Apply the VPN to all hosts in the datacenter

PsychoLlama · PsychoLlama · commit 2a7a6155c90f · 2025-01-23T08:15:37.000-05:00
After fiddling with Headscale a bit more I'm pretty sold. Now every host
on the network is connected to the VPN. I've added a `project vpn setup`
command to bootstrap new nodes, but I think the `tailscaled-autoconnect`
service is better suited. Hopefully I can find a clean way to make that
work without provisioning a key on every deployment (it only needs to
happen once).
diff --git a/flake.nix b/flake.nix
@@ -36,6 +36,9 @@
       inherit (nixpkgs-unstable) lib;
       inherit (import ./lib flake-inputs) defineHost deviceProfiles makeImage;
 
+      domain = "selfhosted.city";
+      datacenter = "nova";
+
       # A subset of Hydra's standard architectures.
       standardSystems = [
         "x86_64-linux"
@@ -130,8 +133,7 @@
 
       colmena = (lib.mapAttrs defineHost hosts) // rec {
         defaults.lab = {
-          domain = "selfhosted.city";
-          datacenter = "nova";
+          inherit datacenter domain;
 
           networks = {
             datacenter.ipv4 = {
@@ -260,6 +262,40 @@
                         }
                       ];
                     };
+
+                    vpn = {
+                      about = "Manage the VPN.";
+                      subcommands.register = {
+                        about = "Register a node on the VPN.";
+                        args = [
+                          {
+                            id = "host";
+                            about = "Host to initialize.";
+                            required = true;
+                          }
+                          {
+                            id = "server_url";
+                            about = "URL of the VPN server.";
+                            short = "s";
+                            long = "server-url";
+                            default_value = "http://rpi4-003.host.${datacenter}.${domain}:8080";
+                          }
+                        ];
+
+                        # TODO: Use Colmena's deploy key commands instead and
+                        # defer the oneshot setup by the key service.
+                        run = pkgs.unstable.writers.writeNu "bootstrap-vpn-client.nu" ''
+                          use std/log
+
+                          let server_host = $env.server_url | url parse | get host
+                          let response = ssh $server_host headscale preauthkey create --user dc-${datacenter} --output json | from json
+                          log info $"Auth key created id=($response.id)"
+
+                          ssh $env.host tailscale up --login-server $env.server_url --auth-key $response.key
+                          log info "VPN client ready"
+                        '';
+                      };
+                    };
                   };
                 };
               })
diff --git a/hosts/rpi3-001.nix b/hosts/rpi3-001.nix
@@ -1,4 +1,8 @@
 {
+  lab.profiles = {
+    vpn.client.enable = true;
+  };
+
   home-manager.users.root.home.stateVersion = "23.11";
   system.stateVersion = "23.05";
 }
diff --git a/hosts/rpi3-002.nix b/hosts/rpi3-002.nix
@@ -1,7 +1,12 @@
 {
-  # File server is temporarily disabled. 2/3 drives corrupted.
-  # I'm a terrible sysadmin.
-  lab.profiles.file-server.enable = false;
+  lab.profiles = {
+    vpn.client.enable = true;
+
+    # File server is temporarily disabled. 2/3 drives corrupted.
+    # I'm a terrible sysadmin.
+    file-server.enable = false;
+  };
+
   networking.hostId = "e3cda066"; # Required by ZFS
 
   home-manager.users.root.home.stateVersion = "23.11";
diff --git a/hosts/rpi4-001.nix b/hosts/rpi4-001.nix
@@ -5,7 +5,10 @@ let
   inherit (config.lab.services.gateway) wan;
 in
 {
-  lab.profiles.router.enable = true;
+  lab.profiles = {
+    router.enable = true;
+    vpn.client.enable = true;
+  };
 
   # Assign sensible names to the network interfaces. Anything with vlans needs
   # a hardware-related filter to avoid conflicts with virtual devices.
diff --git a/platforms/nixos/modules/lab/profiles/vpn/server.nix b/platforms/nixos/modules/lab/profiles/vpn/server.nix
@@ -19,17 +19,18 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ port ];
+
     services.headscale = {
       enable = true;
       settings = {
         server_url = "http://${config.networking.hostName}.host.${datacenter}.${domain}:${toString port}";
         listen_addr = "0.0.0.0:${toString port}";
-        dns.base_domain = "vpn.${datacenter}.${domain}";
+        dns.base_domain = "${datacenter}.vpn.${domain}";
+        logtail.enabled = true;
 
         # TODO: Define ACLs.
       };
     };
-
-    networking.firewall.allowedTCPPorts = [ port ];
   };
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,8 @@`
`1`	`1`	`{`
	`2`	`+ lab.profiles = {`
	`3`	`+ vpn.client.enable = true;`
	`4`	`+ };`
	`5`	`+`
`2`	`6`	`home-manager.users.root.home.stateVersion = "23.11";`
`3`	`7`	`system.stateVersion = "23.05";`
`4`	`8`	`}`