tailscale: use agenix

agenix/hosts/attic/config.nix

@@ -3,5 +3,9 @@
     user-daniel-password = {
       file = ./user/danielPassword.age;
     };
+
+    tailscale-authkey = {
+      file = ./tailscale/authkey.age;
+    };
   };
 }

agenix/hosts/attic/tailscale/authkey.age

@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA0RWxY
+emZBSTBlQ1hTRkhDaU9HaS9JMUpCaWRYcHB1enh2TGRUcmFwZDFrCmdkZDRMY0hz
+MS9ERy9kcndQVC8wRzhZK1JWNGlobzcralBzSjdZTGNSSk0KLT4gc3NoLWVkMjU1
+MTkgc1ZmNkNBIGJqRHI1R2J3dTVlUmhXNW1JaTNvNTNBcVJyTmhuVlcydlhiS1Vn
+ZkVyaVUKUWJjNG83YmNmV0wwcVd1L3o4bzh4aFBjNGI1NzJYUGtKME01MDBkOEYr
+cwotPiAyaTEtZ3JlYXNlICYpR08jeiB7LCVNc0R4TyBSdGFnU0wgMT49d0hmdApW
+N1pieTVZd3U0NVJ6VXR1dFlvSmtRVFp3Yi9SSmpxdStNTVE5SE80ZUs5RDhlNUI5
+bDI5eE45NWROdTJPVE9FCkQyUUVyZkhYVldEUVlqcHFBK1ZhCi0tLSA0VVBZR2c2
+TTBIb1hTWnM0TzRpUzRqZUp2QlpLWDQ0ZUJIcFhKUWMrR0Y4Ci83j/AYh3pgxFQA
+iaWWkiOCPIAh7J8D6vJhpECGSxrfFlPyzVWSVoCtvFJgcOlsrsm7kUkyisbG3O7I
+AqgBfmCyJbkhjMzKl2RbzlV1IGnJeFP/2jFnXGHC6w==
+-----END AGE ENCRYPTED FILE-----

agenix/hosts/sail/config.nix

@@ -6,6 +6,10 @@
       group = "acme";
     };
 
+    tailscale-authkey = {
+      file = ./tailscale/authkey.age;
+    };
+
     mastodon-database-password = {
       file = ./mastodon/databasePassword.age;
       owner = "mastodon";

agenix/hosts/sail/tailscale/authkey.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBGMEx1
+MDZxTTlPM3I0OW1jeHFoV1pneDNLUjIvazBZRGhYQ3oxak84RmlnCmRMU2VkMi83
+Sy9vTEVoaUpGZEljMEExU05jZmxvS3RZakVTWmhidWxVN1EKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IFgyS0pZRTRScDU2REppODhQYlZMeENMU1FlbDVzM2UramgyNktR
+K3RCdzAKT1QwZVVKa2krZERxeVlqYjQ4WFZBZ1d5eDR5Sm4vZ0hCKzhnNk9Vdjlw
+SQotPiAxfThiLWdyZWFzZSBFe0kgPVp4R2IiTSA0bgo2MzU5K0U3UFZqS2NQUDF5
+dENQNUNhSkVvdwotLS0geFBEM0d2MHQzdTIrL25Ka21FaGxjUjNpazFhdGJoQ25w
+Uk5XS1ZJaHhwcwq968fFE3WeIkYgzqjHkDbJU6t0vBqII6/urAckSzfR/2PIrSJX
+1pg/U1U/CnTe15PnIopE9qB7gttNaaec0z6f2lzvYudfIrydhUzr2hHy8rx79XJS
+L0CBK+E=
+-----END AGE ENCRYPTED FILE-----

secrets.nix

@@ -11,6 +11,8 @@ in
   # sail
   "agenix/hosts/sail/acme/credentials.age".publicKeys = sail;
 
+  "agenix/hosts/sail/tailscale/authkey.age".publicKeys = sail;
+
   "agenix/hosts/sail/mastodon/databasePassword.age".publicKeys = sail;
   "agenix/hosts/sail/mastodon/smtpPassword.age".publicKeys = sail;
   "agenix/hosts/sail/mastodon/otpSecret.age".publicKeys = sail;
@@ -44,4 +46,6 @@ in
 
   # attic
   "agenix/hosts/attic/user/danielPassword.age".publicKeys = attic;
+
+  "agenix/hosts/attic/tailscale/authkey.age".publicKeys = attic;
 }

system/hosts/attic.nix

@@ -10,6 +10,8 @@ in
     ../nixos/ssh.nix
 
     ../nixos/git.nix
+
+    ../nixos/tailscale.nix
   ];
 
   system.stateVersion = "22.11";

system/hosts/sail.nix

@@ -39,7 +39,7 @@ in
 
     ../nixos/websites-sail.nix
 
-    (import ../nixos/tailscale.nix (args // { inherit secret; }))
+    ../nixos/tailscale.nix
 
     ../nixos/mosquitto.nix
 

system/nixos/tailscale.nix

@@ -1,4 +1,4 @@
-{ pkgs, secret, ... }:
+{ pkgs, config, ... }:
 
 {
   environment.systemPackages = [ pkgs.tailscale ];
@@ -25,7 +25,8 @@
       fi
 
       # otherwise authenticate with tailscale
-      ${pkgs.tailscale}/bin/tailscale up -authkey ${secret.tailscale.key}
+      authkey="$(cat ${config.age.secrets.tailscale-authkey.path})"
+      ${pkgs.tailscale}/bin/tailscale up -authkey "$authkey"
     '';
   };
 }