From bad90c81796554ae9441a2b8e0df0d93b65e39f2 Mon Sep 17 00:00:00 2001
From: Francis Begyn
Date: Tue, 9 Jan 2024 11:40:48 +0100
Subject: [PATCH] (tailscale) migrate back to upstream module for testing
---
 hosts/ania/configuration.nix | 2 +-
 hosts/bia/configuration.nix | 9 ++-------
 hosts/eos/configuration.nix | 22 +++++++++++-----------
 services/tailscale.nix | 5 ++++-
 4 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/hosts/ania/configuration.nix b/hosts/ania/configuration.nix
index 15558d3d..809e94e7 100644
--- a/hosts/ania/configuration.nix
+++ b/hosts/ania/configuration.nix
@@ -114,7 +114,7 @@
 programs.gnupg.package = pkgs.unstable.gnupg;
 services.tailscale = {
 enable = true;
- package = pkgs.unstable.tailscale;
+ useRoutingFeatures = "client";
 };
 home-manager.users.francis.home.stateVersion = "23.05";
diff --git a/hosts/bia/configuration.nix b/hosts/bia/configuration.nix
index 01465468..c9f7d9ed 100644
--- a/hosts/bia/configuration.nix
+++ b/hosts/bia/configuration.nix
@@ -105,14 +105,9 @@
 fbegyn.x.xautolock = false;
 # tailscale machine specific
- fbegyn.services.tailscale = let
- hosts = import ../../secrets/hosts.nix;
- in {
+ services.tailscale = {
 enable = true;
- autoprovision = {
- enable = false;
- key = "${hosts.bia.tailscale.oneoffkey}";
- };
+ useRoutingFeatures = "client";
 };
 # configure the systems wake on lan settings
diff --git a/hosts/eos/configuration.nix b/hosts/eos/configuration.nix
index 60fa5063..a605f01f 100644
--- a/hosts/eos/configuration.nix
+++ b/hosts/eos/configuration.nix
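Review bot: Dropping `package = pkgs.unstable.tailscale;` in the ania hunk silently moves the host from the unstable tailscale build to whatever the stable channel pins; if the newer client was chosen on purpose, keep `package = pkgs.unstable.tailscale;` next to `useRoutingFeatures = "client";`, since the upstream module still exposes `package`. Note also that `useRoutingFeatures = "client"` makes the upstream module set `networking.firewall.checkReversePath = "loose"` (the same setting the services/tailscale.nix hunk below adds), which relaxes the kernel's source-address spoofing check on every interface; that is required for exit nodes and subnet routes, but a one-line comment on the host such as `# "client" relaxes rpfilter to "loose" for exit-node/subnet-route traffic` would keep it from being mistaken for a default. The same point applies to the bia hunk.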
@@ -98,18 +98,18 @@ in {
 };
 # VPN settings
- fbegyn.services.tailscale = {
+ services.tailscale = {
 enable = true;
- routingFeature = "server";
- autoprovision = {
- enable = true;
- key = "${hosts.tailscale.tempkey}";
- options = [
- "--advertise-routes=${hosts.eos.tailscale.routes}"
- "--advertise-exit-node"
- "--advertise-tags=tag:prod,tag:dcf,tag:hass"
- ];
- };
+ useRoutingFeatures = "server";
+ # autoprovision = {
+ # enable = true;
+ # key = "${hosts.tailscale.tempkey}";
+ # options = [
+ # "--advertise-routes=${hosts.eos.tailscale.routes}"
+ # "--advertise-exit-node"
+ # "--advertise-tags=tag:prod,tag:dcf,tag:hass"
+ # ];
+ # };
 };
 # Web/ingress
diff --git a/services/tailscale.nix b/services/tailscale.nix
index bb5102f8..c310d2c8 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
@@ -2,6 +2,7 @@
 let
 cfg = config.fbegyn.services.tailscale;
+ isNetworkd = config.networking.useNetworkd;
 in
 with lib; {
 options.fbegyn.services.tailscale = {
@@ -89,12 +90,14 @@ with lib; {
 "net.ipv6.conf.all.forwarding" = mkOverride 97 true;
 };
+ networking.firewall.checkReversePath = mkIf (cfg.routingFeature == "client" || cfg.routingFeature == "both") "loose";
+
 systemd.services.tailscale = {
 enable = true;
 description = "Tailscale node agent";
 documentation = [ "https://tailscale.com/kb/" ];
 path = [
- config.networking.resolvconf.package # for configuring DNS in some configs
+ config.networking.resolvconf.package # for configuring DNS in some configs
 pkgs.procps # for collecting running services (opt-in feature)
 pkgs.glibc
 ];
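Review bot: The autoprovision block in the eos hunk is commented out rather than removed, leaving dead config that still carries a secret reference (`key = "${hosts.tailscale.tempkey}"`), which, when it was live, interpolated the auth key into a world-readable Nix store path. When this is re-enabled on the upstream module the equivalent is `authKeyFile = <placeholder: path to key file>;` (read at runtime, not copied into the store) together with `extraUpFlags = [ "--advertise-routes=${hosts.eos.tailscale.routes}" "--advertise-exit-node" "--advertise-tags=tag:prod,tag:dcf,tag:hass" ];`, so the commented lines can be deleted now. Until then eos advertises routes, exit node and tags only if tailscaled's persisted preferences still carry them, which is presumably the case for an already-joined node but worth confirming after the first rebuild. If nothing else in the file references `hosts`, the `let` binding that the `in {` header points at becomes unused as well.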
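Review bot: `isNetworkd = config.networking.useNetworkd;` is bound in the `let` of services/tailscale.nix but not referenced in either hunk of this file; if it is not used further down (presumably intended for the unit's network ordering, as in the upstream module), the binding is dead and should be dropped rather than left for a later change. The `let` block continues outside the hunk.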
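Review bot: The added `networking.firewall.checkReversePath` in the second services/tailscale.nix hunk is gated on `cfg.routingFeature` but not on `cfg.enable`, so unless this attribute set already sits under a `mkIf cfg.enable` guard (the enclosing `config =` line is outside the hunk), merely importing the module relaxes rpfilter on hosts that never enable tailscale. Either confirm the outer guard or write `networking.firewall.checkReversePath = mkIf (cfg.enable && (cfg.routingFeature == "client" || cfg.routingFeature == "both")) "loose";`. Since rpfilter is the kernel's anti-spoofing check, a short comment such as `# "loose" lets exit-node/subnet-route replies arrive on tailscale0 with non-local sources` would explain why it is weakened. The `config.networking.resolvconf.package` line is a whitespace-only change.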