author | Michael Hoang <enzime@users.noreply.github.com> | 2022-11-14 13:23:43 +1100 |
---|---|---|
committer | Michael Hoang <enzime@users.noreply.github.com> | 2022-12-17 22:38:14 +1100 |
commit | 68e514ed1cf55451901e8d0edd3e8ee5102d3565 (patch) | |
tree | f53f232c29ff46762d510b6d38f9484eb239c634 /nixos | |
parent | e738da1f9508f58555223ef881f5778b3af51db0 (diff) | |
nixos/tailscale: Add `useRoutingFeatures` option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2305.section.xml | 14 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2305.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/tailscale.nix | 29 |
3 files changed, 37 insertions, 8 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index aded38b4f72..2b9110e15a2 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -282,6 +282,20 @@
 to match upstream.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ The new option
+ <literal>services.tailscale.useRoutingFeatures</literal>
+ controls various settings for using Tailscale features like
+ exit nodes and subnet routers. If you wish to use your machine
+ as an exit node, you can set this setting to
+ <literal>server</literal>, otherwise if you wish to use an
+ exit node you can set this setting to
+ <literal>client</literal>. The strict RPF warning has been
+ removed as the RPF will be loosened automatically based on the
+ value of this setting.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
 </section>
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 7aff655f441..fb8e856490c 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -81,3 +81,5 @@ In addition to numerous new and upgraded packages, this release has the followin - The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)). - The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream. + +- The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting. diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix index 26997dd9601..233bfdf9ebf 100644 --- a/nixos/modules/services/networking/tailscale.nix +++ b/nixos/modules/services/networking/tailscale.nix @@ -4,10 +4,7 @@ with lib; let cfg = config.services.tailscale; - firewallOn = config.networking.firewall.enable; - rpfMode = config.networking.firewall.checkReversePath; isNetworkd = config.networking.useNetworkd; - rpfIsStrict = rpfMode == true || rpfMode == "strict"; in { meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ]; 
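Review bot: The new `networking.firewall.checkReversePath = mkIf (...) "loose"` line in the `@@ -75,6 +81,13 @@` hunk of tailscale.nix carries no priority, while the two forwarding sysctls directly above it use `mkDefault`; as far as I can tell, a user who already sets `checkReversePath` themselves (for example to `false`) and also enables `useRoutingFeatures = "client"` would get a conflicting-definition error instead of keeping their value, so `networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") (mkDefault "loose");` would make the line consistent with the sysctl entries. Both effects are host-wide rather than tied to `cfg.interfaceName`: `net.ipv4.conf.all.forwarding`/`net.ipv6.conf.all.forwarding` turn on forwarding for every interface, and a loose reverse-path filter relaxes source-address checking on every interface, so the option description added in the `@@ -38,14 +35,23 @@` hunk could say so explicitly, e.g. append `Both changes apply to all interfaces of the host, not only the Tailscale interface.` after the two "When set to" lines. That same description also reads `To use these these features`, a doubled word. The `config = mkIf cfg.enable {` attribute set that contains these lines opens in the second hunk and closes outside the third.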
@@ -38,14 +35,23 @@ in { defaultText = literalExpression "pkgs.tailscale"; description = lib.mdDoc "The package to use for tailscale"; }; + + useRoutingFeatures = mkOption { + type = types.enum [ "none" "client" "server" "both" ]; + default = "none"; + example = "server"; + description = lib.mdDoc '' + Enables settings required for Tailscale's routing features like subnet routers and exit nodes. + + To use these these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`. + + When set to `client` or `both`, reverse path filtering will be set to loose instead of strict. + When set to `server` or `both`, IP forwarding will be enabled. + ''; + }; }; config = mkIf cfg.enable { - warnings = optional (firewallOn && rpfIsStrict) '' - Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting: - - networking.firewall.checkReversePath = "loose"; - ''; environment.systemPackages = [ cfg.package ]; # for the CLI systemd.packages = [ cfg.package ]; systemd.services.tailscaled = { @@ -75,6 +81,13 @@ in { stopIfChanged = false; }; + boot.kernel.sysctl = mkIf (cfg.useRoutingFeatures == "server" || cfg.useRoutingFeatures == "both") { + "net.ipv4.conf.all.forwarding" = mkDefault true; + "net.ipv6.conf.all.forwarding" = mkDefault true; + }; + + networking.firewall.checkReversePath = mkIf (cfg.useRoutingFeatures == "client" || cfg.useRoutingFeatures == "both") "loose"; + networking.dhcpcd.denyInterfaces = [ cfg.interfaceName ]; systemd.network.networks."50-tailscale" = mkIf isNetworkd { |