From 7bb4b02d526f299dc9b3c342646b2839ff6f1dc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= <dev@felschr.com>
Date: Thu, 25 Jan 2024 02:15:35 +0100
Subject: [PATCH] fix: allow incoming traffic to web server to bypass tailscale

---
 system/server.nix | 18 ++++++++++++++++++
 system/vpn.nix    |  5 +++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/system/server.nix b/system/server.nix
index 1001014..bdb5894 100644
--- a/system/server.nix
+++ b/system/server.nix
@@ -5,4 +5,22 @@
 
   # use xserver without display manager
   services.xserver.displayManager.startx.enable = true;
+
+  # Allow web server to be accessible when running Tailscale with exit node
+  networking.nftables.enable = true;
+  networking.nftables.ruleset = ''
+    table inet allow-incoming-traffic {
+      chain allow-incoming {
+        type filter hook input priority -100; policy accept;
+        tcp dport {80, 443} meta mark set 0x80000;
+        udp dport {80, 443} meta mark set 0x80000;
+      }
+
+      chain allow-outgoing {
+        type route hook output priority -100; policy accept;
+        tcp sport {80, 443} meta mark set 0x80000;
+        udp sport {80, 443} meta mark set 0x80000;
+      }
+    }
+  '';
 }
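Review bot: The `0x80000` on lines L26–L27 and L32–L33 is a magic value; nothing in the hunk says it is the fwmark Tailscale's policy routing treats as "bypass", so a later edit could change it without knowing what breaks. I would extend the header comment to `# Mark web-server packets with Tailscale's bypass fwmark (0x80000) so replies leave via the normal default route instead of the exit node; nginx itself is unaffected`. The `allow-incoming` chain sets a per-packet mark on inbound packets only, which does not influence routing of the replies (the `allow-outgoing` route-hook chain already handles those by sport); if the inbound mark was meant to persist for the whole connection it would need `ct mark`, so it is worth confirming whether that chain is needed at all. The `udp sport {80, 443}` rules widen the bypass to any local UDP traffic from those ports; unless HTTP/3 is served they add nothing, and the corresponding `networking.firewall` port openings are not visible in this patch.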
diff --git a/system/vpn.nix b/system/vpn.nix
index 22c6928..7ed7e81 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -36,10 +36,11 @@ in {
     ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}
 
     ${cfg.package}/bin/tailscale cert ${tailnetHost}
+    chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
   '';
 
   services.nginx.virtualHosts.${tailnetHost} = {
-    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.key";
-    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";
   };
 }
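Review bot: `chown nginx:nginx` on the added line hands ownership of the TLS private key to the nginx service user, which grants write and delete as well as read; keeping root as owner and granting read-only access through the group is the least-privilege form, e.g. `chgrp nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}` followed by `chmod 0640 /var/lib/tailscale/certs/${tailnetHost}.key`. The `{key,crt}` brace expansion only works if the surrounding script runs under bash; the script's start is outside this hunk, so confirm the shell it executes with. The swap of `sslCertificate`/`sslCertificateKey` is the right fix, but nginx presumably also needs traverse permission on `/var/lib/tailscale/certs` itself — confirm the directory mode rather than relying on the file ownership alone.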