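# NixOS module: opt-in Tailscale client for lab hosts. A host can additionally
# act as an exit node and/or subnet router for the lab LAN; IP forwarding is
# only enabled when it actually relays traffic for other nodes.
{ lib, config, ... }:
let
  cfg = config.lab.tailscale;

  # True when this host is expected to forward traffic for the tailnet
  # (exit node or subnet router). Used to gate the routing sysctls below.
  isRouter = cfg.advertiseExitNode || cfg.advertiseRoutes != [ ];
in
{
  options.lab.tailscale = {
    enable = lib.mkEnableOption "tailscale";

    advertiseExitNode = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Advertise this host as a Tailscale exit node (`--advertise-exit-node`).
        The advertised route still has to be approved in the tailnet admin
        console before other nodes can use it.
      '';
    };

    advertiseRoutes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      # Backward compatible with the previous hard-coded behaviour: an exit
      # node also advertised the lab LAN. Set this explicitly to advertise a
      # subnet without being an exit node, or `[ ]` to advertise none.
      default = lib.optional cfg.advertiseExitNode "192.168.30.0/24";
      defaultText = lib.literalExpression ''lib.optional cfg.advertiseExitNode "192.168.30.0/24"'';
      example = [ "192.168.30.0/24" ];
      description = ''
        Subnets (CIDR) to advertise to the tailnet via `--advertise-routes`.
        Routes must be approved in the admin console before they take effect.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.tailscale = {
      enable = true;

      # Pre-auth key is read from the sops-managed secret declared below at
      # runtime, so it never lands in the Nix store.
      authKeyFile = config.sops.secrets."tailscale/authKey".path;

      # "server" enables IP forwarding; keep it off on hosts that do not relay
      # traffic. NOTE(review): a host that *uses* an exit node needs "client"
      # (loose rp_filter) — add that if such hosts appear.
      useRoutingFeatures = if isRouter then "server" else "none";

      # Opens tailscaled's UDP listen port so peers can connect directly.
      openFirewall = true;

      extraUpFlags = [
        # Keep the host's own resolver config; MagicDNS is not applied here.
        "--accept-dns=false"
        "--hostname=${config.networking.hostName}"
      ]
      ++ lib.optional cfg.advertiseExitNode "--advertise-exit-node"
      ++ lib.optional (cfg.advertiseRoutes != [ ])
        "--advertise-routes=${lib.concatStringsSep "," cfg.advertiseRoutes}";
    };

    # Default sops ownership/mode (root, 0400) is what tailscaled (root) needs.
    sops.secrets."tailscale/authKey" = { };

    # Do not let network-online.target wait on the tailnet interface.
    systemd.network.wait-online.ignoredInterfaces = [ "tailscale0" ];
  };
}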