From 7fc0e3334e183a87a749a000b8111b92b5c1245f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaros=C5=82aw=20Wygoda?=
Date: Mon, 10 Jul 2023 22:31:30 +0200
Subject: [PATCH] nixos/tailscale: add authKeyFile option

Auth key registers new nodes without needing to sign in via a browser Tailscale sends status changes with systemd-notify. https://github.com/tailscale/tailscale/blob/v1.44.0/ipn/ipnlocal/local.go#L3670
---
 .../modules/services/networking/tailscale.nix | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index 384c86bd879e..fce9b5cf0e89 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -49,6 +49,15 @@ in {
         When set to `server` or `both`, IP forwarding will be enabled.
       '';
     };
+
+    authKeyFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/tailscale_key";
+      description = lib.mdDoc ''
+        A file containing the auth key.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
@@ -82,6 +91,21 @@ in {
       stopIfChanged = false;
     };
 
+    systemd.services.tailscaled-autoconnect = mkIf (cfg.authKeyFile != null) {
+      after = ["tailscale.service"];
+      wants = ["tailscale.service"];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+      };
+      script = with pkgs; ''
+        status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service)
+        if [[ $status != Connected* ]]; then
+          ${pkgs.tailscale}/bin/tailscale up --auth-key 'file:${cfg.authKeyFile}'
+        fi
+      '';
+    };
+
     boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") {
       "net.ipv4.conf.all.forwarding" = mkOverride 97 true;
       "net.ipv6.conf.all.forwarding" = mkOverride 97 true;
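Review bot: `authKeyFile` is typed `types.nullOr types.path`, so a path literal such as `./tailscale_key` is accepted and would be copied into the Nix store, where the auth key becomes world-readable; the description in the first hunk should state that the value must be a string path to a file provisioned outside the store, which is what the `/run/secrets/tailscale_key` example already implies. Proposed description text: `A file containing the auth key. Provide a string path (for example "/run/secrets/tailscale_key") rather than a path literal, so the key is not copied into the world-readable Nix store.` The description could also mention that the key is only consumed by the autoconnect unit added later in this patch, so a reader of the option knows where to look.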
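Review bot: `after` and `wants` in the second hunk name `tailscale.service`, while the script a few lines below queries `tailscaled.service`, which is presumably the daemon's actual unit; if no `tailscale.service` exists the ordering is a no-op, so the oneshot can run before tailscaled is listening, read an empty StatusText and invoke `tailscale up` against a socket that is not there yet. Suggested change: `after = ["tailscaled.service"];` and `wants = ["tailscaled.service"];`. The `with pkgs;` on the `script` line is unused, since the only package reference is already written as `${pkgs.tailscale}`. The prefix match `[[ $status != Connected* ]]` couples this unit to the wording of tailscaled's sd_notify status text linked in the commit message; a one-line comment in the script naming that dependency, e.g. `# StatusText is set by tailscaled via sd_notify; "Connected" means a login is already established`, would make a future wording change in tailscaled easy to trace here.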