System/modules/linux/services/tailscale.nix

51 lines
1.5 KiB
Nix
Raw Normal View History

2022-06-23 02:57:41 -04:00
{ config, lib, pkgs, ... }:
let nathan = config.nathan;
in with lib; {
2022-06-23 02:57:41 -04:00
config = mkIf nathan.services.tailscale.enable {
environment.systemPackages = with pkgs; [ tailscale ];
2022-06-23 02:57:41 -04:00
# Enable the service
services.tailscale = { enable = true; };
2022-06-23 02:57:41 -04:00
# Setup sops
sops.secrets."tailscale-auth" = {
2022-09-04 01:59:56 -04:00
sopsFile = ../../../secrets/all/tailscale.yaml;
2022-06-23 02:57:41 -04:00
format = "yaml";
};
# Oneshot job to authenticate to tailscale
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $(cat ${
config.sops.secrets."tailscale-auth".path
})
2022-06-23 02:57:41 -04:00
'';
};
# Configure firewall for tailscale
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
};
};
}