tailscale on felonyspork

common/fragments/tailscale.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+
+{
+  # make the tailscale command usable to users
+  environment.systemPackages = [ pkgs.tailscale ];
+
+  # enable the tailscale service
+  services.tailscale.enable = true;
+
+  # create a oneshot job to authenticate to Tailscale
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:/root/tailscaleauth
+    '';
+  };
+  networking.firewall = {
+    # enable the firewall
+    enable = true;
+
+    # always allow traffic from your Tailscale network
+    trustedInterfaces = [ "tailscale0" ];
+    checkReversePath = "loose";
+
+    # allow the Tailscale UDP port through the firewall
+    allowedUDPPorts = [ config.services.tailscale.port ];
+
+    # allow you to SSH in over the public internet
+    allowedTCPPorts = [ 22 ];
+  };
+}

hosts/felonyspork/configuration.nix

@@ -19,6 +19,7 @@
       ../../common/fragments/fail2ban.nix
       ../../common/fragments/vaapi-jellyfin.nix
       ../../common/fragments/infrared-reverse-proxy.nix
+      ../../common/fragments/tailscale.nix
     ];
 
   # Use the systemd-boot EFI boot loader.