nixos-config/system/vpn.nix

{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.services.tailscale;
  tailscaleInterface = cfg.interfaceName;
  inherit (config.networking) hostName;
  tailnetHost = "${hostName}.tail05275.ts.net";
in
{
  networking.wireguard.enable = true;
  networking.firewall.trustedInterfaces = [ tailscaleInterface ];

  systemd.network = {
    # Fixes issues with other systemd networks when tailscale exist nodes are used
    config.networkConfig = {
      ManageForeignRoutes = false;
      ManageForeignRoutingPolicyRules = false;
    };
    wait-online.ignoredInterfaces = [ "tailscale0" ];
  };

  services.networkd-dispatcher = {
    enable = true;
    rules = {
      # exclude LANs from tailscale subnet routes (when using `--accept-routes`)
      "50-tailscale-exclude-lan-routes" = {
        onState = [ "routable" ];
        script = ''
          #!${pkgs.runtimeShell}
          # shellcheck disable=SC2010

          lan_interfaces=$(ls /sys/class/net | grep -E '^(enp|eth|wlp)')
          if [[ "$lan_interfaces" == "" ]]; then exit 0; fi
          echo "$lan_interfaces" | while IFS= read -r lan_if; do
            for ipv in 4 6; do
              subnets=$(${pkgs.iproute2}/bin/ip -"$ipv" route show dev "$lan_if" proto kernel | cut -f1 -d' ' | grep '/')
              if [[ "$subnets" == "" ]]; then break; fi
              echo "$subnets" | while IFS= read -r subnet; do
                if ${pkgs.iproute2}/bin/ip -"$ipv" route show table 52 | grep -q "$subnet dev tailscale0"; then
                  ${pkgs.iproute2}/bin/ip -"$ipv" route del "$subnet" dev tailscale0 table 52
                  ${pkgs.iproute2}/bin/ip -"$ipv" route add throw "$subnet" table 52
                fi
              done
            done
          done
        '';
      };
      # UDP throughput improvements
      # https://tailscale.com/kb/1320/performance-best-practices?q=gro#linux-optimizations-for-subnet-routers-and-exit-nodes
      "50-tailscale-rx-udp-gro-forwarding" = {
        onState = [ "routable" ];
        script = ''
          for dev in $(${pkgs.iproute2}/bin/ip route show 0/0 | cut -f5 -d' '); do
            ${lib.getExe pkgs.ethtool} -K "$dev" rx-udp-gro-forwarding on rx-gro-list off
          done
        '';
      };
    };
  };

  services.tailscale = {
    enable = true;
    package = pkgs.unstable.tailscale;
    openFirewall = true;
    useRoutingFeatures = lib.mkDefault "client";
    extraUpFlags = [
      "--reset"
      "--exit-node-allow-lan-access"
      "--exit-node=de-fra-wg-106.mullvad.ts.net"
    ];
  };

  systemd.services.tailscaled = {
    serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=auto" ];
    after = [
      "network-online.target"
      "systemd-resolved.service"
    ];
  };

  # call taiscale up without --auth-key
  systemd.services.tailscaled-autoconnect = lib.mkIf (cfg.authKeyFile == null) {
    after = [ "tailscaled.service" ];
    wants = [ "tailscaled.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "oneshot";
    script =
      ''
        status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
        if [[ $status != Connected* ]]; then
          ${cfg.package}/bin/tailscale up
        fi

        # some options cannot be set immediately
        ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}

        ${cfg.package}/bin/tailscale cert ${tailnetHost}
      ''
      + lib.optionalString config.services.nginx.enable ''
        chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
      '';
  };

  services.nginx.virtualHosts.${tailnetHost} = {
    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";
    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";
  };

  # TODO Tailscale Mullvad exit nodes currently don't support IPv6 and this is
  # causing issues with nginx (proxy pass) requests timing out and high CPU load.
  # Until Mullvad exit nodes support IPv6, we'll just disable IPv6 for nginx.
  services.nginx.resolver.ipv6 = false;
}
No results found.