feat(vpn): improve tailscale config

2023-12-27 18:03:57 +01:00 · 2023-12-27 18:03:57 +01:00 · 6ca1656297
commit 6ca1656297
parent bdbb43b09d
3 changed files with 19 additions and 5 deletions
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -1,15 +1,21 @@
 { config, pkgs, ... }:

-{
+let tailscaleInterface = config.services.tailscale.interfaceName;
+in {
  age.secrets.mullvad.file = ../secrets/mullvad.age;

  networking.wireguard.enable = true;
+  networking.firewall.trustedInterfaces = [ tailscaleInterface ];
+
+  services.tailscale = {
+    enable = true;
+    # authKeyFile = ; # TODO add this to create auto-connect systemd job
+    openFirewall = true;
+    useRoutingFeatures = "both";
+  };

-  services.tailscale.enable = true;
  services.mullvad-vpn.enable = true;

-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
-
  # set some options after every daemon start
  # to avoid accidentally leaving unsafe settings
  systemd.services."mullvad-daemon" = {
@ -52,7 +58,7 @@
          }
          chain allow-incoming {
            type filter hook input priority -100; policy accept;
-            iifname "tailscale0" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+            iifname "${tailscaleInterface}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
          }
        }
      ''