fix blocky container

2024-01-21 16:32:37 +03:00 · 2024-01-21 16:32:37 +03:00 · 545d616b4a
commit 545d616b4a
parent 47a778a82a
3 changed files with 49 additions and 29 deletions
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -39,7 +39,7 @@ in {
    customProfiles.yandex-db

    (import customProfiles.blocky {
-      inherit config;
+      inherit config pkgs;
      inherit (import ./dns-mapping.nix) dns-mapping;
    })

--- a/machines/Home-Hypervisor/dns-headscale.nix
+++ b/machines/Home-Hypervisor/dns-headscale.nix
@ -9,23 +9,23 @@
    { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "cocalc.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "fb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "fsync.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    # { name = "mail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "microbin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "nzbhydra.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -41,9 +41,9 @@
    { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "startpage.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    # { name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@ -57,23 +57,23 @@
    { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "cocalc.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "fb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "fsync.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    # { name = "mail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "microbin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "nzbhydra.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@ -89,9 +89,9 @@
    { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "startpage.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    # { name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
--- a/profiles/servers/blocky.nix
+++ b/profiles/servers/blocky.nix
@ -1,23 +1,30 @@
-{ config, dns-mapping ? [], ... }:
+{ config, pkgs, dns-mapping ? [], ... }:
 let
  nodeAddress = "192.168.0.5";
-  wgAddress = "10.100.0.1";
-  wgConf = config.secrets.wg-hypervisor-dns.decrypted;
+  upstream-dns = "100.64.0.1";
 in {
-  boot.kernelModules = [ "wireguard" ];
-  secrets.wg-hypervisor-dns.services = [ "container@blocky.service" ];
+  systemd.tmpfiles.rules = [
+    "d /srv/blocky-tailscale 0755 root root -"
+  ];
+  systemd.services.gen-headscale-key = {
+    before = [ "container@blocky.service" ];
+    requiredBy = [ "container@blocky.service" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.headscale ];
+    script = ''
+      headscale preauthkeys create --ephemeral -e 1h -u ataraxiadev | tee /tmp/blocky-authkey
+    '';
+  };
  containers.blocky = {
    autoStart = true;
+    enableTun = true;
    ephemeral = true;
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "${nodeAddress}/24";
    tmpfs = [ "/" ];
-    bindMounts."${wgConf}" = {
-      hostPath = wgConf;
-      isReadOnly = true;
-    };
-    config = { config, pkgs, ... }:
+    bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";
+    config = { config, pkgs, lib, ... }:
    let
      grafanaPort = config.services.grafana.settings.server.http_port;
      blockyPort = config.services.blocky.settings.ports.dns;
@ -26,7 +33,7 @@ in {
      networking = {
        defaultGateway = "192.168.0.1";
        hostName = "blocky-node";
-        nameservers = [ wgAddress ];
+        nameservers = [ "127.0.0.1" ];
        enableIPv6 = false;
        useHostResolvConf = false;
        firewall = {
@ -34,8 +41,21 @@ in {
          allowedTCPPorts = [ blockyPort grafanaPort ];
          allowedUDPPorts = [ blockyPort ];
        };
-        wg-quick.interfaces.wg0.configFile = wgConf;
      };
+      # ephemeral tailscale node
+      services.tailscale = {
+        enable = true;
+        useRoutingFeatures = "client";
+        authKeyFile = "/tmp/blocky-authkey";
+        extraUpFlags = [ "--login-server=https://wg.ataraxiadev.com" "--accept-dns=false" ];
+      };
+      systemd.services.tailscaled.serviceConfig.Environment = let
+        cfg = config.services.tailscale;
+      in lib.mkForce [
+        "PORT=${toString cfg.port}"
+        ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} --state=mem:"''
+      ];
+
      services.dnsmasq = {
        enable = true;
        alwaysKeepRunning = true;
@ -52,7 +72,7 @@ in {
      services.blocky = {
        enable = true;
        settings = {
-          upstream.default = [ wgAddress ];
+          upstream.default = [ upstream-dns ];
          upstreamTimeout = "10s";
          caching = {
            minTime = "0m";
@ -134,7 +154,7 @@ in {
          user = "grafana";
        };
      };
-      system.stateVersion = "23.05";
+      system.stateVersion = "23.11";
    };
  };
 }