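{
  # Aspect: join this host to the self-hosted Headscale control plane through
  # Tailscale. `authKeyFileAged` is the age-encrypted pre-auth key; vaultix
  # decrypts it at activation and tailscaled reads the decrypted copy.
  den.aspects.services.provides.tailscale = authKeyFileAged: {
    nixos = {
      config,
      lib,
      pkgs,
      ...
    }: {
      environment.systemPackages = [pkgs.tailscale];

      services.tailscale = {
        enable = true;
        # Path of the *decrypted* secret declared under vaultix.secrets below,
        # never the aged file itself.
        authKeyFile = config.vaultix.secrets."tailscale-auth-key".path;
        extraUpFlags = [
          "--login-server=https://headscale.hpcesia.com"
          "--accept-dns=false"
        ];
      };

      # Run the one-shot autoconnect unit as a dedicated static user so the
      # decrypted key can be owned by that user instead of root.
      # User=/Group=/DynamicUser= are [Service] directives: they belong in
      # serviceConfig. Under unitConfig they are written to [Unit], where
      # systemd ignores them with a warning and the unit keeps whatever
      # identity the upstream module gives it, so the ownership below would
      # not line up with the process actually reading the key.
      systemd.services.tailscaled-autoconnect = {
        # Ordering only; `before` does not pull mihomo in or start this unit.
        before = ["mihomo.service"];
        serviceConfig = {
          # mkForce so this override wins if the upstream module already sets
          # DynamicUser; harmless when it does not.
          DynamicUser = lib.mkForce false;
          User = "tailscaled-autoconnect";
          Group = "tailscaled-autoconnect";
          # NOTE(review): as a non-root user, `tailscale up` must still be
          # allowed to talk to tailscaled's local socket — confirm on a host.
        };
      };
      users.users."tailscaled-autoconnect" = {
        isSystemUser = true;
        useDefaultShell = true;
        group = "tailscaled-autoconnect";
      };
      users.groups."tailscaled-autoconnect" = {};

      networking.firewall = {
        # Policy choice: every port is reachable from tailnet peers, because
        # traffic on the tailscale interface bypasses the firewall entirely.
        trustedInterfaces = [config.services.tailscale.interfaceName];
        # tailscaled's UDP listener, so peers can reach this node directly.
        allowedUDPPorts = [config.services.tailscale.port];
      };

      # Don't block boot (or the initrd) on network-online; presumably the
      # overlay interface never satisfies wait-online — confirm.
      systemd.network.wait-online.enable = false;
      boot.initrd.systemd.network.wait-online.enable = false;

      # Decrypted key: owner/group match the autoconnect unit above;
      # 0440 = readable by that user and group only, not world-readable.
      vaultix.secrets."tailscale-auth-key" = {
        file = authKeyFileAged;
        owner = "tailscaled-autoconnect";
        group = "tailscaled-autoconnect";
        mode = "0440";
      };
    };
  };
}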