qo.is/infrastructure
3
0
Fork 0
Code Issues 10 Pull requests 1 Projects Activity Actions

Compare commits

base: qo.is:b7b33f7e41749beccb717df7063fca906eba2499
Branches Tags
qo.is:main
qo.is:renovate/lock-file-maintenance
qo.is:update-deploy-flags
qo.is:18-caral
..
compare: qo.is:379c644c05579bccf2b5f78540622b6e12a88c67
Branches Tags
qo.is:renovate/lock-file-maintenance
qo.is:update-deploy-flags
qo.is:main
qo.is:18-caral

4 commits
b7b33f7e41 ... 379c644c05

Author SHA1 Message Date
Renovate Bot
379c644c05 chore(deps): lock file maintenance
All checks were successful
CI / build (push) Successful in 9m14s
Details
2025-03-18 15:40:48 +01:00
Raphael Zimmermann
1db545ebab Extend vpn user docs
All checks were successful
CI / build (push) Successful in 2m49s
Details 
Co-authored-by: Fabian Hauser <fabian@fh2.ch>
 2025-03-18 16:38:56 +02:00
Fabian Hauser
3a9454bd92 lindberg: Reinstate /boot-secondary
All checks were successful
CI / build (push) Successful in 2m58s
Details
2025-03-06 10:28:24 +02:00
Fabian Hauser
24edc73914 lindberg: Remove old md_data raid 2025-03-06 10:28:24 +02:00
3 changed files with 54 additions and 76 deletions
Show stats Expand all files Collapse all files

92
defaults/vpn/README.md
View file

@ -1,32 +1,20 @@
# VPN # VPN
On [vpn.qo.is](https://vpn.qo.is) we run a [Tailscale](https://tailscale.com) compatible VPN service. To use the service, you can use a normal Tailscale client with following additional configuration: We run a [Tailscale](https://tailscale.com) compatible VPN service on [vpn.qo.is](https://vpn.qo.is).
| Option | Recommended value | Description |
|--------|-------------------|-------------|
| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
| `login-server` | `https://vpn.qo.is` | Use our own VPN service and not tailscale's upstream one |
⚠️ Currently, if the client is in an IPv6 network, the transport is broken. See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for progress on this.
## Exit nodes
- `100.64.0.5`: lindberg (riedbach-net)
- `100.64.0.6`: cyprianspitz (plessur-net)
Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
## User and Client Management ## User and Client Management
To register a new client, you can generate a pre-auth key and insert it in the client: To register a new client on the `vpn.qo.is` host:, generate a pre-auth key and insert it in the client:
```bash ```bash
headscale users create marlene.mayer
headscale preauthkeys create --user marlene.mayer headscale preauthkeys create --user marlene.mayer
``` ```
Or alternatively use the register command shown when configuring the VPN client. > ⚠️ For now, the username must be added to `qois.vpn-server.wheelUsers`.
> In the future, the VPN ACL might get more granular to allow for non-wheel users.
Alternatively to using a pre-auth key, the register command shown when configuring the VPN client may be used.
## ACL ## ACL
@ -34,49 +22,43 @@ At this time, there are a few ACL rules to isolate a users host but do not expec
## Exit Nodes ## Exit Nodes
To add an exit node, create a preauth secret on the `vpn.qo.is` host: These nodes allow access to the internet for clients connected to the VPN:
```bash - `100.64.0.5`: lindberg (riedbach-net)
headscale preauthkeys create --user srv --reusable - `100.64.0.6`: cyprianspitz (plessur-net)
```
and configure the host as follows: > ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
```nix
# TODO: This should not be a snipped but a module
{config, ...}: { ### Add exit nodes:
# Use this node as vpn exit node
services.tailscale = let meta = config.qois.meta; in {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = "/secrets/wireguard/tailscale-key"; # The preauth secret. TODO: Should be in sops.
extraUpFlags = [
"--login-server=https://vpn.qo.is"
"--advertise-exit-node"
(
with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
)
"--advertise-tags=tag:srv"
];
};
}
```
and register it in Headscale with: 1. Create a preauth secret on the `vpn.qo.is` host:
```bash
headscale preauthkeys create --user srv --reusable
```
2. Configure the new exit-node host with the `qois.vpn-exit-node` module.
```bash When using the `srv` user, exit nodes and routes are automatically accepted as trusted.
headscale nodes register -u srv -k nodekey:xyzxyzxyzxyzxyzxyzxyzxyz
```
With using the `srv` user, exit nodes and routes get automatically accepted as trusted.
## Clients ## Clients
To use the service, you can use a normal Tailscale client with following additional configuration:
| Option | Recommended value | Description |
|--------|-------------------|-------------|
| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
| `login-server` | `https://vpn.qo.is` | Use our own VPN service. |
> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken.
> Disable IPv6 connectivity to use the VPN.
> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
### NixOS ### NixOS
Sample config: Sample config with automatic connectivity to VPN on boot:
```nix ```nix
{ config, pkgs, ... }: { { config, pkgs, ... }: {
@ -96,12 +78,12 @@ Sample config:
} }
``` ```
### Mobile App ### Android
> Android App: Tip 5 times on the tooltip dots to reveal server config option See [this Headscale documentation for more](https://headscale.net/stable/usage/connect/android/) on how to configure the mobile app.
See [this Headscale documentation for more](https://headscale.net/android-client/#configuring-the-headscale-url) on how to configure the mobile app. Note that on restarts, sometimes you have to reopen/save the config dialog. If the Tailscale login site is shown, just close the browser with the ❌.
> ⚠️ Note that on restarts, sometimes you have to reopen/save the config dialog.
> If the Tailscale login site is shown, just close the browser with the ❌.
## Backup and Restore ## Backup and Restore

