+Tailscale @m3-ares

hosts/m3-ares/services/tailscale.nix

@@ -1,40 +1,12 @@
-{
+{config, ...}: {
-  config,
-  pkgs,
-  ...
-}: {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "client";
+    authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "both";
+    extraUpFlags = [
+      "--login-server=https://va.m3tam3re.com"
+      "--accept-routes"
+      "--exit-node-allow-lan-access"
+    ];
   };
-
-  # systemd.services.tailscale-autoconnect = {
-  #   description = "Automatic connection to Tailscale";
-
-  #   # make sure tailscale is running before trying to connect to tailscale
-  #   after = ["network-pre.target" "tailscale.service"];
-  #   wants = ["network-pre.target" "tailscale.service"];
-  #   wantedBy = ["multi-user.target"];
-
-  #   # set this service as a oneshot job
-  #   serviceConfig = {
-  #     Type = "oneshot";
-  #     EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
-  #   };
-
-  #   # have the job run this shell script
-  #   script = with pkgs; ''
-  #     # wait for tailscaled to settle
-  #     sleep 2
-
-  #     # check if we are already authenticated to tailscale
-  #     status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-  #     if [ $status = "Running" ]; then # if so, then do nothing
-  #       exit 0
-  #     fi
-
-  #     # otherwise authenticate with tailscale
-  #     ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
-  #   '';
-  # };
 }

hosts/m3-atlas/services/headscale.nix

@@ -1,7 +1,7 @@
 {
-  pkgs,
   config,
   lib,
+  pkgs,
   ...
 }: {
   # Define a new option for the admin user
@@ -42,14 +42,12 @@
         routes = {
           "0.0.0.0/0" = ["${adminUser}"];
           "10.0.0.0/8" = ["${adminUser}"];
-          "172.16.0.0/12" = ["${adminUser}"];
           "192.168.0.0/16" = ["${adminUser}"];
         };
 
         exitNode = ["${adminUser}"];
       };
     };
-
     # Convert to HuJSON format with comments
     aclHuJson = ''
       // Headscale ACL Policy - Generated by NixOS
@@ -57,14 +55,13 @@
 
       ${builtins.toJSON aclConfig}
     '';
-
     aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
   in {
     services = {
       headscale = {
         enable = true;
-        port = 3009;
         adminUser = "m3tam3re";
+        port = 3009;
         settings = {
           server_url = "https://va.m3tam3re.com";
           dns = {
@@ -76,24 +73,6 @@
       };
     };
 
-    # Traefik configuration
-    services.traefik.dynamicConfigOptions.http = {
-      services.headscale.loadBalancer.servers = [
-        {
-          url = "http://localhost:3009/";
-        }
-      ];
-
-      routers.headscale = {
-        rule = "Host(`va.m3tam3re.com`)";
-        tls = {
-          certResolver = "godaddy";
-        };
-        service = "headscale";
-        entrypoints = "websecure";
-      };
-    };
-
     # Create a systemd service to ensure the admin user exists
     systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
       description = "Ensure Headscale admin user exists";
@@ -117,5 +96,23 @@
         fi
       '';
     };
+
+    # Traefik configuration for headscale
+    services.traefik.dynamicConfigOptions.http = {
+      services.headscale.loadBalancer.servers = [
+        {
+          url = "http://localhost:3009/";
+        }
+      ];
+
+      routers.headscale = {
+        rule = "Host(`va.m3tam3re.com`)";
+        tls = {
+          certResolver = "godaddy";
+        };
+        service = "headscale";
+        entrypoints = "websecure";
+      };
+    };
   };
 }

hosts/m3-atlas/services/tailscale.nix

@@ -1,45 +1,27 @@
 {
   config,
+  lib,
   pkgs,
   ...
 }: {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "both";
     authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "both";
     extraUpFlags = [
       "--login-server=${config.services.headscale.settings.server_url}"
       "--advertise-exit-node"
       "--accept-routes"
     ];
   };
-
+  services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {
-  services.networkd-dispatcher = {
     enable = true;
     rules."50-tailscale" = {
       onState = ["routable"];
       script = ''
-        "${pkgs.ethtool} NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ") | -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
+        NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
+        ${pkgs.ethtool}/bin/ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
       '';
     };
   };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-    "net.core.gro_normal_batch" = 8;
-    "net.core.gro_flush_timeout" = 200000;
-  };
-
-  networking.firewall = {
-    trustedInterfaces = ["tailscale0"];
-    allowedUDPPorts = [41641];
-    checkReversePath = "loose";
-  };
-
-  environment.systemPackages = with pkgs; [
-    ethtool
-    tailscale
-    networkd-dispatcher
-  ];
 }

hosts/m3-kratos/secrets.nix

@@ -1,6 +1,9 @@
 {
   age = {
     secrets = {
+      tailscale-key = {
+        file = ../../secrets/tailscale-key.age;
+      };
       wg-DE = {
         file = ../../secrets/wg-DE.age;
         path = "/etc/wireguard/DE.conf";
@@ -21,7 +24,6 @@
         file = ../../secrets/wg-BR.age;
         path = "/etc/wireguard/BR.conf";
       };
-      tailscale-key.file = ../../secrets/tailscale-key.age;
       m3tam3re-secrets = {
         file = ../../secrets/m3tam3re-secrets.age;
         owner = "m3tam3re";

hosts/m3-kratos/services/tailscale.nix

@@ -1,10 +1,11 @@
-{
+{config, ...}: {
   services.tailscale = {
     enable = true;
-    useRoutingFeatures = "client";
+    authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "both";
     extraUpFlags = [
-      "--login-server https://va.m3tam3re.com"
+      "--login-server=https://va.m3tam3re.com"
-      "--exit-node=m3-atlas"
+      "--accept-routes"
       "--exit-node-allow-lan-access"
     ];
   };