replace wireguard with tailscale

2025-11-29 17:53:36 +01:00 · 2025-11-29 17:53:36 +01:00 · f29fd6cd0d
commit f29fd6cd0d
parent f5fff0f4c3
5 changed files with 64 additions and 51 deletions
--- a/modules/homebrew.nix
+++ b/modules/homebrew.nix
@ -37,6 +37,7 @@
      "calibre"
      "linearmouse"
      "omnigraffle"
+      "tailscale"
    ];
    taps = [
      # Additional repositories if needed
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tailscale-custom;
+  isRouter = cfg.exitNode || cfg.subnetRoutes != [];
+in
+
+{
+  # NOTE: Auth key file: /etc/tailscale/authkey
+  # Generate at https://login.tailscale.com/admin/settings/keys
+  # Place on host with mode 0600
+
+  options.services.tailscale-custom = {
+    exitNode = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Advertise this node as an exit node";
+    };
+
+    subnetRoutes = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "10.1.1.0/24" "192.168.1.0/24" ];
+      description = "Subnets to advertise to the Tailscale network";
+    };
+
+    acceptRoutes = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Accept subnet routes advertised by other nodes";
+    };
+  };
+
+  config = {
+    services.tailscale = {
+      enable = true;
+      authKeyFile = "/etc/tailscale/authkey";
+      useRoutingFeatures = if isRouter then "server" else "client";
+      extraUpFlags =
+        optional cfg.exitNode "--advertise-exit-node"
+        ++ optional (cfg.subnetRoutes != []) "--advertise-routes=${concatStringsSep "," cfg.subnetRoutes}"
+        ++ optional cfg.acceptRoutes "--accept-routes";
+    };
+
+    boot.kernel.sysctl = mkIf isRouter {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+
+    networking.firewall.trustedInterfaces = [ "tailscale0" ];
+  };
+}