| author | Franck Cuny <franck@fcuny.net> | 2025-10-24 09:52:19 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-10-24 09:52:19 -0700 |
| commit | 49e44fb20ca693f5dd9ba5f804b29b019105e3aa (patch) | |
| tree | aa6b10fd41ecdb59867924b0fb5e650a2cd73871 | |
| parent | simplify hosts management (diff) | |
| download | infra-49e44fb20ca693f5dd9ba5f804b29b019105e3aa.tar.gz | |
configure rivendell to be an exit node for tailscale
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell.nix | 14 | ||||
| -rw-r--r-- | secrets/rivendell/ts.age | 7 | ||||
| -rw-r--r-- | secrets/secrets.nix | 5 |
3 files changed, 26 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix index dc0205d..271da7f 100644 --- a/machines/nixos/x86_64-linux/rivendell.nix +++ b/machines/nixos/x86_64-linux/rivendell.nix @@ -23,6 +23,9 @@ wireguard = { file = ../../../secrets/rivendell/wireguard.age; }; + ts = { + file = ../../../secrets/rivendell/ts.age; + }; }; }; @@ -79,6 +82,17 @@ networking.firewall.allowedUDPPorts = [ 51871 ]; + services.tailscale = { + useRoutingFeatures = "both"; + authKeyFile = config.age.secrets.ts.path; + extraSetFlags = [ + "--accept-dns=true" + "--accept-routes=true" + "--advertise-exit-node=true" + "--ssh" + ]; + }; + my.modules.hardware.baremetal.enable = true; my.modules.remote-unlock.enable = true; diff --git a/secrets/rivendell/ts.age b/secrets/rivendell/ts.age new file mode 100644 index 0000000..1395c6f --- /dev/null +++ b/secrets/rivendell/ts.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 pFjJaA PGPTpGAwtNlmeqiL8x+D+XiDLjzFIguuPt3WAu7r+CU +BWophs8BWgdYkP4oYatp2sO3kic/BeVLizfsbgPKbRM +-> ssh-ed25519 Y5h84Q pGQSWR798tJtUvAIIQsW0OrCANtlB6dZWUrLHD4YiTs +lrLz8PewUz0ASgPfsCwBO2N++k7yqWn0ZgSoShIFIjg +--- PmLlCjtBfGMs+Ry8+H4ye5y32VuJXQvMAUiPKRamnis +_dԴVMcP,j[(/|s{ȕ9oXś/ւ vy>EFaEpǧRfB6nv
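Review bot: The `"--ssh"` entry in `extraSetFlags` (second hunk of rivendell.nix, the `services.tailscale` block) turns on Tailscale SSH, so shell access to this host is authorised by the tailnet policy's `ssh` rules rather than by the host's own sshd configuration and authorized keys, and nothing in the change records that. I would add a comment above the flag such as `# Tailscale SSH: logins are authorised by the tailnet ACL "ssh" rules, not sshd_config; keep those rules limited to admin users`, or drop the flag if OpenSSH is already how rivendell is managed (not visible in this hunk). `useRoutingFeatures = "both"` enables IP forwarding and sets reverse-path filtering to loose, which matches `--advertise-exit-node=true` plus `--accept-routes=true`, but a one-line comment saying why both directions are needed would help the next reader. `services.tailscale.enable` does not appear in the hunk, so it is presumably set in a shared module; worth confirming, since without it the `authKeyFile` and flags have no effect.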
\ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 658da54..ce1ab49 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -59,4 +59,9 @@ in users.fcuny hosts.rivendell ]; + + "rivendell/ts.age".publicKeys = [ + users.fcuny + hosts.rivendell + ]; } |
