feat: Better tailscale module

Make it into a proper module with options, add shortcut for setting the trusted ACL tag
lpchaim · Oct 11, 2024 · ba9178e · ba9178e
1 parent fe7d5fc
commit ba9178e
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 19 deletions.
diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix
@@ -185,25 +185,6 @@ in {
     };
     power-profiles-daemon.enable = true;
     printing.enable = true;
-    tailscale = {
-      enable = true;
-      authKeyFile = config.sops.secrets."tailscale/oauth/secret".path;
-      authKeyParameters = {
-        ephemeral = false;
-        preauthorized = true;
-      };
-      extraUpFlags = [
-        "--accept-dns"
-        "--accept-routes"
-        "--advertise-exit-node"
-        "--advertise-tags=tag:nixos"
-        "--operator=${shared.defaults.name.user}"
-        "--reset" # Forces unspecified arguments to default values
-        "--ssh"
-      ];
-      openFirewall = true;
-      useRoutingFeatures = "both";
-    };
     udisks2.enable = true;
   };
   services.xserver.enable = lib.mkDefault true;

diff --git a/modules/nixos/tailscale/default.nix b/modules/nixos/tailscale/default.nix
@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  options,
+  ...
+}: let
+  inherit (lib.lpchaim) shared;
+in
+  lib.lpchaim.mkModule {
+    inherit config;
+    namespace = "my.networking.tailscale";
+    options = {
+      enable = lib.mkEnableOption "tailscale" // {default = true;};
+      authKeyParameters =
+        options.services.tailscale.authKeyParameters
+        // {
+          default.ephemeral = false;
+          default.preauthorized = true;
+        };
+      trusted = lib.mkOption {
+        description = "Whether to tag this device as trusted";
+        type = lib.types.bool;
+        default = false;
+      };
+      advertise.exitNode = lib.mkOption {
+        description = "Whether to advertise an exit node";
+        default = false;
+        type = lib.types.bool;
+      };
+      advertise.tags = lib.mkOption {
+        description = "ACL tags to advertise";
+        default = ["nixos"];
+        type = with lib.types; listOf str;
+      };
+    };
+    configBuilder = cfg:
+      lib.mkIf cfg.enable {
+        services.tailscale = let
+          tags =
+            cfg.advertise.tags
+            ++ lib.optionals cfg.trusted ["trusted"];
+          formattedTags = lib.pipe tags [
+            (map (it: "tag:${it}"))
+            (builtins.concatStringsSep ",")
+          ];
+        in {
+          inherit (cfg) authKeyParameters;
+          enable = true;
+          authKeyFile = config.sops.secrets."tailscale/oauth/secret".path;
+          extraUpFlags =
+            [
+              "--accept-dns"
+              "--accept-routes"
+              "--advertise-tags=${formattedTags}"
+              "--operator=${shared.defaults.name.user}"
+              "--reset" # Forces unspecified arguments to default values
+              "--ssh"
+            ]
+            ++ lib.optionals cfg.advertise.exitNode [
+              "--advertise-exit-node"
+            ];
+          openFirewall = true;
+          useRoutingFeatures = "both";
+        };
+      };
+  }
diff --git a/systems/x86_64-linux/desktop/default.nix b/systems/x86_64-linux/desktop/default.nix
@@ -22,6 +22,7 @@ in {
 
   system.stateVersion = "23.11";
   my.gaming.enable = true;
+  my.networking.tailscale.trusted = true;
   my.security.secureboot.enable = true;
 
   fileSystems."/run/media/lpchaim/storage" = {

diff --git a/systems/x86_64-linux/laptop/default.nix b/systems/x86_64-linux/laptop/default.nix
@@ -21,5 +21,6 @@ in {
   networking.hostName = "laptop";
   system.stateVersion = "23.11";
   my.gaming.steam.enable = true;
+  my.networking.tailscale.trusted = true;
   my.security.secureboot.enable = true;
 }