tailscale exit nodes

flake.nix

@@ -272,6 +272,7 @@
       p1005       = ./hardware/printer/hp-laserjet-p1005.nix;
       au          = ./profiles/auto-upgrade.nix;
       ts          = ./profiles/tailscale.nix;
+      tse         = ./profiles/tailscale-exit-node.nix;
       #rb          = ./profiles/known-hosts.nix; # TODO
       nixld       = ./profiles/nix-ld.nix;
       dns64       = { config, ... }: {
@@ -282,13 +283,13 @@
       };
     in builtins.mapAttrs (hostname: curried: curried hostname) {
       #hostname        "domain"    "system"        inputs      "state" [ modules ... ]
-      noximilien  = mk "pbsds.net" "x86_64-linux"  inputs-2405 "23.11" [ au ts intel ];
+      noximilien  = mk "pbsds.net" "x86_64-linux"  inputs-2405 "23.11" [ au tse intel ];
       brumlebasse = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au     amd nspawn ];
       nord        = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au ts  intel-novga hw.common-gpu-intel-sandy-bridge rocm hidpi ];
       sopp        = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au ts  nixld intel cuda p1005 ];
       bjarte      = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [    ts  nixld intel hw.lenovo-thinkpad-x1-7th-gen ];
       bolle       = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au     dns64 intel ];
-      eple        = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au ts dns64 intel rocm ];
+      eple        = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au tse dns64 intel rocm ];
       garp        = mk "pbsds.net" "x86_64-linux"  inputs-2405 "24.05" [ au     dns64 intel-novga cuda ];
       hasselknippe= mk "pbsds.net" "aarch64-linux" inputs-2405 "24.05" [    ts  hw.pine64-pinebook-pro ];
       #gomperud smattkuken skrytebiffen skalkesnerken balleby bingus skjrlaltatjlstad

profiles/tailscale-exit-node.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+
+{
+  # exit nodes must be approved in admin interface
+  # https://login.tailscale.com/admin/machines
+  imports = [ ./tailscale.nix ];
+
+  # if host is _upgraded_ to exit node, reload with
+  #     sudo systemctl start tailscaled-autoconnect
+  # or maybe even
+  #     sudo systemctl start tailscaled-set
+  services.tailscale.useRoutingFeatures = "both";
+  services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];
+}