diff --git a/hosts/default.nix b/hosts/default.nix
index a649c56..a90d04c 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -88,7 +88,7 @@ let
 nord = mk "pbsds.net" "x86_64-linux" input-views.inputs-2505 "24.11" [ ts1 au ];
 sopp = mk "pbsds.net" "x86_64-linux" input-views.inputs-edge "24.11" [ ts1 au nixld p1005 ];
 bjarte = mk "pbsds.net" "x86_64-linux" input-views.inputs-edge "24.11" [ ts1 nixld ];
- bolle = mk "pbsds.net" "x86_64-linux" input-views.inputs-edge "24.11" [ ts2 au ];
+ bolle = mk "pbsds.net" "x86_64-linux" input-views.inputs-edge "24.11" [ ts2 au tse ];
 eple = mk "pbsds.net" "x86_64-linux" input-views.inputs-2505 "24.11" [ ts1 au tse dns64 ];
 garp = mk "pbsds.net" "x86_64-linux" input-views.inputs-2505 "24.11" [ ts2 au ];
 # hasselknippe= mk "pbsds.net" "aarch64-linux" input-views.inputs-2405 "24.05" [ ts1 hw.pine64-pinebook-pro ];
diff --git a/profiles/tailscale-exit-node.nix b/profiles/tailscale-exit-node.nix
index b63193c..4d867f4 100644
--- a/profiles/tailscale-exit-node.nix
+++ b/profiles/tailscale-exit-node.nix
@@ -12,4 +12,8 @@
 services.tailscale.useRoutingFeatures = "both";
 services.tailscale.extraSetFlags = [ "--advertise-exit-node" ];
 services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+
+ # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
+ # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
+ # networking.firewall.checkReversePath = "loose";
 }
diff --git a/profiles/tailscale-inner.nix b/profiles/tailscale-inner.nix
index ae2b258..2b29a3f 100644
--- a/profiles/tailscale-inner.nix
+++ b/profiles/tailscale-inner.nix
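Review bot: Adding `tse` to `bolle` turns that host into a tailnet exit node (the profile passes `--advertise-exit-node` and sets `useRoutingFeatures = "both"`, which as I recall also makes the NixOS module enable IP forwarding on the host), and nothing on the line records that this is intended rather than a stray token. A short trailing comment would help the next reader, e.g. `bolle = mk "pbsds.net" "x86_64-linux" input-views.inputs-edge "24.11" [ ts2 au tse ]; # exit node, like eple`. Note too that an advertised exit node only becomes usable once it is approved in the tailnet admin console (or matched by an auto-approver), so the rollout is not complete with this commit alone.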
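Review bot: The three commented-out lines added before the closing `}` in profiles/tailscale-exit-node.nix are redundant rather than merely disabled: with `services.tailscale.useRoutingFeatures = "both"` on the context line above, the NixOS tailscale module itself sets `networking.firewall.checkReversePath = "loose"` (it does so for "client" and "both"), so this profile already gets the relaxed reverse-path check. Carrying the disabled setting with its upstream link invites someone to re-enable it as if it were missing, or to "tighten" it back to strict and break the exit node. I would replace the added comment block with one line that states the actual situation: `# rp_filter is relaxed to "loose" by the tailscale module because useRoutingFeatures = "both"; needed for exit-node/subnet routing (tailscale/tailscale#4432)`.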
@@ -17,9 +17,12 @@ lib.mkIf (!config.virtualisation.isVmVariant)
 services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
 sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
- # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
- # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
- networking.firewall.checkReversePath = "loose";
+ # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
+ # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
+ # networking.firewall.checkReversePath = "loose";
+
+ # TODO: why do people do this?
+ # networking.firewall.trustedInterfaces = [ interfaceName ];
 # done in profiles/sshd/ts-only.nix:
 # networking.firewall.interfaces.${interfaceName} = {
diff --git a/profiles/tailscale-outer.nix b/profiles/tailscale-outer.nix
index c5d6623..8c18445 100644
--- a/profiles/tailscale-outer.nix
+++ b/profiles/tailscale-outer.nix
@@ -17,9 +17,12 @@ lib.mkIf (!config.virtualisation.isVmVariant)
 services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-outer.path; # also enables autoconnect
 sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;
- # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
- # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
- networking.firewall.checkReversePath = "loose";
+ # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
+ # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
+ # networking.firewall.checkReversePath = "loose";
+
+ # TODO: why do people do this?
+ # networking.firewall.trustedInterfaces = [ interfaceName ];
 # done in profiles/sshd/ts-only.nix:
 # networking.firewall.interfaces.${interfaceName} = {
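Review bot: The `# TODO: why do people do this?` added above the commented-out `networking.firewall.trustedInterfaces = [ interfaceName ]` in profiles/tailscale-inner.nix deserves an answer in the file rather than a question, and the identical hunk in profiles/tailscale-outer.nix has the same gap: `trustedInterfaces` exempts an interface from the firewall entirely, so every listening service on the host becomes reachable from every tailnet peer, whereas the per-interface port allowances referenced in profiles/sshd/ts-only.nix expose only the ports you choose. I would replace the TODO with `# trustedInterfaces would open every listening port to all tailnet peers; we allow ports per interface in profiles/sshd/ts-only.nix instead`. Commenting out `checkReversePath = "loose"` restores strict reverse-path filtering, which is the safer default for nodes that do not route, but any of these hosts that uses an exit node as a client will need "loose" again; the NixOS module applies it when `services.tailscale.useRoutingFeatures` is "client" or "both", and that option is not visible in this hunk, so please confirm it is set on the hosts that need it. The enclosing `lib.mkIf` attribute set starts before and ends after the hunk.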