hosts/m3-ares/services/tailscale.nix

@@ -1,12 +1,40 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
   services.tailscale = {
     enable = true;
-    authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "client";
-    useRoutingFeatures = "both";
-    extraUpFlags = [
-      "--login-server=https://va.m3tam3re.com"
-      "--accept-routes"
-      "--exit-node-allow-lan-access"
-    ];
   };
+
+  # systemd.services.tailscale-autoconnect = {
+  #   description = "Automatic connection to Tailscale";
+
+  #   # make sure tailscale is running before trying to connect to tailscale
+  #   after = ["network-pre.target" "tailscale.service"];
+  #   wants = ["network-pre.target" "tailscale.service"];
+  #   wantedBy = ["multi-user.target"];
+
+  #   # set this service as a oneshot job
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+  #   };
+
+  #   # have the job run this shell script
+  #   script = with pkgs; ''
+  #     # wait for tailscaled to settle
+  #     sleep 2
+
+  #     # check if we are already authenticated to tailscale
+  #     status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+  #     if [ $status = "Running" ]; then # if so, then do nothing
+  #       exit 0
+  #     fi
+
+  #     # otherwise authenticate with tailscale
+  #     ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
+  #   '';
+  # };
 }

hosts/m3-atlas/services/headscale.nix

@@ -1,7 +1,7 @@
 {
+  pkgs,
   config,
   lib,
-  pkgs,
   ...
 }: {
   # Define a new option for the admin user
@@ -42,12 +42,14 @@
         routes = {
           "0.0.0.0/0" = ["${adminUser}"];
           "10.0.0.0/8" = ["${adminUser}"];
+          "172.16.0.0/12" = ["${adminUser}"];
           "192.168.0.0/16" = ["${adminUser}"];
         };
 
         exitNode = ["${adminUser}"];
       };
     };
+
     # Convert to HuJSON format with comments
     aclHuJson = ''
       // Headscale ACL Policy - Generated by NixOS
@@ -55,13 +57,14 @@
 
       ${builtins.toJSON aclConfig}
     '';
+
     aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
   in {
     services = {
       headscale = {
         enable = true;
-        adminUser = "m3tam3re";
         port = 3009;
+        adminUser = "m3tam3re";
         settings = {
           server_url = "https://va.m3tam3re.com";
           dns = {
@@ -73,6 +76,24 @@
       };
     };
 
+    # Traefik configuration
+    services.traefik.dynamicConfigOptions.http = {
+      services.headscale.loadBalancer.servers = [
+        {
+          url = "http://localhost:3009/";
+        }
+      ];
+
+      routers.headscale = {
+        rule = "Host(`va.m3tam3re.com`)";
+        tls = {
+          certResolver = "godaddy";
+        };
+        service = "headscale";
+        entrypoints = "websecure";
+      };
+    };
+
     # Create a systemd service to ensure the admin user exists
     systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
       description = "Ensure Headscale admin user exists";
@@ -96,23 +117,5 @@
         fi
       '';
     };
-
-    # Traefik configuration for headscale
-    services.traefik.dynamicConfigOptions.http = {
-      services.headscale.loadBalancer.servers = [
-        {
-          url = "http://localhost:3009/";
-        }
-      ];
-
-      routers.headscale = {
-        rule = "Host(`va.m3tam3re.com`)";
-        tls = {
-          certResolver = "godaddy";
-        };
-        service = "headscale";
-        entrypoints = "websecure";
-      };
-    };
   };
 }

hosts/m3-atlas/services/tailscale.nix

@@ -1,27 +1,45 @@
 {
   config,
-  lib,
   pkgs,
   ...
 }: {
   services.tailscale = {
     enable = true;
-    authKeyFile = config.age.secrets.tailscale-key.path;
     useRoutingFeatures = "both";
+    authKeyFile = config.age.secrets.tailscale-key.path;
     extraUpFlags = [
       "--login-server=${config.services.headscale.settings.server_url}"
       "--advertise-exit-node"
       "--accept-routes"
     ];
   };
-  services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {
+
+  services.networkd-dispatcher = {
     enable = true;
     rules."50-tailscale" = {
       onState = ["routable"];
       script = ''
-        NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
+        "${pkgs.ethtool} NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ") | -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
-        ${pkgs.ethtool}/bin/ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
       '';
     };
   };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+    "net.core.gro_normal_batch" = 8;
+    "net.core.gro_flush_timeout" = 200000;
+  };
+
+  networking.firewall = {
+    trustedInterfaces = ["tailscale0"];
+    allowedUDPPorts = [41641];
+    checkReversePath = "loose";
+  };
+
+  environment.systemPackages = with pkgs; [
+    ethtool
+    tailscale
+    networkd-dispatcher
+  ];
 }

hosts/m3-kratos/secrets.nix

@@ -1,9 +1,6 @@
 {
   age = {
     secrets = {
-      tailscale-key = {
-        file = ../../secrets/tailscale-key.age;
-      };
       wg-DE = {
         file = ../../secrets/wg-DE.age;
         path = "/etc/wireguard/DE.conf";
@@ -24,6 +21,7 @@
         file = ../../secrets/wg-BR.age;
         path = "/etc/wireguard/BR.conf";
       };
+      tailscale-key.file = ../../secrets/tailscale-key.age;
       m3tam3re-secrets = {
         file = ../../secrets/m3tam3re-secrets.age;
         owner = "m3tam3re";

hosts/m3-kratos/services/tailscale.nix

@@ -1,11 +1,10 @@
-{config, ...}: {
+{
   services.tailscale = {
     enable = true;
-    authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "client";
-    useRoutingFeatures = "both";
     extraUpFlags = [
-      "--login-server=https://va.m3tam3re.com"
+      "--login-server https://va.m3tam3re.com"
-      "--accept-routes"
+      "--exit-node=m3-atlas"
       "--exit-node-allow-lan-access"
     ];
   };