diff options
| author | Ryan Lahfa <masterancpp@gmail.com> | 2022-12-17 15:44:07 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-17 15:44:07 +0100 |
| commit | af6ea430f4b58c5f70ff3e3ad0513eeec591a629 (patch) | |
| tree | 9989c349b12b38e31f66592b8f78d5ff8ede2877 /nixos/modules | |
| parent | 326212e2c8d960122285670f2f0e9c4ba6f40253 (diff) | |
| parent | 68e514ed1cf55451901e8d0edd3e8ee5102d3565 (diff) | |
Merge pull request #201119 from Enzime/remove-tailscale-warning
nixos/tailscale: Add `useRoutingFeatures` option
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/networking/tailscale.nix | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 26997dd96013c..233bfdf9ebf57 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -4,10 +4,7 @@ with lib; let cfg = config.services.tailscale; - firewallOn = config.networking.firewall.enable; - rpfMode = config.networking.firewall.checkReversePath; isNetworkd = config.networking.useNetworkd; - rpfIsStrict = rpfMode == true || rpfMode == "strict"; in { meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ]; @@ -38,14 +35,23 @@ in { defaultText = literalExpression "pkgs.tailscale"; description = lib.mdDoc "The package to use for tailscale"; }; + + useRoutingFeatures = mkOption { + type = types.enum [ "none" "client" "server" "both" ]; + default = "none"; + example = "server"; + description = lib.mdDoc '' + Enables settings required for Tailscale's routing features like subnet routers and exit nodes. + + To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`. + + When set to `client` or `both`, reverse path filtering will be set to loose instead of strict. + When set to `server` or `both`, IP forwarding will be enabled. + ''; + }; }; config = mkIf cfg.enable { - warnings = optional (firewallOn && rpfIsStrict) '' - Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting: - - networking.firewall.checkReversePath = "loose"; - ''; environment.systemPackages = [ cfg.package ]; # for the CLI systemd.packages = [ cfg.package ]; systemd.services.tailscaled = { @@ -75,6 +81,13 @@ in { stopIfChanged = false; }; + boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") { + "net.ipv4.conf.all.forwarding" = mkDefault true; + "net.ipv6.conf.all.forwarding" = mkDefault true; + }; + + networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose"; + networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ]; systemd.network.networks."50-tailscale" = mkIf isNetworkd { |