let
+ cfg = config.yomaq.initrd-tailscale;
+in
+{
+ options = {
+ yomaq.initrd-tailscale = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Starts a Tailscale during initrd boot. It can be used to e.g.
+ remotely accessing the SSH service controlled by
+ {option}`boot.initrd.network.ssh` or other network services
+ included. Service is killed when stage-1 boot is finished.
+ '';
+ };
+ package = lib.mkPackageOptionMD pkgs "tailscale" {};
+
+ authKeyFile = mkOption {
+ type = types.nullOr types.path;
+ default = "${config.age.secrets.tailscaleOAuthKeyAcceptSsh.path}";
+ example = "/run/secrets/tailscale_key";
+ description = lib.mdDoc ''
+ A file containing the auth key.
+ '';
+ };
+ extraUpFlags = mkOption {
+ description = lib.mdDoc "Extra flags to pass to {command}`tailscale up`.";
+ type = types.listOf types.str;
+ default = [];
+ example = ["--ssh"];
+ };
+ };
+ };
+
+ config =
+ let
+ iptables-static = pkgs.iptables.overrideAttrs (old: {
+ dontDisableStatic = true;
+ configureFlags = (lib.remove "--enable-shared" old.configureFlags) ++ [
+ "--enable-static"
+ "--disable-shared"
+ ];
+ });
+ in
+ mkIf (config.boot.initrd.network.enable && cfg.enable) {
+
+
+ boot.initrd.kernelModules = [ "tun" "tap" ];
+ boot.initrd.availableKernelModules = [
+ "ip6_tables"
+ "ip6t_rpfilter"
+ "ip_tables"
+ "ipt_rpfilter"
+ "libcrc32c"
+ "nf_conntrack"
+ "nf_conntrack_netlink"
+ "nf_defrag_ipv4"
+ "nf_defrag_ipv6"
+ "nf_nat"
+ "nf_reject_ipv4"
+ "nf_reject_ipv6"
+ "nf_tables"
+ "nft_chain_nat"
+ "nft_compat"
+ "nfnetlink"
+ "nft_compat"
+ "tun"
+ "x_tables"
+ "xt_LOG"
+ "xt_MASQUERADE"
+ "xt_addrtype"
+ "xt_comment"
+ "xt_conntrack"
+ "xt_mark"
+ "xt_multiport"
+ "xt_pkttype"
+ "xt_tcpudp"
+ ];
+ # [...]
+ boot.initrd.extraUtilsCommands = ''
+ copy_bin_and_libs ${cfg.package}/bin/.tailscaled-wrapped
+ copy_bin_and_libs ${cfg.package}/bin/.tailscale-wrapped
+ copy_bin_and_libs ${pkgs.iproute}/bin/ip
+ copy_bin_and_libs ${iptables-static}/bin/iptables
+ copy_bin_and_libs ${iptables-static}/bin/ip6tables
+ copy_bin_and_libs ${iptables-static}/bin/xtables-legacy-multi
+ copy_bin_and_libs ${iptables-static}/bin/xtables-nft-multi
+ '';
+ ## this didn't work for extraUtilsCommands
+ # ${lib.concatMapStringsSep "\n" (file: ''
+ # cp "${file}" /etc/ssl/certs/
+ # '') config.security.pki.certificateFiles}
+
+
+
+ # boot.initrd.systemd.storePaths = [
+ # # "${lib.getExe cfg.package}"
+ # "${lib.getExe pkgs.kmod}"
+ # "${cfg.package}}/bin/tailscale"
+ # ];
+
+
+ age.secrets.tailscaleOAuthKeyAcceptSsh.file = ( inputs.self + /secrets/tailscaleOAuthKeyAcceptSsh.age);
+
+ boot.initrd.secrets = {
+ "/etc/tauthkey" = cfg.authKeyFile;
+ };
+
+ # boot.initrd.extraFiles = {
+ # "/etc/ssl/certs/".source = config.security.pki.certificateFiles;
+ # };
+ # boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) ''
+ # $out/bin/tailscale --version
+ # '';
+
+ boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) ''
+ .tailscaled-wrapped --state=mem: &
+ .tailscale-wrapped up --hostname=${config.networking.hostName}-initrd --auth-key 'file:/etc/tauthkey' ${escapeShellArgs cfg.extraUpFlags} &
+ '';
+ # oathkeys need dns and trusted CA's.
+ # echo "nameserver 1.1.1.1" >> /etc/resolv.conf &
+
+
+ # boot.initrd.systemd.enable = true;
+
+ # boot.initrd.systemd.services.tailscaled = {
+ # wantedBy = [ "initrd.target" ];
+ # path = [ pkgs.kmod ];
+ # after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+ # serviceConfig.ExecStart = ".tailscaled-wrapped";
+ # serviceConfig.Type = "notify";
+ # };
+
+ # boot.initrd.systemd.services.tailscale = {
+ # wantedBy = [ "initrd.target" ];
+ # after = [ "tailscaled.service" ];
+ # serviceConfig.ExecStart = ".tailscale-wrapped up --auth-key 'file:/etc/authkey' ${escapeShellArgs cfg.extraUpFlags}";
+ # serviceConfig.Type = "notify";
+ # };
+ };
+}
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a758766..c37236e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -16,7 +16,7 @@ in
 "ryn.age".publicKeys = [ blue ] ++ all;
 "encrypt.age".publicKeys = all;
 "tailscaleKey.age".publicKeys = [ green azure teal smalt ] ++ all;
- "tailscaleKeyAcceptSsh.age".publicKeys = [ ] ++ all;
+ "tailscaleOAuthKeyAcceptSsh.age".publicKeys = [ green azure teal smalt ] ++ all;
 "tailscaleEnvFile.age".publicKeys = [ green azure teal smalt ] ++ all;
 "tailscaleOAuthEnvFile.age".publicKeys = [ green azure teal smalt ] ++ all;
 "piholeEnvFile.age".publicKeys = [ green ] ++ all;
diff --git a/secrets/tailscaleKeyAcceptSsh.age b/secrets/tailscaleKeyAcceptSsh.age
deleted file mode 100644
index 37d5377..0000000
--- a/secrets/tailscaleKeyAcceptSsh.age
+++ /dev/null
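Review bot: `boot.initrd.secrets."/etc/tauthkey" = cfg.authKeyFile` embeds the Tailscale auth key in the initrd, and for the scripted stage-1 this module targets (both `mkIf (!config.boot.initrd.systemd.enable)` guards) that image lives on the boot partition, normally unencrypted, so anyone able to read /boot can read the key and register nodes with it; that is the accepted trade-off of initrd secrets, but it argues for a reusable key scoped as narrowly as the tailnet allows (tagged, ACL-limited, ephemeral) and for a sentence on the `authKeyFile` option saying so. The option's `default` also points at `tailscaleOAuthKeyAcceptSsh`, which the header comment says does not work in initrd, so either the secret name or the comment is stale. In `postCommands`, `.tailscale-wrapped up` is launched straight after `.tailscaled-wrapped --state=mem: &` without waiting for the daemon's control socket, so on a slow boot `up` can fail and the initrd comes up without its remote path; a bounded poll on the socket before `up` closes that race (default socket path assumed below, confirm it inside the initrd). Separately, `"nft_compat"` appears twice in `boot.initrd.availableKernelModules`, and the commented-out systemd-stage-1 blocks would read better as a short TODO than as dead code.
```nix
    boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) ''
      .tailscaled-wrapped --state=mem: &
      # wait (bounded) for the daemon's control socket before calling `up`
      i=0
      while [ ! -S /var/run/tailscale/tailscaled.sock ] && [ $i -lt 50 ]; do
        sleep 0.2
        i=$((i + 1))
      done
      .tailscale-wrapped up --hostname=${config.networking.hostName}-initrd --auth-key 'file:/etc/tauthkey' ${escapeShellArgs cfg.extraUpFlags} &
    '';
```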
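Review bot: The renamed secret `tailscaleOAuthKeyAcceptSsh.age` is now encrypted to `[ green azure teal smalt ] ++ all`, whereas the entry it replaces was `[ ] ++ all` and the only consumer in this commit is the initrd-tailscale module enabled on teal. Every host key in that list can decrypt an auth key that joins the tailnet on the initrd node, so limiting the recipients to the hosts that actually enable the module keeps the key off machines that never need it; the list can be widened when another host opts in.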
@@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 ziJpqg UgTyAly+jzc6ADIVw5kj0qYu+8l6VGEEQHAVUPQR2TE -QH/rpLjLbW7Qe0a6R1T2lmZikQxpX4iWD36h/lltqco --> ssh-ed25519 PzSKMw RWMXzWP5/arwlfwqcDll/xLIhWo/WYxibTdrkCTUsWw -4EOZy38cfldMH6m79kiicXLMdAG8wRCsUf6fO24LQpU --> ssh-ed25519 eytxVw MOoQBZ4Dz3aFmcTAlCcfY/69u3clw6Sq+cXkoyRRmw0 -ZsmNxDuyODMzh0HXiCik1MZBOH9zMvOLBYF6MoyI9aI ---- zGuU7Si3s9A0XtUWhelQcfDgifs/EwQR1NpPk/9q6Yw -t$]˦qF6|GpRgՊ2sM ZKsngž"/hIk2 Vu}dyb8ծ \ No newline at end of file diff --git a/secrets/tailscaleOAuthKeyAcceptSsh.age b/secrets/tailscaleOAuthKeyAcceptSsh.age new file mode 100644 index 0000000000000000000000000000000000000000..7fa35293473525e1f165ffec39cca4c449ace846 GIT binary patch literal 934 zcmZY7yX)h0008jc;c^5-Tm>bYLavwQ)g~Z9@@XxK=v`LfZ(Y&TRRB#bo z9Ua8Q(LoLl+(bc+69g9pM-e;`)J@#$U+`HzUK~!sJgA0Cb1d?QMHQnh22I|9>pGc) z2b`iX2KLlWOk!ARfXe`_+w4rolytFewShBb6liPjV0RYLT}5$UY=yLj0xTLS&={Zq z5uZjGz&T#_sI4a&bhV8r8apk7!*1tf>aB(zP$Q4wL0OVTOPjpYR^z$53hREvmW<^t zY+pbrv<9YT<*wWcG*q3j3j@dn<1}htHb-?2W;?#Dtz{YDyE7N6GsP+L;fil>wS+xn zc?TDWl}ZJ5RmF3-FV7A}@+h6izPmN(dajfj@76GS)he6FB`JY2b{UvT&gLSZy2KR#Rwzj zZkew8jD(1wISBk=IxJ64j%dE^W(I|n*JYjH4eEu7G(?Rz`}Zr1vloM)avvMPCD5YcKm?&^uZhPmmeeSTmSk${rx_8@g#rzsC!%a^N07Ix)}K5muL6Cn}781uY2Fr o%IEOY^po$udbj-WpBJ(9{Il18Z(n)!j(xd%j^DeZqSt=>4?k8qPXGV_ literal 0 HcmV?d00001