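{
  config,
  inputs,
  lib,
  pkgs,
  ...
}:

with lib;

let
  cat = "${pkgs.coreutils}/bin/cat";
  tailscale = "${config.services.tailscale.package}/bin/tailscale";

  cfg = config.custom.services.tailscale;
in
{
  # TODO: Enact recommendations
  # https://tailscale.com/kb/1320/performance-best-practices
  # https://github.com/tailscale/tailscale
  #!! Configuration is imperative
  #?? sudo tailscale up --ssh --advertise-exit-node --accept-routes --operator=$USER --reset --qr
  # The `up` flags above widen what this node offers the tailnet: --ssh runs the
  # Tailscale SSH server, --advertise-exit-node offers the host as an exit node,
  # --accept-routes installs subnet routes advertised by other nodes and
  # --operator lets $USER drive the CLI without root. What peers may actually
  # reach is decided by the tailnet ACL, so review that policy together with
  # these flags.
  options.custom.services.tailscale = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable tailscaled with exit-node routing features on this host.";
    };
    cert = mkOption {
      type = types.bool;
      default = false;
      description = "Renew this machine's Tailscale TLS certificate daily via a systemd timer.";
    };
  };

  # TODO: Use caddy plugin for provisioning when supported by NixOS
  # https://github.com/NixOS/nixpkgs/pull/317881
  # https://github.com/tailscale/caddy-tailscale
  config = mkIf cfg.enable {
    age.secrets =
      let
        # Declare an agenix secret stored under <flake>/secrets/.
        # NOTE(review): the interpolation in the source listing was garbled
        # ("$(unknown)"); restored to ${filename}, which the function otherwise
        # never used. Confirm whether the files under secrets/ carry a suffix
        # (e.g. ".age") that must be appended here.
        secret = filename: {
          file = "${inputs.self}/secrets/${filename}";
        };
      in
      {
        # Tailnet DNS suffix; appended to the hostname by the cert script below
        "common/tailscale/tailnet" = secret "common/tailscale/tailnet";
      };

    services.tailscale = {
      enable = true;
      #// permitCertUid = mkIf cfg.cert "caddy"; # Allow caddy to fetch TLS certificates
      useRoutingFeatures = "both"; # Enable server/client exit nodes (turns on IP forwarding on this host)
    };

    # Provision Tailscale certificates in the background per machine
    systemd =
      let
        hostname = config.custom.hostname;
      in
      mkIf cfg.cert {
        services."tailscale-cert-${hostname}" = {
          #!! Needs to be run on the machine
          # tailscale cert always writes to /var/lib/tailscale/certs/ regardless of flags
          # No User is set, so the unit runs as root; that is what lets it read the
          # tailnet secret (agenix installs secrets root-only by default). The
          # stdout copies of cert and key are discarded to /dev/null so the private
          # key does not end up in the journal.
          after = [ "tailscaled.service" ]; # the CLI needs the local daemon to be up
          wants = [ "tailscaled.service" ];
          script = concatStringsSep " " [
            "${tailscale} cert"
            "--cert-file -"
            "--key-file -"
            "${hostname}.\"$(${cat} ${config.age.secrets."common/tailscale/tailnet".path})\""
            "> /dev/null"
          ];
        };

        timers."tailscale-cert-${hostname}" = {
          wantedBy = [ "timers.target" ];

          timerConfig = {
            OnCalendar = "daily";
            Persistent = true; # Retry if previous timer missed
          };
        };
      };
  };
}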