blob: 042426bfbf0223c69f79adf3fd5624bd9dbab3fb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
{
config,
lib,
pkgs,
self,
...
}: let
cfg = config.getchoo.features.tailscale;
inherit (lib) mkDefault mkEnableOption mkIf optionalString;
in {
options.getchoo.features.tailscale = {
enable = mkEnableOption "enable support for tailscale";
ssh.enable = mkEnableOption "enable support for tailscale ssh";
};
config = mkIf cfg.enable {
age.secrets = let
baseDir = "${self}/secrets/hosts/${config.networking.hostName}";
in
mkIf cfg.ssh.enable {
tailscaleAuthKey.file = "${baseDir}/tailscaleAuthKey.age";
};
networking.firewall =
{
allowedUDPPorts = [config.services.tailscale.port];
trustedInterfaces = ["tailscale0"];
}
// (mkIf cfg.ssh.enable {
allowedTCPPorts = [22];
});
services = {
tailscale.enable = mkDefault true;
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = let
inherit (pkgs) tailscale jq;
in ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up ${optionalString cfg.ssh.enable "--ssh"} \
--auth-key "file:${config.age.secrets.tailscaleAuthKey.path}"
'';
};
};
}
|
