| author | seth <[email protected]> | 2023-07-15 03:19:10 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2023-07-15 04:15:21 -0400 |
| commit | 72d7d82952b46e854d9aeb21d9aa63eea4464793 (patch) | |
| tree | b15cf37c511b02a9ea2f92df223713d8ea0c20a8 | |
| parent | f0ed286c00c8369a9c99986c7574b60954120d94 (diff) | |
profiles/server: start using tailscale ssh
| -rw-r--r-- | hosts/profiles.nix | 5 | ||||
| -rw-r--r-- | modules/nixos/features/tailscale.nix | 8 | ||||
| -rw-r--r-- | secrets/hosts/atlas/tailscaleAuthKey.age | 14 | ||||
| -rw-r--r-- | secrets/hosts/p-body/tailscaleAuthKey.age | 12 | ||||
| -rw-r--r-- | secrets/secrets.nix | 2 |
5 files changed, 35 insertions, 6 deletions
diff --git a/hosts/profiles.nix b/hosts/profiles.nix index b8adc8e..143fcd0 100644 --- a/hosts/profiles.nix +++ b/hosts/profiles.nix @@ -74,7 +74,10 @@ in { { getchoo = { - features.tailscale.enable = true; + features.tailscale = { + enable = true; + ssh.enable = true; + }; server = { enable = true; diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix index 042426b..1c307bb 100644 --- a/modules/nixos/features/tailscale.nix +++ b/modules/nixos/features/tailscale.nix @@ -26,26 +26,24 @@ in { allowedUDPPorts = [config.services.tailscale.port]; trustedInterfaces = ["tailscale0"]; } - // (mkIf cfg.ssh.enable { + // lib.optionalAttrs cfg.ssh.enable { allowedTCPPorts = [22]; - }); + }; services = { tailscale.enable = mkDefault true; }; + # https://tailscale.com/kb/1096/nixos-minecraft/ systemd.services.tailscale-autoconnect = { description = "Automatic connection to Tailscale"; - # make sure tailscale is running before trying to connect to tailscale after = ["network-pre.target" "tailscale.service"]; wants = ["network-pre.target" "tailscale.service"]; wantedBy = ["multi-user.target"]; - # set this service as a oneshot job serviceConfig.Type = "oneshot"; - # have the job run this shell script script = let inherit (pkgs) tailscale jq; in '' diff --git a/secrets/hosts/atlas/tailscaleAuthKey.age b/secrets/hosts/atlas/tailscaleAuthKey.age new file mode 100644 index 0000000..1517baf --- /dev/null +++ b/secrets/hosts/atlas/tailscaleAuthKey.age 
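Review bot: In modules/nixos/features/tailscale.nix the firewall attrset still merges in `allowedTCPPorts = [22];` when `cfg.ssh.enable` is set, and in the NixOS firewall that opens TCP 22 on every interface, not only on the tailnet. The same attrset already has `trustedInterfaces = ["tailscale0"];`, so connections arriving over Tailscale are accepted without this rule. If the option is meant to cover Tailscale SSH only, the `// lib.optionalAttrs cfg.ssh.enable { … }` merge could be dropped; otherwise a comment such as `# opens TCP 22 on all interfaces, not just tailscale0` would make the exposure explicit. Because hosts/profiles.nix now sets `ssh.enable = true;` in the server profile, the rule applies to every host using that profile. The `script` body of `tailscale-autoconnect` continues outside the hunk, so how `ssh.enable` reaches the `tailscale up` invocation should be confirmed against the full file.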
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGxXSVVGUSAxWVA0 +WmxmSGlLYkdKM2tTUlNUem1abDR4YnZHWHJ5Ym8yZnY5angzQlNrCmpCRmNyNE9C +Tjk3MWYwdXI5QStxbm5kd3hGM3FHNVJhcXJ2Q21HNlhEMk0KLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIGY4MURyWjlBN1V5dk9qU2FvNDhscFc1dTFlNFlSOGJobUZYcEdU +K09sanMKVWUyaGIzQXRJMnJKOFovT2JjWGNBOU0xaXBlMzlEZHBmZTZIL0V0N2Zq +TQotPiAlemJgLWU7aS1ncmVhc2UgISA5STA/QiB9IENcYX5bbAp0N0pIZUpJQS9p +MzJWb3NCclg0VytQQU8zT3Q0N0hkQzdhcDNyZFdpb3NxampSa2VhV0xxbTBKNHpU +WnA2bkIzCnl4dUdRdWpRK2x5dEZ5dWppWG81M1orUElWemNoQklzdGduMDJJTkVm +TXpUVGtoazhRCi0tLSBUc084T0srWmRlelZjNjZoUnIzcjRLQ3hWN21oMkZnYTJR +b3NFVVJhVnc4CknQQMmTw+5tonM00ULIiexDkVXCuiExEwVcSIDJvD3BvYyziApV +31vE4QgNU0qSW0BKqulx2JlMETajydqgZ6YTxHfJN78IP6ErWrGTA9b25ivKPjzT +8QabTw== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/hosts/p-body/tailscaleAuthKey.age b/secrets/hosts/p-body/tailscaleAuthKey.age new file mode 100644 index 0000000..e525b92 --- /dev/null +++ b/secrets/hosts/p-body/tailscaleAuthKey.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDJybTN3ZyAyYnds +VTFmby83QndHSDB3aGpZcndCajMvbTZXR0hUbzJreDV4aXB5ZnljCnBETEFjNHdn +akppQjdDalNtcEVVS3Bra3ZPL1BSZmgwOWxiVFRvWWQ2NzAKLT4gc3NoLWVkMjU1 +MTkgSTkyQTNRIFFSNGs0anNzc1NoK1dnNlFzSk93R3p2dDVKK1kwaS9qYk14WWZM +Y3J2QW8KZmNDbWU2TW42bG5weEdoMFpuNzB6OFJIbEJxUGNURWhUMi8wbGtsdTFQ +cwotPiBRKDotZ3JlYXNlIGM3K0M/dSggKzFHW1kqbksKTTVlaCtnM3BDTFlnQzk3 +Y1ZtbkQyN0pVc1BhZ3ZCMAotLS0gUEp5Rmk2WHhQU1IvdE40VmxUR2N5WEJ5aCt3 +Yk54M2dSbTRXN0J2blFLZwpqDEmxDLbwk2hFDBz+vK2iTWChKQ+0AgZqVDMTZ2vY +OsrXweugSYJqR6JgB3GL9J/SRpGH/0mh/16Fu3MfvaLvMOkMBAc+OJ9YtRVQrPj8 +kmk2GTTs0SaI+Q== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9dd4eb2..f74dabc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -15,6 +15,7 @@ in { "hosts/atlas/clusterToken.age".publicKeys = atlas; "hosts/atlas/secretsJson.age".publicKeys = atlas; "hosts/atlas/miniflux.age".publicKeys = atlas; + "hosts/atlas/tailscaleAuthKey.age".publicKeys = atlas; "hosts/p-body/rootPassword.age".publicKeys = p-body; "hosts/p-body/userPassword.age".publicKeys = p-body; @@ -22,4 +23,5 @@ in { "hosts/p-body/binaryCache.age".publicKeys = p-body; "hosts/p-body/clusterToken.age".publicKeys = p-body; "hosts/p-body/secretsJson.age".publicKeys = p-body; + "hosts/p-body/tailscaleAuthKey.age".publicKeys = p-body; } |
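Review bot: The two new `tailscaleAuthKey.age` entries carry no comment on what kind of Tailscale auth key they hold. That matters because the ciphertext is committed, so anyone who later obtains one of the recipient private keys can decrypt it from history. A line above each entry such as `# expiring, single-use tailnet auth key; revoke once the host has joined` would record the expectation. Whether the keys are in fact one-off or reusable cannot be told from the diff. The definitions of `atlas` and `p-body` are outside these hunks, so the recipient lists should be checked to contain only the host key and the intended admin keys.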
