tailscale: automate connection
HEAD main6 files changed, 67 insertions, 2 deletions
diff --git a/modules/nixos/sils/networking.nix b/modules/nixos/sils/networking.nix
index 4f55f49..9ec34ab 100644
--- a/modules/nixos/sils/networking.nix
+++ b/modules/nixos/sils/networking.nix
@@ -8,8 +8,10 @@
in {
options.sils.networking.enable = lib.mkEnableOption "networking";
config = lib.mkIf cfg.enable {
+ services.resolved.enable = true;
networking = {
enableIPv6 = false;
+ useNetworkd = false;
#useDHCP = true;
networkmanager = {
enable = true;
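Review bot: `services.resolved.enable = true;` on the first added line leaves DNS on resolved's compiled-in fallback servers whenever a link has no DNS of its own (before NetworkManager has configured anything, or on a link without DHCP-supplied resolvers), and nothing in this hunk pins them. The commented-out `nameservers` line in the next hunk suggests Quad9 was the intended resolver, so set it explicitly with `services.resolved.fallbackDns = [ "9.9.9.9" "149.112.112.112" ];` (IPv4 only, matching `enableIPv6 = false` above) and consider `services.resolved.dnsovertls = "opportunistic";` if the NixOS release in use has that option. The `networkmanager` attribute set opened on the last line continues outside the hunk.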
@@ -17,6 +19,10 @@ in {
networkmanager-openvpn
];
};
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ };
#nameservers = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
#wireless = {
# enable = false; # TODO: Reenable
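Review bot: Switching the firewall backend with `nftables.enable = true` is not commented, and it is a cross-cutting choice: in nftables mode the NixOS firewall no longer accepts iptables-syntax hooks such as `networking.firewall.extraCommands`, and any other module on these hosts that still programs iptables directly (container or VM tooling, presumably) ends up with a second ruleset beside the nftables one. A one-line why-comment would save the next reader a surprise, e.g. `# nftables backend: tailscale.nix sets TS_DEBUG_FIREWALL_MODE=nftables to match; iptables-style extraCommands are not supported in this mode.` The `firewall = { enable = true; };` block only restates the NixOS default and could be `firewall.enable = true;` if it is kept as a statement of intent.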
diff --git a/modules/nixos/sils/roles.nix b/modules/nixos/sils/roles.nix
index db16577..8488db2 100644
--- a/modules/nixos/sils/roles.nix
+++ b/modules/nixos/sils/roles.nix
@@ -29,7 +29,10 @@ in {
sound.enable = lib.mkDefault true;
sway.enable = lib.mkDefault false;
theming.enable = lib.mkDefault true;
- tailscale.enable = lib.mkDefault true;
+ tailscale = {
+ enable = lib.mkDefault true;
+ role = "client";
+ };
tor.enable = lib.mkDefault true;
}
else if roleCmp "laptop-light"
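Review bot: `role = "client";` is set with full priority while the sibling `enable = lib.mkDefault true;` is overridable, so a host that belongs to this role but should act as a subnet router or exit node cannot set `sils.tailscale.role = "server"` without `lib.mkForce`; use `role = lib.mkDefault "client";` for consistency with the rest of the block. The other role branches (the `laptop-light` one starts on the last line and continues outside the hunk) enable Tailscale without setting `role`, and as declared in tailscale.nix that option has no default, so presumably those roles fail to evaluate until one is added — worth checking before merging.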
diff --git a/modules/nixos/sils/tailscale.nix b/modules/nixos/sils/tailscale.nix
index 16db2da..e1f49a4 100644
--- a/modules/nixos/sils/tailscale.nix
+++ b/modules/nixos/sils/tailscale.nix
@@ -5,10 +5,48 @@
}: let
cfg = config.sils.tailscale;
in {
- options.sils.tailscale.enable = lib.mkEnableOption "Tailscale";
+ options.sils.tailscale = {
+ enable = lib.mkEnableOption "Tailscale";
+ openFirewall = true;
+ role = lib.mkOption {
+ type = lib.types.enum [
+ "client"
+ "server"
+ ];
+ };
+ };
config = lib.mkIf cfg.enable {
services.tailscale = {
enable = true;
+ authKeyFile = config.age.secrets.tailscale.path;
+ useRoutingFeatures = cfg.role;
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ ];
+ extraSetFlags = [
+ "--accept-routes"
+ ];
+ };
+ networking.firewall = {
+ trustedInterfaces = ["tailscale0"];
+ allowedUDPPorts = [config.services.tailscale.port];
+ checkReversePath = "loose";
+ };
+ systemd = {
+ services.tailscaled.serviceConfig.Environment = [
+ "TS_DEBUG_FIREWALL_MODE=nftables"
+ ];
+ network.wait-online.enable = false;
};
+ boot.initrd.systemd.network.wait-online.enable = false;
+
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/tailscale";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
};
}
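Review bot: `openFirewall = true;` inside `options.sils.tailscale` is a bare value, not a `lib.mkOption` declaration, so the module system will reject it when it walks the options tree, and nothing in the config block reads it anyway. The firewall handling it was presumably meant to gate is unconditional: `trustedInterfaces = ["tailscale0"]` disables host-firewall filtering for every tailnet peer, so reachability of local services from the tailnet is then governed solely by Tailscale ACLs, which is a real trust decision that deserves a comment and an opt-out. `role` also has no `default`, so a host that only sets `sils.tailscale.enable = true` fails to evaluate. I would declare `openFirewall` properly (defaulting it to false so the host firewall applies unless a host asks otherwise), derive the trusted interface from it, and default `role` to `"client"`; the `wait-online` and initrd settings further down are not Tailscale-specific and would be clearer in networking.nix, but that is a placement question. The module's argument list starts before the hunk.
```nix
options.sils.tailscale = {
  enable = lib.mkEnableOption "Tailscale";
  # Trust tailscale0 entirely: the host firewall then no longer filters
  # tailnet peers and access is governed by Tailscale ACLs alone.
  openFirewall = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };
  role = lib.mkOption {
    type = lib.types.enum [ "client" "server" ];
    default = "client";
  };
};
config = lib.mkIf cfg.enable {
  # … unchanged: services.tailscale block …
  networking.firewall = {
    trustedInterfaces = lib.optional cfg.openFirewall "tailscale0";
    # WireGuard listen port, so peers can reach this node directly.
    allowedUDPPorts = [ config.services.tailscale.port ];
    # Needed for subnet-route / exit-node traffic arriving via tailscale0.
    checkReversePath = "loose";
  };
  # … unchanged: systemd, boot.initrd and environment.persistence settings …
};
```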
diff --git a/secrets/default.nix b/secrets/default.nix
index a8d410a..21d5a28 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -15,5 +15,8 @@
pamu2f-mappings = {
file = ./pamu2f-mappings.age;
};
+ tailscale = {
+ file = ./tailscale.age;
+ };
};
}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 760ef5d..86c7324 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,4 +13,5 @@ in {
"resticssh.age".publicKeys = allSecrets;
"resticpass.age".publicKeys = allSecrets;
"pamu2f-mappings.age".publicKeys = allSecrets;
+ "tailscale.age".publicKeys = allSecrets;
}
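Review bot: `"tailscale.age".publicKeys = allSecrets;` encrypts the tailnet auth key to the same recipient set as every other secret, which (judging by the name, `allSecrets` is bound above the hunk) presumably means every host key in the fleet can decrypt it, including hosts that never enable Tailscale; an auth key is an enrollment credential, so least privilege argues for a narrower list such as `"tailscale.age".publicKeys = adminKeys ++ tailscaleHosts;`. Whether that key is reusable, ephemeral or tagged is not visible here; if it is a reusable non-expiring key, any host that decrypts it can enroll arbitrary new nodes, so a pre-authorized tagged key with an expiry and a rotation note in the comment would be the safer shape. Note also that `authKeyFile` in tailscale.nix is only consulted when the node is not yet logged in, so with `/var/lib/tailscale` persisted the key is used once per host and can be short-lived.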
diff --git a/secrets/tailscale.age b/secrets/tailscale.age
new file mode 100644
index 0000000..06c8da1
--- /dev/null
+++ b/secrets/tailscale.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----