diff --git a/common/fragments/tailscale.nix b/common/fragments/tailscale.nix
new file mode 100644
index 0000000..9dd6cfe
--- /dev/null
+++ b/common/fragments/tailscale.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, ... }:
+
+{
+ # make the tailscale command usable to users
+ environment.systemPackages = [ pkgs.tailscale ];
+
+ # enable the tailscale service
+ services.tailscale.enable = true;
+
+ # create a oneshot job to authenticate to Tailscale
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ # set this service as a oneshot job
+ serviceConfig.Type = "oneshot";
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up -authkey file:/root/tailscaleauth
+ '';
+ };
+ networking.firewall = {
+ # enable the firewall
+ enable = true;
+
+ # always allow traffic from your Tailscale network
+ trustedInterfaces = [ "tailscale0" ];
+ checkReversePath = "loose";
+
+ # allow the Tailscale UDP port through the firewall
+ allowedUDPPorts = [ config.services.tailscale.port ];
+
+ # allow you to SSH in over the public internet
+ allowedTCPPorts = [ 22 ];
+ };
+}
diff --git a/hosts/felonyspork/configuration.nix b/hosts/felonyspork/configuration.nix
index e29af28..5010abf
--- a/hosts/felonyspork/configuration.nix
+++ b/hosts/felonyspork/configuration.nix
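Review bot: The status check `if [ $status = "Running" ]; then` leaves `$status` unquoted, so when `tailscale status -json` yields nothing (tailscaled not yet answering after the fixed `sleep 2`, or jq printing an empty result) the test degrades to `[ = "Running" ]`, which logs a `unary operator expected` error and evaluates false, silently re-running `tailscale up` instead of reporting that the daemon was unreachable; write `if [ "$status" = "Running" ]; then` and consider polling `tailscale status` rather than sleeping. The key read via `file:/root/tailscaleauth` is consumed by a unit running as root with nothing in this fragment creating, permission-checking or expiring that file, so its secrecy and lifetime depend entirely on out-of-band provisioning; I would fail fast with `if [ ! -r /root/tailscaleauth ]; then echo "tailscale auth key missing" >&2; exit 1; fi` and extend the comment to say the file must be a root-only (0600) pre-auth key, preferably short-lived or single-use, since anyone who can read it can enrol a machine into the tailnet. `allowedTCPPorts = [ 22 ]` keeps SSH reachable from every interface even though `tailscale0` is already in `trustedInterfaces`; if the public listener is only a break-glass path, say so in the comment, otherwise scope it with `networking.firewall.interfaces.<name>.allowedTCPPorts` (the host already imports a fail2ban fragment, so public SSH appears intended). `checkReversePath = "loose"` weakens reverse-path filtering for the whole host and deserves a why-comment such as `# loose rp_filter is needed for tailscale subnet-router / exit-node traffic`.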
@@ -19,6 +19,7 @@ ../../common/fragments/fail2ban.nix ../../common/fragments/vaapi-jellyfin.nix ../../common/fragments/infrared-reverse-proxy.nix + ../../common/fragments/tailscale.nix ]; # Use the systemd-boot EFI boot loader.