diff --git a/defaults/vpn/README.md b/defaults/vpn/README.md
index 479a565..364a91e 100644
--- a/defaults/vpn/README.md
+++ b/defaults/vpn/README.md
@@ -1,32 +1,20 @@
 # VPN
-On [vpn.qo.is](https://vpn.qo.is) we run a [Tailscale](https://tailscale.com) compatible VPN service. To use the service, you can use a normal Tailscale client with following additional configuration:
-
-| Option | Recommended value | Description |
-|--------|-------------------|-------------|
-| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
-| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
-| `login-server` | `https://vpn.qo.is` | Use our own VPN service and not tailscale's upstream one |
-
-
-⚠️ Currently, if the client is in an IPv6 network, the transport is broken. See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for progress on this.
-
-## Exit nodes
-
-- `100.64.0.5`: lindberg (riedbach-net)
-- `100.64.0.6`: cyprianspitz (plessur-net)
-
-Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
+We run a [Tailscale](https://tailscale.com) compatible VPN service on [vpn.qo.is](https://vpn.qo.is).
 ## User and Client Management
-To register a new client, you can generate a pre-auth key and insert it in the client:
+To register a new client on the `vpn.qo.is` host:, generate a pre-auth key and insert it in the client:
 ```bash
+headscale users create marlene.mayer
 headscale preauthkeys create --user marlene.mayer
 ```
-Or alternatively use the register command shown when configuring the VPN client.
+> ⚠️ For now, the username must be added to `qois.vpn-server.wheelUsers`.
+> In the future, the VPN ACL might get more granular to allow for non-wheel users.
+
+Alternatively to using a pre-auth key, the register command shown when configuring the VPN client may be used.
 ## ACL
@@ -34,49 +22,43 @@ At this time, there are a few ACL rules to isolate a users host but do not expec
 ## Exit Nodes
-To add an exit node, create a preauth secret on the `vpn.qo.is` host:
+These nodes allow access to the internet for clients connected to the VPN:
-```bash
-headscale preauthkeys create --user srv --reusable
-```
+- `100.64.0.5`: lindberg (riedbach-net)
+- `100.64.0.6`: cyprianspitz (plessur-net)
-and configure the host as follows:
+> ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
-```nix
-# TODO: This should not be a snipped but a module
-{config, ...}: {
- # Use this node as vpn exit node
- services.tailscale = let meta = config.qois.meta; in {
- enable = true;
- openFirewall = true;
- useRoutingFeatures = "server";
- authKeyFile = "/secrets/wireguard/tailscale-key"; # The preauth secret. TODO: Should be in sops.
- extraUpFlags = [
- "--login-server=https://vpn.qo.is"
- "--advertise-exit-node"
- (
- with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
- )
- "--advertise-tags=tag:srv"
- ];
- };
-}
-```
+### Add exit nodes:
-and register it in Headscale with:
+1. Create a preauth secret on the `vpn.qo.is` host:
+ ```bash
+ headscale preauthkeys create --user srv --reusable
+ ```
+2. Configure the new exit-node host with the `qois.vpn-exit-node` module.
-```bash
-headscale nodes register -u srv -k nodekey:xyzxyzxyzxyzxyzxyzxyzxyz
-```
-
-With using the `srv` user, exit nodes and routes get automatically accepted as trusted.
+When using the `srv` user, exit nodes and routes are automatically accepted as trusted.
## Clients
+To use the service, you can use a normal Tailscale client with following additional configuration:
+
+| Option | Recommended value | Description |
+|--------|-------------------|-------------|
+| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
+| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
+| `login-server` | `https://vpn.qo.is` | Use our own VPN service. |
+
+
+> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken.
+> Disable IPv6 connectivity to use the VPN.
+> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
+
+
 ### NixOS
-Sample config:
+Sample config with automatic connectivity to VPN on boot:
 ```nix
 { config, pkgs, ... }: {
@@ -96,12 +78,12 @@ Sample config:
 }
 ```
-### Mobile App
+### Android
-> Android App: Tip 5 times on the tooltip dots to reveal server config option
-
-See [this Headscale documentation for more](https://headscale.net/android-client/#configuring-the-headscale-url) on how to configure the mobile app. Note that on restarts, sometimes you have to reopen/save the config dialog. If the Tailscale login site is shown, just close the browser with the ❌.
+See [this Headscale documentation for more](https://headscale.net/stable/usage/connect/android/) on how to configure the mobile app.
+> ⚠️ Note that on restarts, sometimes you have to reopen/save the config dialog.
+> If the Tailscale login site is shown, just close the browser with the ❌.
 ## Backup and Restore
diff --git a/flake.lock b/flake.lock
index f29987c..8023f2a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -27,11 +27,11 @@
 ]
 },
 "locked": {
- "lastModified": 1740485968,
- "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
+ "lastModified": 1741786315,
+ "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
+ "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
 "type": "github"
 },
 "original": {
@@ -74,11 +74,11 @@
 },
 "nixpkgs-nixos-stable": {
 "locked": {
- "lastModified": 1740865531,
- "narHash": "sha256-h00vGIh/jxcGl8aWdfnVRD74KuLpyY3mZgMFMy7iKIc=",
+ "lastModified": 1742268799,
+ "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5ef6c425980847c78a80d759abc476e941a9bf42",
+ "rev": "da044451c6a70518db5b730fe277b70f494188f1",
 "type": "github"
 },
 "original": {
@@ -90,11 +90,11 @@
 },
 "nixpkgs-nixos-unstable": {
 "locked": {
- "lastModified": 1740828860,
- "narHash": "sha256-cjbHI+zUzK5CPsQZqMhE3npTyYFt9tJ3+ohcfaOF/WM=",
+ "lastModified": 1742069588,
+ "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "303bd8071377433a2d8f76e684ec773d70c5b642",
+ "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
 "type": "github"
 },
 "original": {
@@ -140,11 +140,11 @@
 ]
 },
 "locked": {
- "lastModified": 1739262228,
- "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+ "lastModified": 1742239755,
+ "narHash": "sha256-ptn8dR4Uat3UUadGYNnB7CIH9SQm8mK69D2A/twBUXQ=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+ "rev": "787afce414bcce803b605c510b60bf43c11f4b55",
 "type": "github"
 },
 "original": {
diff --git a/nixos-configurations/lindberg/filesystems.nix b/nixos-configurations/lindberg/filesystems.nix
index b594021..d8b39b4 100644
--- a/nixos-configurations/lindberg/filesystems.nix
+++ b/nixos-configurations/lindberg/filesystems.nix
@@ -9,12 +9,8 @@
 MAILADDR root
 ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93
 ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000
- INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=b9c36b6d:a2e0fa86:f6dbfe57:857cd0d2
 '';
- # TODO: RAID Monitoring
- # TODO: Set spin-down time of physical disks
-
 services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
 # Use the systemd-boot EFI boot loader.
@@ -28,11 +24,11 @@
 path = "/boot-primary";
 efiBootloaderId = "NixOS primary";
 }
-#{
-# devices = [ "nodev" ];
-# path = "/boot-secondary";
-# efiBootloaderId = "NixOS secondary";
-#}
+{
+ devices = [ "nodev" ];
+ path = "/boot-secondary";
+ efiBootloaderId = "NixOS secondary";
+}
 ];
 };
 }
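Review bot: The `# TODO: RAID Monitoring` and spin-down reminders are deleted without anything in this hunk taking their place; if monitoring was configured elsewhere in this commit it is not visible here, otherwise the open item is silently lost. `MAILADDR root` in the generated mdadm config only produces degraded-array alerts when mdadm's monitor mode is actually running and local mail to root is delivered, neither of which this file shows. Keep a pointer next to the conf so the gap stays visible, e.g. `# Degraded-array alerts rely on mdmonitor + MAILADDR root; verify mail delivery (monitoring not yet confirmed).` The enclosing attribute set starts and ends outside the hunk.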
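Review bot: The secondary boot entry is enabled but nothing documents its prerequisites: `/boot-secondary` has to be a mounted ESP for the bootloader install to write there, and the first hunk still forces `services.fwupd.daemonSettings.EspLocation` to the `system-1` boot partition, so firmware updates presumably land only on the primary ESP, which is worth confirming as intended. A one-line comment on the new entry would capture this, e.g. `# Secondary ESP mirror; fwupd's EspLocation still targets the primary one.` The nearby `# Use the systemd-boot EFI boot loader.` context comment also looks stale if these `efiBootloaderId`/`path`/`devices` entries are GRUB `mirroredBoots`, which their shape suggests. The enclosing list and attribute set start outside the hunk.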