tailscale

modules/nixos/services/rke2/default.nix

@@ -18,6 +18,10 @@ in
       disable = cfg.disable;
     };
 
+    # NOTE: Tailscale & K8s Calico conflict due to FWMask. You need to update the DaemonSet Env with:
+    #   - name: FELIX_IPTABLESMARKMASK
+    #     value: "0xff00ff00"
+
     networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
       # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
       6443 # Kubernetes API

modules/nixos/services/tailscale/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.${namespace}.services.tailscale;
+in
+{
+  options.${namespace}.services.tailscale = {
+    enable = mkEnableOption "enable tailscale service";
+    enableRouting = mkEnableOption "enable tailscale routing";
+  };
+
+  config = mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = if cfg.enableRouting then "server" else "client";
+    };
+
+    boot.kernel.sysctl = mkIf cfg.enableRouting {
+      "net.ipv4.ip_forward" = 1;
+      "net.ipv6.conf.all.forwarding" = 1;
+    };
+
+    # NOTE: Tailscale & K8s Calico conflict due to FWMask. You need to update the DaemonSet Env with:
+    #   - name: FELIX_IPTABLESMARKMASK
+    #     value: "0xff00ff00"
+  };
+}

systems/x86_64-linux/lin-cloud-kube1/default.nix

@@ -12,6 +12,8 @@ in
   system.stateVersion = "25.05";
   time.timeZone = "UTC";
 
+  networking.firewall.allowedTCPPorts = [ 443 ];
+
   boot.loader.grub = {
     efiSupport = true;
     efiInstallAsRemovable = true;
@@ -38,6 +40,10 @@ in
 
     services = {
       openssh = enabled;
+      tailscale = {
+        enable = true;
+        enableRouting = true;
+      };
       rke2 = {
         enable = true;
         openFirewall = false;