diff options
Diffstat (limited to 'modules/nixos')
| -rw-r--r-- | modules/nixos/features/tailscale.nix | 57 |
1 files changed, 51 insertions, 6 deletions
diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix index 5f68175..042426b 100644 --- a/modules/nixos/features/tailscale.nix +++ b/modules/nixos/features/tailscale.nix @@ -1,22 +1,67 @@ { config, lib, + pkgs, + self, ... }: let cfg = config.getchoo.features.tailscale; - inherit (lib) mkDefault mkEnableOption mkIf; + inherit (lib) mkDefault mkEnableOption mkIf optionalString; in { - options.getchoo.features.tailscale.enable = mkEnableOption "enable support for tailscale"; + options.getchoo.features.tailscale = { + enable = mkEnableOption "enable support for tailscale"; + ssh.enable = mkEnableOption "enable support for tailscale ssh"; + }; config = mkIf cfg.enable { + age.secrets = let + baseDir = "${self}/secrets/hosts/${config.networking.hostName}"; + in + mkIf cfg.ssh.enable { + tailscaleAuthKey.file = "${baseDir}/tailscaleAuthKey.age"; + }; + + networking.firewall = + { + allowedUDPPorts = [config.services.tailscale.port]; + trustedInterfaces = ["tailscale0"]; + } + // (mkIf cfg.ssh.enable { + allowedTCPPorts = [22]; + }); + services = { tailscale.enable = mkDefault true; }; - networking.firewall = { - allowedUDPPorts = [config.services.tailscale.port]; - checkReversePath = "loose"; - trustedInterfaces = mkDefault ["tailscale0"]; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = let + inherit (pkgs) tailscale jq; + in '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up ${optionalString cfg.ssh.enable "--ssh"} \ + --auth-key "file:${config.age.secrets.tailscaleAuthKey.path}" + ''; }; }; } |