about summary refs log tree commit diff
path: root/ops/machines/whitby
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2023-06-20T11·59+0300
committertazjin <tazjin@tvl.su>2023-06-22T13·23+0000
commit8cdad7d45c6c58f0b93f0ca5b4779e31bd845bb9 (patch)
tree031a5ed66c717d590b7e16089c06a571602cde76 /ops/machines/whitby
parentf32abbdc1a20d019538a1961b827653518630d3a (diff)
feat(ops): introduce (head|tail)scale server at net.tvl.fyi r/6343
This runs a headscale server on sanduny which lets users join their
machines to the TVL tailscale network.

This would theoretically let people communicate with each other on the
internal network, but also more notably joined servers can advertise
exit node capability so that we can have our own "VPN network", for
starters with endpoints in Germany, UK and Russia (whitby, sanduny and
koptevo respectively).

This setup isn't fully stable yet, notably:

* The IP range used by tailscale is just the default one right now,
  I'm not sure if that should be changed or what.

* The system is stateful (on sanduny), but the state is not (yet)
  backed up anywhere. Use with caution.

* Machine joining is a manual process requiring SSH & root access to
  sanduny.

  The process is to log in to sanduny, then get a headscale shell with
  `sudo -u headscale bash`, and to use the `headscale` CLI within
  there to administrate access.

  I've opted to create a user account `tvl` for TVL-owned machines,
  and a personal account for myself and my machines.

Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Diffstat (limited to 'ops/machines/whitby')
-rw-r--r--ops/machines/whitby/default.nix6
1 files changed, 6 insertions, 0 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index f2a459047163..c7874cd2352d 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -624,6 +624,12 @@ in
     };
   };
 
+  # Join TVL Tailscale network at net.tvl.fyi
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server"; # for exit-node usage
+  };
+
   # Allow Keycloak access to the LDAP module by forcing in the JVM
   # configuration
   systemd.services.keycloak.environment.PREPEND_JAVA_OPTS =