Diffstat (limited to 'modules')
-rw-r--r--modules/nixos/sils/networking.nix6
-rw-r--r--modules/nixos/sils/roles.nix5
-rw-r--r--modules/nixos/sils/tailscale.nix40
3 files changed, 49 insertions, 2 deletions
diff --git a/modules/nixos/sils/networking.nix b/modules/nixos/sils/networking.nix
index 4f55f49..9ec34ab 100644
--- a/modules/nixos/sils/networking.nix
+++ b/modules/nixos/sils/networking.nix
@@ -8,8 +8,10 @@
in {
options.sils.networking.enable = lib.mkEnableOption "networking";
config = lib.mkIf cfg.enable {
+ services.resolved.enable = true;
networking = {
enableIPv6 = false;
+ useNetworkd = false;
#useDHCP = true;
networkmanager = {
enable = true;
@@ -17,6 +19,10 @@ in {
networkmanager-openvpn
];
};
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ };
#nameservers = ["2620:fe::fe" "2620:fe::9" "9.9.9.9" "149.112.112.112"];
#wireless = {
# enable = false; # TODO: Reenable
diff --git a/modules/nixos/sils/roles.nix b/modules/nixos/sils/roles.nix
index db16577..8488db2 100644
--- a/modules/nixos/sils/roles.nix
+++ b/modules/nixos/sils/roles.nix
@@ -29,7 +29,10 @@ in {
sound.enable = lib.mkDefault true;
sway.enable = lib.mkDefault false;
theming.enable = lib.mkDefault true;
- tailscale.enable = lib.mkDefault true;
+ tailscale = {
+ enable = lib.mkDefault true;
+ role = "client";
+ };
tor.enable = lib.mkDefault true;
}
else if roleCmp "laptop-light"
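Review bot: `role = "client";` is the only setting in this branch that is not wrapped in `lib.mkDefault`, so a host configuration that sets `sils.tailscale.role = "server"` will hit a conflicting-definition error instead of overriding it; the siblings around it all use the default priority, so this should be `role = lib.mkDefault "client";`. The `if`/`else if` chain this branch belongs to continues outside the hunk.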
diff --git a/modules/nixos/sils/tailscale.nix b/modules/nixos/sils/tailscale.nix
index 16db2da..e1f49a4 100644
--- a/modules/nixos/sils/tailscale.nix
+++ b/modules/nixos/sils/tailscale.nix
@@ -5,10 +5,48 @@
}: let
cfg = config.sils.tailscale;
in {
- options.sils.tailscale.enable = lib.mkEnableOption "Tailscale";
+ options.sils.tailscale = {
+ enable = lib.mkEnableOption "Tailscale";
+ openFirewall = true;
+ role = lib.mkOption {
+ type = lib.types.enum [
+ "client"
+ "server"
+ ];
+ };
+ };
config = lib.mkIf cfg.enable {
services.tailscale = {
enable = true;
+ authKeyFile = config.age.secrets.tailscale.path;
+ useRoutingFeatures = cfg.role;
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ ];
+ extraSetFlags = [
+ "--accept-routes"
+ ];
+ };
+ networking.firewall = {
+ trustedInterfaces = ["tailscale0"];
+ allowedUDPPorts = [config.services.tailscale.port];
+ checkReversePath = "loose";
+ };
+ systemd = {
+ services.tailscaled.serviceConfig.Environment = [
+ "TS_DEBUG_FIREWALL_MODE=nftables"
+ ];
+ network.wait-online.enable = false;
};
+ boot.initrd.systemd.network.wait-online.enable = false;
+
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/tailscale";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
};
}
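Review bot: `openFirewall = true;` sits inside `options.sils.tailscale` as a bare value rather than an option declaration, and nothing in the config block reads `cfg.openFirewall`, so I'd expect module evaluation to reject it (or, at best, silently ignore it) while the firewall settings below it are applied unconditionally. The new `role` option also has no `default`, so any host that enables Tailscale without setting a role (roles.nix sets it in one branch only) fails evaluation on an undefined option. Separately, `checkReversePath = "loose";` relaxes reverse-path filtering for every interface on the host, not just `tailscale0`, and `trustedInterfaces = ["tailscale0"]` lets all tailnet traffic bypass the firewall; both are defensible for a node that accepts routes, but they deserve a comment and should be gated on the option so a host can opt out. Suggested rewrite of the option block and the firewall attribute below.
```nix
options.sils.tailscale = {
  enable = lib.mkEnableOption "Tailscale";
  openFirewall = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = "Trust tailscale0, open the tailscaled UDP port and relax reverse-path filtering (needed with --accept-routes).";
  };
  role = lib.mkOption {
    type = lib.types.enum ["client" "server"];
    default = "client";
    description = "Passed to services.tailscale.useRoutingFeatures.";
  };
};
# … unchanged: config = lib.mkIf cfg.enable { services.tailscale = { … }; …
networking.firewall = lib.mkIf cfg.openFirewall {
  trustedInterfaces = ["tailscale0"];
  allowedUDPPorts = [config.services.tailscale.port];
  # "loose" is host-wide; required so routes learned via --accept-routes are not dropped by rp_filter
  checkReversePath = "loose";
};
# … unchanged: systemd, boot.initrd and environment.persistence settings …
```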