nixcfg/systems/x86_64-linux
Harald Hoyer 67b7c3a9fd feat(headscale): add ACL policy, isolate mx, make mx an exit node
Introduces a headscale ACL policy (file-mode) plus matching client config:

- New systems/x86_64-linux/attic/headscale-policy.hujson:
  * tag:llm restricts a node to talking only to halo:8000
  * all other harald@ nodes have full mesh access to each other
  * harald@ nodes can route internet traffic via approved exit nodes
  * autoApprovers.exitNode = [tag:llm] auto-approves the exit route
    advertised by any tag:llm node (currently mx)

- attic headscale.nix: wire policy.mode = "file" / policy.path to
  the .hujson above.

- mx default.nix: enable useRoutingFeatures = "server" (needed for IP
  forwarding) and add extraSetFlags = ["--advertise-exit-node"] so the
  flag is reapplied on every activation, not just initial login.

Operational steps after deploy:
  headscale nodes tag -i 10 -t tag:llm
2026-05-13 09:06:40 +02:00
amd refactor(opencode): extract serve service into shared NixOS module 2026-05-05 13:43:27 +02:00
attic feat(headscale): add ACL policy, isolate mx, make mx an exit node 2026-05-13 09:06:40 +02:00
halo feat(halo): llama-server-27B-MTP.nix 2026-05-12 16:16:15 +02:00
mx feat(headscale): add ACL policy, isolate mx, make mx an exit node 2026-05-13 09:06:40 +02:00
nixtee1 refactor(nix): extract common system configs into reusable modules 2026-01-30 10:42:09 +01:00
sgx refactor(opencode): extract serve service into shared NixOS module 2026-05-05 13:43:27 +02:00
t15 refactor(nix): extract common system configs into reusable modules 2026-01-30 10:42:09 +01:00
x1 chore: nix fmt 2026-05-03 14:57:49 +02:00