profiles/homeserver/tailscale.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

{ machine, config, pkgs, ... }: {
  environment.systemPackages = [ pkgs.tailscale ];
  services.tailscale = {
    enable = true;
    useRoutingFeatures = "server";
    extraUpFlags = ["--advertise-exit-node" "--advertise-routes=${builtins.head machine.ipv4}/32"];
    extraDaemonFlags = ["--statedir=/data/tailscaled"];
    authKeyFile = config.secrets.tailscale.path;
  };

  networking.firewall = {
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}