From 56d0e7b9fa916f4867a0332dbd178309eda993e0 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Tue, 4 Apr 2023 15:05:39 +0200
Subject: [PATCH] tailscale: use agenix
---
 agenix/hosts/attic/config.nix | 4 ++++
 agenix/hosts/attic/tailscale/authkey.age | 13 +++++++++++++
 agenix/hosts/sail/config.nix | 4 ++++
 agenix/hosts/sail/tailscale/authkey.age | 12 ++++++++++++
 secrets.nix | 4 ++++
 system/hosts/attic.nix | 2 ++
 system/hosts/sail.nix | 2 +-
 system/nixos/tailscale.nix | 5 +++--
 8 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 agenix/hosts/attic/tailscale/authkey.age
 create mode 100644 agenix/hosts/sail/tailscale/authkey.age
diff --git a/agenix/hosts/attic/config.nix b/agenix/hosts/attic/config.nix
index 417b8c0..882429d 100644
--- a/agenix/hosts/attic/config.nix
+++ b/agenix/hosts/attic/config.nix
@@ -3,5 +3,9 @@
 user-daniel-password = { file = ./user/danielPassword.age; };
+
+ tailscale-authkey = {
+ file = ./tailscale/authkey.age;
+ };
 }; }
diff --git a/agenix/hosts/attic/tailscale/authkey.age b/agenix/hosts/attic/tailscale/authkey.age
new file mode 100644
index 0000000..2f51042
--- /dev/null
+++ b/agenix/hosts/attic/tailscale/authkey.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA0RWxY
+emZBSTBlQ1hTRkhDaU9HaS9JMUpCaWRYcHB1enh2TGRUcmFwZDFrCmdkZDRMY0hz
+MS9ERy9kcndQVC8wRzhZK1JWNGlobzcralBzSjdZTGNSSk0KLT4gc3NoLWVkMjU1
+MTkgc1ZmNkNBIGJqRHI1R2J3dTVlUmhXNW1JaTNvNTNBcVJyTmhuVlcydlhiS1Vn
+ZkVyaVUKUWJjNG83YmNmV0wwcVd1L3o4bzh4aFBjNGI1NzJYUGtKME01MDBkOEYr
+cwotPiAyaTEtZ3JlYXNlICYpR08jeiB7LCVNc0R4TyBSdGFnU0wgMT49d0hmdApW
+N1pieTVZd3U0NVJ6VXR1dFlvSmtRVFp3Yi9SSmpxdStNTVE5SE80ZUs5RDhlNUI5
+bDI5eE45NWROdTJPVE9FCkQyUUVyZkhYVldEUVlqcHFBK1ZhCi0tLSA0VVBZR2c2
+TTBIb1hTWnM0TzRpUzRqZUp2QlpLWDQ0ZUJIcFhKUWMrR0Y4Ci83j/AYh3pgxFQA
+iaWWkiOCPIAh7J8D6vJhpECGSxrfFlPyzVWSVoCtvFJgcOlsrsm7kUkyisbG3O7I
+AqgBfmCyJbkhjMzKl2RbzlV1IGnJeFP/2jFnXGHC6w==
+-----END AGE ENCRYPTED FILE-----
diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index 405e491..b30941f 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -6,6 +6,10 @@
 group = "acme"; };
+ tailscale-authkey = {
+ file = ./tailscale/authkey.age;
+ };
+
 mastodon-database-password = { file = ./mastodon/databasePassword.age; owner = "mastodon";
diff --git a/agenix/hosts/sail/tailscale/authkey.age b/agenix/hosts/sail/tailscale/authkey.age
new file mode 100644
index 0000000..7f28bad
--- /dev/null
+++ b/agenix/hosts/sail/tailscale/authkey.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBGMEx1
+MDZxTTlPM3I0OW1jeHFoV1pneDNLUjIvazBZRGhYQ3oxak84RmlnCmRMU2VkMi83
+Sy9vTEVoaUpGZEljMEExU05jZmxvS3RZakVTWmhidWxVN1EKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IFgyS0pZRTRScDU2REppODhQYlZMeENMU1FlbDVzM2UramgyNktR
+K3RCdzAKT1QwZVVKa2krZERxeVlqYjQ4WFZBZ1d5eDR5Sm4vZ0hCKzhnNk9Vdjlw
+SQotPiAxfThiLWdyZWFzZSBFe0kgPVp4R2IiTSA0bgo2MzU5K0U3UFZqS2NQUDF5
+dENQNUNhSkVvdwotLS0geFBEM0d2MHQzdTIrL25Ka21FaGxjUjNpazFhdGJoQ25w
+Uk5XS1ZJaHhwcwq968fFE3WeIkYgzqjHkDbJU6t0vBqII6/urAckSzfR/2PIrSJX
+1pg/U1U/CnTe15PnIopE9qB7gttNaaec0z6f2lzvYudfIrydhUzr2hHy8rx79XJS
+L0CBK+E=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets.nix b/secrets.nix
index 10ff89f..f4a2825 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,6 +11,8 @@ in
 # sail "agenix/hosts/sail/acme/credentials.age".publicKeys = sail;
+ "agenix/hosts/sail/tailscale/authkey.age".publicKeys = sail;
+
 "agenix/hosts/sail/mastodon/databasePassword.age".publicKeys = sail; "agenix/hosts/sail/mastodon/smtpPassword.age".publicKeys = sail; "agenix/hosts/sail/mastodon/otpSecret.age".publicKeys = sail;
@@ -44,4 +46,6 @@ in
 # attic "agenix/hosts/attic/user/danielPassword.age".publicKeys = attic;
+
+ "agenix/hosts/attic/tailscale/authkey.age".publicKeys = attic;
 }
diff --git a/system/hosts/attic.nix b/system/hosts/attic.nix
index 1d8447b..f49285e 100644
--- a/system/hosts/attic.nix
+++ b/system/hosts/attic.nix
@@ -10,6 +10,8 @@ in
 ../nixos/ssh.nix ../nixos/git.nix
+
+ ../nixos/tailscale.nix
 ]; system.stateVersion = "22.11";
diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix
index 96e299d..6db5c52 100644
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@@ -39,7 +39,7 @@ in
 ../nixos/websites-sail.nix
- (import ../nixos/tailscale.nix (args // { inherit secret; }))
+ ../nixos/tailscale.nix
 ../nixos/mosquitto.nix
diff --git a/system/nixos/tailscale.nix b/system/nixos/tailscale.nix
index 256df72..a698d59 100644
--- a/system/nixos/tailscale.nix
+++ b/system/nixos/tailscale.nix
@@ -1,4 +1,4 @@
-{ pkgs, secret, ... }:
+{ pkgs, config, ... }:
 { environment.systemPackages = [ pkgs.tailscale ];
@@ -25,7 +25,8 @@
 fi # otherwise authenticate with tailscale
- ${pkgs.tailscale}/bin/tailscale up -authkey ${secret.tailscale.key}
+ authkey="$(cat ${config.age.secrets.tailscale-authkey.path})"
+ ${pkgs.tailscale}/bin/tailscale up -authkey "$authkey"
 ''; }; }
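Review bot: The last added line of the system/nixos/tailscale.nix hunk still hands the auth key to `tailscale up` as a command-line argument, so while that process runs the key is readable by every local user via the process list (`ps`, `/proc/<pid>/cmdline`); moving it out of the world-readable Nix store is the bigger win, but this residual exposure remains. Recent Tailscale CLI releases accept a `file:` prefix on the auth-key flag; if the pinned `pkgs.tailscale` supports it, `${pkgs.tailscale}/bin/tailscale up -authkey "file:${config.age.secrets.tailscale-authkey.path}"` keeps the key off the command line and removes the `cat` and the intermediate shell variable. If that form is not available for this version, a comment above the command such as `# NOTE: key is briefly visible in the process list while tailscale up runs` documents the accepted trade-off. The surrounding script and service definition are outside the hunk, so it cannot be confirmed here whether the shell runs with `set -e` (which would make a missing or undecryptable secret file abort instead of running `tailscale up -authkey ""`).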