config/profiles/tailscale-outer.nix

{ config, lib, ... }:

lib.mkIf (!config.virtualisation.isVmVariant)

# DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp

{
  # https://login.tailscale.com/admin/machines

  services.tailscale.enable = true;
  # https://tailscale.com/kb/1085/auth-keys
  services.tailscale.authKeyFile = config.sops.secrets.tailscale-authkey-outer.path; # also enables autoconnect
  sops.secrets.tailscale-authkey-outer.sopsFile = ../secrets/tailscale-outer.yaml;
}