Refactor modules into nixos and home-manager
All checks were successful
Check flake / build-amd64-linux (push) Successful in 3m14s
All checks were successful
Check flake / build-amd64-linux (push) Successful in 3m14s
This commit is contained in:
44
modules/nixos/services/tailscale.nix
Normal file
44
modules/nixos/services/tailscale.nix
Normal file
@ -0,0 +1,44 @@
|
||||
{ config, lib, pkgs, self, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.tailscale;
|
||||
headscale = "https://headscale.vimium.net";
|
||||
hostname = config.networking.hostName;
|
||||
in {
|
||||
options.modules.services.tailscale = {
|
||||
enable = lib.mkOption {
|
||||
default = false;
|
||||
example = true;
|
||||
};
|
||||
restrictSSH = lib.mkOption {
|
||||
default = true;
|
||||
example = true;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
|
||||
file = "${self.inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.tailscale ];
|
||||
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;
|
||||
|
||||
extraUpFlags = [
|
||||
"--login-server"
|
||||
headscale
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh.openFirewall = !cfg.restrictSSH;
|
||||
|
||||
networking.firewall = {
|
||||
checkReversePath = "loose";
|
||||
trustedInterfaces = [ "tailscale0" ];
|
||||
allowedUDPPorts = [ config.services.tailscale.port ];
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user