path: root/infra/modules/base/tailscale.nix
authorvkcku <[email protected]>2026-06-01 15:56:19 +0530
committervkcku <[email protected]>2026-06-01 15:56:19 +0530
commitfab57a38f4e6e9ef7e9821231f7671851621f0b3 (patch)
treebdd405f82dd03bef8fefe99c9f7dc0fef070754e /infra/modules/base/tailscale.nix
parentinfra: add user configuration to base module (diff)
infra: add tailscale to base module
monorepo-revid: c8dffdfe5a8566e29e5d7fea43f4fbf4ec4f7c6e
Diffstat (limited to 'infra/modules/base/tailscale.nix')
-rw-r--r--infra/modules/base/tailscale.nix52
1 files changed, 52 insertions, 0 deletions
diff --git a/infra/modules/base/tailscale.nix b/infra/modules/base/tailscale.nix
new file mode 100644
index 0000000..4fdee80
--- /dev/null
+++ b/infra/modules/base/tailscale.nix
@@ -0,0 +1,52 @@
+{
+ flake.modules.nixos.base =
+ { config, lib, ... }:
+ {
+ options.infra.tailscale = {
+ authenticate = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable automatic authentication with the authkey.";
+ };
+
+ ssh = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable Tailscale SSH.";
+ };
+ };
+
+ config =
+ let
+ cfg = config.infra.tailscale;
+
+ datadir = "/var/lib/tailscale";
+ in
+ {
+ sops.secrets."services/tailscale/auth_key" = { };
+
+ infra.persist.directories = [ datadir ];
+
+ systemd.services.tailscaled = {
+ serviceConfig.StateDirectory = "tailscale";
+ };
+
+ services.tailscale = {
+ enable = true;
+ authKeyFile =
+ if cfg.authenticate then config.sops.secrets."services/tailscale/auth_key".path else null;
+ extraUpFlags = lib.lists.optional cfg.ssh "--ssh";
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ "--statedir=${datadir}"
+ ];
+ };
+
+ virtualisation.vmVariant = {
+ # Use an auth key with ephemeral nodes so they get automatically
+ # deleted.
+ sops.secrets."services/tailscale/auth_key".key = lib.mkForce "services/tailscale/nixos_vm_auth_key";
+ };
+ };
+ };
+}
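Review bot: The auth key secret at `sops.secrets."services/tailscale/auth_key" = { };` is declared unconditionally, so every host importing the base module decrypts the Tailscale auth key into `/run/secrets` even when `infra.tailscale.authenticate` is left at its default of `false`; only the `authKeyFile` reference is gated. Gating the declaration itself keeps the key off hosts that never use it: `sops.secrets."services/tailscale/auth_key" = lib.mkIf cfg.authenticate { };` and, in the `vmVariant` block, `sops.secrets."services/tailscale/auth_key".key = lib.mkIf cfg.authenticate (lib.mkForce "services/tailscale/nixos_vm_auth_key");`, since the VM override would otherwise recreate the entry on its own. I believe `mkIf` on an `attrsOf` element is pushed down and the attribute dropped when false, but this is worth confirming against the sops-nix option type. The `--statedir=${datadir}` flag and `StateDirectory = "tailscale"` describe the same path; a one-line comment stating that both are set deliberately (persistence via `infra.persist` plus systemd-managed ownership) would save the next reader from treating one as redundant.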