fix blocky container

machines/Home-Hypervisor/default.nix

@@ -39,7 +39,7 @@ in {
     customProfiles.yandex-db
 
     (import customProfiles.blocky {
-      inherit config;
+      inherit config pkgs;
       inherit (import ./dns-mapping.nix) dns-mapping;
     })
 

machines/Home-Hypervisor/dns-headscale.nix

@@ -9,23 +9,23 @@
     { name = "cal.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "cocalc.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "code.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "dimension.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "docs.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "element.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "fb.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "file.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "fsync.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "goneb.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "home.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "jackett.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "jellyfin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "jitsi.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "joplin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "kavita.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "ldap.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "lib.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     # { name = "mail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "matrix.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "medusa.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "microbin.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "nzbhydra.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@@ -41,9 +41,9 @@
     { name = "sonarr.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "sonarrtv.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "startpage.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "stats.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "tools.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
-    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.21"; }
+    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.1"; }
     { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     # { name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
     { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
@@ -57,23 +57,23 @@
     { name = "cal.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "cocalc.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "code.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "dimension.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "docs.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "element.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "fb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "file.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "fsync.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "goneb.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "home.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "jackett.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "jellyfin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "jitsi.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "joplin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "kavita.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "ldap.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "lib.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     # { name = "mail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "matrix.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "medusa.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "microbin.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "nzbhydra.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@@ -89,9 +89,9 @@
     { name = "sonarr.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "sonarrtv.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "startpage.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "stats.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "tools.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
-    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::15"; }
+    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::1"; }
     { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     # { name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
     { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }

profiles/servers/blocky.nix

@@ -1,23 +1,30 @@
-{ config, dns-mapping ? [], ... }:
+{ config, pkgs, dns-mapping ? [], ... }:
 let
   nodeAddress = "192.168.0.5";
-  wgAddress = "10.100.0.1";
+  upstream-dns = "100.64.0.1";
-  wgConf = config.secrets.wg-hypervisor-dns.decrypted;
 in {
-  boot.kernelModules = [ "wireguard" ];
+  systemd.tmpfiles.rules = [
-  secrets.wg-hypervisor-dns.services = [ "container@blocky.service" ];
+    "d /srv/blocky-tailscale 0755 root root -"
+  ];
+  systemd.services.gen-headscale-key = {
+    before = [ "container@blocky.service" ];
+    requiredBy = [ "container@blocky.service" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.headscale ];
+    script = ''
+      headscale preauthkeys create --ephemeral -e 1h -u ataraxiadev | tee /tmp/blocky-authkey
+    '';
+  };
   containers.blocky = {
     autoStart = true;
+    enableTun = true;
     ephemeral = true;
     privateNetwork = true;
     hostBridge = "br0";
     localAddress = "${nodeAddress}/24";
     tmpfs = [ "/" ];
-    bindMounts."${wgConf}" = {
+    bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";
-      hostPath = wgConf;
+    config = { config, pkgs, lib, ... }:
-      isReadOnly = true;
-    };
-    config = { config, pkgs, ... }:
     let
       grafanaPort = config.services.grafana.settings.server.http_port;
       blockyPort = config.services.blocky.settings.ports.dns;
@@ -26,7 +33,7 @@ in {
       networking = {
         defaultGateway = "192.168.0.1";
         hostName = "blocky-node";
-        nameservers = [ wgAddress ];
+        nameservers = [ "127.0.0.1" ];
         enableIPv6 = false;
         useHostResolvConf = false;
         firewall = {
@@ -34,8 +41,21 @@ in {
           allowedTCPPorts = [ blockyPort grafanaPort ];
           allowedUDPPorts = [ blockyPort ];
         };
-        wg-quick.interfaces.wg0.configFile = wgConf;
       };
+      # ephemeral tailscale node
+      services.tailscale = {
+        enable = true;
+        useRoutingFeatures = "client";
+        authKeyFile = "/tmp/blocky-authkey";
+        extraUpFlags = [ "--login-server=https://wg.ataraxiadev.com" "--accept-dns=false" ];
+      };
+      systemd.services.tailscaled.serviceConfig.Environment = let
+        cfg = config.services.tailscale;
+      in lib.mkForce [
+        "PORT=${toString cfg.port}"
+        ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} --state=mem:"''
+      ];
+
       services.dnsmasq = {
         enable = true;
         alwaysKeepRunning = true;
@@ -52,7 +72,7 @@ in {
       services.blocky = {
         enable = true;
         settings = {
-          upstream.default = [ wgAddress ];
+          upstream.default = [ upstream-dns ];
           upstreamTimeout = "10s";
           caching = {
             minTime = "0m";
@@ -134,7 +154,7 @@ in {
           user = "grafana";
         };
       };
-      system.stateVersion = "23.05";
+      system.stateVersion = "23.11";
     };
   };
 }