authorsinanmohd <sinan@sinanmohd.com>2025-10-20 21:30:24 +0530
committersinanmohd <sinan@sinanmohd.com>2025-10-20 21:43:54 +0530
commit3107c3d5f435f551219f000b14538691908067e9 (patch)
tree2c0ab4243bd3f441d4cc84cf698fbf7ad1b7bf74 /os/cez/modules/headscale.nix
parent299038b8b0c7de7b713f66cee206d019d60586e3 (diff)
chore(os): drop wireguard
Diffstat (limited to 'os/cez/modules/headscale.nix')
-rw-r--r--os/cez/modules/headscale.nix36
1 files changed, 34 insertions, 2 deletions
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix
index fc465d8..169ed45 100644
--- a/os/cez/modules/headscale.nix
+++ b/os/cez/modules/headscale.nix
@@ -1,9 +1,38 @@
-{ config, ... }:
+{ config, pkgs, ... }:
let
headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+
+ exitNode = "kay";
+ helper = pkgs.writeShellApplication {
+ name = "vpn";
+ runtimeInputs = with pkgs; [
+ libnotify
+ tailscale
+ jq
+ ];
+
+ text = ''
+ note() {
+ command -v notify-send >/dev/null &&
+ notify-send "󰒒 Headscale" "$1"
+
+ printf "\n%s\n" "$1"
+ }
+
+ if [ "$(tailscale status --peers --json | jq ".ExitNodeStatus")" = "null" ]; then
+ tailscale set --exit-node=${exitNode} &&
+ note "Now routing all traffic through ${exitNode}"
+ else
+ tailscale set --exit-node= &&
+ note "Traffic now uses default route."
+ fi
+ '';
+ };
in
{
sops.secrets."misc/headscale" = { };
+ environment.systemPackages = [ helper ];
networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
services.tailscale = {
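Review bot: In the `note` function of the new `vpn` helper, `notify-send` is the last command of the `&&` list, so under the `set -euo pipefail` that writeShellApplication prepends a failing `notify-send` (no D-Bus session, e.g. when run from a TTY or over SSH) aborts the script before the `printf` and makes it exit non-zero even though the preceding `tailscale set` already succeeded, leaving the user without confirmation of a routing change that did take effect. Making the notification best-effort fixes that: `notify-send "󰒒 Headscale" "$1" || true`. The `command -v notify-send` guard is also redundant, since `libnotify` is in `runtimeInputs` and is therefore always on PATH. A related point: if `tailscale status` fails inside the command substitution, the test compares an empty string with `"null"` and falls into the else branch, which clears the exit node rather than reporting the error — consider `status=$(tailscale status --peers --json) || exit 1` before the comparison.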
@@ -14,7 +43,10 @@ in
authKeyFile = config.sops.secrets."misc/headscale".path;
extraUpFlags = [
"--login-server=${headScaleUrl}"
- "--accept-routes"
+ ];
+ extraSetFlags = [
+ "--operator=${user}"
+ "--accept-routes=true"
];
};
}
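Review bot: `--operator=${user}` in the new `extraSetFlags` grants that unprivileged account control of the tailscaled socket, which is what lets the `vpn` helper from the first hunk run `tailscale set` without root, but it also lets the same account change routing, accepted routes and login state of the node; that privilege grant deserves a comment in the file. Suggested: `# --operator lets ${user} drive tailscaled without sudo (required by the vpn helper);` followed by `# it amounts to giving that account control over this node's routing and login.` Since `config.global.userdata.name` is defined outside this hunk, I cannot confirm from here that it names exactly one local user; a note on that assumption would help too.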