From 6ca1656297b95eb8780d6c636bcf0907b2680120 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Wed, 27 Dec 2023 18:03:57 +0100
Subject: [PATCH] feat(vpn): improve tailscale config

---
 hosts/home-pc.nix | 2 ++
 hosts/home-server.nix | 6 ++++++
 system/vpn.nix | 16 +++++++++++-----
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/hosts/home-pc.nix b/hosts/home-pc.nix
index 246ba91..f73d4ae 100644
--- a/hosts/home-pc.nix
+++ b/hosts/home-pc.nix
@@ -40,6 +40,8 @@
 };
 };
 
+ services.tailscale.extraUpFlags = [ "--advertise-routes=192.168.1.0/24" ];
+
 networking.firewall.allowedUDPPorts = [
 24727 # AusweisApp2
 ];
diff --git a/hosts/home-server.nix b/hosts/home-server.nix
index 17eaae2..1e8f727 100644
--- a/hosts/home-server.nix
+++ b/hosts/home-server.nix
@@ -113,6 +113,12 @@ in {
 inherit hostKeys;
 };
 
+ services.tailscale.extraUpFlags = [
+ "--advertise-routes=192.168.1.0/24"
+ "--advertise-tags=tag:felschr-com"
+ "--advertise-connector"
+ ];
+
 # ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"
 boot.initrd.availableKernelModules = [ "igb" ];
 boot.initrd.network = {
diff --git a/system/vpn.nix b/system/vpn.nix
index 63fd1ee..43291f9 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -1,15 +1,21 @@
 { config, pkgs, ... }:
 
-{
+let tailscaleInterface = config.services.tailscale.interfaceName;
+in {
 age.secrets.mullvad.file = ../secrets/mullvad.age;
 
 networking.wireguard.enable = true;
+ networking.firewall.trustedInterfaces = [ tailscaleInterface ];
+
+ services.tailscale = {
+ enable = true;
+ # authKeyFile = ; # TODO add this to create auto-connect systemd job
+ openFirewall = true;
+ useRoutingFeatures = "both";
+ };
 
- services.tailscale.enable = true;
 services.mullvad-vpn.enable = true;
 
- networking.firewall.trustedInterfaces = [ "tailscale0" ];
-
 # set some options after every daemon start
 # to avoid accidentally leaving unsafe settings
 systemd.services."mullvad-daemon" = {
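Review bot: The new `services.tailscale.extraUpFlags` entry in hosts/home-pc.nix has no effect on its own: as far as I recall the NixOS module only passes `extraUpFlags` through its `tailscaled-autoconnect` unit, which is generated only when `services.tailscale.authKeyFile` is set, and system/vpn.nix in this same patch leaves `authKeyFile` commented out with a TODO. Until that TODO is resolved the `--advertise-routes=192.168.1.0/24` flag is applied only if someone runs `tailscale up` by hand, and the same holds for the flags added in hosts/home-server.nix. A short comment next to the flag would save the next reader the search, e.g. `# only applied by tailscaled-autoconnect once services.tailscale.authKeyFile is set (see system/vpn.nix)`. The advertised route also still needs approval in the tailnet admin console (or an autoApprovers rule) before any peer can use it. The enclosing attribute set starts and ends outside the hunk.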
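Review bot: `--advertise-tags=tag:felschr-com` in hosts/home-server.nix changes the node's identity, not just a setting: a tagged node carries no user identity, so existing ACL rules keyed on the user stop matching it, and on a node that is already logged in the flag forces a re-authentication — worth a comment on the line so the next `tailscale up` does not surprise anyone. Combined with `--advertise-routes=192.168.1.0/24` and `--advertise-connector` this host becomes both a subnet router and an app-connector egress for the tailnet, so the tailnet ACL should be checked to confirm which users and tags may reach `tag:felschr-com` and its routes; the repository does not show that policy, so I cannot verify it here. Both hosts now advertise the same 192.168.1.0/24 route, which is fine for failover but means both need approval. The enclosing attribute set starts and ends outside the hunk.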
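Review bot: `networking.firewall.trustedInterfaces = [ tailscaleInterface ]` keeps the pre-existing blanket trust of the Tailscale interface, but this patch also sets `useRoutingFeatures = "both"`, which I believe enables IP forwarding, and advertises LAN subnet routes from both hosts; taken together, every tailnet peer now bypasses the host firewall entirely and can be forwarded into 192.168.1.0/24, leaving the tailnet ACL as the only control if a peer is compromised. If that reliance is intended it deserves a comment, e.g. `# tailnet peers bypass the host firewall; access control is delegated to the Tailscale ACL`; otherwise replace the trusted-interface entry with per-port rules such as `networking.firewall.interfaces.${tailscaleInterface}.allowedTCPPorts = [ ... ];`. The `authKeyFile` TODO should, when resolved, point at an age secret like `age.secrets.mullvad` rather than a world-readable path in the Nix store. This hunk covers the start of the attribute set; its body continues past the hunk.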
@@ -52,7 +58,7 @@
 }
 chain allow-incoming {
 type filter hook input priority -100; policy accept;
- iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ iifname "${tailscaleInterface}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
 }
 }
 ''
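Review bot: The mark rule lives in a chain with `type filter hook input`, so it only covers packets addressed to this host; traffic that the newly advertised subnet route forwards from the tailnet into the LAN passes the forward hook instead and is not marked here. Whether that matters depends on what Mullvad's own ruleset does with unmarked forwarded packets, which this patch does not show, so it is worth confirming before relying on LAN access over the subnet route. A one-line comment on the rule stating its scope, e.g. `# input only: forwarded subnet-router traffic is not marked by this rule`, would make the limitation visible. The surrounding nftables string and the `systemd.services."mullvad-daemon"` definition start outside the hunk.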