 1{
 2  den.aspects.services.provides.tailscale = authKeyFileAged: {
 3    nixos = {
 4      config,
 5      pkgs,
 6      ...
 7    }: {
 8      environment.systemPackages = [pkgs.tailscale];
 9      services.tailscale = {
10        enable = true;
11        authKeyFile = config.vaultix.secrets."tailscale-auth-key".path;
12        extraUpFlags = [
13          "--login-server=https://headscale.hpcesia.com"
14          "--accept-dns=false"
15        ];
16      };
17      systemd.services.tailscaled-autoconnect = {
18        before = ["mihomo.service"];
19        unitConfig = {
20          DynamicUser = false;
21          User = "tailscaled-autoconnect";
22          Group = "tailscaled-autoconnect";
23        };
24      };
25      users.users."tailscaled-autoconnect" = {
26        isSystemUser = true;
27        useDefaultShell = true;
28        group = "tailscaled-autoconnect";
29      };
30      users.groups."tailscaled-autoconnect" = {};
31
32      networking.firewall = {
33        trustedInterfaces = [config.services.tailscale.interfaceName];
34        allowedUDPPorts = [config.services.tailscale.port];
35      };
36
37      systemd.network.wait-online.enable = false;
38      boot.initrd.systemd.network.wait-online.enable = false;
39
40      vaultix.secrets."tailscale-auth-key" = {
41        file = authKeyFileAged;
42        owner = "tailscaled-autoconnect";
43        group = "tailscaled-autoconnect";
44        mode = "0440";
45      };
46    };
47  };
48}