# NixOS module: join this host to the tailnet with an agenix-managed pre-auth
# key and expose a small, role-dependent set of TCP services to tailnet peers
# only. Expects `hostMeta.role` and `hostMeta.tailscaleName` from the caller.
{ config, hostMeta, ... }:

let
  # Role decides which extra service port is reachable over the tailnet.
  isPrimary = hostMeta.role == "primary";

  # Always reachable from peers on tailscale0; the second port depends on role.
  # 3306 and 873 are the conventional MySQL and rsync ports — which service
  # actually listens there is defined elsewhere in this configuration.
  tailnetTcpPorts = if isPrimary then [ 22 3306 ] else [ 22 873 ];
in
{
  age.secrets = {
    # Pre-auth key, decrypted at activation time to the path exposed as
    # config.age.secrets.tailscale-auth.path. Root-only read: the daemon reads
    # it through `authKeyFile`, so nothing else on the host needs access.
    tailscale-auth = {
      file = ../secrets/tailscale-auth.age;
      owner = "root";
      mode = "0400";
    };
  };

  services.tailscale = {
    enable = true;
    # Key is read from the decrypted secret on disk, never from the Nix store.
    authKeyFile = config.age.secrets.tailscale-auth.path;
    # Each list element is passed to `tailscale up` as one argument; the
    # hostname comes from host metadata, not from anything untrusted.
    extraUpFlags = [ "--hostname=${hostMeta.tailscaleName}" ];
  };

  networking.firewall = {
    # Scoped to the tailscale0 interface: these ports stay closed on every
    # other interface and are reachable only from tailnet peers.
    interfaces.tailscale0.allowedTCPPorts = tailnetTcpPorts;

    # Tailscale's own UDP port, open on all interfaces so peers can establish
    # direct connections to this node rather than going through relays.
    # On NixOS releases that provide it, `services.tailscale.openFirewall`
    # sets the same rule.
    allowedUDPPorts = [ config.services.tailscale.port ];

    # Relaxes reverse-path filtering host-wide (not only on tailscale0) from
    # strict to loose: a packet is accepted if its source is routable via any
    # interface, not just the one it arrived on. Commonly required when the
    # node uses Tailscale exit nodes or subnet routes; review if neither
    # feature is in use here.
    checkReversePath = "loose";
  };
}