From 9e24c1800e16c85c32c95f948cfec496fd34c72a Mon Sep 17 00:00:00 2001
From: Evan Reichard
Date: Sun, 7 Sep 2025 10:47:49 -0400
Subject: [PATCH] tailscal

---
 modules/nixos/services/tailscale/default.nix | 23 +++++++++++++++++++
 .../x86_64-linux/lin-cloud-kube1/default.nix | 6 +++++
 2 files changed, 29 insertions(+)
 create mode 100644 modules/nixos/services/tailscale/default.nix

diff --git a/modules/nixos/services/tailscale/default.nix b/modules/nixos/services/tailscale/default.nix
new file mode 100644
index 0000000..8e15d00
--- /dev/null
+++ b/modules/nixos/services/tailscale/default.nix
@@ -0,0 +1,23 @@
+{ config, lib, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.${namespace}.services.tailscale;
+in
+{
+ options.${namespace}.services.tailscale = {
+ enable = mkEnableOption "enable tailscale service";
+ enableRouting = mkEnableOption "enable tailscale routing";
+ };
+
+ config = mkIf cfg.enable {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = if cfg.enableRouting then "server" else "client";
+ };
+
+ boot.kernel.sysctl = mkIf cfg.enableRouting {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ };
+}
diff --git a/systems/x86_64-linux/lin-cloud-kube1/default.nix b/systems/x86_64-linux/lin-cloud-kube1/default.nix
index ebbe460..36674a5 100755
--- a/systems/x86_64-linux/lin-cloud-kube1/default.nix
+++ b/systems/x86_64-linux/lin-cloud-kube1/default.nix
@@ -12,6 +12,8 @@ in
 system.stateVersion = "25.05";
 time.timeZone = "UTC";
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
@@ -38,6 +40,10 @@ in
 services = {
 openssh = enabled;
+ tailscale = {
+ enable = true;
+ enableRouting = true;
+ };
 rke2 = {
 enable = true;
 openFirewall = false;
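Review bot: The option descriptions in the new module double the verb, because mkEnableOption already prefixes "Whether to enable", so `enable = mkEnableOption "enable tailscale service";` renders as "Whether to enable enable tailscale service"; use `enable = mkEnableOption "the Tailscale client";` and `enableRouting = mkEnableOption "system-wide IP forwarding so this host can act as a Tailscale subnet router or exit node";`. The `boot.kernel.sysctl` block also deserves a caveat comment: `net.ipv4.ip_forward` is global, so with `enableRouting` the host forwards between every interface it has, not only tailscale0, and nothing in this module adds FORWARD-chain filtering — `# NOTE: forwarding is enabled for all interfaces, not just tailscale0; add firewall forward rules or per-interface sysctls if this host has a public NIC`. I believe the upstream NixOS tailscale module already sets the forwarding sysctls when useRoutingFeatures is "server", in which case this explicit block is redundant; confirm against the nixpkgs module before keeping it.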
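Review bot: `networking.firewall.allowedTCPPorts = [ 443 ];` opens 443 on every interface of lin-cloud-kube1, including its public cloud address, while the rest of the commit wires the node into a tailnet and the rke2 block in the following hunk keeps `openFirewall = false`; if 443 is only meant for tailnet clients, scope it to the tunnel with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 443 ];`. The hunk does not show what listens on 443, so if it really is an Internet-facing ingress, a one-line comment such as `# public HTTPS ingress (reachable from the Internet)` would make the exposure deliberate rather than accidental.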