rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(networking): use client-id and client-secret for tailscale auth

Browse source
This commit is contained in:
Mohammad Rafiq 2025-06-30 03:43:37 +08:00
parent c3acffe2bc
commit 2b97ee96ca
No known key found for this signature in database
3 changed files with 9 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/nixos/default.nix
View file

@ -95,7 +95,6 @@ in
age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ]; age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
secrets = { secrets = {
"keys/openrouter" = { }; "keys/openrouter" = { };
"keys/tailscale" = { };
"keys/gemini" = { }; "keys/gemini" = { };
"keys/cvt-jira" = { }; "keys/cvt-jira" = { };
"keys/cloudflare" = { }; "keys/cloudflare" = { };
@ -104,6 +103,8 @@ in
"rafiq/hashedPassword".neededForUsers = true; "rafiq/hashedPassword".neededForUsers = true;
"rafiq/personalEmailPassword" = { }; "rafiq/personalEmailPassword" = { };
"rafiq/workEmailPassword" = { }; "rafiq/workEmailPassword" = { };
"tailscale/client-id" = { };
"tailscale/client-secret" = { };
}; };
}; };
environment.shellInit = # sh environment.shellInit = # sh

3
modules/nixos/networking/default.nix
View file

@ -17,7 +17,8 @@ in
services.tailscale = { services.tailscale = {
enable = true; enable = true;
authKeyFile = config.sops.secrets."keys/tailscale".path; authKeyFile = config.sops.secrets."tailscale/client-secret".path;
authKeyParameters.preauthorized = true;
}; };
persistDirs = singleton "/var/lib/tailscale"; persistDirs = singleton "/var/lib/tailscale";
} }

