harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
nixcfg/modules/nixos/services/tailscale/default.nix
Harald Hoyer 45d6f4b0f3 refactor
2024-01-11 10:31:04 +00:00

70 lines
2 KiB
Nix
Raw Blame History

{ lib, pkgs, config, ... }:
with lib;
with lib.plusultra;
let cfg = config.plusultra.services.tailscale;
in
{
options.plusultra.services.tailscale = with types; {
enable = mkBoolOpt false "Whether or not to configure Tailscale";
autoconnect = {
enable = mkBoolOpt false "Whether or not to enable automatic connection to Tailscale";
key = mkOpt str "" "The authentication key to use";
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.autoconnect.enable -> cfg.autoconnect.key != "";
message = "plusultra.services.tailscale.autoconnect.key must be set";
}
];
environment.systemPackages = with pkgs; [ tailscale ];
services.tailscale = enabled;
networking = {
firewall = {
trustedInterfaces = [ config.services.tailscale.interfaceName ];
allowedUDPPorts = [ config.services.tailscale.port ];
# Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups.
checkReversePath = "loose";
};
networkmanager.unmanaged = [ "tailscale0" ];
};
systemd.services.tailscale-autoconnect = mkIf cfg.autoconnect.enable {
description = "Automatic connection to Tailscale";
# Make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# Set this service as a oneshot job
serviceConfig.Type = "oneshot";
# Have the job run this shell script
script = with pkgs; ''
# Wait for tailscaled to settle
sleep 2
# Check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# Otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey "${cfg.autoconnect.key}"
'';
};
};
}
Reference in a new issue View git blame Copy permalink