# NixOS module: thin wrapper around the upstream `services.tailscale`
# module, exposed under this flake's own namespace.
#
# Two switches are offered:
#   enable        - start the tailscale daemon.
#   enableRouting - additionally let this host act as a router (the
#                   "server" routing mode) and turn on kernel forwarding.
{ config, lib, namespace, ... }:
let
  tsCfg = config.${namespace}.services.tailscale;
  rke2Cfg = config.${namespace}.services.rke2;

  # Routing mode handed to the upstream module: "server" when this host
  # should route for others, plain "client" otherwise.
  routingMode = if !tsCfg.enableRouting then "client" else "server";
in
{
  options.${namespace}.services.tailscale = {
    enable = lib.mkEnableOption "enable tailscale service";
    enableRouting = lib.mkEnableOption "enable tailscale routing";
  };

  config = lib.mkIf tsCfg.enable {
    services.tailscale = {
      enable = true;
      useRoutingFeatures = routingMode;
    };

    # Forwarding is only switched on when routing was explicitly requested,
    # so a plain client does not silently become a router.
    # NOTE(review): the upstream `services.tailscale` module may already set
    # forwarding sysctls for "server" mode — confirm whether these two keys
    # are still needed.
    boot.kernel.sysctl = lib.mkIf tsCfg.enableRouting {
      "net.ipv4.ip_forward" = 1;
      "net.ipv6.conf.all.forwarding" = 1;
    };

    # Move the Tailscale jump to the front of the nat POSTROUTING chain.
    # When RKE2 (Calico) is enabled this is needed so Tailscale still
    # routes traffic correctly as an exit node. The delete-then-insert
    # pair keeps the snippet safe to re-run on firewall reload: any
    # existing copy of the jump is removed (ignoring "not found") before a
    # single insert at position 1.
    # NOTE(review): the insert assumes tailscaled has already created the
    # `ts-postrouting` chain; if the firewall script runs before tailscaled
    # the `-I` line fails — confirm service ordering. `extraCommands` is
    # an iptables-backend hook and is not applied by the nftables firewall.
    networking.firewall.extraCommands =
      lib.mkIf (rke2Cfg.enable && tsCfg.enableRouting) ''
        iptables -t nat -D POSTROUTING -j ts-postrouting 2>/dev/null || true
        iptables -t nat -I POSTROUTING 1 -j ts-postrouting
      '';
  };
}