8
secrets/secrets.yaml
View file

@ -5,7 +5,6 @@ rafiq:
oldSMBCredentials: ENC[AES256_GCM,data:aY41trUJcvGa584H0A==,iv:3h9AZ33HXWT4D/vGMyy/o+TXyGg75Ixcj3+h2EskvIQ=,tag:dDo55h1ljOYLZBHn9bK7ew==,type:str] oldSMBCredentials: ENC[AES256_GCM,data:aY41trUJcvGa584H0A==,iv:3h9AZ33HXWT4D/vGMyy/o+TXyGg75Ixcj3+h2EskvIQ=,tag:dDo55h1ljOYLZBHn9bK7ew==,type:str]
keys: keys:
openrouter: ENC[AES256_GCM,data:Uddc0leKVD2xxpvDpsTJV3qZ4oe89Uz6dJMuzF/TeI5iIrG+DNIAYPcnIQiA6LDScO9mag8XNiYpYH7lyMnUg1cvThChiVhO+A==,iv:RHSrL/L74dSvLKAvGwyMME53RzKr2+RDnI8xBpDJVng=,tag:d81mr26SeStmAa8UgEF/LA==,type:str] openrouter: ENC[AES256_GCM,data:Uddc0leKVD2xxpvDpsTJV3qZ4oe89Uz6dJMuzF/TeI5iIrG+DNIAYPcnIQiA6LDScO9mag8XNiYpYH7lyMnUg1cvThChiVhO+A==,iv:RHSrL/L74dSvLKAvGwyMME53RzKr2+RDnI8xBpDJVng=,tag:d81mr26SeStmAa8UgEF/LA==,type:str]
tailscale: ENC[AES256_GCM,data:sW64TZY/GtWD+8KOQDHYvnwzWiqOlsJ5782utaxVwUaiWa18hU+Ppd3gp/8f0R3rK6gskaPC22iuCuzvuA==,iv:TN2zWKgU6eXH3uaL7Ci2JKmo8Ql4DUSWS3Lxfnag7j4=,tag:s5of4wLdCp6b5VMGWLLxvw==,type:str]
gemini: ENC[AES256_GCM,data:t4XTzJLMbHBG7LNaWMwO0YyYHREYOp4Zn95Kwshunnpwq9ezVv+0,iv:ZHq1ytak7Qy5a/zHghwEIWRinDWAkk2Vxw4iu/Q/UPk=,tag:Wyk0FqLTOWelznWHg/anxg==,type:str] gemini: ENC[AES256_GCM,data:t4XTzJLMbHBG7LNaWMwO0YyYHREYOp4Zn95Kwshunnpwq9ezVv+0,iv:ZHq1ytak7Qy5a/zHghwEIWRinDWAkk2Vxw4iu/Q/UPk=,tag:Wyk0FqLTOWelznWHg/anxg==,type:str]
cvt-jira: ENC[AES256_GCM,data:y9enN905hAxp9F6TPcnYdcnA7VQQjTsysltBn7k9CVtOYUDBX5UKCbO4VEE=,iv:Hy/RshBTSFqEVlHq/fi/UqNdbzBvMaBmXnSHAz0WplY=,tag:bBgB+HJdHRu4bg/f9vq9nw==,type:str] cvt-jira: ENC[AES256_GCM,data:y9enN905hAxp9F6TPcnYdcnA7VQQjTsysltBn7k9CVtOYUDBX5UKCbO4VEE=,iv:Hy/RshBTSFqEVlHq/fi/UqNdbzBvMaBmXnSHAz0WplY=,tag:bBgB+HJdHRu4bg/f9vq9nw==,type:str]
cloudflare: ENC[AES256_GCM,data:nrtHnQR0Oon9BrSN0AeAjl8H8B7quuwSu/Qjabe9HFpWgcZq9n1JCA==,iv:ovyHqy5iKXDYXe4H7eRA51+kODhP+vAWoc98cS/6zG0=,tag:JyktO6EMRZ00CRhTb03+fg==,type:str] cloudflare: ENC[AES256_GCM,data:nrtHnQR0Oon9BrSN0AeAjl8H8B7quuwSu/Qjabe9HFpWgcZq9n1JCA==,iv:ovyHqy5iKXDYXe4H7eRA51+kODhP+vAWoc98cS/6zG0=,tag:JyktO6EMRZ00CRhTb03+fg==,type:str]
@ -19,6 +18,9 @@ librechat:
jwt_refresh_secret: ENC[AES256_GCM,data:/4X6h51oRRaOg7UZ/zUcS1L8QyFnhsTYrz8D6R3ZP/tFAEMO/IfYJHHQQ8UtgKjAEwIVYcpIco8lUDhm06folw==,iv:02/LgoiMZ6MzBSd+JAi+iuF3dzqsVyqX6gQfWPY8sIc=,tag:5VrCh7ZKNJD3ynjcyQpVyg==,type:str] jwt_refresh_secret: ENC[AES256_GCM,data:/4X6h51oRRaOg7UZ/zUcS1L8QyFnhsTYrz8D6R3ZP/tFAEMO/IfYJHHQQ8UtgKjAEwIVYcpIco8lUDhm06folw==,iv:02/LgoiMZ6MzBSd+JAi+iuF3dzqsVyqX6gQfWPY8sIc=,tag:5VrCh7ZKNJD3ynjcyQpVyg==,type:str]
matterbridge: matterbridge:
mattermost-password: ENC[AES256_GCM,data:sMk4M2gADl1iPA7XEH1/D3sw,iv:YnTYTo0NVJVLtS/uhaodoCuyDqJf6IKCojKFljKSFCE=,tag:8vEK0RyxopiPUcML6hwqpg==,type:str] mattermost-password: ENC[AES256_GCM,data:sMk4M2gADl1iPA7XEH1/D3sw,iv:YnTYTo0NVJVLtS/uhaodoCuyDqJf6IKCojKFljKSFCE=,tag:8vEK0RyxopiPUcML6hwqpg==,type:str]
tailscale:
client-id: ENC[AES256_GCM,data:YxL4lpnSpz+UQQdoVK/KC/o=,iv:ZGV/ZAdvpmUUlRcbP60ALcxMVzdiXiAxedRyl4sZbaQ=,tag:18Qmvw9aK8CaUUKXE7C7MA==,type:str]
client-secret: ENC[AES256_GCM,data:+PZ3iqj/s6HOoCZJqglt+uzGXy5bJmnqqt7dQReZj/5HTNUlE+QqnCdXNoQkGqnuZ/TN44AExZpowh6NXYyGVQ==,iv:LCZgNZz7qCfk1zXcZTczSoA0a9BF36sV+IpB+ce73P0=,tag:E/vVE6persTCPKbOvvmTjw==,type:str]
sops: sops:
age: age:
- recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
@ -30,7 +32,7 @@ sops:
WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY
M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw== M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-17T19:11:07Z" lastmodified: "2025-06-29T19:38:14Z"
mac: ENC[AES256_GCM,data:EVDPzk2P284ULwMx/hCQeP4eehIiqx5OxhNDc17KhjRv19iPUjzhX7/SQy+r34ZfiKSFnB2W3zmhl6JtGqme10v4xZDT+D5wBLrYU7h4ylht65iDo0Eaw38TNLXPNqfNlKWqTcpgvMpez26CdL/7v3bUKU0aLYX0HkVxl2CQt5g=,iv:gujsDVgpH7RajOliQxL7Unkm24Xqp7BEeYtUMyXq2oc=,tag:KdKXPJ4cF2myFe4vJ1/YnQ==,type:str] mac: ENC[AES256_GCM,data:vn5y4Jlbv6foOB15XWE8kVsxIfTqswUDNsOoOyL/84AZtD69E5QpiUE6ed1DmQAcKxEI/H8OYbdijFYJ5jB8CGp8huwuQ4h+dYKDV+OtX7uk6w2E31fcJ54xCYdpHA3rTyiEh3S5aS+YLcEsHWmHlwebBxYg3tIwXDSOcVrIGgo=,iv:KfpSrigxu8dxjHO1sINTAuZ0mfRVsHsliqHRxfWQq4E=,tag:z3lBzeBETxZOQ9/hSFd/cg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2