From 0a862d59a258f17aa2713a446d99a29cadcb1a46 Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Sat, 10 Sep 2022 09:34:50 -0600
Subject: [PATCH] net-overlay: add ability to have ssh-only hosts

---
 configs/net-overlay.nix | 26 ++++++++++++++++++++++++++
 flake.nix               |  3 ++-
 hosts/h/default.nix     |  2 +-
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/configs/net-overlay.nix b/configs/net-overlay.nix
index 9791710..86f07c6 100644
--- a/configs/net-overlay.nix
+++ b/configs/net-overlay.nix
@@ -16,6 +16,13 @@ with lib; {
       example = true;
       type = lib.types.bool;
     };
+    sshOnly = mkOption {
+      description =
+        "Enable TailScale with only ssh traffic to the tailnet allowed";
+      default = false;
+      example = true;
+      type = lib.types.bool;
+    };
   };
 };
 
@@ -24,6 +31,25 @@ with lib; {
     services = { tailscale = { enable = true; }; };
     networking.firewall.checkReversePath = "loose";
   })
+  (mkIf (config.tailscale.enable && config.tailscale.sshOnly) {
+    sops.secrets = {
+      ts_sshonly = {
+        sopsFile = config.xin-secrets.net-overlays;
+        owner = "root";
+        mode = "400";
+      };
+    };
+    systemd.services = {
+      "tailscale-ssh-init" = {
+        wantedBy = [ "tailscaled.service" ];
+        after = [ "tailscaled.service" ];
+        serviceConfig = {
+          ExecStart =
+            "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.ts_sshonly.path}";
+        };
+      };
+    };
+  })
   (mkIf config.zerotier.enable {
     environment.systemPackages = with pkgs; [ zerotierone ];
     services = {
diff --git a/flake.nix b/flake.nix
index 1549708..f3983b8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,8 @@
       url = "git+ssh://xin-secrets-ro/qbit/xin-secrets.git?ref=main";
     };
 
-    unstable.url = "github:NixOS/nixpkgs/3b7f5114375d58107098f39e2b6d6e099782fc18";
+    unstable.url =
+      "github:NixOS/nixpkgs/3b7f5114375d58107098f39e2b6d6e099782fc18";
     unstableSmall.url = "github:NixOS/nixpkgs/nixos-unstable-small";
     stable.url = "github:NixOS/nixpkgs/nixos-22.05-small";
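Review bot: Nothing in the new `sshOnly` option or the `tailscale-ssh-init` service actually restricts traffic to ssh — `tailscale up --auth-key …` only authenticates the node, so the "only ssh traffic to the tailnet allowed" promise in the option description must be coming from the tailnet ACL attached to whatever key is stored in `ts_sshonly`, which this module neither sets (no `--advertise-tags`) nor checks. Record that dependency next to the option so a key rotation cannot silently widen access, e.g. `# Enforcement lives in the tailnet ACL bound to the ts_sshonly key; this module only authenticates with it.`. Separately, the unit runs `tailscale up` on every start of tailscaled with the default `Type=simple`, and `after = [ "tailscaled.service" ]` orders on unit start rather than on the control socket being usable, so the first attempt may race tailscaled; `Type = "oneshot"` with a short retry, plus a note that `ts_sshonly` must be a reusable key if re-running on each boot is intended, would make boot behavior predictable. The block is also gated on `config.tailscale.enable`, whose default is outside this hunk; an assertion such as `assertions = [{ assertion = config.tailscale.sshOnly -> config.tailscale.enable; message = "tailscale.sshOnly requires tailscale.enable"; }];` would catch a host that sets only `sshOnly`. The enclosing `config` list starts and ends outside the hunk.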
diff --git a/hosts/h/default.nix b/hosts/h/default.nix
index 0e55229..e5197a2 100644
--- a/hosts/h/default.nix
+++ b/hosts/h/default.nix
@@ -24,7 +24,7 @@ in {
   boot.kernelParams = [ "net.ifnames=0" ];
 
-  tailscale.enable = false;
+  tailscale.sshOnly = true;
 
   sops.secrets = {
     synapse_signing_key = {
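Review bot: Replacing `tailscale.enable = false;` with `tailscale.sshOnly = true;` leaves `tailscale.enable` at its module default, which is not visible in this diff, while the new module code is gated on `config.tailscale.enable && config.tailscale.sshOnly`; if that default is `false` this host gets neither Tailscale nor the ssh-only init, with no evaluation error. Setting both explicitly, `tailscale.enable = true;` beside `tailscale.sshOnly = true;`, makes the intent self-evident and survives a later change of the default. The prior explicit `enable = false` hints the default may be `true`, but the host file should not depend on that. The enclosing attribute set (`in {`) starts outside the hunk.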