fix(tailscale): Disable SSH
This change is analogous to Iac7039db42da8c05be192d555776f37150195214 on
our infra repo.
Tailscale ssh isn't properly supported on the currently released version
of headscale, so while it's an excellent idea in theory it doesn't
currently make much sense for us to have it on, and breaks SSHing to our
openssh ssh servers over the tailnet
Change-Id: I3cb5ef7997b12d3b2a9feb6a1aed4ad06ac5c152
Reviewed-on: https://git.clicks.codes/c/Chimera/NixFiles/+/746
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/modules/nixos/tailscale/default.nix b/modules/nixos/tailscale/default.nix
index 4ae39d9..8c6dded 100644
--- a/modules/nixos/tailscale/default.nix
+++ b/modules/nixos/tailscale/default.nix
@@ -3,9 +3,11 @@
lib,
pkgs,
...
-}: let
+}:
+let
cfg = config.chimera.networking.tailscale;
-in {
+in
+{
options.chimera.networking.tailscale = {
enable = lib.mkOption {
description = "Enable tailscale for this system";
@@ -28,15 +30,21 @@
config = lib.mkIf cfg.enable {
services.tailscale = {
enable = true;
- useRoutingFeatures = if cfg.runExitNode.enable then "server" else "client";
- extraUpFlags = [
- "--login-server=${cfg.server}"
- "--accept-routes"
- "--ssh"
- ] ++ (if cfg.runExitNode.enable then [
- "--advertise-exit-node"
- "--exit-node-allow-lan-access"
- ] else []);
+ useRoutingFeatures = if cfg.runExitNode.enable then "both" else "client";
+ extraUpFlags =
+ [
+ "--login-server=${cfg.server}"
+ "--accept-routes"
+ ]
+ ++ (
+ if cfg.runExitNode.enable then
+ [
+ "--advertise-exit-node"
+ "--exit-node-allow-lan-access"
+ ]
+ else
+ [ ]
+ );
authKeyFile = lib.mkIf (cfg.authKeyFile != null) cfg.authKeyFile;
};
};