fix(vpn): fix autoconnect service

2024-01-25 02:18:09 +01:00 · 2024-01-25 02:18:09 +01:00 · e29a9da526
parent 7bb4b02d52
commit e29a9da526
1 changed files with 17 additions and 11 deletions
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -11,7 +11,6 @@ in {

  services.tailscale = {
    enable = true;
-    authKeyFile = "/dummy";
    openFirewall = true;
    useRoutingFeatures = "both";
    extraUpFlags = [
@ -26,7 +25,12 @@ in {
    [ "TS_DEBUG_FIREWALL_MODE=auto" ];

  # call taiscale up without --auth-key
-  systemd.services.tailscaled-autoconnect.script = ''
+  systemd.services.tailscaled-autoconnect = lib.mkIf (cfg.authKeyFile == null) {
+    after = [ "tailscaled.service" ];
+    wants = [ "tailscaled.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "oneshot";
+    script = ''
      status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
      if [[ $status != Connected* ]]; then
        ${cfg.package}/bin/tailscale up
@ -35,9 +39,11 @@ in {
      # some options cannot be set immediately
      ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}

+      # TODO nginx.service currently fails because it supposedly doesn't have permissions for this file
      ${cfg.package}/bin/tailscale cert ${tailnetHost}
      chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
    '';
+  };

  services.nginx.virtualHosts.${tailnetHost} = {
    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";