base/programs.nix

@@ -3,7 +3,6 @@
     fish.enable = true;
     less.enable = true;
     mosh.enable = true;
-    tmux.enable = true;
 
     # setcap wrapper for network permissions
     bandwhich.enable = true;
@@ -21,12 +20,12 @@
     inherit
       (pkgs)
       # shell usage
-
+      
-      bat
       fd
       file
       ripgrep
       sd
+      tmux
       tokei
       tree
       wget
@@ -34,25 +33,38 @@
       pciutils
       usbutils
       # development
-
+      
-      agenix
       alejandra
       git
       git-crypt
       git-lfs
       gnumake
       gnupg
+      kakoune
       pinentry-qt
       python3
       vim
       # terminal utilities
       
+      bottom
       dogdns
       du-dust
       htop
       ldns # drill
+      tealdeer
       unzip
       zip
+      # nix pkgs lookup
+      
+      nix-index
+      agenix
+      cachix
+      ;
+
+    inherit
+      (pkgs.llvmPackages_16)
+      bintools
+      clang
       ;
   };
 }

hosts/boreal/default.nix

@@ -75,10 +75,7 @@
 
     pipewire.enable = true;
 
-    tailscale = {
+    tailscale.enable = true;
-      enable = true;
-      useRoutingFeatures = "both";
-    };
   };
 
   services = {

hosts/hades/default.nix

@@ -133,7 +133,7 @@ in {
 
     tailscale = {
       enable = true;
-      useRoutingFeatures = "server";
+      exitNode = true;
     };
 
     transmission = {

hosts/hephaestus/default.nix

@@ -49,11 +49,7 @@
 
   # List services that you want to enable:
   my.services = {
-    tailscale = {
+    tailscale.enable = true;
-      enable = true;
-      useRoutingFeatures = "client";
-    };
-
     pipewire.enable = true;
 
     restic-backup = {

hosts/thanatos/default.nix

@@ -28,10 +28,7 @@ in {
 
   # List services that you want to enable:
   my.services = {
-    tailscale = {
+    tailscale.enable = true;
-      enable = true;
-      useRoutingFeatures = "both";
-    };
   };
 
   services = {

services/tailscale.nix

@@ -8,30 +8,34 @@
     (lib)
     mkEnableOption
     mkIf
-    mkOption
-    types
     ;
 
   cfg = config.my.services.tailscale;
 in {
   options.my.services.tailscale = {
     enable = mkEnableOption "Tailscale";
-    useRoutingFeatures = mkOption {
+
-      type = types.enum [ "none" "client" "server" "both" ];
+    # NOTE: still have to do `tailscale up --advertise-exit-node`
-      default = "none";
+    exitNode = mkEnableOption "Use as exit node";
-    };
   };
 
   config = mkIf cfg.enable {
     services.tailscale = {
       enable = true;
       package = pkgs.tailscale;
-      openFirewall = true;
-      useRoutingFeatures = cfg.useRoutingFeatures;
     };
 
     networking.firewall = {
-      trustedInterfaces = [config.services.tailscale.interfaceName];
+      trustedInterfaces = ["tailscale0"];
+      allowedUDPPorts = [config.services.tailscale.port];
+      # needed for exit node usage
+      checkReversePath = mkIf (!cfg.exitNode) "loose";
+    };
+
+    # enable IP forwarding to use as exit node
+    boot.kernel.sysctl = mkIf cfg.exitNode {
+      "net.ipv6.conf.all.forwarding" = true;
+      "net.ipv4.ip_forward" = true;
     };
   };
 }