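{
  config,
  inputs,
  lib,
  pkgs,
  ...
}: let
  # Bind the lib helpers explicitly instead of `with lib;`, so it is visible which
  # names come from lib and nothing from lib can shadow module arguments.
  inherit (lib) concatStringsSep mkIf mkOption types;

  cat = "${pkgs.coreutils}/bin/cat";
  tailscale = "${config.services.tailscale.package}/bin/tailscale";

  cfg = config.custom.services.tailscale;
in {
  # TODO: Enact recommendations
  # https://tailscale.com/kb/1320/performance-best-practices
  # https://github.com/tailscale/tailscale

  #!! Configuration is imperative: the node is joined and configured by hand, e.g.
  #?? sudo tailscale up --ssh --advertise-exit-node --accept-routes --operator=$USER --reset --qr
  # Security notes on those flags (nothing in this module enforces or limits them):
  #  --operator=$USER       lets that unprivileged account drive tailscaled (change routes,
  #                         exit-node and SSH settings) without sudo; grant it only to an
  #                         account trusted as much as root on this host.
  #  --ssh                  runs Tailscale SSH on this node; who may log in is decided by the
  #                         tailnet ACL `ssh` rules, not by the local sshd config.
  #  --accept-routes        installs subnet routes advertised by other nodes, so a compromised
  #                         or misconfigured peer can steer this host's traffic for those prefixes.
  #  --advertise-exit-node  forwards other nodes' internet traffic through this machine.
  #  --reset                resets every flag not given on the command line to its default.
  options.custom.services.tailscale = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the Tailscale client with subnet-router/exit-node routing features.";
    };

    cert = mkOption {
      type = types.bool;
      default = false;
      description = "Provision a TLS certificate for this host's tailnet DNS name daily via `tailscale cert`.";
    };
  };

  # TODO: Use caddy plugin for provisioning when supported by NixOS
  # https://github.com/NixOS/nixpkgs/pull/317881
  # https://github.com/tailscale/caddy-tailscale
  config = mkIf cfg.enable {
    age.secrets = let
      # Map a secret name to its encrypted file under the flake's secrets/ directory.
      # The original helper ignored its `filename` argument, so every secret resolved to
      # the same broken path; the name is now interpolated.
      # NOTE(review): assumes agenix `.age` files named after the secret key — confirm
      # against the secrets/ layout.
      secret = filename: {
        file = "${inputs.self}/secrets/${filename}.age";
      };
    in {
      # Tailnet DNS suffix used to build the certificate name below. It is kept out of the
      # repo, but any certificate issued by a public CA publishes <host>.<tailnet> in
      # Certificate Transparency logs, so do not rely on the tailnet name staying private.
      "common/tailscale/tailnet" = secret "common/tailscale/tailnet";
    };

    services.tailscale = {
      enable = true;
      #// permitCertUid = mkIf cfg.cert "caddy"; # Allow caddy to fetch TLS certificates
      # "both" lets this node act as subnet router / exit node AND use routes from others;
      # on NixOS this also turns on the IP-forwarding sysctls, i.e. the host becomes a router.
      useRoutingFeatures = "both";
    };

    # Provision Tailscale certificates in the background per machine
    systemd = let
      hostname = config.custom.hostname;
      unit = "tailscale-cert-${hostname}";
    in
      mkIf cfg.cert {
        #!! Needs to be run on the machine
        # tailscale cert always writes to /var/lib/tailscale/certs/ regardless of flags
        services.${unit} = {
          # `tailscale cert` talks to the tailscaled LocalAPI; with a Persistent timer the
          # service can fire right after boot, so order it behind tailscaled explicitly.
          after = ["tailscaled.service"];
          wants = ["tailscaled.service"];
          # The script runs to completion once per trigger; oneshot makes the timer wait
          # for it to finish and reports its exit status correctly.
          serviceConfig.Type = "oneshot";
          script = concatStringsSep " " [
            "${tailscale} cert"
            "--cert-file -"
            "--key-file -"
            # Name is <hostname>.<tailnet>; the tailnet suffix is read from the agenix secret
            # at runtime so it never appears in the Nix store.
            "${hostname}.\"$(${cat} ${config.age.secrets."common/tailscale/tailnet".path})\""
            # `-` sends the PEM (including the private key) to stdout; drop it so the key is
            # not captured in the journal. The copy tailscaled keeps under
            # /var/lib/tailscale/certs/ is the one consumers should read.
            "> /dev/null"
          ];
        };

        timers.${unit} = {
          wantedBy = ["timers.target"];

          timerConfig = {
            OnCalendar = "daily";
            Persistent = true; # Run at next boot if the scheduled trigger was missed
          };
        };
      };
  };
}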