Diffstat (limited to 'infra/modules/base')
-rw-r--r--infra/modules/base/secrets.yaml8
-rw-r--r--infra/modules/base/tailscale.nix52
2 files changed, 58 insertions, 2 deletions
diff --git a/infra/modules/base/secrets.yaml b/infra/modules/base/secrets.yaml
index 361d835..12ddd13 100644
--- a/infra/modules/base/secrets.yaml
+++ b/infra/modules/base/secrets.yaml
@@ -1,3 +1,7 @@
+services:
+ tailscale:
+ auth_key: ENC[AES256_GCM,data:QF/BuwVIxmvq2fpu0j8AvmkRUs7LdzetP/iRJO59b+/pcIVcpAbE9RPU4Jr2mPI0KmrluR2lUSnha46sIg==,iv:zIrrqshSKl+c6xKJm+60+nhFW5ZIVckZ6Uv8Meq42KY=,tag:b8DuWv6OPIt57vF1JVP35g==,type:str]
+ nixos_vm_auth_key: ENC[AES256_GCM,data:xXnpn4rAl4AMMxs9B9eMRoMtqCc6eudwh0Kb5WvQNUQ+DCWGzA4OpP4IhGDI94ldFkyiiFnW2vgV9qRRE+0=,iv:LppvzOqpIXJl1BHHF7BMKb0rcJC2c4JFPMjOFO5I7aM=,tag:RrMePFIN40oD8M250541Tg==,type:str]
hosts:
indra:
users:
@@ -13,7 +17,7 @@ sops:
X1SHrCHKm6P6QD5Nminy6tVZWP1BpGC+jcXas2lWq6URovNdMKSdPg==
-----END AGE ENCRYPTED FILE-----
recipient: age1jtl0m9t7rtfmh674zres8pecmcugv7yxamv8hkvlf3tk2g8p25nsnccslh
- lastmodified: "2026-06-01T06:57:19Z"
- mac: ENC[AES256_GCM,data:DZig1NCkYssUXxrGmKau2BpRr4l/Sap2XwyMwwvoZGj6oedS1oQyQnxSc5nitkNCW7xlkk4OgUYPiHqtxeFVIQ5hnfHdR8+rlkD64RcsPVWq+oyiTe8toWXbzpa9mHG6+XQp3iPybMVHfFrdRP0IZ6hNvbSS54ejH8CFDfZ9pYY=,iv:A1xBgPxWQrlmChD7qF/TpwknrjckuI6Fd/0pgHdM2+g=,tag:WK5kHak7ClTetpwqmollog==,type:str]
+ lastmodified: "2026-06-01T10:29:54Z"
+ mac: ENC[AES256_GCM,data:Kz6OH0IQ7qfH7CfRbt6Zs1W5Dy2Yb1rvngUA7EinsDvceRT8QJKLzmJQmWhFAK63mG9APTSInnljQrugLb9jzmjjJ7+L1S9hNfCzYrl4CTT3wr0D+7cc7c3y3LcEkLoDwNlAtDHlmXFxlx6IfDdxPuHGBc/IkP6eqPKU54R1fwA=,iv:gbNKaUCvnGrM5UabHETSJwzGspRXz5kfDjnWZrdDL4Q=,tag:oDNm+TKtur9py5xlwdtdiA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.1
diff --git a/infra/modules/base/tailscale.nix b/infra/modules/base/tailscale.nix
new file mode 100644
index 0000000..4fdee80
--- /dev/null
+++ b/infra/modules/base/tailscale.nix
@@ -0,0 +1,52 @@
+{
+ flake.modules.nixos.base =
+ { config, lib, ... }:
+ {
+ options.infra.tailscale = {
+ authenticate = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable automatic authentication with the authkey.";
+ };
+
+ ssh = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to enable Tailscale SSH.";
+ };
+ };
+
+ config =
+ let
+ cfg = config.infra.tailscale;
+
+ datadir = "/var/lib/tailscale";
+ in
+ {
+ sops.secrets."services/tailscale/auth_key" = { };
+
+ infra.persist.directories = [ datadir ];
+
+ systemd.services.tailscaled = {
+ serviceConfig.StateDirectory = "tailscale";
+ };
+
+ services.tailscale = {
+ enable = true;
+ authKeyFile =
+ if cfg.authenticate then config.sops.secrets."services/tailscale/auth_key".path else null;
+ extraUpFlags = lib.lists.optional cfg.ssh "--ssh";
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ "--statedir=${datadir}"
+ ];
+ };
+
+ virtualisation.vmVariant = {
+ # Use an auth key with ephemeral nodes so they get automatically
+ # deleted.
+ sops.secrets."services/tailscale/auth_key".key = lib.mkForce "services/tailscale/nixos_vm_auth_key";
+ };
+ };
+ };
+}
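Review bot: The auth-key secret is declared unconditionally at `sops.secrets."services/tailscale/auth_key" = { };`, so every host importing this base module decrypts the key to disk even when `infra.tailscale.authenticate` is left at its default of false and `authKeyFile` is null; only hosts that actually authenticate need that material present. Guarding the declaration, `sops.secrets."services/tailscale/auth_key" = lib.mkIf cfg.authenticate { };`, keeps the key off hosts that do not use it, and the `.key = lib.mkForce ...` override in `virtualisation.vmVariant` would presumably need the same `lib.mkIf cfg.authenticate` wrapper so it does not re-introduce the attribute in the VM variant. The `ssh` option's description could also say what turning it on means operationally, e.g. `description = "Whether to enable Tailscale SSH; access is then governed by the tailnet ACL policy rather than the host's sshd configuration.";`, since a reader of the option cannot tell from "Whether to enable Tailscale SSH" where authorization happens. A short comment on `--no-logs-no-support` explaining why daemon logging to the Tailscale log service is disabled would help the next maintainer, as it also removes that data source for troubleshooting.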