refactor: centrally manage the network configuration of all hosts in homelab

feat: new host - tailscalw-gw

modules/base.nix

@@ -25,9 +25,9 @@
     #    2. Never leave the device and never sent over the network.
     # 2. Or just use hardware security keys like Yubikey/CanoKey.
     openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
-      ""
     ];
   };
 

modules/nixos/desktop/remote-desktop/tailscale.nix

@@ -16,8 +16,8 @@
 # How to use:
 #  1. Create a Tailscale account at https://login.tailscale.com
 #  2. Login via `tailscale login`
-#  3. join into your Tailscale network via `tailscale up`
-#  4. If you prefer automatic connection to Tailscale, then generate a authkey, and uncomment the systemd service below.
+#  3. join into your Tailscale network via `tailscale up --accept-routes`
+#  4. If you prefer automatic connection to Tailscale, use the `authKeyFile` option` in the config below.
 #
 # Status Data:
 #   `journalctl -u tailscaled` shows tailscaled's logs
@@ -25,7 +25,7 @@
 #   which is already persistent across reboots(via impermanence.nix)
 #
 # References:
-#   https://tailscale.com/blog/nixos-minecraft
+# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/tailscale.nix
 #
 # =============================================================
 {
@@ -33,44 +33,14 @@
   environment.systemPackages = [pkgs.tailscale];
 
   # enable the tailscale service
-  services.tailscale.enable = true;
-
-  # create a oneshot job to authenticate to Tailscale
-  # systemd.services.tailscale-autoconnect = {
-  #   description = "Automatic connection to Tailscale";
-  #
-  #   # make sure tailscale is running before trying to connect to tailscale
-  #   after = ["network-pre.target" "tailscale.service"];
-  #   wants = ["network-pre.target" "tailscale.service"];
-  #   wantedBy = ["multi-user.target"];
-  #
-  #   # set this service as a oneshot job
-  #   serviceConfig.Type = "oneshot";
-  #
-  #   # have the job run this shell script
-  #   script = with pkgs; ''
-  #     # wait for tailscaled to settle
-  #     sleep 2
-  #
-  #     # check if we are already authenticated to tailscale
-  #     status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
-  #     if [ $status = "Running" ]; then # if so, then do nothing
-  #       exit 0
-  #     fi
-  #
-  #     # otherwise authenticate with tailscale
-  #     ${tailscale}/bin/tailscale up -authkey file:${config.age.secrets.tailscale-authkey.path}
-  #   '';
-  # };
-
-  networking.firewall = {
-    # always allow traffic from your Tailscale network
-    trustedInterfaces = ["tailscale0"];
-
+  services.tailscale = {
+    enable = true;
+    port = 41641;
+    interfaceName = "tailscale0";
     # allow the Tailscale UDP port through the firewall
-    allowedUDPPorts = [config.services.tailscale.port];
-
-    # allow you to SSH in over the public internet
-    allowedTCPPorts = [22];
+    openFirewall = true;
+    useRoutingFeatures = "client";
+    extraUpFlags = "--accept-routes";
+    # authKeyFile = "/var/lib/tailscale/authkey";
   };
 }