authorSilas Schöffel <sils@sils.li>2026-03-11 15:10:02 +0100
committerSilas Schöffel <sils@sils.li>2026-03-11 15:10:02 +0100
commit38991d53565055e46f2f9c606dacb6cad776c4b9 (patch)
tree184c25229c5bb4a4b475187cae80c6f617f49077
parenttailscale: add (diff)
downloadnix-config-38991d53565055e46f2f9c606dacb6cad776c4b9.zip
tailscale: automate connection HEAD main
Diffstat (limited to '')
-rw-r--r--modules/nixos/sils/networking.nix6
-rw-r--r--modules/nixos/sils/roles.nix5
-rw-r--r--modules/nixos/sils/tailscale.nix40
-rw-r--r--secrets/default.nix3
-rw-r--r--secrets/secrets.nix1
-rw-r--r--secrets/tailscale.age14
6 files changed, 67 insertions, 2 deletions
diff --git a/modules/nixos/sils/networking.nix b/modules/nixos/sils/networking.nix
index 4f55f49..9ec34ab 100644
--- a/modules/nixos/sils/networking.nix
+++ b/modules/nixos/sils/networking.nix
@@ -8,8 +8,10 @@
 in {
   options.sils.networking.enable = lib.mkEnableOption "networking";
   config = lib.mkIf cfg.enable {
+    services.resolved.enable = true;
     networking = {
       enableIPv6 = false;
+      useNetworkd = false;
       #useDHCP = true;
       networkmanager = {
         enable = true;
@@ -17,6 +19,10 @@ in {
           networkmanager-openvpn
         ];
       };
+      nftables.enable = true;
+      firewall = {
+        enable = true;
+      };
       #nameservers = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
       #wireless = {
       #  enable = false; # TODO: Reenable
diff --git a/modules/nixos/sils/roles.nix b/modules/nixos/sils/roles.nix
index db16577..8488db2 100644
--- a/modules/nixos/sils/roles.nix
+++ b/modules/nixos/sils/roles.nix
@@ -29,7 +29,10 @@ in {
       sound.enable = lib.mkDefault true;
       sway.enable = lib.mkDefault false;
       theming.enable = lib.mkDefault true;
-      tailscale.enable = lib.mkDefault true;
+      tailscale = {
+        enable = lib.mkDefault true;
+        role = "client";
+      };
       tor.enable = lib.mkDefault true;
     }
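Review bot: `role = "client";` is set without `lib.mkDefault`, unlike the neighbouring `enable = lib.mkDefault true;`, so a host of this role that needs `role = "server"` gets a conflicting-definition error instead of simply overriding it. Use `role = lib.mkDefault "client";` to keep it consistent with the sibling options. The enclosing role-selection expression starts and ends outside this hunk.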
     else if roleCmp "laptop-light"
diff --git a/modules/nixos/sils/tailscale.nix b/modules/nixos/sils/tailscale.nix
index 16db2da..e1f49a4 100644
--- a/modules/nixos/sils/tailscale.nix
+++ b/modules/nixos/sils/tailscale.nix
@@ -5,10 +5,48 @@
 }: let
   cfg = config.sils.tailscale;
 in {
-  options.sils.tailscale.enable = lib.mkEnableOption "Tailscale";
+  options.sils.tailscale = {
+    enable = lib.mkEnableOption "Tailscale";
+    openFirewall = true;
+    role = lib.mkOption {
+      type = lib.types.enum [
+        "client"
+        "server"
+      ];
+    };
+  };
   config = lib.mkIf cfg.enable {
     services.tailscale = {
       enable = true;
+      authKeyFile = config.age.secrets.tailscale.path;
+      useRoutingFeatures = cfg.role;
+      extraDaemonFlags = [
+        "--no-logs-no-support"
+      ];
+      extraSetFlags = [
+        "--accept-routes"
+      ];
+    };
+    networking.firewall = {
+      trustedInterfaces = ["tailscale0"];
+      allowedUDPPorts = [config.services.tailscale.port];
+      checkReversePath = "loose";
+    };
+    systemd = {
+      services.tailscaled.serviceConfig.Environment = [
+        "TS_DEBUG_FIREWALL_MODE=nftables"
+      ];
+      network.wait-online.enable = false;
     };
+    boot.initrd.systemd.network.wait-online.enable = false;
+
+    environment.persistence."/srv".directories = [
+      {
+        directory = "/var/lib/tailscale";
+        user = "root";
+        group = "root";
+        mode = "0700";
+      }
+    ];
   };
 }
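Review bot: `openFirewall = true;` inside `options.sils.tailscale` is a bare value rather than an option declaration, so I would expect module evaluation to reject it, and nothing in the config block reads `cfg.openFirewall` in any case. Declare it as `openFirewall = lib.mkEnableOption "opening the Tailscale UDP port in the host firewall";` and gate the port with `allowedUDPPorts = lib.mkIf cfg.openFirewall [config.services.tailscale.port];`. Separately, `trustedInterfaces = ["tailscale0"]` bypasses the host firewall for every tailnet peer, so any service bound to all interfaces becomes reachable by whatever the tailnet ACLs allow; if that is not intended, list the specific services under `networking.firewall.interfaces.tailscale0.allowedTCPPorts` instead. The `role` option has no `default`, so a host that enables the module without setting it fails evaluation — either add a default or note in a comment that this is deliberate.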
diff --git a/secrets/default.nix b/secrets/default.nix
index a8d410a..21d5a28 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -15,5 +15,8 @@
     pamu2f-mappings = {
       file = ./pamu2f-mappings.age;
     };
+    tailscale = {
+      file = ./tailscale.age;
+    };
   };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 760ef5d..86c7324 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,4 +13,5 @@ in {
   "resticssh.age".publicKeys = allSecrets;
   "resticpass.age".publicKeys = allSecrets;
   "pamu2f-mappings.age".publicKeys = allSecrets;
+  "tailscale.age".publicKeys = allSecrets;
 }
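Review bot: Encrypting `tailscale.age` to `allSecrets` makes the same Tailscale auth key readable on every host in that recipient set, so compromise of any one host exposes the key; if it is a reusable key rather than a single-use or ephemeral one, that host can then enroll additional nodes into the tailnet. The key's properties are not visible here, so treat this as a question rather than a finding. Prefer a single-use or short-expiry key per host (or a tagged ephemeral key where nodes are disposable) and scope this entry to that host's recipients instead of `allSecrets`.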
diff --git a/secrets/tailscale.age b/secrets/tailscale.age
new file mode 100644
index 0000000..06c8da1
--- /dev/null
+++ b/secrets/tailscale.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----