38 lines
1,023 B
Nix
38 lines
1,023 B
Nix
{
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
...
|
|
}: let
|
|
cfg = config.ooknet.host.networking.tailscale;
|
|
inherit (config.services) tailscale;
|
|
inherit (lib) mkIf mkDefault mkBefore;
|
|
in {
|
|
config = mkIf cfg.enable {
|
|
services.tailscale = {
|
|
enable = true;
|
|
useRoutingFeatures = mkDefault "both";
|
|
permitCertUid = "root";
|
|
extraUpFlags = cfg.flags.final;
|
|
authKeyFile = "${config.age.secrets.tailscale-auth.path}";
|
|
};
|
|
networking.firewall = {
|
|
allowedUDPPorts = [tailscale.port];
|
|
trustedInterfaces = ["${tailscale.interfaceName}"];
|
|
checkReversePath = "loose";
|
|
};
|
|
users = {
|
|
groups.tailscaled = {};
|
|
users.tailscaled = {
|
|
group = "tailscaled";
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
|
|
|
|
environment.systemPackages = [pkgs.tailscale];
|
|
|
|
# disable tailscale logging
|
|
systemd.services.tailscaled.serviceConfig.Environment = mkBefore ["TS_NO_LOGS_NO_SUPPORT"];
|
|
};
|
|
}
|