From 49e44fb20ca693f5dd9ba5f804b29b019105e3aa Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Fri, 24 Oct 2025 09:52:19 -0700
Subject: configure rivendell to be an exit node for tailscale
---
 machines/nixos/x86_64-linux/rivendell.nix | 14 ++++++++++++++
 secrets/rivendell/ts.age | 7 +++++++
 secrets/secrets.nix | 5 +++++
 3 files changed, 26 insertions(+)
 create mode 100644 secrets/rivendell/ts.age
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index dc0205d..271da7f 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -23,6 +23,9 @@
 wireguard = {
 file = ../../../secrets/rivendell/wireguard.age;
 };
+ ts = {
+ file = ../../../secrets/rivendell/ts.age;
+ };
 };
 };
@@ -79,6 +82,17 @@
 networking.firewall.allowedUDPPorts = [ 51871 ];
+ services.tailscale = {
+ useRoutingFeatures = "both";
+ authKeyFile = config.age.secrets.ts.path;
+ extraSetFlags = [
+ "--accept-dns=true"
+ "--accept-routes=true"
+ "--advertise-exit-node=true"
+ "--ssh"
+ ];
+ };
+
 my.modules.hardware.baremetal.enable = true;
 my.modules.remote-unlock.enable = true;
diff --git a/secrets/rivendell/ts.age b/secrets/rivendell/ts.age
new file mode 100644
index 0000000..1395c6f
--- /dev/null
+++ b/secrets/rivendell/ts.age
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 pFjJaA PGPTpGAwtNlmeqiL8x+D+XiDLjzFIguuPt3WAu7r+CU +BWophs8BWgdYkP4oYatp2sO3kic/BeVLizfsbgPKbRM +-> ssh-ed25519 Y5h84Q pGQSWR798tJtUvAIIQsW0OrCANtlB6dZWUrLHD4YiTs +lrLz8PewUz0ASgPfsCwBO2N++k7yqWn0ZgSoShIFIjg +--- PmLlCjtBfGMs+Ry8+H4ye5y32VuJXQvMAUiPKRamnis +_dԴVMcP,j[(/|s{ȕ9oXś/ւ vy>EFaEpǧRfB6nv \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 658da54..ce1ab49 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -59,4 +59,9 @@ in
 users.fcuny
 hosts.rivendell
 ];
+
+ "rivendell/ts.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
 }
-- 
cgit v1.2.3
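Review bot: The `"--ssh"` entry in `extraSetFlags` enables Tailscale SSH, so shell access to rivendell is then authorized by the tailnet policy's SSH rules rather than by anything in this repository, and nothing in the `services.tailscale` block says so. On a host that also advertises itself as an exit node and has `my.modules.remote-unlock` enabled, I would record that dependency with a comment above the list, e.g. `# --ssh: logins are authorized by the tailnet ACL "ssh" rules; keep them limited to the admin user`. `--accept-routes=true` makes this machine install subnet routes advertised by any approved peer; if rivendell only needs to serve as an exit node, consider `"--accept-routes=false"`. As far as I know `useRoutingFeatures = "both"` also switches the NixOS firewall's reverse-path check to loose, whereas `"server"` only enables forwarding, which would be the narrower setting for an exit node.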