Added tailscale config

This commit is contained in:
Alejandro Angulo 2023-03-25 09:58:31 -07:00
parent c1adac59c4
commit 954d01d4fe
Signed by: alejandro-angulo
GPG key ID: 75579581C74554B6
5 changed files with 59 additions and 53 deletions

View file

@ -0,0 +1,50 @@
{
options,
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.aa.services.tailscale;
in {
options.aa.services.tailscale = with types; {
enable = mkEnableOption "tailscale";
configureClientRouting = mkOption {
type = bool;
default = false;
description = mdDoc ''
Configures tailscale as a client.
See `options.services.tailscale.useRoutingFeatures` for more information.
'';
};
configureServerRouting = mkOption {
type = bool;
default = false;
description = mdDoc ''
Configures tailscale as a server.
See `options.services.tailscale.useRoutingFeatures` for more information.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [pkgs.tailscale];
networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
services.tailscale = {
enable = true;
useRoutingFeatures = mkIf (cfg.configureClientRouting || cfg.configureServerRouting) (
if (cfg.configureClientRouting && cfg.configureServerRouting)
then "both"
else
(
if cfg.configureClientRouting
then "client"
else "server"
)
);
};
};
}

View file

@ -10,7 +10,6 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration-zfs.nix ./hardware-configuration-zfs.nix
./zfs.nix ./zfs.nix
./vpn.nix
]; ];
aa = { aa = {
@ -27,6 +26,10 @@
apps.tmux.enable = true; apps.tmux.enable = true;
services.printing.enable = true; services.printing.enable = true;
services.tailscale = {
enable = true;
configureClientRouting = true;
};
hardware.audio.enable = true; hardware.audio.enable = true;
}; };

View file

@ -1,28 +0,0 @@
{
config,
pkgs,
...
}: {
# enable the tailscale daemon; this will do a
# variety of tasks:
# 1. create the TUN network device
# 2. setup some IP routes to route through the TUN
services.tailscale = {
enable = true;
useRoutingFeatures = "client"; # Make sure to pass `--accept-routes` to `tailscale up`
};
# Let's open the UDP port with which the network is tunneled through
networking.firewall.allowedUDPPorts = [41641];
# Disable SSH access through the firewall Only way into the machine will be
# through This may cause a chicken & egg problem since you need to register
# a machine first using `tailscale up`
# Better to rely on EC2 SecurityGroups
# services.openssh.openFirewall = false;
# Let's make the tailscale binary avilable to all users
environment.systemPackages = [pkgs.tailscale];
# TODO: Enable SSH via tailscale
}

View file

@ -10,7 +10,6 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./zfs.nix ./zfs.nix
./vpn.nix
]; ];
aa = { aa = {
@ -33,6 +32,11 @@
subdomain_name = "gospel"; subdomain_name = "gospel";
}; };
services.printing.enable = true; services.printing.enable = true;
services.tailscale = {
enable = true;
configureClientRouting = true;
configureServerRouting = true;
};
hardware.audio.enable = true; hardware.audio.enable = true;
}; };

View file

@ -1,23 +0,0 @@
{
config,
pkgs,
...
}: {
# enable the tailscale daemon; this will do a
# variety of tasks:
# 1. create the TUN network device
# 2. setup some IP routes to route through the TUN
services.tailscale = {enable = true;};
# Let's open the UDP port with which the network is tunneled through
networking.firewall.allowedUDPPorts = [41641];
# Disable SSH access through the firewall Only way into the machine will be
# through This may cause a chicken & egg problem since you need to register
# a machine first using `tailscale up`
# Better to rely on EC2 SecurityGroups
# services.openssh.openFirewall = false;
# Let's make the tailscale binary avilable to all users
environment.systemPackages = [pkgs.tailscale];
}