Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/features/tailscale.nix38
1 files changed, 8 insertions, 30 deletions
diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix
index 59dabf1..22168f3 100644
--- a/modules/nixos/features/tailscale.nix
+++ b/modules/nixos/features/tailscale.nix
@@ -1,7 +1,6 @@
{
config,
lib,
- pkgs,
secretsDir,
...
}: let
@@ -19,41 +18,20 @@ in {
networking.firewall =
{
- allowedUDPPorts = [config.services.tailscale.port];
trustedInterfaces = ["tailscale0"];
}
// lib.optionalAttrs cfg.ssh.enable {
allowedTCPPorts = [22];
};
- services.tailscale.enable = true;
-
- # https://tailscale.com/kb/1096/nixos-minecraft/
- systemd.services = lib.mkIf cfg.ssh.enable {
- tailscale-autoconnect = {
- description = "Automatic connection to Tailscale";
-
- after = ["network-pre.target" "tailscale.service"];
- wants = ["network-pre.target" "tailscale.service"];
- wantedBy = ["multi-user.target"];
-
- serviceConfig.Type = "oneshot";
-
- script = ''
- # wait for tailscaled to settle
- sleep 2
-
- # check if we are already authenticated to tailscale
- status="$(${lib.getExe pkgs.tailscale} status -json | ${lib.getExe pkgs.jq} -r .BackendState)"
- if [ $status = "Running" ]; then # if so, then do nothing
- exit 0
- fi
-
- # otherwise authenticate with tailscale
- ${lib.getExe pkgs.tailscale} up --ssh \
- --auth-key "file:${config.age.secrets.tailscaleAuthKey.path}"
- '';
+ services.tailscale =
+ {
+ enable = true;
+ openFirewall = true;
+ }
+ // lib.optionalAttrs cfg.ssh.enable {
+ authKeyFile = config.age.secrets.tailscaleAuthKey.path;
+ extraUpFlags = ["--ssh"];
};
- };
};
}
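Review bot: `allowedTCPPorts = [22];` under `cfg.ssh.enable` opens TCP/22 on every interface, while the same hunk's `trustedInterfaces = ["tailscale0"];` already accepts all inbound traffic arriving over the tailnet, and Tailscale SSH (the `--ssh` flag in `extraUpFlags`) is answered by tailscaled on the Tailscale address rather than by a separately exposed sshd. If SSH over Tailscale is the only intended path, the line should be dropped, or at least scoped so the host's sshd is not reachable from LAN/WAN: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];`. A comment such as `# tailscale0 is trusted, so Tailscale SSH needs no extra firewall rule` above the `trustedInterfaces` line would stop the global rule from being re-added later. As far as I can tell `extraUpFlags` is applied only when the module's autoconnect runs `tailscale up` with the auth key, so a later change to `--ssh` will not reach an already-authenticated node until it re-authenticates; that caveat is worth noting next to `extraUpFlags`. The enclosing `in { … }` attribute set starts before this hunk.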