feat(tailscale): Enable warwick as exit node and subnet router

machines/warwick.nix

@@ -3,8 +3,11 @@
     arch = "aarch64-linux";
     isRaspberryPi = true;
 
-    nixosModule = {
+    nixosModule = { lib, ... }: {
-      lab.monitoring.server.enable = true;
+      lab = {
+        monitoring.server.enable = true;
+        tailscale.advertiseExitNode = true;
+      };
 
       services.bird2 = {
         enable = false;

nixos-modules/networking/default.nix

@@ -2,12 +2,10 @@
   config = {
     networking = {
       domain = "dmz";
-      nftables.enable = true;
+      nftables.enable = lib.mkDefault true;
       useDHCP = false;
 
-      firewall = {
+      firewall.enable = lib.mkDefault true;
-        enable = true;
-      };
     };
 
     systemd.network = {

nixos-modules/tailscale.nix

@@ -1,12 +1,26 @@
-{ config, ... }: {
+{ lib, config, ... }:
+let
+  cfg = config.lab.tailscale;
+in
+{
+  options = {
+    lab.tailscale.advertiseExitNode = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
   config = {
     services.tailscale = {
       enable = true;
       authKeyFile = config.sops.secrets."tailscale/authKey".path;
+      useRoutingFeatures = "server";
+      openFirewall = true;
 
       extraUpFlags = [
         "--hostname=${config.networking.hostName}"
-      ];
+      ] ++ lib.lists.optional cfg.advertiseExitNode "--advertise-exit-node"
+      ++ lib.lists.optional cfg.advertiseExitNode "--advertise-routes=192.168.30.0/24";
     };
 
     sops.secrets."tailscale/authKey" = { };