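# NixOS module: join this host to a self-hosted Headscale tailnet with a
# per-host pre-auth key, and (by default) make SSH reachable only over the
# tailnet rather than on every interface.
{
  config,
  lib,
  pkgs,
  self,
  ...
}:

let
  cfg = config.modules.services.tailscale;
  hostname = config.networking.hostName;
  # One agenix secret per host: a leaked key can only enrol this machine and
  # can be rotated without touching other hosts.
  authKeySecret = "passwords/services/tailscale/${hostname}-authkey";
in
{
  options.modules.services.tailscale = {
    enable = lib.mkEnableOption "the Tailscale client, registered against a self-hosted Headscale server";

    loginServer = lib.mkOption {
      type = lib.types.str;
      default = "https://headscale.vimium.net";
      description = "Control-server URL passed to `tailscale up --login-server`.";
    };

    restrictSSH = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = false;
      description = ''
        When true (the default) the SSH port is not opened on the host firewall,
        so SSH is reachable only through the tailnet (tailscale0 is listed as a
        trusted interface below). Set to false to expose SSH on all interfaces.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Decrypted by agenix at activation. The default (root-only) file mode is
    # assumed to be enough for tailscaled to read it — TODO confirm the
    # service's user if that ever changes.
    age.secrets.${authKeySecret} = {
      file = "${self.inputs.secrets}/${authKeySecret}.age";
    };

    # CLI on PATH for operators; harmless if the service module adds it as well.
    environment.systemPackages = [ pkgs.tailscale ];

    services.tailscale = {
      enable = true;
      # The key file is only consumed by the automatic `tailscale up`; the
      # flags below are applied on that same invocation.
      authKeyFile = config.age.secrets.${authKeySecret}.path;
      extraUpFlags = [
        "--login-server"
        cfg.loginServer
      ];
    };

    # With restrictSSH the only path to sshd is via tailscale0 (see
    # trustedInterfaces); otherwise sshd is opened on every interface.
    services.openssh.openFirewall = !cfg.restrictSSH;

    networking.firewall = {
      # Loosened reverse-path filtering is what the NixOS Tailscale docs
      # recommend so tailnet traffic is not dropped by rp_filter. NOTE: this
      # option is firewall-wide, not scoped to tailscale0, so it relaxes
      # anti-spoofing checks on the other interfaces too.
      checkReversePath = "loose";
      # Tailnet peers bypass the firewall entirely: every listening service,
      # not only SSH, is reachable from the tailnet. If that is wider than
      # intended, replace this with
      # networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
      trustedInterfaces = [ "tailscale0" ];
      # Allow direct peer-to-peer connections instead of relaying via DERP.
      allowedUDPPorts = [ config.services.tailscale.port ];
    };
  };
}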