From c646bff54d5681265a2fbf6c9c55251edd585d87 Mon Sep 17 00:00:00 2001
From: arcnmx <git@git.arcn.mx>
Date: Sat, 29 Apr 2023 13:53:11 -0700
Subject: [PATCH] tailscale-autoconnect.service

---
 modules/nixos/network.nix | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/modules/nixos/network.nix b/modules/nixos/network.nix
index 7983bd63..300aab87 100644
--- a/modules/nixos/network.nix
+++ b/modules/nixos/network.nix
@@ -2,7 +2,6 @@
   config,
   lib,
   pkgs,
-  meta,
   ...
 }:
 with lib; {
@@ -16,11 +15,42 @@ with lib; {
     networking.domain = "inskip.me";
 
     networking.firewall = {
-      trustedInterfaces = ["tailscale0"];
-      allowedTCPPorts = [5200];
+      trustedInterfaces = [config.services.tailscale.interfaceName];
       allowedUDPPorts = [config.services.tailscale.port];
     };
 
     services.tailscale.enable = true;
+
+    sops.secrets.tailscale-key = { };
+    systemd.services.tailscale-autoconnect = mkIf config.services.tailscale.enable rec {
+      description = "Automatic connection to Tailscale";
+
+      # make sure tailscale is running before trying to connect to tailscale
+      after = wants ++ wantedBy;
+      wants = [ "network-pre.target" ];
+      wantedBy = [ "tailscaled.service" ];
+
+      # set this service as a oneshot job
+      serviceConfig = {
+        Type = "oneshot";
+      };
+
+      # have the job run this shell script
+      script = with pkgs; ''
+        # wait for tailscaled to settle
+        sleep 2
+
+        # check if we are already authenticated to tailscale
+        status="$(${getExe tailscale} status -json | ${getExe jq} -r .BackendState)"
+        if [[ $status = Running ]]; then
+          # if so, then do nothing
+          exit 0
+        fi
+
+        # otherwise authenticate with tailscale
+        # to-do: --advertise-exit-node
+        ${getExe tailscale} up -authkey $(cat ${config.sops.secrets.tailscale-key.path})
+      '';
+    };
   };
 }