{
flake.commonModules.tailscale =
  { lib, ... }:
  {
    # Hand the tailnet's MagicDNS zone to tailscaled's own resolver
    # (100.100.100.100 is the address tailscaled answers DNS on) so names in
    # this zone are resolved by Tailscale rather than by the upstream forwarders.
    services.hickory-dns.settings.zones = lib.singleton {
      zone = "warthog-major.ts.net.";
      zone_type = "External";
      stores = {
        type = "forward";
        name_servers = lib.singleton {
          ip = "100.100.100.100";
          # Presumably: treat the forwarder's NXDOMAIN/NODATA answers as final
          # for this zone instead of retrying elsewhere.
          trust_negative_responses = true;
          # Plain UDP/53; the forwarder is the local tailscaled, so the query
          # never leaves the host unencrypted.
          connections = lib.singleton {
            port = 53;
            protocol.type = "udp";
          };
        };
      };
    };
  };
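flake.nixosModules.tailscale =
  {
    config,
    lib,
    pkgs,
    ...
  }:
  let
    inherit (lib.lists) singleton;
    inherit (lib.meta) getExe;
    inherit (lib.modules) mkAfter mkIf;
    cfg = config.services.tailscale;
    gateway = config.networking.defaultGateway;
    # `networking.defaultGateway` may be given as a bare address, in which case
    # its `interface` is null; interpolating null into the ethtool script below
    # fails at evaluation time, so collapse both cases into one nullable value
    # and gate the dispatcher rule on it.
    gatewayInterface = if gateway == null then null else gateway.interface;
  in
  {
    # tailscaled keeps its node key and identity here; persisting the directory
    # keeps the node from re-registering with a fresh identity on every boot.
    persist.subvolumes = singleton "/var/lib/tailscale";
    # Age-encrypted auth key handled by the project's `secrets` option.
    # Root-only mode so the pre-auth key cannot be read by other local users.
    secrets.tailscaleAuthKey = {
      file = ./tailscale.secret.age;
      owner = "root";
      mode = "0400";
    };
    services.tailscale = {
      enable = true;
      interfaceName = "ts0";
      # "both": NixOS enables the IP-forwarding sysctls (server side) and relaxes
      # reverse-path filtering (client side), so this host can both advertise
      # routes and use routes/exit nodes advertised by peers.
      useRoutingFeatures = "both";
      authKeyFile = config.secrets.tailscaleAuthKey.path;
      # mkAfter so these flags are appended after any contributed by other modules.
      extraUpFlags = mkAfter [
        "--login-server=https://controlplane.tailscale.com"
        "--accept-dns=false" # hickory-dns handles DNS.
      ];
    };
    # Every tailnet peer bypasses the host firewall on ts0: anything listening on
    # that interface is reachable by any peer, so access control for tailnet
    # traffic has to come from the tailnet ACL policy rather than from this host.
    networking.firewall.trustedInterfaces = singleton cfg.interfaceName;
    # NFTABLES: have tailscaled program the same netfilter backend as the host
    # firewall instead of falling back to iptables alongside it.
    systemd.services.tailscaled.serviceConfig.Environment = mkIf config.networking.nftables.enable [
      "TS_DEBUG_FIREWALL_MODE=nftables"
    ];
    # TODO
    # UDP GRO FORWARDING OPTIMIZATION: tune the uplink NIC once it is routable.
    # Only installed when a concrete gateway interface name is known (see the
    # `gatewayInterface` binding above).
    services.networkd-dispatcher = mkIf (gatewayInterface != null) {
      enable = true;
      rules."50-tailscale-optimizations" = {
        onState = singleton "routable";
        script = /* sh */ ''
          ${getExe pkgs.ethtool} --features ${gatewayInterface} rx-udp-gro-forwarding on rx-gro-list off
        '';
      };
    };
    # WAIT-ONLINE
    # NOTE(review): presumably disabled because the tailscale interface keeps
    # systemd-networkd-wait-online from ever reporting "online"; confirm before
    # re-enabling either of these.
    systemd.network.wait-online.enable = false;
    boot.initrd.systemd.network.wait-online.enable = false;
  };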
flake.darwinModules.tailscale =
  { lib, ... }:
  {
    # On macOS Tailscale is installed as the GUI app via Homebrew; the app also
    # provides the `tailscale` CLI that the home module aliases.
    homebrew.casks = lib.singleton "tailscale-app";
  };
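flake.homeModules.tailscale =
  {
    lib,
    osConfig,
    pkgs,
    ...
  }:
  let
    inherit (lib.meta) getExe;
    inherit (lib.modules) mkIf;
    inherit (osConfig.nixpkgs.hostPlatform) isDarwin isLinux;
    # Single source of truth for the Tailscale package: the alias below and the
    # installed package list both refer to it, so they cannot drift apart.
    package = pkgs.tailscale;
  in
  {
    # On Darwin the CLI comes from the Tailscale app (a Homebrew cask in the
    # darwin module), so alias the bare command; on Linux point at the store
    # path of the package installed below.
    programs.nushell.aliases.ts = if isDarwin then "tailscale" else getExe package;
    packages = mkIf isLinux [ package ];
  };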
}