From 38991d53565055e46f2f9c606dacb6cad776c4b9 Mon Sep 17 00:00:00 2001
From: Silas Schöffel
Date: Wed, 11 Mar 2026 15:10:02 +0100
Subject: tailscale: automate connection
---
 modules/nixos/sils/tailscale.nix | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
(limited to 'modules/nixos/sils/tailscale.nix')
diff --git a/modules/nixos/sils/tailscale.nix b/modules/nixos/sils/tailscale.nix
index 16db2da..e1f49a4 100644
--- a/modules/nixos/sils/tailscale.nix
+++ b/modules/nixos/sils/tailscale.nix
@@ -5,10 +5,48 @@
 }: let cfg = config.sils.tailscale; in {
- options.sils.tailscale.enable = lib.mkEnableOption "Tailscale";
+ options.sils.tailscale = {
+ enable = lib.mkEnableOption "Tailscale";
+ openFirewall = true;
+ role = lib.mkOption {
+ type = lib.types.enum [
+ "client"
+ "server"
+ ];
+ };
+ };
 config = lib.mkIf cfg.enable {
 services.tailscale = {
 enable = true;
+ authKeyFile = config.age.secrets.tailscale.path;
+ useRoutingFeatures = cfg.role;
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ ];
+ extraSetFlags = [
+ "--accept-routes"
+ ];
+ };
+ networking.firewall = {
+ trustedInterfaces = ["tailscale0"];
+ allowedUDPPorts = [config.services.tailscale.port];
+ checkReversePath = "loose";
+ };
+ systemd = {
+ services.tailscaled.serviceConfig.Environment = [
+ "TS_DEBUG_FIREWALL_MODE=nftables"
+ ];
+ network.wait-online.enable = false;
 };
+ boot.initrd.systemd.network.wait-online.enable = false;
+
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/tailscale";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
 };
 }
-- 
cgit v1.3.1
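Review bot: `openFirewall = true;` inside the new `options.sils.tailscale` set is a bare value rather than an option declaration, so the module system will most likely reject it on evaluation, and nothing reads `cfg.openFirewall` anyway — the `networking.firewall` block below is applied unconditionally. Declare it as `openFirewall = lib.mkOption { type = lib.types.bool; default = true; };` and wrap the firewall settings as `networking.firewall = lib.mkIf cfg.openFirewall { ... };`. Note also that `checkReversePath = "loose"` relaxes reverse-path filtering for every interface on the host, not only tailscale0, and `trustedInterfaces = ["tailscale0"]` exposes all listening services to every tailnet peer; if the loose rp_filter is only needed for the `"server"` role, consider gating it on `cfg.role == "server"` and documenting that choice next to the option. The module's argument header above the `}:` line lies outside the hunk.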