nixos-servers/modules/tailscale.nix

{
  lib,
  config,
  ...
}: let
  cfg = config.lab.tailscale;
in {
  options = {
    lab.tailscale = {
      enable = lib.mkEnableOption "tailscale";

      advertiseExitNode = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services.tailscale = {
      enable = true;
      authKeyFile = config.sops.secrets."tailscale/authKey".path;
      useRoutingFeatures = "server";
      openFirewall = true;

      extraUpFlags =
        [
          "--accept-dns=false"
          "--hostname=${config.networking.hostName}"
        ]
        ++ lib.lists.optional cfg.advertiseExitNode "--advertise-exit-node"
        ++ lib.lists.optional cfg.advertiseExitNode "--advertise-routes=192.168.30.0/24";
    };

    sops.secrets."tailscale/authKey" = {};

    systemd.network.wait-online.ignoredInterfaces = ["tailscale0"];
  };
}