)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000034,"name":"sterni","email":"sternenseemann@systemli.org","username":"sterni"},"change_message_id":"86019a4a1208d547c283663b745a28f3d60323c5","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"5fe082a7_41360914","updated":"2023-06-20 12:15:09.000000000","message":"I don\u0027t quite get what the use case is for this?","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"},{"author":{"_account_id":1000001,"name":"tazjin","email":"tazjin@tvl.su","username":"tazjin"},"change_message_id":"33c42287b71908082c89aa281eb98007534a84a4","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a63b14eb_c1f7da46","in_reply_to":"5fe082a7_41360914","updated":"2023-06-20 12:21:02.000000000","message":"1. Possibility to host \"internal\" services if we want to.\n2. Very easy administration of exit-nodes for VPN use, i.e. it can act as a VPN network for TVL members who need an endpoint in a specific place for something (we\u0027re quite distributed so that can be useful, the original idea was because I needed a UK endpoint and sanduny is in the UK)","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"},{"author":{"_account_id":1000001,"name":"tazjin","email":"tazjin@tvl.su","username":"tazjin"},"change_message_id":"ff6a666362746bcf7a78fc6607c39f89749eea1d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"598f08cd_e1d65465","in_reply_to":"89e3444c_8608d9e5","updated":"2023-06-22 13:23:08.000000000","message":"Ack","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"},{"author":{"_account_id":1000001,"name":"tazjin","email":"tazjin@tvl.su","username":"tazjin"},"change_message_id":"63dab89e28251b989396a0a397c9cc2991cdbc3c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d2f352d2_c1cac0c0","in_reply_to":"a63b14eb_c1f7da46","updated":"2023-06-20 12:32:48.000000000","message":"3. 
It\u0027s also just TVL infrastructure tbh, people can use it for whatever they want.","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"},{"author":{"_account_id":1000036,"name":"flokli","email":"flokli@flokli.de","username":"flokli"},"change_message_id":"a014034df4b04f648f880ebd8f88018ca71b7164","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"89e3444c_8608d9e5","in_reply_to":"d2f352d2_c1cac0c0","updated":"2023-06-22 13:16:45.000000000","message":"I\u0027d personally always favor having stuff publicly reachable behind SSO login, rather than using source IPs as a security mechanism. No matter what IP (v4 at least) ranges you pick, they\u0027ll most likely conflict with some ranges others have, and \"being connected to that network is a hassle\".\n\nSo please consider this as some overlay network across machines, but not an \"internal network\" that I need to join to access some services.","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"}],"ops/machines/sanduny/default.nix":[{"author":{"_account_id":1000036,"name":"flokli","email":"flokli@flokli.de","username":"flokli"},"change_message_id":"a014034df4b04f648f880ebd8f88018ca71b7164","unresolved":true,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"  # Run tailscale for the TVL net.tvl.fyi network."},{"line_number":76,"context_line":"  # tailscale up --login-server https://net.tvl.fyi --accept-dns\u003dfalse --advertise-exit-node"},{"line_number":77,"context_line":"  services.tailscale \u003d {"},{"line_number":78,"context_line":"    enable \u003d true;"},{"line_number":79,"context_line":"    useRoutingFeatures \u003d \"server\"; # for exit-node usage"},{"line_number":80,"context_line":"  };"}],"source_content_type":"text/x-nix","patch_set":2,"id":"e18502e4_f526d229","line":77,"updated":"2023-06-22 13:16:45.000000000","message":"this line is already in tvl-headscale.nix, and similar lines are not in other machine configs.\n\nfor 
consistency reasons I\u0027d probably only put it all in tvl-headscale.nix.","commit_id":"21d2cc0eb67e2134f16e9190493c16bbff20c871"},{"author":{"_account_id":1000001,"name":"tazjin","email":"tazjin@tvl.su","username":"tazjin"},"change_message_id":"ff6a666362746bcf7a78fc6607c39f89749eea1d","unresolved":false,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"  # Run tailscale for the TVL net.tvl.fyi network."},{"line_number":76,"context_line":"  # tailscale up --login-server https://net.tvl.fyi --accept-dns\u003dfalse --advertise-exit-node"},{"line_number":77,"context_line":"  services.tailscale \u003d {"},{"line_number":78,"context_line":"    enable \u003d true;"},{"line_number":79,"context_line":"    useRoutingFeatures \u003d \"server\"; # for exit-node usage"},{"line_number":80,"context_line":"  };"}],"source_content_type":"text/x-nix","patch_set":2,"id":"04faadb5_7e37304a","line":77,"in_reply_to":"e18502e4_f526d229","updated":"2023-06-22 13:23:08.000000000","message":"No, this is the client setup block, not the server setup block. It does not belong in the headscale config file. \n\nThis is also in whitby and koptevo machine configs. 
Since only two settings are set, I don\u0027t think extracting it into a separate module makes sense.","commit_id":"21d2cc0eb67e2134f16e9190493c16bbff20c871"}],"ops/modules/tvl-headscale.nix":[{"author":{"_account_id":1000034,"name":"sterni","email":"sternenseemann@systemli.org","username":"sterni"},"change_message_id":"86019a4a1208d547c283663b745a28f3d60323c5","unresolved":true,"context_lines":[{"line_number":41,"context_line":"    enableACME \u003d true;"},{"line_number":42,"context_line":"    forceSSL \u003d true;"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"    # See https://github.com/juanfont/headscale/blob/v0.22.3/docs/reverse-proxy.md#nginx"},{"line_number":45,"context_line":"    extraConfig \u003d \u0027\u0027"},{"line_number":46,"context_line":"      location / {"},{"line_number":47,"context_line":"        proxy_pass http://localhost:${toString config.services.headscale.port};"}],"source_content_type":"text/x-nix","patch_set":1,"id":"0dcfedb9_f73eb37b","line":44,"updated":"2023-06-20 12:15:09.000000000","message":"no Strict-Transport-Security?","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"},{"author":{"_account_id":1000001,"name":"tazjin","email":"tazjin@tvl.su","username":"tazjin"},"change_message_id":"33c42287b71908082c89aa281eb98007534a84a4","unresolved":false,"context_lines":[{"line_number":41,"context_line":"    enableACME \u003d true;"},{"line_number":42,"context_line":"    forceSSL \u003d true;"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"    # See https://github.com/juanfont/headscale/blob/v0.22.3/docs/reverse-proxy.md#nginx"},{"line_number":45,"context_line":"    extraConfig \u003d \u0027\u0027"},{"line_number":46,"context_line":"      location / {"},{"line_number":47,"context_line":"        proxy_pass http://localhost:${toString 
config.services.headscale.port};"}],"source_content_type":"text/x-nix","patch_set":1,"id":"af65d967_f7f3e198","line":44,"in_reply_to":"0dcfedb9_f73eb37b","updated":"2023-06-20 12:21:02.000000000","message":"I think base already adds that, but set it anyways.","commit_id":"25d1208d5580440e26331dd6afee6ea60cb161d5"}]}
