yep, more dotfiles

tailscale: allow exit node routing

wiro.world 0266df8e 3cb8c8d6

+33 -1
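--- a/hosts/weird-row-server/default.nix
+++ b/hosts/weird-row-server/default.nix
@@ -54,6 +54,8 @@
 "2001:4860:4860::8844"
 ];
 
+networking.firewall.enable = true;
+
 # Single network card is `eth0`
 networking.usePredictableInterfaceNames = false;
 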
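Review bot: `networking.firewall.enable = true;` is already the NixOS default, so on its own this line changes nothing unless some other module in the host sets it to false. If it is meant as an explicit statement of intent alongside the nftables switch made in tailscale.nix in this same commit, a one-line comment saying so, e.g. `# Explicit: the firewall must stay on, tailscale.nix relies on it (nftables backend)`, would stop a future reader from deleting it as redundant. The enclosing attribute set starts and ends outside this hunk.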
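--- a/hosts/weird-row-server/headscale.nix
+++ b/hosts/weird-row-server/headscale.nix
@@ -32,6 +32,12 @@
 metrics_listen_addr = "127.0.0.1:${config.local.ports.headscale-metrics.string}";
 
 policy.path = json-format.generate "policy.json" {
+tagOwners = {
+"tag:exit-node" = [ ];
+};
+autoApprovers = {
+exitNode = [ "tag:exit-node" ];
+};
 acls = [
 {
 action = "accept";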
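Review bot: The empty owner list in `"tag:exit-node" = [ ];` means no user can apply the tag interactively, so a node can only carry it when it was registered with a pre-auth key created with that tag, and because `autoApprovers.exitNode` then approves the exit-node route for any node holding the tag, that key is effectively the credential for becoming an exit node for the whole tailnet. That is a reasonable design, but it is not obvious from the policy alone; a comment above `tagOwners` such as `# Intentionally no interactive owners: tag:exit-node is only minted via tagged pre-auth keys and grants automatic exit-node approval below` would record it. Note also that auto-approval only publishes the route — whether clients may actually send internet traffic through it still depends on the `acls` entries, which continue past the hunk (the visible rule stops at `action = "accept";`), so the rest of the policy should be checked to confirm the exit-node destination is granted only to the intended users. The `policy.path` attribute set is cut off at the bottom of the hunk.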
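--- a/hosts/weird-row-server/tailscale.nix
+++ b/hosts/weird-row-server/tailscale.nix
@@ -1,4 +1,6 @@
 {
+config,
+pkgs,
 globals,
 ...
 }:
@@ -10,6 +12,7 @@
 # age.secrets.tailscale-authkey.file = secrets/tailscale-authkey.age;
 services.tailscale = {
 enable = true;
+useRoutingFeatures = "server";
 extraSetFlags = [ "--advertise-exit-node" ];
 # authKeyFile = config.age.secrets.tailscale-authkey.path;
 authKeyParameters = {
@@ -18,5 +21,23 @@
 preauthorized = true;
 };
 };
+
+networking.nftables.enable = true;
+networking.firewall = {
+trustedInterfaces = [ config.services.tailscale.interfaceName ];
+allowedUDPPorts = [ config.services.tailscale.port ];
+};
+
+systemd.services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=nftables" ];
+
+# services.networkd-dispatcher = {
+# enable = true;
+# rules."50-tailscale-optimizations" = {
+# onState = [ "routable" ];
+# script = ''
+# ${pkgs.ethtool}/bin/ethtool -K eth0 rx-udp-gro-forwarding on rx-gro-list off
+# '';
+# };
+# };
 };
 }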
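Review bot: `trustedInterfaces = [ config.services.tailscale.interfaceName ];` in the last hunk exempts all traffic arriving over the tailscale interface from the host firewall, so from this commit on the headscale ACL policy is the only thing deciding which tailnet peers can reach which local ports on this server; if the host is only meant to act as an exit node, `allowedUDPPorts` together with the forwarding enabled by `useRoutingFeatures = "server"` may already be sufficient, and opening specific ports through `networking.firewall.interfaces.<name>` instead would keep the host firewall as a second layer — either way a comment recording the decision would help. `TS_DEBUG_FIREWALL_MODE=nftables` is a debug-prefixed knob rather than a stable option, so that line deserves a comment explaining why tailscaled's own backend detection is overridden (presumably to match `networking.nftables.enable = true` just above) and that it can be dropped if the default ever changes. In the first hunk `pkgs` is added to the module arguments but is only referenced from the commented-out networkd-dispatcher block, leaving an unused argument; drop it until that block is enabled. Lines 5–9 of the module fall between the hunks and are not visible here.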
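--- a/nixos/profiles/laptop.nix
+++ b/nixos/profiles/laptop.nix
@@ -123,7 +123,10 @@
 
 services.upower.enable = true;
 
-services.tailscale.enable = true;
+services.tailscale = {
+enable = true;
+useRoutingFeatures = "client";
+};
 
 services.flatpak.enable = true;
 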
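Review bot: `useRoutingFeatures = "client";` does more than permit using an exit node: as far as I recall, the NixOS tailscale module sets `networking.firewall.checkReversePath = "loose"` for `"client"` and `"both"`, which relaxes reverse-path filtering on every interface of the laptop, not only the tailscale one. A comment such as `# "client" also sets checkReversePath = "loose" so exit-node return traffic is not dropped` would make that host-wide side effect visible in the profile. Confirm against the module before relying on it, and decide whether the loosened check is acceptable on the untrusted networks a laptop typically joins. The enclosing attribute set starts and ends outside the hunk.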