authorDomen Kožar <domen@dev.si>2023-07-02 15:17:20 +0100
committerGitHub <noreply@github.com>2023-07-02 15:17:20 +0100
commitb06bab83bdf285ea0ae3c8e145a081eb95959047 (patch)
treecf7a15bdab5dcd0af1c14f8b6849f870c0842025 /modules
parent43587cdb726f73b962f12028055520dbd1d7233f (diff)
parentd2b70c61bf5555df5f81bfa9b05c341cf68463b9 (diff)
Merge pull request #711 from Enzime/fix/magicdns
tailscale: improve MagicDNS setup
Diffstat (limited to 'modules')
-rw-r--r--modules/nix/default.nix2
-rw-r--r--modules/services/tailscale.nix67
2 files changed, 41 insertions, 28 deletions
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index 6a05159..7445b30 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -140,7 +140,7 @@ in
in
[
# Only ever in NixOS
- (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivilant to this NixOS option.")
+ (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivalent to this NixOS option.")
(mkRemovedOptionModule [ "nix" "daemonCPUSchedPolicy" ] (altOption "nix.daemonProcessType"))
(mkRemovedOptionModule [ "nix" "daemonIOSchedClass" ] (altOption "nix.daemonProcessType"))
(mkRemovedOptionModule [ "nix" "daemonIOSchedPriority" ] (altOption "nix.daemonIOLowPriority"))
diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
index da319eb..6603f53 100644
--- a/modules/services/tailscale.nix
+++ b/modules/services/tailscale.nix
@@ -7,13 +7,12 @@ let
in
{
- options.services.tailscale = {
- domain = mkOption {
- type = types.str;
- default = "";
- description = lib.mdDoc "The Tailscale domain. This is displayed at the top left of https://login.tailscale.com/admin, next to the Tailscale logo.";
- };
+ imports = [
+ (mkRemovedOptionModule [ "services" "tailscale" "domain" ] "Tailscale no longer requires setting the search domain manually.")
+ (mkRemovedOptionModule [ "services" "tailscale" "magicDNS" ] "MagicDNS no longer requires overriding the DNS servers, if this is necessary you can use `services.tailscale.overrideLocalDns`.")
+ ];
+ options.services.tailscale = {
enable = mkEnableOption (lib.mdDoc "Tailscale client daemon");
package = mkOption {
@@ -23,26 +22,32 @@ in
description = lib.mdDoc "The package to use for tailscale";
};
- magicDNS = {
- enable = mkOption {
- type = types.bool;
- default = false;
- example = true;
- description = lib.mdDoc "Whether to configure networking to work with Tailscale's MagicDNS.";
- };
+ overrideLocalDns = mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description = lib.mdDoc ''
+ This option implements `Override local DNS` as it is not yet implemented in Tailscaled-on-macOS.
+
+ To use this option, in the Tailscale control panel:
+ 1. at least one DNS server is added
+ 2. `Override local DNS` is enabled
+
+ As this option sets 100.100.100.100 as your sole DNS server, if the requirements above are not met,
+ all non-MagicDNS queries WILL fail.
+ '';
};
};
config = mkIf cfg.enable {
- assertions = [ {
- assertion = !cfg.magicDNS.enable || config.networking.dns != [ "100.100.100.100" ];
+ assertions = [{
+ assertion = !cfg.overrideLocalDns || config.networking.dns == [ "100.100.100.100" ];
message = ''
- When MagicDNS is enabled, fallback DNS servers need to be set with `networking.dns`.
+ DNS servers should be configured on the Tailscale control panel when `services.tailscale.overrideLocalDns` is enabled.
- Otherwise, Tailscale will take a long time to connect and all DNS queries
- will fail until Tailscale has connected.
+ A race condition can occur when DNS servers are set locally, leading to MagicDNS to not work.
'';
- } ];
+ }];
environment.systemPackages = [ cfg.package ];
@@ -59,13 +64,21 @@ in
};
};
- networking = mkIf cfg.magicDNS.enable {
- dns = [ "100.100.100.100" ];
- search =
- if cfg.domain == "" then
- [ ]
- else
- [ "${cfg.domain}.beta.tailscale.net" ];
- };
+ networking.dns = mkIf cfg.overrideLocalDns [ "100.100.100.100" ];
+
+ # Ensures Tailscale MagicDNS always works even without adding 100.100.100.100 to DNS servers
+ environment.etc."resolver/ts.net".text = "nameserver 100.100.100.100";
+
+ # This file gets created by tailscaled when `Override local DNS` is turned off
+ environment.etc."resolver/ts.net".knownSha256Hashes = [
+ "2c28f4fe3b4a958cd86b120e7eb799eee6976daa35b228c885f0630c55ef626c"
+ ];
+
+ # Cleaning up the .orig file is necessary as any files in /etc/resolver will be used.
+ system.activationScripts.etc.text = mkAfter ''
+ if [ -e /etc/resolver/ts.net.orig ]; then
+ rm /etc/resolver/ts.net.orig
+ fi
+ '';
};
}
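Review bot: `overrideLocalDns` can be switched on without anything being overridden, because the only guard in this section is the assertion on the value of `networking.dns`, while nix-darwin (if I read its networking module correctly) applies `networking.dns` only to the services listed in `networking.knownNetworkServices`, which defaults to an empty list, so `100.100.100.100` may never reach the system resolver. A second entry in `assertions` would close that gap: `{ assertion = !cfg.overrideLocalDns || config.networking.knownNetworkServices != [ ]; message = "services.tailscale.overrideLocalDns requires networking.knownNetworkServices to be set, otherwise 100.100.100.100 is never applied."; }`. Separately, the `knownSha256Hashes` entry pins one exact file that tailscaled writes; a comment beside it recording the expected content (`# tailscaled writes: <expected file content, placeholder>`) would let a maintainer regenerate the hash when tailscaled's output changes, since a non-matching file is, as far as I recall, left in place by the etc activation step and the `.orig` cleanup below then never runs.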