diff --git a/defaults/vpn/README.md b/defaults/vpn/README.md index 364a91e..479a565 100644 --- a/defaults/vpn/README.md +++ b/defaults/vpn/README.md @@ -1,20 +1,32 @@ # VPN -We run a [Tailscale](https://tailscale.com) compatible VPN service on [vpn.qo.is](https://vpn.qo.is). +On [vpn.qo.is](https://vpn.qo.is) we run a [Tailscale](https://tailscale.com) compatible VPN service. To use the service, you can use a normal Tailscale client with following additional configuration: + +| Option | Recommended value | Description | +|--------|-------------------|-------------| +| `accept-routes` | enabled (flag) | Accept direct routes to internal services | +| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) | +| `login-server` | `https://vpn.qo.is` | Use our own VPN service and not tailscale's upstream one | + + +⚠️ Currently, if the client is in an IPv6 network, the transport is broken. See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for progress on this. + +## Exit nodes + +- `100.64.0.5`: lindberg (riedbach-net) +- `100.64.0.6`: cyprianspitz (plessur-net) + +Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future. ## User and Client Management -To register a new client on the `vpn.qo.is` host:, generate a pre-auth key and insert it in the client: +To register a new client, you can generate a pre-auth key and insert it in the client: ```bash -headscale users create marlene.mayer headscale preauthkeys create --user marlene.mayer ``` -> ⚠️ For now, the username must be added to `qois.vpn-server.wheelUsers`. -> In the future, the VPN ACL might get more granular to allow for non-wheel users. - -Alternatively to using a pre-auth key, the register command shown when configuring the VPN client may be used. +Or alternatively use the register command shown when configuring the VPN client. ## ACL 
@@ -22,43 +34,49 @@ At this time, there are a few ACL rules to isolate a users host but do not expec ## Exit Nodes -These nodes allow access to the internet for clients connected to the VPN: +To add an exit node, create a preauth secret on the `vpn.qo.is` host: -- `100.64.0.5`: lindberg (riedbach-net) -- `100.64.0.6`: cyprianspitz (plessur-net) +```bash +headscale preauthkeys create --user srv --reusable +``` -> ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future. +and configure the host as follows: +```nix +# TODO: This should not be a snipped but a module -### Add exit nodes: +{config, ...}: { + # Use this node as vpn exit node + services.tailscale = let meta = config.qois.meta; in { + enable = true; + openFirewall = true; + useRoutingFeatures = "server"; + authKeyFile = "/secrets/wireguard/tailscale-key"; # The preauth secret. TODO: Should be in sops. + extraUpFlags = [ + "--login-server=https://vpn.qo.is" + "--advertise-exit-node" + ( + with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}" + ) + "--advertise-tags=tag:srv" + ]; + }; +} +``` -1. Create a preauth secret on the `vpn.qo.is` host: - ```bash - headscale preauthkeys create --user srv --reusable - ``` -2. Configure the new exit-node host with the `qois.vpn-exit-node` module. +and register it in Headscale with: -When using the `srv` user, exit nodes and routes are automatically accepted as trusted. +```bash +headscale nodes register -u srv -k nodekey:xyzxyzxyzxyzxyzxyzxyzxyz +``` + +With using the `srv` user, exit nodes and routes get automatically accepted as trusted. 
## Clients -To use the service, you can use a normal Tailscale client with following additional configuration: - -| Option | Recommended value | Description | -|--------|-------------------|-------------| -| `accept-routes` | enabled (flag) | Accept direct routes to internal services | -| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) | -| `login-server` | `https://vpn.qo.is` | Use our own VPN service. | - - -> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken. -> Disable IPv6 connectivity to use the VPN. -> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details. - - ### NixOS -Sample config with automatic connectivity to VPN on boot: +Sample config: ```nix { config, pkgs, ... }: { @@ -78,12 +96,12 @@ Sample config with automatic connectivity to VPN on boot: } ``` -### Android +### Mobile App -See [this Headscale documentation for more](https://headscale.net/stable/usage/connect/android/) on how to configure the mobile app. +> Android App: Tip 5 times on the tooltip dots to reveal server config option + +See [this Headscale documentation for more](https://headscale.net/android-client/#configuring-the-headscale-url) on how to configure the mobile app. Note that on restarts, sometimes you have to reopen/save the config dialog. If the Tailscale login site is shown, just close the browser with the ❌. -> ⚠️ Note that on restarts, sometimes you have to reopen/save the config dialog. -> If the Tailscale login site is shown, just close the browser with the ❌. ## Backup and Restore diff --git a/flake.lock b/flake.lock index 8023f2a..69307c9 100644 --- a/flake.lock +++ b/flake.lock 
@@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1741786315, - "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=", + "lastModified": 1740485968, + "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=", "owner": "nix-community", "repo": "disko", - "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de", + "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940", "type": "github" }, "original": { @@ -74,11 +74,11 @@ }, "nixpkgs-nixos-stable": { "locked": { - "lastModified": 1742268799, - "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=", + "lastModified": 1741445498, + "narHash": "sha256-F5Em0iv/CxkN5mZ9hRn3vPknpoWdcdCyR0e4WklHwiE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "da044451c6a70518db5b730fe277b70f494188f1", + "rev": "52e3095f6d812b91b22fb7ad0bfc1ab416453634", "type": "github" }, "original": { @@ -90,11 +90,11 @@ }, "nixpkgs-nixos-unstable": { "locked": { - "lastModified": 1742069588, - "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=", + "lastModified": 1741379970, + "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5", + "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f", "type": "github" }, "original": { @@ -140,11 +140,11 @@ ] }, "locked": { - "lastModified": 1742239755, - "narHash": "sha256-ptn8dR4Uat3UUadGYNnB7CIH9SQm8mK69D2A/twBUXQ=", + "lastModified": 1741043164, + "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "787afce414bcce803b605c510b60bf43c11f4b55", + "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", "type": "github" }, "original": { diff --git a/nixos-configurations/lindberg/filesystems.nix b/nixos-configurations/lindberg/filesystems.nix index d8b39b4..b594021 100644 --- a/nixos-configurations/lindberg/filesystems.nix +++ b/nixos-configurations/lindberg/filesystems.nix 
@@ -9,8 +9,12 @@ MAILADDR root ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93 ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000 + INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=b9c36b6d:a2e0fa86:f6dbfe57:857cd0d2 ''; + # TODO: RAID Monitoring + # TODO: Set spin-down time of physical disks + services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint; # Use the systemd-boot EFI boot loader. @@ -24,11 +28,11 @@ path = "/boot-primary"; efiBootloaderId = "NixOS primary"; } - { - devices = [ "nodev" ]; - path = "/boot-secondary"; - efiBootloaderId = "NixOS secondary"; - } + #{ + # devices = [ "nodev" ]; + # path = "/boot-secondary"; + # efiBootloaderId = "NixOS secondary"; + #} ]; }; }
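Review bot: The new `INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=...` line in the mdadm configuration string is, as far as I know, not an mdadm.conf keyword but the form `mdadm --detail --scan` prints for an array that is currently not assembled; mdadm's config parser only knows keywords such as `ARRAY`, `DEVICE`, `AUTO` and `MAILADDR`, so it will most likely log an unknown-keyword warning at boot and ignore the line rather than track or suppress that array. If the intent is to keep the leftover `nixos:md_data` array from being auto-assembled (or to have its disks reused), that needs a deliberate mechanism documented in the mdadm.conf manual page, and if it is only a reminder it belongs in a comment next to the two new TODOs. A why-comment would clarify either way, e.g. `# TODO(review): md125 (nixos:md_data) is a leftover array -- decide whether to assemble it or clear its superblocks; INACTIVE-ARRAY is not a config keyword`. The `mdadmConf`-style string this line sits in starts above the hunk.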
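Review bot: The second boot entry (`path = "/boot-secondary"`, `efiBootloaderId = "NixOS secondary"`) is commented out with no reason given, which silently removes the boot-loader redundancy this host was set up with: the secondary ESP no longer receives new generations, so after a failure of the primary disk the machine would boot stale entries from the secondary disk, if it boots at all. If this is a temporary workaround, the comment block should say so and carry a TODO, e.g. `# TODO: secondary ESP disabled (<reason>); /boot-secondary is no longer updated -- re-enable once <issue> is resolved`; if it is permanent, delete the dead block rather than keeping commented-out code, and note that the mdadm/disko layout still provisions that partition. The enclosing attribute set (presumably `boot.loader.systemd-boot.mirroredBoots`) starts above the hunk.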