24
flake.lock generated
View file

@ -27,11 +27,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1740485968, "lastModified": 1741786315,
"narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=", "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940", "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -74,11 +74,11 @@
}, },
"nixpkgs-nixos-stable": { "nixpkgs-nixos-stable": {
"locked": { "locked": {
"lastModified": 1741445498, "lastModified": 1742268799,
"narHash": "sha256-F5Em0iv/CxkN5mZ9hRn3vPknpoWdcdCyR0e4WklHwiE=", "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "52e3095f6d812b91b22fb7ad0bfc1ab416453634", "rev": "da044451c6a70518db5b730fe277b70f494188f1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -90,11 +90,11 @@
}, },
"nixpkgs-nixos-unstable": { "nixpkgs-nixos-unstable": {
"locked": { "locked": {
"lastModified": 1741379970, "lastModified": 1742069588,
"narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=", "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f", "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -140,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1741043164, "lastModified": 1742239755,
"narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", "narHash": "sha256-ptn8dR4Uat3UUadGYNnB7CIH9SQm8mK69D2A/twBUXQ=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "3f2412536eeece783f0d0ad3861417f347219f4d", "rev": "787afce414bcce803b605c510b60bf43c11f4b55",
"type": "github" "type": "github"
}, },
"original": { "original": {

14
nixos-configurations/lindberg/filesystems.nix
View file

@ -9,12 +9,8 @@
MAILADDR root MAILADDR root
ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93 ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93
ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000 ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000
INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=b9c36b6d:a2e0fa86:f6dbfe57:857cd0d2
''; '';
# TODO: RAID Monitoring
# TODO: Set spin-down time of physical disks
services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint; services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -28,11 +24,11 @@
path = "/boot-primary"; path = "/boot-primary";
efiBootloaderId = "NixOS primary"; efiBootloaderId = "NixOS primary";
} }
#{ {
# devices = [ "nodev" ]; devices = [ "nodev" ];
# path = "/boot-secondary"; path = "/boot-secondary";
# efiBootloaderId = "NixOS secondary"; efiBootloaderId = "NixOS secondary";
#} }
]; ];
}; };
} }