From 93c04e83d3211187da176442dd49d2ad5d5cf5a2 Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Fri, 17 May 2024 23:12:51 +0100
Subject: [PATCH] Add authkey to tailscale module

---
 modules/networking/tailscale.nix | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/modules/networking/tailscale.nix b/modules/networking/tailscale.nix
index 550d2e7..237a810 100644
--- a/modules/networking/tailscale.nix
+++ b/modules/networking/tailscale.nix
@@ -1,6 +1,9 @@
-{ config, lib, pkgs, ... }:
+{ config, inputs, lib, pkgs, ... }:
 
-let cfg = config.modules.networking.tailscale;
+let
+  cfg = config.modules.networking.tailscale;
+  headscale = "https://headscale.vimium.net";
+  hostname = config.networking.hostName;
 in {
   options.modules.networking.tailscale = {
     enable = lib.mkOption {
@@ -14,8 +17,24 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    services.tailscale.enable = true;
+    age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
+      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
+    };
+
+    environment.systemPackages = [ pkgs.tailscale ];
+
+    services.tailscale = {
+      enable = true;
+      authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;
+
+      extraUpFlags = [
+        "--login-server"
+        headscale
+      ];
+    };
+
     services.openssh.openFirewall = !cfg.restrictSSH;
+
     networking.firewall = {
       checkReversePath = "loose";
       trustedInterfaces = [ "tailscale0" ];
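Review bot: The control-plane URL is pinned as a plain `let` binding (`headscale = "https://headscale.vimium.net";`) in the first hunk, so a host cannot point at a different or staging coordination server without editing the module, even though the module already exposes `enable` and `restrictSSH` as options. Declaring it as `loginServer = lib.mkOption { type = lib.types.str; default = "https://headscale.vimium.net"; };` under `options.modules.networking.tailscale` and reading `cfg.loginServer` in `extraUpFlags` keeps the current behaviour while making the setting visible and overridable per host. The `options` block that would hold it continues past the end of this hunk.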
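Review bot: The `age.secrets."passwords/services/tailscale/${hostname}-authkey"` declaration in the second hunk carries no comment saying what the decrypted file must contain or how it is provisioned, and the naming makes the contract non-obvious: one pre-authorized key per host, keyed by `networking.hostName`, so a renamed host silently needs a new `.age` file. A comment such as `# Per-host headscale pre-auth key; keep it single-use or short-lived so the encrypted input does not become a standing enrolment credential` above the declaration would record that expectation for the next maintainer. Separately, `environment.systemPackages = [ pkgs.tailscale ];` looks redundant if, as I recall, the upstream NixOS `services.tailscale` module already adds its package when `enable = true` — worth confirming and dropping the line if so.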