+tailscale age

hosts/lkk-nix-1/default.nix

@@ -31,6 +31,7 @@
     secrets = {
       mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
       mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
+      tailscale-key.file = ../../secrets/tailscale-key.age;
 
       n8n-env = {
         file = ../../secrets/n8n-env.age;

hosts/lkk-nix-1/services/tailscale.nix

@@ -29,7 +29,7 @@
       fi
 
       # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up --advertise-exit-node -authkey tskey-auth-kwmqT37CNTRL-AxiaTDedQJ6YZts2deRtH6PEBDwh9PxXK
+      ${tailscale}/bin/tailscale up --advertise-exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
     '';
   };
 }

hosts/m3-nix/default.nix

@@ -106,6 +106,13 @@ in {
   };
   programs.fish.enable = true;
 
+  age = {
+    secrets = {
+      tailscale-key.file = ../../secrets/tailscale-key.age;
+    };
+    identityPaths = [ "/home/m3tam3re/.ssh/lkk-nix-1" ];
+  };
+  
   time.timeZone = "Europe/Berlin";
   i18n.defaultLocale = "de_DE.utf8";
   console.keyMap = "de";

hosts/m3-nix/services/#tailscale.nix#

@@ -0,0 +1,30 @@
+{ pkgs, ... }: {
+  services.tailscale = { enable = true; };
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey $(cat /run/agenix/tskey-reusable)
+    '';
+  };
+}

hosts/m3-nix/services/tailscale.nix

@@ -1,5 +1,8 @@
 { pkgs, ... }: {
-  services.tailscale = { enable = true; };
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
 
   systemd.services.tailscale-autoconnect = {
     description = "Automatic connection to Tailscale";
@@ -24,7 +27,7 @@
       fi
 
       # otherwise authenticate with tailscale
-      ${tailscale}/bin/tailscale up -authkey tskey-auth-kwmqT37CNTRL-AxiaTDedQJ6YZts2deRtH6PEBDwh9PxXK
+      ${tailscale}/bin/tailscale up --exit-node lkk-nix-1 -authkey $(cat /run/agenix/tailscale-key)
     '';
   };
 }

secrets.nix

@@ -11,7 +11,7 @@ in {
 
   "searx-environmentFile.age".publicKeys = [ root ];
 
-  "wg-easy-environmentFile.age".publicKeys = [ root ];
+  "tailscale-key.age".publicKeys = [ root ];
   
   "briefkasten-env.age".publicKeys = [ root ];