net-overlay: add ability to have ssh-only hosts

configs/net-overlay.nix

@@ -16,6 +16,13 @@ with lib; {
         example = true;
         type = lib.types.bool;
       };
+      sshOnly = mkOption {
+        description =
+          "Enable TailScale with only ssh traffic to the tailnet allowed";
+        default = false;
+        example = true;
+        type = lib.types.bool;
+      };
     };
   };
 
@@ -24,6 +31,25 @@ with lib; {
       services = { tailscale = { enable = true; }; };
       networking.firewall.checkReversePath = "loose";
     })
+    (mkIf (config.tailscale.enable && config.tailscale.sshOnly) {
+      sops.secrets = {
+        ts_sshonly = {
+          sopsFile = config.xin-secrets.net-overlays;
+          owner = "root";
+          mode = "400";
+        };
+      };
+      systemd.services = {
+        "tailscale-ssh-init" = {
+          wantedBy = [ "tailscaled.service" ];
+          after = [ "tailscaled.service" ];
+          serviceConfig = {
+            ExecStart =
+              "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.ts_sshonly.path}";
+          };
+        };
+      };
+    })
     (mkIf config.zerotier.enable {
       environment.systemPackages = with pkgs; [ zerotierone ];
       services = {

flake.nix

@@ -6,7 +6,8 @@
       url = "git+ssh://xin-secrets-ro/qbit/xin-secrets.git?ref=main";
     };
 
-    unstable.url = "github:NixOS/nixpkgs/3b7f5114375d58107098f39e2b6d6e099782fc18";
+    unstable.url =
+      "github:NixOS/nixpkgs/3b7f5114375d58107098f39e2b6d6e099782fc18";
     unstableSmall.url = "github:NixOS/nixpkgs/nixos-unstable-small";
 
     stable.url = "github:NixOS/nixpkgs/nixos-22.05-small";

hosts/h/default.nix

@@ -24,7 +24,7 @@ in {
 
   boot.kernelParams = [ "net.ifnames=0" ];
 
-  tailscale.enable = false;
+  tailscale.sshOnly = true;
 
   sops.secrets = {
     synapse_signing_key = {