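{ config, pkgs, ... }:
let
  # Control plane this node registers against.  The domain comes from a
  # project-level option (config.global.userdata.domain) defined outside
  # this file.
  headScaleUrl = "https://headscale.${config.global.userdata.domain}";
  # Unprivileged user allowed to drive `tailscale` without root (see the
  # --operator flag below); also a project-level option.
  user = config.global.userdata.name;

  # Peer (by tailnet hostname) used when the helper enables exit-node routing.
  exitNode = "kay";

  # `vpn`: toggle routing of all traffic through the exit node above.
  # writeShellApplication runs the script with `set -euo pipefail` and a PATH
  # limited to runtimeInputs, so only the listed tools are callable.
  helper = pkgs.writeShellApplication {
    name = "vpn";
    runtimeInputs = with pkgs; [
      libnotify
      tailscale
      jq
    ];

    text = ''
      # Emit a message as a desktop notification (when notify-send exists)
      # and on stdout.  A failing notify-send (no session bus, e.g. over ssh)
      # must not hide the console message, hence the `&&` rather than a `;`.
      note() {
        command -v notify-send >/dev/null &&
          notify-send "󰒒  Headscale" "$1"

        printf "\n%s\n" "$1"
      }

      # Read the current exit-node state into a variable first.  Doing the
      # substitution in an assignment (instead of inline inside `[ ... ]`)
      # means a failing `tailscale status` (daemon down, not logged in) aborts
      # the script under `set -e` / `pipefail`, instead of yielding an empty
      # string that is read as "no exit node" and silently clearing the route.
      exit_node_status="$(tailscale status --peers --json | jq ".ExitNodeStatus")"

      if [ "$exit_node_status" = "null" ]; then
        tailscale set --exit-node=${exitNode} &&
          note "Now routing all traffic through ${exitNode}"
      else
        tailscale set --exit-node= &&
          note "Traffic now uses default route."
      fi
    '';
  };
in
{
  # Pre-auth key for this node, decrypted by sops-nix at activation.  Only
  # its runtime path is handed to tailscaled (see authKeyFile), so the key
  # itself is not written into this configuration.
  sops.secrets."misc/headscale" = { };
  environment.systemPackages = [ helper ];

  # SECURITY: trusting the whole tailnet interface means every peer on the
  # headscale network can reach every local port, bypassing the host firewall.
  # Acceptable only if the headscale ACL policy is the intended boundary;
  # otherwise prefer networking.firewall.interfaces.<name>.allowed*Ports.
  networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];

  services.tailscale = {
    enable = true;
    interfaceName = "headscale";
    # Lets the NixOS module open tailscale's listening port on the host
    # firewall so peers can connect directly rather than only via relays.
    openFirewall = true;

    authKeyFile = config.sops.secrets."misc/headscale".path;
    extraUpFlags = [
      "--login-server=${headScaleUrl}"
    ];
    extraSetFlags = [
      # Lets the configured user run `tailscale set` (what the `vpn` helper
      # does) without sudo.  This is a privilege grant: an operator can change
      # the exit node, advertised routes and other node settings.
      "--operator=${user}"
      # Install subnet routes advertised by peers.  Which routes peers may
      # advertise is presumably gated by route approval on the headscale
      # server — confirm that policy before relying on this.
      "--accept-routes=true"
    ];
  };
}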