-rw-r--r--modules/nixos/tailscale.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/modules/nixos/tailscale.nix b/modules/nixos/tailscale.nix
new file mode 100644
index 0000000..9cba982
--- /dev/null
+++ b/modules/nixos/tailscale.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+ # 1. Enable the service and the firewall
+ services.tailscale.enable = true;
+ networking.nftables.enable = true;
+ networking.firewall = {
+ enable = true;
+ # Always allow traffic from your Tailscale network
+ trustedInterfaces = [ "tailscale0" ];
+ # Allow the Tailscale UDP port through the firewall
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+
+ # 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)
+ # This avoids the "iptables-compat" translation layer issues.
+ systemd.services.tailscaled.serviceConfig.Environment = [
+ "TS_DEBUG_FIREWALL_MODE=nftables"
+ ];
+
+ # 3. Optimization: Prevent systemd from waiting for network online
+ # (Optional but recommended for faster boot with VPNs)
+ systemd.network.wait-online.enable = false;
+ boot.initrd.systemd.network.wait-online.enable = false;
+ }