tailscale

modules/default.nix

@@ -6,12 +6,14 @@
     ./deploy.nix
     ./keys.nix
     ./secret.nix
+    ./tailscale.nix
   ];
   sharedModules = with nixosModules; [
     nix
     hm
     boot
     deploy
+    tailscale
     secret
   ];
 in {inherit nixosModules sharedModules;}

modules/deploy.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.services.remote-deploy;
+  cfg = config.c.services.remote-deploy;
 in {
-  options.services.remote-deploy = {
+  options.c.services.remote-deploy = {
     enable = mkEnableOption "Enable remote deployment with nixinate.";
     host = mkOption {
       type = types.str;

modules/tailscale.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  options,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.c.services.mesh;
+in {
+  options.c.services.mesh = {
+    enable = mkEnableOption "Enable tailscale daemon.";
+    exitNode = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable advertising as an exit node.";
+    };
+    keyFile = mkOption {
+      type = types.path;
+      description = "Path to key file.";
+    };
+  };
+  config = mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      #authKeyFile = config.age.secrets.mesh-conf.path;
+      authKeyFile = cfg.keyFile;
+      extraUpFlags = ["--login-server" "https://mesh.cleslie.uk"];
+      extraSetFlags = [(mkIf cfg.exitNode "--advertise-exit-node")];
+    };
+    networking.firewall = {
+      #checkReversePath = "loose";
+      trustedInterfaces = [config.services.tailscale.interfaceName];
+    };
+  };
+}