From 693e44a8fec72a65dd24c1e6ce1043fd81cd1edc Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:39:14 +0100
Subject: [PATCH 1/3] base: programs: enable tmux globally
---
base/programs.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/programs.nix b/base/programs.nix
index 5d69fe2..60b9f8a 100644
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -3,6 +3,7 @@
 fish.enable = true;
 less.enable = true;
 mosh.enable = true;
+ tmux.enable = true;
 # setcap wrapper for network permissions
 bandwhich.enable = true;
From b5e1c6c608b780f2fb11fb5f6c786500b24150cd Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:39:30 +0100
Subject: [PATCH 2/3] base: programs: cleanup path
---
base/programs.nix | 21 ++++-----------------
1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/base/programs.nix b/base/programs.nix
index 60b9f8a..f5667b0 100644
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -21,12 +21,12 @@
 inherit
 (pkgs)
 # shell usage
-
+
+ bat
 fd
 file
 ripgrep
 sd
- tmux
 tokei
 tree
 wget
@@ -34,38 +34,25 @@
 pciutils
 usbutils
 # development
-
+
+ agenix
 alejandra
 git
 git-crypt
 git-lfs
 gnumake
 gnupg
- kakoune
 pinentry-qt
 python3
 vim
 # terminal utilities
- bottom
 dogdns
 du-dust
 htop
 ldns # drill
- tealdeer
 unzip
 zip
- # nix pkgs lookup
-
- nix-index
- agenix
- cachix
- ;
-
- inherit
- (pkgs.llvmPackages_16)
- bintools
- clang
 ;
 };
 }
From 73cb52915fa76ff0af3e22bd363774fd3ce4dcf7 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:43:53 +0100
Subject: [PATCH 3/3] services: tailscale: refacto
---
hosts/boreal/default.nix | 5 ++++-
hosts/hades/default.nix | 2 +-
hosts/hephaestus/default.nix | 6 +++++-
hosts/thanatos/default.nix | 5 ++++-
services/tailscale.nix | 22 +++++++++-------------
5 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index c6d9c3f..f820f69 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -75,7 +75,10 @@
 pipewire.enable = true;
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
 };
 services = {
diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
index 0cb891b..0e4191b 100644
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -133,7 +133,7 @@ in {
 tailscale = {
 enable = true;
- exitNode = true;
+ useRoutingFeatures = "server";
 };
 transmission = {
diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix
index f5cf2e4..5d4cced 100644
--- a/hosts/hephaestus/default.nix
+++ b/hosts/hephaestus/default.nix
@@ -49,7 +49,11 @@
 # List services that you want to enable:
 my.services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
 pipewire.enable = true;
 restic-backup = {
diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix
index 5a6711d..15cf5ce 100644
--- a/hosts/thanatos/default.nix
+++ b/hosts/thanatos/default.nix
@@ -28,7 +28,10 @@ in {
 # List services that you want to enable:
 my.services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
 };
 services = {
diff --git a/services/tailscale.nix b/services/tailscale.nix
index 41fe9f8..6de7cc0 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
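Review bot: The new `useRoutingFeatures = "both";` line carries no comment saying what role this host plays on the tailnet, and the same applies to `"client"` in hosts/hephaestus/default.nix and `"both"` in hosts/thanatos/default.nix. As I read the upstream NixOS module, this value is not just a label: "server" and "both" turn on IPv4/IPv6 forwarding through boot.kernel.sysctl, and "client" and "both" relax networking.firewall.checkReversePath to "loose", both of which the old code gated behind the explicit `exitNode` option. A one-line comment per host, e.g. `useRoutingFeatures = "both"; # forwards traffic for tailnet peers (exit node) and accepts routes from them`, would let a later reader judge whether forwarding on this machine is still intended. The enclosing `my.services` attrset starts before the hunk.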
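Review bot: Replacing `exitNode = true;` with `useRoutingFeatures = "server";` in hosts/hades/default.nix loses the reminder that sat next to the old option: enabling forwarding on the host does not make it an exit node, which still has to be advertised with `tailscale up --advertise-exit-node` (or an equivalent up-flag, if the service's autoconnect path is used). Nothing in this hunk or in the rewritten services/tailscale.nix carries that reminder forward, so I would keep it here, e.g. `useRoutingFeatures = "server"; # exit node; advertising it is still a manual tailscale up --advertise-exit-node`. The enclosing `my.services` block starts before the hunk.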
@@ -8,34 +8,30 @@
 (lib)
 mkEnableOption
 mkIf
+ mkOption
+ types
 ;
 cfg = config.my.services.tailscale;
 in {
 options.my.services.tailscale = {
 enable = mkEnableOption "Tailscale";
-
- # NOTE: still have to do `tailscale up --advertise-exit-node`
- exitNode = mkEnableOption "Use as exit node";
+ useRoutingFeatures = mkOption {
+ type = types.enum [ "none" "client" "server" "both" ];
+ default = "none";
+ };
 };
 config = mkIf cfg.enable {
 services.tailscale = {
 enable = true;
 package = pkgs.tailscale;
+ openFirewall = true;
+ useRoutingFeatures = cfg.useRoutingFeatures;
 };
 networking.firewall = {
- trustedInterfaces = ["tailscale0"];
- allowedUDPPorts = [config.services.tailscale.port];
- # needed for exit node usage
- checkReversePath = mkIf (!cfg.exitNode) "loose";
- };
-
- # enable IP forwarding to use as exit node
- boot.kernel.sysctl = mkIf cfg.exitNode {
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv4.ip_forward" = true;
+ trustedInterfaces = [config.services.tailscale.interfaceName];
 };
 };
 }
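Review bot: The new `useRoutingFeatures` option is declared without a `description`, so the generated option docs and `nixos-option` show nothing for it, and the NOTE removed a few lines above (`tailscale up --advertise-exit-node`) still holds for "server"/"both": the option only prepares forwarding and the reverse-path check, it does not advertise routes or an exit node. I would add, inside the mkOption, `description = "Forwarded to services.tailscale.useRoutingFeatures; server/both enable IP forwarding, client/both set checkReversePath = loose. Advertising routes or the exit node is still done with tailscale up.";`. On the firewall side, the rewritten `trustedInterfaces = [config.services.tailscale.interfaceName];` still exempts every tailnet peer from the host firewall, which is broader than what `openFirewall = true` needs; if that is intentional, a comment stating that all tailnet nodes are trusted would make the trust boundary explicit. The enclosing let/in expression starts before the hunk.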