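# NixOS module: joins this host to a self-hosted Headscale control plane via the
# Tailscale client. The per-host pre-auth key is an agenix secret keyed by hostname.
{
  inputs,
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.modules.services.tailscale;
  # Control-plane URL passed to `tailscale up --login-server`.
  headscale = "https://headscale.vimium.net";
  hostname = config.networking.hostName;
in
{
  # All options are typed as booleans so a mis-set value (e.g. a string "true")
  # fails at evaluation instead of silently flowing into the firewall config.
  options.modules.services.tailscale = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether to run the Tailscale client against the Headscale control plane.";
    };
    isExitNode = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether to advertise this host as an exit node (adds --advertise-exit-node to `tailscale up`).";
    };
    useExitNode = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      # NOTE(review): this option is declared but never read in the config
      # section below, so setting it currently has no effect.
      description = "Currently unused by this module (declared but not read).";
    };
    restrictSSH = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = true;
      description = ''
        When true, the SSH port is not opened in the firewall on ordinary
        interfaces. Traffic arriving on tailscale0 bypasses the firewall
        because that interface is trusted below, so sshd (if enabled
        elsewhere) stays reachable over the tailnet.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Per-host pre-auth key, decrypted by agenix; only the decrypted path is
    # handed to the tailscale service, never the key material itself.
    age.secrets."passwords/services/tailscale/${hostname}-authkey" = {
      file = "${inputs.secrets}/passwords/services/tailscale/${hostname}-authkey.age";
    };

    environment.systemPackages = [ pkgs.tailscale ];

    services.tailscale = {
      enable = true;
      authKeyFile = config.age.secrets."passwords/services/tailscale/${hostname}-authkey".path;

      extraUpFlags = [
        "--login-server"
        headscale
      ]
      # lib.optional yields [ flag ] when the condition holds and [ ] otherwise.
      ++ lib.optional cfg.isExitNode "--advertise-exit-node";
    };

    # Open SSH on all interfaces only when the operator explicitly opts out of
    # restriction; the default keeps SSH tailnet-only.
    services.openssh.openFirewall = !cfg.restrictSSH;

    networking.firewall = {
      # Relaxed reverse-path filtering; presumably needed for tunnelled
      # Tailscale traffic to pass rpfilter — confirm against current NixOS docs.
      checkReversePath = "loose";
      # Everything arriving on the tailnet interface skips the firewall, so any
      # service listening on this host is reachable from every tailnet peer.
      trustedInterfaces = [ "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
    };

    # Keep node identity/state across reboots on impermanent root setups.
    environment.persistence."/state".directories = [
      "/var/lib/tailscale"
    ];
  };
}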