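{ lib, config, pkgs, user, helpers, hostname, ... }:

with lib;
let
  cfgRoot = config.modules.server;
  cfgRouter = config.modules.router;
  cfg = config.modules.server.tailscale;

  # Single source of truth for the tailnet DNS suffix used below.
  tailnetDomain = "fable-pancake.ts.net";
in {
  options.modules.server.tailscale = {
    enable = mkOption {
      default = false;
      example = true;
      description = "Whether to enable Tailscale.";
      type = types.bool;
    };
  };

  # Only active when both this module and the parent server module are enabled.
  config = mkIf (cfg.enable && cfgRoot.enable) (helpers.linuxAttrs {
    networking = {
      domain = mkIf cfgRouter.enable tailnetDomain;
      search = [ tailnetDomain ];
      # Traffic arriving on the tailnet interface is not filtered by the NixOS
      # firewall; the tailnet ACL policy is the only filter on that path.
      firewall.trustedInterfaces = [ "tailscale0" ];
      # mkIf wraps the whole attrset so that cfgRouter.address is not evaluated
      # when the router module is disabled: a dynamic attribute name is forced
      # whenever the attrset is merged, even if its value is a disabled mkIf.
      hosts = mkIf cfgRouter.enable {
        "${cfgRouter.address}" = [ "${hostname}.${tailnetDomain}" hostname ];
      };
    };

    age.secrets."tailscale" = {
      symlink = true;
      path = "/run/secrets/tailscale";
      file = ./encrypt/tailscale.age;
    };

    services.tailscale = {
      enable = true;
      # "server" lets the NixOS module enable IP forwarding for the exit-node
      # role; "none" leaves routing features off on ordinary hosts.
      useRoutingFeatures = if cfgRouter.enable then "server" else "none";
      # --ssh runs the Tailscale SSH server on every host; who may log in is
      # decided by the tailnet ACL policy, not by this file.
      # --operator lets the unprivileged ${user} drive the tailscale CLI on
      # non-router hosts without sudo.
      extraUpFlags = if cfgRouter.enable
        then [ "--advertise-exit-node" "--ssh" "--accept-dns=false" ]
        else [ "--ssh" "--accept-dns=true" "--operator=${user}" ];
      # Disable the daemon's log upload to Tailscale.
      extraDaemonFlags = [ "--no-logs-no-support" ];
      # Taken from the secret definition above so the two paths cannot drift.
      authKeyFile = config.age.secrets.tailscale.path;
    };

    # Stop tailscaled from collecting the listening-port list it would
    # otherwise report to the control plane.
    systemd.services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_DISABLE_PORTLIST=true" ];

    environment.systemPackages = mkIf config.modules.desktop.enable [ pkgs.tail-tray ];
  } // helpers.darwinAttrs {
    networking.search = [ tailnetDomain ];

    services.tailscale = {
      enable = true;
      overrideLocalDns = true;
    };
  });
}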