From 2e8589c3fa97ec24f7de38b87cb04af33502184f Mon Sep 17 00:00:00 2001 From: Philipp Hochkamp Date: Tue, 12 Jul 2022 10:41:55 +0200 Subject: [PATCH] tailscale exit node --- hosts/ds9/default.nix | 2 ++ nixos-modules/networking/tailscale.nix | 10 +++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index e1c9e15d..3ef293b1 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix @@ -224,6 +224,8 @@ in nginx.enable = true; jellyfin.enable = true; tailscale.enable = true; + tailscale.exitNode = true; + tailscale.extraUpCommands = "--advertise-routes=10.0.0.0/16"; grafana.enable = true; libvirt.enable = true; paperless.enable = true; diff --git a/nixos-modules/networking/tailscale.nix b/nixos-modules/networking/tailscale.nix index 52047305..bc1d1167 100644 --- a/nixos-modules/networking/tailscale.nix +++ b/nixos-modules/networking/tailscale.nix @@ -4,6 +4,8 @@ let in { options.ragon.services.tailscale.enable = lib.mkEnableOption "Enables tailscale"; + options.ragon.services.tailscale.exitNode = lib.mkEnableOption "Exit Node"; + options.ragon.services.tailscale.extraUpCommands = lib.my.mkOpt lib.types.str ""; config = lib.mkIf cfg.enable { # enable the tailscale service ragon.persist.extraDirectories = [ @@ -11,10 +13,16 @@ in ]; services.tailscale.enable = true; ragon.agenix.secrets.tailscaleKey = { }; + boot.kernel.sysctl = lib.mkIf cfg.exitNode { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; networking.firewall = { # always allow traffic from your Tailscale network trustedInterfaces = [ "tailscale0" ]; + + checkReversePath = lib.mkDefault "loose"; # allow the Tailscale UDP port through the firewall allowedUDPPorts = [ config.services.tailscale.port ]; }; 
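Review bot: The `--advertise-routes=10.0.0.0/16` line turns ds9 into a subnet router for what looks like the entire LAN, and nothing in this file limits who may use it: the module marks tailscale0 as a trusted interface and, as far as I can tell, the NixOS firewall does not filter forwarded traffic by default, so reachability of every 10.0.0.0/16 host from the tailnet rests solely on the tailnet ACL and route approval. That can be a reasonable design, but it should be stated next to the line, e.g. `# subnet router for the LAN: access is controlled only by the tailnet ACL; ds9's firewall does not filter forwarded traffic`. If only a few hosts need to be reachable, advertising narrower prefixes would shrink the blast radius of a compromised peer.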
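Review bot: `extraUpCommands` is declared as a bare `lib.types.str` with no description even though its value is spliced verbatim into a shell command line, and the name suggests commands when it only ever carries `tailscale up` flags. Typing it as a list makes the contract explicit and lets the consumer quote each element: `options.ragon.services.tailscale.extraUpCommands = lib.my.mkOpt (lib.types.listOf lib.types.str) [];` (assuming `lib.my.mkOpt` takes `type default`, which the existing call suggests; ds9 would then pass `[ "--advertise-routes=10.0.0.0/16" ]`). The `exitNode` description should also mention its side effects, since enabling it turns on kernel forwarding: `lib.mkEnableOption "advertising this host as a Tailscale exit node (also enables net.ipv4.ip_forward and net.ipv6.conf.all.forwarding)"`.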
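Review bot: `checkReversePath = lib.mkDefault "loose"` is applied to every host that enables this module, while the forwarding sysctls directly above it are gated on `cfg.exitNode`; relaxing reverse-path filtering is only needed for the exit-node/subnet-router case, and on an ordinary client it just weakens anti-spoofing for no benefit. Gate it the same way: `checkReversePath = lib.mkIf cfg.exitNode (lib.mkDefault "loose");`. Note also that `net.ipv4.ip_forward = 1` is global, so the host forwards between all of its interfaces, and that a host passing `--advertise-routes` through `extraUpCommands` without `exitNode` gets no forwarding at all — ds9 only works because it sets both. A short comment on the sysctl block stating these two facts would spare the next reader a surprise.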
@@ -41,7 +49,7 @@ in
  fi
  key=$(<${config.age.secrets.tailscaleKey.path})
  # otherwise authenticate with tailscale
- ${tailscale}/bin/tailscale up -authkey $key
+ ${tailscale}/bin/tailscale up -authkey $key ${lib.optionalString cfg.exitNode "--advertise-exit-node"} ${cfg.extraUpCommands}
  '';
  };
  };
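Review bot: The new advertise flags are appended only to the `tailscale up -authkey` invocation, which from the preceding `fi` appears to be the not-yet-authenticated branch (the condition itself is outside the hunk); a host that is already enrolled, like ds9 presumably is, would therefore keep its old prefs and never start advertising until it is re-keyed. Consider re-applying the flags on the already-authenticated path as well. Separately, `$key` and `${cfg.extraUpCommands}` are both unquoted, so the string option is word-split by the shell and any metacharacters in it are interpreted; `-authkey "$key"` plus `${lib.escapeShellArgs cfg.extraUpCommands}` (with the option typed as a list), or at least quoting `$key`, avoids that. The enclosing script and its `if` start outside the hunk.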