configure rivendell to be an exit node for tailscale

author: Franck Cuny <franck@fcuny.net> 2025-10-24 09:52:19 -0700
committer: Franck Cuny <franck@fcuny.net> 2025-10-24 09:52:19 -0700
commit: 49e44fb20ca693f5dd9ba5f804b29b019105e3aa (patch)
tree: aa6b10fd41ecdb59867924b0fb5e650a2cd73871 /machines/nixos/x86_64-linux/rivendell.nix
parent: simplify hosts management (diff)
download: infra-49e44fb20ca693f5dd9ba5f804b29b019105e3aa.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index dc0205d..271da7f 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -23,6 +23,9 @@
       wireguard = {
         file = ../../../secrets/rivendell/wireguard.age;
       };
+      ts = {
+        file = ../../../secrets/rivendell/ts.age;
+      };
     };
   };
 
@@ -79,6 +82,17 @@
 
   networking.firewall.allowedUDPPorts = [ 51871 ];
 
+  services.tailscale = {
+    useRoutingFeatures = "both";
+    authKeyFile = config.age.secrets.ts.path;
+    extraSetFlags = [
+      "--accept-dns=true"
+      "--accept-routes=true"
+      "--advertise-exit-node=true"
+      "--ssh"
+    ];
+  };
+
   my.modules.hardware.baremetal.enable = true;
   my.modules.remote-unlock.enable = true;
author	Franck Cuny <franck@fcuny.net>	2025-10-24 09:52:19 -0700
committer	Franck Cuny <franck@fcuny.net>	2025-10-24 09:52:19 -0700
commit	49e44fb20ca693f5dd9ba5f804b29b019105e3aa (patch)
tree	aa6b10fd41ecdb59867924b0fb5e650a2cd73871 /machines/nixos/x86_64-linux/rivendell.nix
parent	simplify hosts management (diff)
download	infra-49e44fb20ca693f5dd9ba5f804b29b019105e3aa.tar.gz