mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2025-01-07 14:00:59 +03:00
nixos/tailscale: Add useRoutingFeatures
option
This commit is contained in:
parent
e738da1f95
commit
68e514ed1c
@ -282,6 +282,20 @@
|
||||
to match upstream.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The new option
|
||||
<literal>services.tailscale.useRoutingFeatures</literal>
|
||||
controls various settings for using Tailscale features like
|
||||
exit nodes and subnet routers. If you wish to use your machine
|
||||
as an exit node, you can set this setting to
|
||||
<literal>server</literal>, otherwise if you wish to use an
|
||||
exit node you can set this setting to
|
||||
<literal>client</literal>. The strict RPF warning has been
|
||||
removed as the RPF will be loosened automatically based on the
|
||||
value of this setting.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -81,3 +81,5 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
- The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).
|
||||
|
||||
- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
|
||||
|
||||
- The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
|
||||
|
@ -4,10 +4,7 @@ with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.tailscale;
|
||||
firewallOn = config.networking.firewall.enable;
|
||||
rpfMode = config.networking.firewall.checkReversePath;
|
||||
isNetworkd = config.networking.useNetworkd;
|
||||
rpfIsStrict = rpfMode == true || rpfMode == "strict";
|
||||
in {
|
||||
meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
|
||||
|
||||
@ -38,14 +35,23 @@ in {
|
||||
defaultText = literalExpression "pkgs.tailscale";
|
||||
description = lib.mdDoc "The package to use for tailscale";
|
||||
};
|
||||
|
||||
useRoutingFeatures = mkOption {
|
||||
type = types.enum [ "none" "client" "server" "both" ];
|
||||
default = "none";
|
||||
example = "server";
|
||||
description = lib.mdDoc ''
|
||||
Enables settings required for Tailscale's routing features like subnet routers and exit nodes.
|
||||
|
||||
To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`.
|
||||
|
||||
When set to `client` or `both`, reverse path filtering will be set to loose instead of strict.
|
||||
When set to `server` or `both`, IP forwarding will be enabled.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
warnings = optional (firewallOn && rpfIsStrict) ''
|
||||
Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting:
|
||||
|
||||
networking.firewall.checkReversePath = "loose";
|
||||
'';
|
||||
environment.systemPackages = [ cfg.package ]; # for the CLI
|
||||
systemd.packages = [ cfg.package ];
|
||||
systemd.services.tailscaled = {
|
||||
@ -75,6 +81,13 @@ in {
|
||||
stopIfChanged = false;
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
|
||||
"net.ipv4.conf.all.forwarding" = mkDefault true;
|
||||
"net.ipv6.conf.all.forwarding" = mkDefault true;
|
||||
};
|
||||
|
||||
networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose";
|
||||
|
||||
networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ];
|
||||
|
||||
systemd.network.networks."50-tailscale" = mkIf isNetworkd {
|
||||
|
Loading…
Reference in New Issue
Block a user