movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 19:55:41 +03:00
Code Issues Projects Releases Packages Wiki Activity
nixpkgs/nixos/modules/services/networking/tailscale.nix
Silvan Mosberger 374e6bcc40 treewide: Format all Nix files 
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:

  nix-build ci -A fmt.check

This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).

This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).

Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).

If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
2025-04-01 20:10:43 +02:00

237 lines
7.8 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.tailscale;
isNetworkd = config.networking.useNetworkd;
in
{
meta.maintainers = with maintainers; [
mbaillie
mfrw
];
options.services.tailscale = {
enable = mkEnableOption "Tailscale client daemon";
port = mkOption {
type = types.port;
default = 41641;
description = "The port to listen on for tunnel traffic (0=autoselect).";
};
interfaceName = mkOption {
type = types.str;
default = "tailscale0";
description = ''The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.'';
};
permitCertUid = mkOption {
type = types.nullOr types.nonEmptyStr;
default = null;
description = "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.";
};
disableTaildrop = mkOption {
default = false;
type = types.bool;
description = "Whether to disable the Taildrop feature for sending files between nodes.";
};
package = lib.mkPackageOption pkgs "tailscale" { };
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
useRoutingFeatures = mkOption {
type = types.enum [
"none"
"client"
"server"
"both"
];
default = "none";
example = "server";
description = ''
Enables settings required for Tailscale's routing features like subnet routers and exit nodes.
To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`.
When set to `client` or `both`, reverse path filtering will be set to loose instead of strict.
When set to `server` or `both`, IP forwarding will be enabled.
'';
};
authKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/secrets/tailscale_key";
description = ''
A file containing the auth key.
Tailscale will be automatically started if provided.
'';
};
authKeyParameters = mkOption {
type = types.submodule {
options = {
ephemeral = mkOption {
type = types.nullOr types.bool;
default = null;
description = "Whether to register as an ephemeral node.";
};
preauthorized = mkOption {
type = types.nullOr types.bool;
default = null;
description = "Whether to skip manual device approval.";
};
baseURL = mkOption {
type = types.nullOr types.str;
default = null;
description = "Base URL for the Tailscale API.";
};
};
};
default = { };
description = ''
Extra parameters to pass after the auth key.
See https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials
'';
};
extraUpFlags = mkOption {
description = ''
Extra flags to pass to {command}`tailscale up`. Only applied if `authKeyFile` is specified.";
'';
type = types.listOf types.str;
default = [ ];
example = [ "--ssh" ];
};
extraSetFlags = mkOption {
description = "Extra flags to pass to {command}`tailscale set`.";
type = types.listOf types.str;
default = [ ];
example = [ "--advertise-exit-node" ];
};
extraDaemonFlags = mkOption {
description = "Extra flags to pass to {command}`tailscaled`.";
type = types.listOf types.str;
default = [ ];
example = [ "--no-logs-no-support" ];
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ]; # for the CLI
systemd.packages = [ cfg.package ];
systemd.services.tailscaled = {
after = lib.mkIf (config.networking.networkmanager.enable) [ "NetworkManager-wait-online.service" ];
wantedBy = [ "multi-user.target" ];
path = [
(builtins.dirOf config.security.wrapperDir) # for `su` to use taildrive with correct access rights
pkgs.procps # for collecting running services (opt-in feature)
pkgs.getent # for `getent` to look up user shells
pkgs.kmod # required to pass tailscale's v6nat check
] ++ lib.optional config.networking.resolvconf.enable config.networking.resolvconf.package;
serviceConfig.Environment =
[
"PORT=${toString cfg.port}"
''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} ${lib.concatStringsSep " " cfg.extraDaemonFlags}"''
]
++ (lib.optionals (cfg.permitCertUid != null) [
"TS_PERMIT_CERT_UID=${cfg.permitCertUid}"
])
++ (lib.optionals (cfg.disableTaildrop) [
"TS_DISABLE_TAILDROP=true"
]);
# Restart tailscaled with a single `systemctl restart` at the
# end of activation, rather than a `stop` followed by a later
# `start`. Activation over Tailscale can hang for tens of
# seconds in the stop+start setup, if the activation script has
# a significant delay between the stop and start phases
# (e.g. script blocked on another unit with a slow shutdown).
#
# Tailscale is aware of the correctness tradeoff involved, and
# already makes its upstream systemd unit robust against unit
# version mismatches on restart for compatibility with other
# linux distros.
stopIfChanged = false;
};
systemd.services.tailscaled-autoconnect = mkIf (cfg.authKeyFile != null) {
after = [ "tailscaled.service" ];
wants = [ "tailscaled.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
};
# https://github.com/tailscale/tailscale/blob/v1.72.1/ipn/backend.go#L24-L32
script =
let
statusCommand = "${lib.getExe cfg.package} status --json --peers=false | ${lib.getExe pkgs.jq} -r '.BackendState'";
paramToString = v: if (builtins.isBool v) then (lib.boolToString v) else (toString v);
params = lib.pipe cfg.authKeyParameters [
(lib.filterAttrs (_: v: v != null))
(lib.mapAttrsToList (k: v: "${k}=${paramToString v}"))
(builtins.concatStringsSep "&")
(params: if params != "" then "?${params}" else "")
];
in
''
while [[ "$(${statusCommand})" == "NoState" ]]; do
sleep 0.5
done
status=$(${statusCommand})
if [[ "$status" == "NeedsLogin" || "$status" == "NeedsMachineAuth" ]]; then
${lib.getExe cfg.package} up --auth-key "$(cat ${cfg.authKeyFile})${params}" ${escapeShellArgs cfg.extraUpFlags}
fi
'';
};
systemd.services.tailscaled-set = mkIf (cfg.extraSetFlags != [ ]) {
after = [ "tailscaled.service" ];
wants = [ "tailscaled.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
${lib.getExe cfg.package} set ${escapeShellArgs cfg.extraSetFlags}
'';
};
boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
"net.ipv4.conf.all.forwarding" = mkOverride 97 true;
"net.ipv6.conf.all.forwarding" = mkOverride 97 true;
};
networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ cfg.port ];
networking.firewall.checkReversePath = mkIf (
cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both"
) "loose";
networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ];
systemd.network.networks."50-tailscale" = mkIf isNetworkd {
matchConfig = {
Name = cfg.interfaceName;
};
linkConfig = {
Unmanaged = true;
ActivationPolicy = "manual";
};
};
};
}
Reference in a new issue View git blame Copy permalink