pederbs/config
2
1
Fork 0
Code Issues Pull Requests Releases Activity

ts

Browse Source
This commit is contained in:
Peder Bergebakken Sundt
2025-08-10 00:45:47 +02:00
parent a255fed1ae
commit 88c2c9d1ee
3 changed files with 48 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
profiles/sshd/ts-only.nix
View File

@@ -1,6 +1,11 @@
{ config, ... }:
let
inherit (config.services.tailscale) interfaceName;
in
{
imports = [ ./default.nix ];
services.openssh.openFirewall = false;
networking.firewall.interfaces.tailscale0.allowedTCPPorts = config.services.openssh.ports;
networking.firewall.interfaces.${interfaceName}.allowedTCPPorts = config.services.openssh.ports;
}

22
profiles/tailscale-inner.nix
View File

@@ -1,4 +1,8 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
inherit (config.services.tailscale) interfaceName;
in
lib.mkIf (!config.virtualisation.isVmVariant)
@@ -12,4 +16,20 @@ lib.mkIf (!config.virtualisation.isVmVariant)
# https://tailscale.com/kb/1085/auth-keys
services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
# Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
# https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
networking.firewall.checkReversePath = "loose";
# done in profiles/sshd/ts-only.nix:
# networking.firewall.interfaces.${interfaceName} = {
# allowedTCPPorts = [ 22 ];
# };
# environment.systemPackages = lib.mkMerge [
# (lib.mkIf config.services.desktopManager.gnome.enable [
# pkgs.ktailctl
# ])
# ];
}

22
profiles/tailscale-outer.nix
View File

@@ -1,4 +1,8 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
inherit (config.services.tailscale) interfaceName;
in
lib.mkIf (!config.virtualisation.isVmVariant)
@@ -12,4 +16,20 @@ lib.mkIf (!config.virtualisation.isVmVariant)
# https://tailscale.com/kb/1085/auth-keys
services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-outer.path; # also enables autoconnect
sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;
# Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
# https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
networking.firewall.checkReversePath = "loose";
# done in profiles/sshd/ts-only.nix:
# networking.firewall.interfaces.${interfaceName} = {
# allowedTCPPorts = [ 22 ];
# };
# environment.systemPackages = lib.mkMerge [
# (lib.mkIf config.services.desktopManager.gnome.enable [
# pkgs.ktailctl
# ])
# ];
}