-
-
Save al3xtjames/51f42344b54bdd34fd550a78f818066e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Based on https://gist.github.com/antifuchs/e30d58a64988907f282c82231dde2cbc | |
| { config, lib, pkgs, ... }: | |
| let | |
| cfg = config.boot.initrd.network.tailscale; | |
| # TODO: This uses old-style non-nftables iptables; ideally, we wouldn't have to opt out of that. | |
| # Enabling nftables compat means having to shuffle the list of | |
| # modules down in availableKernelModules; that's a bunch of work | |
| # (deploying to a linux machine & rebooting to see what doesn't | |
| # work this time), so I'm a bit too lazy for that now. | |
| iptables-static = (pkgs.iptables.override { nftablesCompat = false; }).overrideAttrs (old: { | |
| dontDisableStatic = true; | |
| configureFlags = (lib.remove "--enable-shared" old.configureFlags) ++ [ | |
| "--enable-static" | |
| "--disable-shared" | |
| ]; | |
| }); | |
| in { | |
| options = { | |
| boot.initrd.network.tailscale = with lib; { | |
| enable = mkEnableOption "a connection to Tailscale during initrd boot"; | |
| stateFile = mkOption { | |
| type = types.path; | |
| description = lib.mdDoc '' | |
| Path to a pre-initialized Tailscale state file. This is needed to authenticate the | |
| connection to Tailscale. | |
| This can be generated by manually connecting to Tailscale: | |
| ```bash | |
| sudo systemctl stop tailscaled.service # if Tailscale is already running | |
| tailscaled -port 9993 -state tailscaled-initrd.state -tun userspace-networking -socket ./tailscaled.sock & | |
| TAILSCALED_PID=$! | |
| tailscale -socket ./tailscaled.sock up -hostname "$HOST-initrd" | |
| tailscale -socket ./tailscaled.sock down | |
| kill $TAILSCALED_PID | |
| sudo systemctl start tailscaled.service # if Tailscale was already running | |
| ``` | |
| It is recommended to disable key expiry for this host in the Tailscale admin interface. | |
| Otherwise, authentication with the state file will fail once it expires. | |
| ::: {.warning} | |
| Unless your bootloader supports initrd secrets, this configuration is stored insecurely in | |
| the global Nix store. | |
| ::: | |
| ''; | |
| }; | |
| }; | |
| }; | |
| config = lib.mkIf cfg.enable { | |
| boot.initrd = { | |
| availableKernelModules = [ | |
| "ip6_tables" | |
| "ip6table_filter" | |
| "ip6table_nat" | |
| "ip6table_raw" | |
| "ip_tables" | |
| "iptable_filter" | |
| "iptable_nat" | |
| "iptable_raw" | |
| "nf_conntrack" | |
| "nf_nat" | |
| "tun" | |
| "xt_comment" | |
| "xt_conntrack" | |
| "xt_mark" | |
| "xt_MASQUERADE" | |
| "xt_LOG" | |
| "xt_tcpudp" | |
| ]; | |
| extraUtilsCommands = '' | |
| copy_bin_and_libs ${pkgs.tailscale}/bin/.tailscaled-wrapped | |
| copy_bin_and_libs ${pkgs.iproute}/bin/ip | |
| copy_bin_and_libs ${iptables-static}/bin/iptables | |
| copy_bin_and_libs ${iptables-static}/bin/xtables-legacy-multi | |
| ln -s $out/bin/.tailscaled-wrapped $out/bin/tailscaled | |
| ln -s $out/bin/.tailscaled-wrapped $out/bin/tailscale | |
| ''; | |
| secrets = { | |
| "/var/lib/tailscale/tailscaled.state" = cfg.stateFile; | |
| "/etc/ssl/certs/ca-certificates.crt" = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; | |
| "/etc/ssl/certs/ca-bundle.crt" = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; | |
| }; | |
| network = { | |
| postCommands = '' | |
| # Bring up tailscaled and dial in | |
| mkdir /dev/net | |
| mknod /dev/net/tun c 10 200 | |
| tailscaled 2>/dev/null & | |
| tailscale up | |
| ''; | |
| }; | |
| postMountCommands = '' | |
| # Tear down tailscale | |
| pkill tailscaled | |
| tailscaled -cleanup | |
| ''; | |
| }; | |
| }; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment