nixos-config/system/vpn.nix

{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.services.tailscale;
  tailscaleInterface = cfg.interfaceName;
  inherit (config.networking) hostName;
  tailnetHost = "${hostName}.tail05275.ts.net";
in
{
  networking.wireguard.enable = true;
  networking.firewall.trustedInterfaces = [ tailscaleInterface ];

  services.tailscale = {
    enable = true;
    package = pkgs.unstable.tailscale;
    openFirewall = true;
    useRoutingFeatures = "both";
    extraUpFlags = [
      "--reset"
      "--accept-routes"
      "--exit-node-allow-lan-access"
      "--exit-node=de-dus-wg-001.mullvad.ts.net"
    ];
  };

  systemd.services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=auto" ];

  # call taiscale up without --auth-key
  systemd.services.tailscaled-autoconnect = lib.mkIf (cfg.authKeyFile == null) {
    after = [ "tailscaled.service" ];
    wants = [ "tailscaled.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "oneshot";
    script =
      ''
        status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
        if [[ $status != Connected* ]]; then
          ${cfg.package}/bin/tailscale up
        fi

        # some options cannot be set immediately
        ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}

        ${cfg.package}/bin/tailscale cert ${tailnetHost}
      ''
      + lib.optionalString config.services.nginx.enable ''
        chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
      '';
  };

  services.nginx.virtualHosts.${tailnetHost} = {
    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";
    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";
  };
}
style: reformat with nixfmt-rfc-style 2024-05-26 16:45:38 +02:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
feat: add mullvad 2020-05-22 18:16:21 +02:00
feat(vpn): fully replace Mullvad VPN with Tailscale 2024-01-06 03:06:53 +01:00			`let`
			`cfg = config.services.tailscale;`
			`tailscaleInterface = cfg.interfaceName;`
fix(vpn): fix autoconnect issues 2024-01-21 21:40:27 +01:00			`inherit (config.networking) hostName;`
			`tailnetHost = "${hostName}.tail05275.ts.net";`
style: reformat with nixfmt-rfc-style 2024-05-26 16:45:38 +02:00			`in`
			`{`
feat(vpn): enable wireguard kernel module 2020-11-14 11:20:59 +01:00			`networking.wireguard.enable = true;`
feat(vpn): improve tailscale config 2023-12-27 18:03:57 +01:00			`networking.firewall.trustedInterfaces = [ tailscaleInterface ];`
fix(vpn): add workaround for mullvad issues 2021-06-10 12:14:30 +02:00
feat(vpn): improve tailscale config 2023-12-27 18:03:57 +01:00			`services.tailscale = {`
			`enable = true;`
feat: switch to tailscale from nixpkgs-unstable 2024-03-07 20:07:03 +01:00			`package = pkgs.unstable.tailscale;`
feat(vpn): improve tailscale config 2023-12-27 18:03:57 +01:00			`openFirewall = true;`
			`useRoutingFeatures = "both";`
feat(vpn): fully replace Mullvad VPN with Tailscale 2024-01-06 03:06:53 +01:00			`extraUpFlags = [`
			`"--reset"`
			`"--accept-routes"`
fix(vpn): fix tailscale config 2024-01-12 20:46:03 +01:00			`"--exit-node-allow-lan-access"`
chore(vpn): switch exit node 2024-04-30 23:13:50 +02:00			`"--exit-node=de-dus-wg-001.mullvad.ts.net"`
feat(vpn): fully replace Mullvad VPN with Tailscale 2024-01-06 03:06:53 +01:00			`];`
feat(vpn): improve tailscale config 2023-12-27 18:03:57 +01:00			`};`
feat(vpn): add mullvad configuration service 2022-08-08 22:58:02 +02:00
style: reformat with nixfmt-rfc-style 2024-05-26 16:45:38 +02:00			`systemd.services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=auto" ];`
fix(vpn): fix tailscale config 2024-01-12 20:46:03 +01:00
feat(vpn): fully replace Mullvad VPN with Tailscale 2024-01-06 03:06:53 +01:00			`# call taiscale up without --auth-key`
fix(vpn): fix autoconnect service 2024-01-25 02:18:09 +01:00			`systemd.services.tailscaled-autoconnect = lib.mkIf (cfg.authKeyFile == null) {`
			`after = [ "tailscaled.service" ];`
			`wants = [ "tailscaled.service" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig.Type = "oneshot";`
style: reformat with nixfmt-rfc-style 2024-05-26 16:45:38 +02:00			`script =`
			`''`
			`status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)`
			`if [[ $status != Connected* ]]; then`
			`${cfg.package}/bin/tailscale up`
			`fi`
fix(vpn): fix autoconnect issues 2024-01-21 21:40:27 +01:00
style: reformat with nixfmt-rfc-style 2024-05-26 16:45:38 +02:00			`# some options cannot be set immediately`
			`${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}`
fix(vpn): generate certificate & configure nginx for tailnet 2024-01-21 21:41:21 +01:00
style: reformat with nixfmt-rfc-style 2024-05-26 16:45:38 +02:00			`${cfg.package}/bin/tailscale cert ${tailnetHost}`
			`''`
			`+ lib.optionalString config.services.nginx.enable ''`
			`chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}`
			`'';`
fix(vpn): fix autoconnect service 2024-01-25 02:18:09 +01:00			`};`
fix(vpn): generate certificate & configure nginx for tailnet 2024-01-21 21:41:21 +01:00
			`services.nginx.virtualHosts.${tailnetHost} = {`
fix: allow incoming traffic to web server to bypass tailscale 2024-01-25 02:15:35 +01:00			`sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";`
			`sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";`
fix(vpn): generate certificate & configure nginx for tailnet 2024-01-21 21:41:21 +01:00			`};`
feat: add mullvad 2020-05-22 18:16:21 +02:00			`}`