Diffstat (limited to 'nixos/modules/services/networking/tailscale.nix')
-rw-r--r-- | nixos/modules/services/networking/tailscale.nix | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index 1f64113950a..0133874d0e0 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -2,9 +2,13 @@
 with lib;
-let cfg = config.services.tailscale;
+let
+ cfg = config.services.tailscale;
+ firewallOn = config.networking.firewall.enable;
+ rpfMode = config.networking.firewall.checkReversePath;
+ rpfIsStrict = rpfMode == true || rpfMode == "strict";
 in {
- meta.maintainers = with maintainers; [ danderson mbaillie ];
+ meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
 options.services.tailscale = {
 enable = mkEnableOption "Tailscale client daemon";
@@ -36,17 +40,34 @@ in {
 };
 config = mkIf cfg.enable {
+ warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'";
 environment.systemPackages = [ cfg.package ]; # for the CLI
 systemd.packages = [ cfg.package ];
 systemd.services.tailscaled = {
 wantedBy = [ "multi-user.target" ];
- path = [ pkgs.openresolv pkgs.procps ];
+ path = [
+ pkgs.openresolv # for configuring DNS in some configs
+ pkgs.procps # for collecting running services (opt-in feature)
+ pkgs.glibc # for `getent` to look up user shells
+ ];
 serviceConfig.Environment = [
 "PORT=${toString cfg.port}"
 ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"''
 ] ++ (lib.optionals (cfg.permitCertUid != null) [
 "TS_PERMIT_CERT_UID=${cfg.permitCertUid}"
 ]);
+ # Restart tailscaled with a single `systemctl restart` at the
+ # end of activation, rather than a `stop` followed by a later
+ # `start`. Activation over Tailscale can hang for tens of
+ # seconds in the stop+start setup, if the activation script has
+ # a significant delay between the stop and start phases
+ # (e.g. script blocked on another unit with a slow shutdown).
+ #
+ # Tailscale is aware of the correctness tradeoff involved, and
+ # already makes its upstream systemd unit robust against unit
+ # version mismatches on restart for compatibility with other
+ # linux distros.
+ stopIfChanged = false;
 };
 };
 } |
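Review bot: The remediation quoted in the new `warnings` string is not valid Nix — `'loose'` uses single quotes, which Nix does not accept for strings, so an admin who pastes the suggestion gets a parse error; the message should read `Consider setting networking.firewall.checkReversePath = \"loose\"` with the inner double quotes escaped, since the message is itself a Nix string. The warning also asks the user to weaken a security control without saying so: loose reverse-path filtering accepts a packet if its source is reachable via any interface rather than only the arriving one, so it relaxes the firewall's anti-spoofing check, and a clause such as `(this relaxes anti-spoofing checks; only exit nodes and subnet routers need it)` would let the admin make an informed choice. As far as the hunk shows, the condition `firewallOn && rpfIsStrict` inspects only firewall options, so it fires for plain Tailscale clients that never act as an exit node or subnet router whenever the option defaults to strict, which is worth stating in the message or gating further. The enclosing `config = mkIf cfg.enable {` block lies entirely within this hunk.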