diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix
index b0290cc..0d74dd2 100644
--- a/modules/nixos/base/default.nix
+++ b/modules/nixos/base/default.nix
@@ -185,25 +185,6 @@ in {
 };
 power-profiles-daemon.enable = true;
 printing.enable = true;
- tailscale = {
- enable = true;
- authKeyFile = config.sops.secrets."tailscale/oauth/secret".path;
- authKeyParameters = {
- ephemeral = false;
- preauthorized = true;
- };
- extraUpFlags = [
- "--accept-dns"
- "--accept-routes"
- "--advertise-exit-node"
- "--advertise-tags=tag:nixos"
- "--operator=${shared.defaults.name.user}"
- "--reset" # Forces unspecified arguments to default values
- "--ssh"
- ];
- openFirewall = true;
- useRoutingFeatures = "both";
- };
 udisks2.enable = true;
 };
 services.xserver.enable = lib.mkDefault true;
diff --git a/modules/nixos/tailscale/default.nix b/modules/nixos/tailscale/default.nix
new file mode 100644
index 0000000..6c6ed97
--- /dev/null
+++ b/modules/nixos/tailscale/default.nix
@@ -0,0 +1,66 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: let
+ inherit (lib.lpchaim) shared;
+in
+ lib.lpchaim.mkModule {
+ inherit config;
+ namespace = "my.networking.tailscale";
+ options = {
+ enable = lib.mkEnableOption "tailscale" // {default = true;};
+ authKeyParameters =
+ options.services.tailscale.authKeyParameters
+ // {
+ default.ephemeral = false;
+ default.preauthorized = true;
+ };
+ trusted = lib.mkOption {
+ description = "Whether to tag this device as trusted";
+ type = lib.types.bool;
+ default = false;
+ };
+ advertise.exitNode = lib.mkOption {
+ description = "Whether to advertise an exit node";
+ default = false;
+ type = lib.types.bool;
+ };
+ advertise.tags = lib.mkOption {
+ description = "ACL tags to advertise";
+ default = ["nixos"];
+ type = with lib.types; listOf str;
+ };
+ };
+ configBuilder = cfg:
+ lib.mkIf cfg.enable {
+ services.tailscale = let
+ tags =
+ cfg.advertise.tags
+ ++ lib.optionals cfg.trusted ["trusted"];
+ formattedTags = lib.pipe tags [
+ (map (it: "tag:${it}"))
+ (builtins.concatStringsSep ",")
+ ];
+ in {
+ inherit (cfg) authKeyParameters;
+ enable = true;
+ authKeyFile = config.sops.secrets."tailscale/oauth/secret".path;
+ extraUpFlags =
+ [
+ "--accept-dns"
+ "--accept-routes"
+ "--advertise-tags=${formattedTags}"
+ "--operator=${shared.defaults.name.user}"
+ "--reset" # Forces unspecified arguments to default values
+ "--ssh"
+ ]
+ ++ lib.optionals cfg.advertise.exitNode [
+ "--advertise-exit-node"
+ ];
+ openFirewall = true;
+ useRoutingFeatures = "both";
+ };
+ };
+ }
diff --git a/systems/x86_64-linux/desktop/default.nix b/systems/x86_64-linux/desktop/default.nix
index e1f7605..a6b7262 100644
--- a/systems/x86_64-linux/desktop/default.nix
+++ b/systems/x86_64-linux/desktop/default.nix
@@ -22,6 +22,7 @@ in {
 system.stateVersion = "23.11";
 my.gaming.enable = true;
+ my.networking.tailscale.trusted = true;
 my.security.secureboot.enable = true;
 fileSystems."/run/media/lpchaim/storage" = {
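Review bot: `useRoutingFeatures = "both";` in configBuilder stays unconditional even though exit-node advertising is now opt-in (`advertise.exitNode` defaults to false), so every host with this module enabled — the default, via `enable ... // {default = true;}` — gets the server-side routing setup, which as far as I recall turns on kernel IP forwarding in the NixOS tailscale module, while advertising nothing; tie it to the option instead: `useRoutingFeatures = if cfg.advertise.exitNode then "both" else "client";` (`client` is what `--accept-routes` needs, and `--reset` already clears the exit-node flag when the list omits it). `"--ssh"` is likewise always in extraUpFlags, so Tailscale SSH is exposed on every host by default; an `ssh` bool alongside `advertise.exitNode` would make that a per-host decision rather than an implicit one. The `trusted` option only appends `tag:trusted` to `--advertise-tags`, so its description should say so, e.g. `description = "Whether to add tag:trusted to the advertised ACL tags; what that grants is decided by the tailnet ACL, not here";`, otherwise the name reads as something this module enforces.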
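Review bot: `my.networking.tailscale.trusted = true;` has an out-of-repo precondition that nothing here records: the module hunk turns it into `--advertise-tags=tag:nixos,tag:trusted`, and a node can only claim tags the auth key (minted from the `tailscale/oauth/secret` OAuth client) is allowed to own in the tailnet's `tagOwners`; a key that cannot own a requested tag should be rejected at `tailscale up`, and since the key is `preauthorized` that check is the only admission gate. A one-line comment next to this option, e.g. `# needs tag:trusted to be ownable by the tailscale OAuth client (ACL tagOwners)`, would tell the next person why a fresh host fails to join after copying this line. The enclosing attribute set starts and ends outside the hunk.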
diff --git a/systems/x86_64-linux/laptop/default.nix b/systems/x86_64-linux/laptop/default.nix
index b592fbe..7197be9 100644
--- a/systems/x86_64-linux/laptop/default.nix
+++ b/systems/x86_64-linux/laptop/default.nix
@@ -21,5 +21,6 @@ in {
 networking.hostName = "laptop";
 system.stateVersion = "23.11";
 my.gaming.steam.enable = true;
+ my.networking.tailscale.trusted = true;
 my.security.secureboot.enable = true;
 }
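Review bot: `my.networking.tailscale.trusted = true;` gives the laptop the same `tag:trusted` as the stationary desktop, yet this is the host that roams off-network and is the likelier one to be lost or stolen; the module hunk also keeps `--ssh` and `preauthorized = true` on for it, so whatever the tailnet ACL grants to `tag:trusted` travels with the device. If that is intended, a short comment here recording why the portable host is trusted, e.g. `# tag:trusted on a portable host: see the tailnet ACL for what this grants`, keeps the decision visible next to the line that makes it; if not, leave `trusted` off and grant the laptop only what it needs per host in the ACL. The enclosing attribute set starts outside the hunk.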