-
-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tailscale: services.tailscale.loginServer && services.tailscale.preAuthKey && systemd.services.tailscale-autoconnect #204622
Comments
@Xe might also be interested in this (author of https://tailscale.com/blog/nixos-minecraft/, which is where I copied my first iteration of this). I think the extra flags option is needed, at least for me to find this useful (my version). Maybe changing the |
I did actually just write another iteration of this for my blog (in an upcoming post about Terraform crimes), but I put the authkey in I would find this useful, especially because it would make it a lot easier for me to automate the creation of NixOS machines on my tailnet. I have to admit that the I'd also suggest creating a separate options.services.tailscale.autoConnect = {
enable = mkEnableOption "Enables automatic connection to your tailnet via the following options";
loginServer = mkOption {
type = types.str;
default = "https://controlplane.tailscale.com";
description = lib.mdDoc ''Base URL of the Tailscale (or Headscale) control server.'';
example = literalExpression ''"https://controlplane.example.com"'';
};
preAuthKey = mkOption {
type = types.str;
default = "/var/lib/tailscale/auth.key";
description = lib.mdDoc ''Node pre-authentication key; if it begins with "file:", then it's a path to a file containing the authkey'';
example = literalExpression ''"/var/lib/tailscale/auth.key"'';
};
} Then you could have your |
We almost certainly want to wait a beat before exploring this. Tailscale 1.34 is about to ship with user account switching, which changes the interfaces for connecting an account and specifying custom control servers. If we try to ship something now with 1.32, we'll just have to tear it out again in a week. The authkey is a secret, so per NixOS's conventions should only be specifiable as a file on disk IMO. So I would lose the file: syntax and call it Lose the sleep in the shell script. The logic you actually want there is to loop waiting for the unix socket path to exist. Once it exists, the CLI can connect to tailscaled without races. The status check also needs to be a bit more intelligent, because otherwise every time the authentication expires or the admin de-authorizes the machine in the admin panel, this logic will freak out and try to reauth, which will knock the machine offline rather than do anthing useful. Honestly, this logic is complex enough that it almost certainly wants to be a program more advanced than a shell script. Ideally we'd teach the tailscale CLI to do "only do this login if you've never been authed before" or something, because that's behavior we want all over the place, and these In general I have no objections to the idea, just ^ a bunch of thoughts about how to implement it so that it won't break constantly in future :) |
Project description
The goal is to improve operability between
services.tailscale.*
andservices.headscale.*
Metadata
Opening up GitHub issue for discussion about adjusting
services.tailscale
to enableservices.tailscale
intoservices.headscale
extraUpFlags
👇 for usage withsystemd.services.tailscale-autoconnect
Proposed API something like this but no strong feelings, I'm after the outcome here...
cc existing maintainers of both packages // @kradalby @danderson @mbaillie @twitchyliquid64
The text was updated successfully, but these errors were encountered: