diff --git a/build-rootfs.sh b/build-rootfs.sh
index 0c5c8f2..1271c36 100755
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -3,7 +3,10 @@ source $stdenv/setup
 set -o pipefail
 
 # basic file system layout
-mkdir -p $out/etc $out/proc $out/sys $out/dev $out/run $out/tmp $out/var/tmp $out/var/lib $out/var/log
+mkdir -p $out/etc $out/proc $out/sys $out/dev $out/run $out/tmp $out/var/tmp $out/var/lib/private/$serviceName $out/var/log $out/var/cache/private/$serviceName
+
+ln -sf /var/cache/private/$serviceName $out/var/cache/$serviceName
+ln -sf /var/lib/private/$serviceName $out/var/lib/$serviceName
 
 # empty files to mount over with host's version
 touch $out/etc/resolv.conf $out/etc/machine-id
diff --git a/default.nix b/default.nix
index 2d1aa6c..94ce4ef 100644
--- a/default.nix
+++ b/default.nix
@@ -52,6 +52,7 @@ let
 
   rootfs = stdenv.mkDerivation {
     name = "rootfs";
+    serviceName = name;
     builder = ./build-rootfs.sh;
     inherit units;
     unitNames = map getUnitName units;
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..2362728
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,26 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1650161686,
+        "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
index 9daf31e..d6ef8d7 100644
--- a/flake.nix
+++ b/flake.nix
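Review bot: `$serviceName` is interpolated unquoted into every new path on the `mkdir -p` and both `ln -sf` lines, with no guard against it being empty or containing a `/` or whitespace; in the empty case `mkdir -p` silently creates `$out/var/lib/private/` and each `ln -sf` then drops a stray `private` link inside the directory it was meant to replace instead of failing. A guard such as `: "${serviceName:?serviceName must be set}"` before the `mkdir`, plus quoting (`"$out/var/lib/private/$serviceName"`), makes a misconfigured caller fail the build loudly; `serviceName` is supplied by the one-line default.nix hunk in this commit. The two symlinks reproduce the `/var/lib/private/<name>` indirection systemd creates for `DynamicUser=yes`, while the tailscaled unit added alongside runs as `User=root` without it, so whether StateDirectory/CacheDirectory setup behaves as intended through the symlink in both modes is worth confirming. The rest of build-rootfs.sh lies outside the hunk.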
@@ -1,7 +1,32 @@
 {
   description = "Nix tools to help you build portable services";
-  outputs = { self }: {
+  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
+
+  outputs = { self, nixpkgs, ... }: {
     overlay = final: prev: {
       portableService = prev.pkgs.callPackage ./. { };
     };
+
+    packages.x86_64-linux.default = let
+      pkgs = import nixpkgs {
+        overlays = [ self.overlay ];
+        system = "x86_64-linux";
+      };
+
+      service = pkgs.substituteAll {
+        name = "tailscaled.service";
+        src = ./ts/tailscaled.service.in;
+        inherit (pkgs) tailscale;
+      };
+    in pkgs.portableService {
+      name = "tailscale";
+      version = pkgs.tailscale.version;
+      homepage = "https://tailscale.com";
+      units = [ service ];
+
+      symlinks = [{
+        object = "${pkgs.cacert}/etc/ssl";
+        symlink = "/etc/ssl";
+      }];
+    };
   };
 }
diff --git a/ts/tailscaled.service.in b/ts/tailscaled.service.in
new file mode 100644
index 0000000..f44a855
--- /dev/null
+++ b/ts/tailscaled.service.in
@@ -0,0 +1,26 @@
+[Unit]
+Description=Tailscale node agent
+Documentation=https://tailscale.com/kb/
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+ExecStartPre=@tailscale@/bin/tailscaled --cleanup
+ExecStart=@tailscale@/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --tun=userspace-networking
+ExecStopPost=@tailscale@/bin/tailscaled --cleanup
+AmbientCapabilities=CAP_NET_ADMIN
+Restart=on-failure
+User=root
+BindPaths=/dev/net
+BindPaths=/etc/resolv.conf
+BindPaths=/run/tailscale
+RuntimeDirectory=tailscale
+RuntimeDirectoryMode=0755
+StateDirectory=tailscale
+StateDirectoryMode=0700
+CacheDirectory=tailscale
+CacheDirectoryMode=0750
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
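Review bot: `packages.x86_64-linux.default` and the inline `import nixpkgs { … system = "x86_64-linux"; }` pin the flake's only package to a single system, so each additional architecture means duplicating the whole `let` block; wrapping the definition in `nixpkgs.lib.genAttrs` over a system list keeps one copy. Making a concrete tailscale image the `default` package of a repository described as "Nix tools to help you build portable services" is also worth a comment in the flake, e.g. `# example image exercising portableService; not part of the library API`. Unrelated to the added lines but visible in the hunk's context, the singular `overlay` output is the legacy name; recent Nix releases warn and expect `overlays.default`.
```nix
  outputs = { self, nixpkgs, ... }: {
    # … unchanged: overlay …

    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system:
      let
        pkgs = import nixpkgs {
          overlays = [ self.overlay ];
          inherit system;
        };
        # … unchanged: service = pkgs.substituteAll { … }; …
      in {
        default = pkgs.portableService {
          # … unchanged: name, version, homepage, units, symlinks …
        };
      });
```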
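Review bot: `User=root` together with `AmbientCapabilities=CAP_NET_ADMIN` yields no privilege reduction — ambient capabilities only narrow what a non-root `User=` receives, and a root process already holds CAP_NET_ADMIN — so the daemon runs with full root inside the portable namespace. With `--tun=userspace-networking` on the ExecStart line, tailscaled does not appear to need the kernel TUN device, so `BindPaths=/dev/net` and the capability look droppable; if kernel-mode TUN is wanted later, the tighter shape is a dedicated user, e.g. `DynamicUser=yes` plus `AmbientCapabilities=CAP_NET_ADMIN`, which also matches the `/var/lib/private/<name>` layout build-rootfs.sh now creates. `BindPaths=/etc/resolv.conf` mounts the host resolver file read-write; if it is only read, `BindReadOnlyPaths=/etc/resolv.conf` prevents the daemon's DNS manager from rewriting the host file. The file also lacks a trailing newline.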