myned/nixos
myned/nixos
1
1
Fork 0
Code Issues Activity
nixos/options/custom/services/tailscale.nix
Myned 53c8575116
git: migrate to forgejo 
Squashes 1,331 commits

Signed-off-by: Myned <dev@bjork.tech>
2024-09-12 19:41:21 -05:00

74 lines
2 KiB
Nix
Raw Blame History

{
config,
inputs,
lib,
pkgs,
...
}:
with lib;
let
cat = "${pkgs.coreutils}/bin/cat";
tailscale = "${config.services.tailscale.package}/bin/tailscale";
cfg = config.custom.services.tailscale;
in
{
# TODO: Enact recommendations
# https://tailscale.com/kb/1320/performance-best-practices
# https://github.com/tailscale/tailscale
#!! Configuration is imperative
#?? sudo tailscale up --ssh --advertise-exit-node --accept-routes --operator=$USER --reset --qr
options.custom.services.tailscale = {
enable = mkOption { default = false; };
cert = mkOption { default = false; };
};
# TODO: Use caddy plugin for provisioning when supported by NixOS
# https://github.com/NixOS/nixpkgs/pull/317881
# https://github.com/tailscale/caddy-tailscale
config = mkIf cfg.enable {
age.secrets =
let
secret = filename: {
file = "${inputs.self}/secrets/${filename}";
};
in
{
"common/tailscale/tailnet" = secret "common/tailscale/tailnet";
};
services.tailscale = {
enable = true;
#// permitCertUid = mkIf cfg.cert "caddy"; # Allow caddy to fetch TLS certificates
useRoutingFeatures = "both"; # Enable server/client exit nodes
};
# Provision Tailscale certificates in the background per machine
systemd =
let
hostname = config.custom.hostname;
in
mkIf cfg.cert {
#!! Needs to be run on the machine
# tailscale cert always writes to /var/lib/tailscale/certs/ regardless of flags
services."tailscale-cert-${hostname}".script = concatStringsSep " " [
"${tailscale} cert"
"--cert-file -"
"--key-file -"
"${hostname}.\"$(${cat} ${config.age.secrets."common/tailscale/tailnet".path})\""
"> /dev/null"
];
timers."tailscale-cert-${hostname}" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true; # Retry if previous timer missed
};
};
};
};
}
Reference in a new issue View git blame Copy permalink