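{
  config,
  pkgs,
  ...
}: {
  # Tailscale node enrolled against a self-hosted headscale control server.
  # The host acts as an exit node and also installs routes advertised by
  # other peers, so kernel forwarding and the firewall are tuned below for
  # forwarded traffic.
  services.tailscale = {
    enable = true;
    # "both": the NixOS module applies its forwarding (server) and
    # rp_filter (client) defaults; the explicit settings further down
    # restate them so this file documents the host's full posture.
    useRoutingFeatures = "both";
    # Pre-auth key is provided by agenix at runtime; only its path is
    # referenced here so the key itself never ends up in /nix/store.
    authKeyFile = config.age.secrets.tailscale-key.path;
    extraUpFlags = [
      # Enrol against the headscale instance configured in this system's
      # options instead of the public Tailscale coordination server.
      "--login-server=${config.services.headscale.settings.server_url}"
      # Offer this host as an exit node: peers permitted by the headscale
      # policy can route all of their internet traffic through it.
      "--advertise-exit-node"
      # Accept subnet routes advertised by other nodes into this host's
      # routing table (still subject to the control server's policy).
      "--accept-routes"
    ];
  };

  # Re-apply the ethtool GRO settings for forwarded UDP on the primary
  # uplink whenever the network becomes routable; the setting does not
  # survive a link reset. Store paths are spelled out because the
  # dispatcher runs rules with a minimal PATH.
  services.networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      # The previous one-liner quoted the whole command as a single word and
      # piped it into "-K", so it could never execute. Look up the uplink
      # first, then only run ethtool when an interface was actually found.
      script = ''
        NETDEV=$(${pkgs.iproute2}/bin/ip -o route get 8.8.8.8 | ${pkgs.coreutils}/bin/cut -f 5 -d " ")
        if [ -n "$NETDEV" ]; then
          ${pkgs.ethtool}/bin/ethtool -K "$NETDEV" rx-udp-gro-forwarding on rx-gro-list off
        fi
      '';
    };
  };

  # Packet forwarding must be on for exit-node and subnet-route traffic to
  # leave this host; the gro_* knobs tune GRO batching for that forwarded
  # traffic.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
    "net.core.gro_normal_batch" = 8;
    "net.core.gro_flush_timeout" = 200000;
  };

  networking.firewall = {
    # Everything arriving over the tailnet bypasses the host firewall;
    # access control for tailnet peers therefore rests entirely on the
    # headscale policy.
    trustedInterfaces = ["tailscale0"];
    # Tailscale's WireGuard listen port, so peers can connect directly
    # instead of relaying through DERP.
    allowedUDPPorts = [41641];
    # Strict reverse-path filtering drops forwarded return traffic whose
    # source is not reachable via the receiving interface; "loose" is
    # required once this host forwards for exit-node clients.
    checkReversePath = "loose";
  };

  environment.systemPackages = with pkgs; [
    ethtool
    tailscale
    networkd-dispatcher
  ];
}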