author | Michael Hoang <enzime@users.noreply.github.com> | 2022-11-14 13:23:43 +1100 |
committer | Michael Hoang <enzime@users.noreply.github.com> | 2022-12-17 22:38:14 +1100 |
commit | 68e514ed1cf55451901e8d0edd3e8ee5102d3565 (patch) | |
tree | f53f232c29ff46762d510b6d38f9484eb239c634 /nixos/modules | |
parent | e738da1f9508f58555223ef881f5778b3af51db0 (diff) |
nixos/tailscale: Add `useRoutingFeatures` option
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/tailscale.nix | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index 26997dd96013c..233bfdf9ebf57 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -4,10 +4,7 @@ with lib;
 let
 cfg = config.services.tailscale;
- firewallOn = config.networking.firewall.enable;
- rpfMode = config.networking.firewall.checkReversePath;
 isNetworkd = config.networking.useNetworkd;
- rpfIsStrict = rpfMode == true || rpfMode == "strict";
 in {
 meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
@@ -38,14 +35,23 @@ in {
 defaultText = literalExpression "pkgs.tailscale";
 description = lib.mdDoc "The package to use for tailscale";
 };
+
+ useRoutingFeatures = mkOption {
+ type = types.enum [ "none" "client" "server" "both" ];
+ default = "none";
+ example = "server";
+ description = lib.mdDoc ''
+ Enables settings required for Tailscale's routing features like subnet routers and exit nodes.
+
+ To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`.
+
+ When set to `client` or `both`, reverse path filtering will be set to loose instead of strict.
+ When set to `server` or `both`, IP forwarding will be enabled.
+ '';
+ };
 };
 config = mkIf cfg.enable {
- warnings = optional (firewallOn && rpfIsStrict) ''
- Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting:
-
- networking.firewall.checkReversePath = "loose";
- '';
 environment.systemPackages = [ cfg.package ]; # for the CLI
 systemd.packages = [ cfg.package ];
 systemd.services.tailscaled = {
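Review bot: The new `useRoutingFeatures` description says only that "IP forwarding will be enabled" and that "reverse path filtering will be set to loose", but the settings it drives (in the following hunk) are `net.ipv4.conf.all.forwarding`/`net.ipv6.conf.all.forwarding` and the global `networking.firewall.checkReversePath`, so both take effect on every interface of the host, not just the Tailscale interface. A user choosing `server` should be told that the machine becomes a router between all of its interfaces (to whatever extent its firewall rules permit), and a user choosing `client` that anti-spoofing source checks are relaxed host-wide. Suggest appending to the description: `Both settings are system-wide: forwarding is enabled on all interfaces, and loose reverse path filtering weakens source-address checks on every interface, so review your firewall rules when enabling them.` The same paragraph also has a doubled word, `To use these these features` → `To use these features`.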
@@ -75,6 +81,13 @@ in {
 stopIfChanged = false;
 };
+ boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
+ "net.ipv4.conf.all.forwarding" = mkDefault true;
+ "net.ipv6.conf.all.forwarding" = mkDefault true;
+ };
+
+ networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose";
+
 networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ];
 systemd.network.networks."50-tailscale" = mkIf isNetworkd { |
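Review bot: The two sysctl lines are defined with `mkDefault` so an explicit user value wins, but `networking.firewall.checkReversePath` is defined at normal priority, so a configuration that also sets `networking.firewall.checkReversePath = "strict"` (or `true`) elsewhere should fail evaluation with a conflicting-definition error instead of being overridden, and the `warnings` entry that used to explain the strict-RPF interaction is removed in the earlier hunk. If the user's explicit choice is meant to win, make it consistent with the sysctls: `networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") (mkDefault "loose");`. If loose is meant to be forced, keep the line but add a comment stating why, e.g. `# Strict reverse path filtering breaks exit-node use and some subnet routing setups (see the former warning text)`, so the resulting conflict error is explainable to the user. The enclosing `config = mkIf cfg.enable { ... }` attribute set continues outside this hunk.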