authorseth <[email protected]>2024-02-28 07:31:21 -0500
committerseth <[email protected]>2024-02-28 07:31:21 -0500
commit4caa14d0416c8ac14e0ac617a1eec22b9df830f6 (patch)
treeab2a295461a046118841c046fc1d6a3b6bbf7c38 /modules/nixos/traits/tailscale.nix
parented23d606f190aa20e620063ab65e78caf613b67c (diff)
nixos: remove root password
Diffstat (limited to 'modules/nixos/traits/tailscale.nix')
-rw-r--r--modules/nixos/traits/tailscale.nix49
1 files changed, 27 insertions, 22 deletions
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix
index b432ced..a7d8c06 100644
--- a/modules/nixos/traits/tailscale.nix
+++ b/modules/nixos/traits/tailscale.nix
@@ -16,33 +16,38 @@ in {
};
};
- config = lib.mkIf cfg.enable (lib.mkMerge [
- {
- networking.firewall =
- {
- trustedInterfaces = ["tailscale0"];
- }
- // lib.optionalAttrs cfg.ssh.enable {
- allowedTCPPorts = [22];
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ networking.firewall = {
+ trustedInterfaces = [config.services.tailscale.interfaceName];
};
- services.tailscale =
- {
+ services.tailscale = {
enable = true;
openFirewall = true;
- }
- // lib.optionalAttrs cfg.ssh.enable {
+ };
+ }
+
+ (lib.mkIf cfg.ssh.enable {
+ networking.firewall = {
+ allowedTCPPorts = [22];
+ };
+
+ services.tailscale = {
extraUpFlags = ["--ssh"];
- }
- // lib.optionalAttrs cfg.manageSecrets {
- authKeyFile = config.age.secrets.tailscaleAuthKey.path;
};
- }
+ })
- (lib.mkIf cfg.manageSecrets {
- age.secrets = lib.mkIf cfg.manageSecrets {
- tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
- };
- })
- ]);
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.mkIf cfg.manageSecrets {
+ tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
+ };
+
+ services.tailscale = {
+ authKeyFile = config.age.secrets.tailscaleAuthKey.path;
+ };
+ })
+ ]
+ );
}
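Review bot: `allowedTCPPorts = [22];` in the `cfg.ssh.enable` branch opens port 22 on every interface, not only on the tailnet. The Tailscale interface is already in `trustedInterfaces`, and Tailscale SSH is served by tailscaled on the Tailscale address, so the rule looks unnecessary for `--ssh` and would expose any OpenSSH daemon on the host to other networks; I would drop it, or limit it with `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [22];` if an interface-scoped rule is wanted for clarity. Separately, as far as I know the NixOS module only applies `extraUpFlags` when `authKeyFile` is set, so `--ssh` may be silently skipped when `ssh.enable` is on and `manageSecrets` is off; this is worth confirming, and an `assertions` entry would make the dependency explicit. The inner `lib.mkIf cfg.manageSecrets` on `age.secrets` is redundant inside the outer one. The enclosing `in { … }` starts outside the hunk.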