ljasdjklasdljasdljk

profiles/tailscale/exit-node.nix

@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+let
+  exitNodeFlags = [
+    "--advertise-exit-node"
+    # "--exit-node-allow-lan-access"
+    # "--exit-node-allow-incoming-wan-access"
+  ];
+in
+
+{
+  # exit nodes must be approved in admin interface
+  # https://login.tailscale.com/admin/machines
+  /* imports = [ ./inner.nix ]; */
+
+  config = lib.mkIf (!config.virtualisation.isVmVariant) {
+
+    # if host is _upgraded_ to exit node, reload with
+    #     sudo systemctl start tailscaled-autoconnect
+    # or maybe even
+    #     sudo systemctl start tailscaled-set
+    services.tailscale.useRoutingFeatures = "both";
+    services.tailscale.extraSetFlags = exitNodeFlags;
+    services.tailscale.extraUpFlags = exitNodeFlags;
+
+    # # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
+    # # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
+    # networking.firewall.checkReversePath = "loose";
+
+  };
+}

profiles/tailscale/inner.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+{
+  # https://login.tailscale.com/admin/machines
+
+  imports = [ ./shared.nix ];
+
+  config = lib.mkIf (!config.virtualisation.isVmVariant) {
+
+    # https://tailscale.com/kb/1085/auth-keys
+    services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
+    sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
+
+    # systemd-resolved will by default read /etc/hosts
+    networking.extraHosts = [
+      # "100.113.27.44 cache-proxy.pbsds.net" # noximilien over tailscale
+    ];
+
+  };
+}

profiles/tailscale/outer.nix

@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+{
+  # https://login.tailscale.com/admin/machines
+
+  imports = [ ./shared.nix ];
+
+  config = lib.mkIf (!config.virtualisation.isVmVariant) {
+
+    # https://tailscale.com/kb/1085/auth-keys
+    services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-outer.path; # also enables autoconnect
+    sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;
+
+  };
+}

profiles/tailscale/shared.nix

@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (config.services.tailscale) interfaceName; # "tailscale0"
+in
+
+# DERP is a relay system that Tailscale uses when a direct connection cannot be established.
+# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+
+{
+  # https://login.tailscale.com/admin/machines
+
+  options.pbsds.tailscale.fqdn = lib.mkOption {
+    visible = false; internal = true; readOnly = true;
+    default = "${config.networking.hostName}.tail9aac63.ts.net";
+  };
+
+  config = lib.mkIf (!config.virtualisation.isVmVariant) {
+
+    services.tailscale.enable = true;
+
+    networking.extraHosts = [
+      "127.0.0.2 ${config.pbsds.tailscale.fqdn}" # the entire 127.0.0.0/8 is loopback
+    ];
+
+    # # https://tailscale.com/kb/1085/auth-keys
+    # services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-inner.path; # also enables autoconnect
+    # sops.secrets.tailscale-authkey-inner.sopsFile = ../secrets/tailscale-inner.yaml;
+
+    # https://wiki.nixos.org/wiki/Tailscale#DNS
+    services.resolved.enable = lib.mkDefault config.networking.networkmanager.enable;
+
+    # Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups
+    # https://wiki.nixos.org/wiki/Tailscale#No_internet_when_using_exit_node
+    # https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111
+    networking.firewall.checkReversePath = lib.mkDefault "loose";
+
+    # TODO: why do people do this?
+    # networking.firewall.trustedInterfaces = [ interfaceName ];
+
+    # done in profiles/sshd/ts-only.nix:
+    # networking.firewall.interfaces.${interfaceName} = {
+    #   allowedTCPPorts = [ 22 ];
+    # };
+
+    # environment.systemPackages = lib.mkMerge [
+    #   (lib.mkIf config.services.desktopManager.gnome.enable [
+    #     pkgs.ktailctl
+    #   ])
+    # ];
+
+  };
+}