From 2fb8afe55c89031b1f84ddc07556dd3f048e3dce Mon Sep 17 00:00:00 2001 
From: Skyler Grey
Date: Tue, 23 Sep 2025 12:23:05 +0000
Subject: [PATCH] feat(collabora): add second tailscale instance

Change-Id: yvxzunysmzqzvutxvquvsqzlmvotmsms

Internally for Freshly we use Tailscale to access hosts, but Collabora now also use Tailscale to access hosts. For a while, I've been using 'tailscale switch' to move back/forth, but this takes some time and doesn't allow me to use multiple nets at once.

I evaluated what I wanted to use my own personal tailscale for, and it was the following things:

- https://files.freshly.space (I have a mounted webdav drive which is only available over tailscale, and the web interface auto-logs-in over tailscale, which is very nice...)
- https://silverbullet.clicks.codes (All of my notes are here. I would need to switch notetaking app for work stuff if I were to stop using my own tailnet)
- https://silverbullet.starrysky.fyi (Actually, some work stuff is also here because I have some things which I am contractually obliged not to make public - even to my friends. This one does tailscale auth to check that I am my own tailscale user)
- My own devices (which I could put on to the work tailnet, although I would either forgo nice device names or manage my own /etc/hosts, and I would need to manage switching back/forth (potentially making any /etc/hosts editing pretty fraught...))

While some of this could be put on the work tailnet, by no means all of it could be. In contrast, I need the work tailnet to access SSH/web interfaces for several internal services. These can't be used without it, but I only really need to use them from redhead.

The cleanest solution is to have multiple tailnets at once - and select which one I'm using such that the collabora tailnet is only used for the things it's needed for.

Here's how I'm proxying SSH hosts through the tailnet:

    Host collabora-foo foo
        ProxyCommand nc -X 5 -x localhost:1055 %h %p
        Hostname ...

And I'm using the "FoxyProxy" extension in Firefox to do the same for specific URL matches.
I'm hoping this'll be enough to let me neatly access everything I want to all of the time... --- packetmix/homes/collabora/tailscale.nix | 9 +++++++++ packetmix/systems/collabora/tailscale.nix | 22 ++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 packetmix/homes/collabora/tailscale.nix create mode 100644 packetmix/systems/collabora/tailscale.nix diff --git a/packetmix/homes/collabora/tailscale.nix b/packetmix/homes/collabora/tailscale.nix new file mode 100644 index 00000000..a8cc21bc --- /dev/null +++ b/packetmix/homes/collabora/tailscale.nix @@ -0,0 +1,9 @@ +# SPDX-FileCopyrightText: 2025 Collabora Productivity Limited +# +# SPDX-License-Identifier: MIT + +{ pkgs, ... }: +{ + # system shellAliases are often disabled in hm-managed shell profiles... so we should copy the alias here too + home.shellAliases.tailscale-collabora = "${pkgs.tailscale}/bin/tailscale --socket /var/run/tailscale/tailscaled-collabora.sock"; +} diff --git a/packetmix/systems/collabora/tailscale.nix b/packetmix/systems/collabora/tailscale.nix new file mode 100644 index 00000000..a2301862 --- /dev/null +++ b/packetmix/systems/collabora/tailscale.nix @@ -0,0 +1,22 @@ +# SPDX-FileCopyrightText: 2025 Collabora Productivity Limited +# +# SPDX-License-Identifier: MIT + +{ pkgs, ... }: +{ + systemd.services.tailscale-collabora = { + after = [ "NetworkManager-wait-online.service" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig.StateDirectory = [ "tailscale/collabora" ]; + + script = + "${pkgs.tailscale}/bin/tailscaled" + + " -tun=userspace-networking" + + " -socks5-server=localhost:1055" + + " -socket=/var/run/tailscale/tailscaled-collabora.sock" + + " -statedir=/var/lib/tailscale/collabora"; + }; + + environment.shellAliases.tailscale-collabora = "${pkgs.tailscale}/bin/tailscale --socket /var/run/tailscale/tailscaled-collabora.sock"; +} -- 2.43.0
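Review bot: In packetmix/homes/collabora/tailscale.nix the alias hard-codes the socket path `/var/run/tailscale/tailscaled-collabora.sock` a second time (the system module spells it in both its own alias and the `-socket=` flag), so renaming the socket in the service silently breaks this alias; define the path once in a shared expression and interpolate it in all three places. The comment "system shellAliases are often disabled in hm-managed shell profiles" should name the setting it refers to, so the next reader can check whether the duplicated alias is still needed.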
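Review bot: In packetmix/systems/collabora/tailscale.nix the unit points `-socket=` at /var/run/tailscale/tailscaled-collabora.sock but declares only `serviceConfig.StateDirectory = [ "tailscale/collabora" ]`; nothing here creates /var/run/tailscale, and if that directory exists only because the primary tailscaled unit owns it as its RuntimeDirectory, a restart of that unit removes the directory and this daemon's socket with it. Give this instance its own runtime directory, e.g. `serviceConfig.RuntimeDirectory = "tailscale-collabora"` with `-socket=/run/tailscale-collabora/tailscaled.sock`, and update both aliases to match. Two hardening points on the same serviceConfig: add `StateDirectoryMode = "0700"`, since /var/lib/tailscale/collabora will hold this node's private key and systemd's default mode for StateDirectory is 0755; and add `Restart = "on-failure"`, otherwise a crashed daemon leaves port 1055 dead until the next boot. `after = [ "NetworkManager-wait-online.service" ]` without a matching `wants` only orders the unit when something else activates wait-online; add `wants` or depend on network-online.target. Finally, `-socks5-server=localhost:1055` is an unauthenticated listener, so any local user or process that can reach 127.0.0.1:1055 is inside the Collabora tailnet regardless of which user runs the alias; acceptable on a single-user machine, but it deserves a comment, and the tailnet's ACLs are the only remaining gate.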
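The SSH ProxyCommand in the commit message works because `nc -X 5` speaks SOCKS5 to the second tailscaled. As an added example (not code from the patch or from its author), here is that exchange written out in Python: the client greeting, the CONNECT request that carries the destination hostname so the proxy resolves it (for tailscaled in userspace-networking mode, that lookup happens inside the tailnet, which is why a MagicDNS name works as `%h`), and the reply parser. The proxy address 127.0.0.1:1055 comes from the `-socks5-server` flag in the patch; the destination host `collabora-foo` and port 22 are placeholders assumed for illustration.

```python
"""SOCKS5 CONNECT client: the exchange behind `nc -X 5 -x localhost:1055 %h %p`.

Added example, not code from the patch. Assumptions not in the patch: the
destination name "collabora-foo" and port 22 are placeholders.
"""
import socket
import struct
import sys

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """VER NMETHODS METHODS. Only "no authentication" is offered: the
    -socks5-server flag configures no credentials, so being able to reach
    the port is the entire access check."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT. Literal IPs go as ATYP 1/4; any
    other name goes as ATYP 3 so the proxy, not the local resolver, looks it
    up (the host has no tailnet DNS config in userspace-networking mode)."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            packed = socket.inet_pton(family, host)
        except OSError:
            continue
        return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + packed + struct.pack("!H", port)
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 domain names are 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(data: bytes) -> tuple:
    """Return (REP, BND.ADDR, BND.PORT) from a server reply; raise on junk."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        alen = 4
    elif atyp == ATYP_IPV6:
        alen = 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated reply")
        alen = 1 + data[4]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) < 4 + alen + 2:
        raise ValueError("truncated reply")
    raw = data[4:4 + alen]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        host = raw[1:].decode("idna")
    port = struct.unpack("!H", data[4 + alen:6 + alen])[0]
    return rep, host, port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return bytes(buf)


def socks5_connect(proxy: tuple, host: str, port: int, timeout: float = 10.0) -> socket.socket:
    """Open a TCP stream to host:port through the SOCKS5 proxy and return it."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        if _recv_exact(sock, 2) != bytes([SOCKS_VERSION, METHOD_NO_AUTH]):
            raise ConnectionError("proxy rejected the no-auth method")
        sock.sendall(build_connect_request(host, port))
        head = _recv_exact(sock, 4)
        if head[3] == ATYP_DOMAIN:
            n = _recv_exact(sock, 1)
            tail = n + _recv_exact(sock, n[0] + 2)
        elif head[3] in (ATYP_IPV4, ATYP_IPV6):
            tail = _recv_exact(sock, (4 if head[3] == ATYP_IPV4 else 16) + 2)
        else:
            raise ConnectionError(f"unknown ATYP {head[3]:#x}")
        rep, _, _ = parse_connect_reply(head + tail)
        if rep != 0x00:
            raise ConnectionError(f"CONNECT {host}:{port} failed: {REPLY_TEXT.get(rep, rep)}")
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Usage: python socks5_probe.py [host] [port]; reads the SSH banner.
    target = sys.argv[1] if len(sys.argv) > 1 else "collabora-foo"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    with socks5_connect(("127.0.0.1", 1055), target, target_port) as s:
        print(s.recv(256).decode("ascii", "replace").strip())
```

Run against the live daemon it prints the target's SSH banner; the message builders and the reply parser are the parts that can be checked offline. The method negotiation is the point to notice: the client offers only method 0x00 and the daemon has nothing else to ask for, so whatever can open a TCP connection to 127.0.0.1:1055 gets the same tailnet access as the user who ran `tailscale-collabora up`.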