all repos — nixfiles @ e7947c75afedc750bf4aa97a1d8e32957dbdfedb

System and user configuration, managed by nix and home-manager

nano: allow tailscale forwarding and SSH

Alan Pearce
commit

e7947c75afedc750bf4aa97a1d8e32957dbdfedb

parent

cde930a37f8cc9298d53be24703a165aab1e27ea

1 file changed, 10 insertions(+), 6 deletions(-)

M system/nano.nixsystem/nano.nix
@@ -71,12 +71,19 @@ lan
"tailscale0" ]; filterForward = true; + extraForwardRules = '' + iifname "tailscale0" oifname "${lan}" accept + iifname "${lan}" oifname "tailscale0" accept + ''; }; nftables.enable = true; nat = { enable = true; externalInterface = wan; - internalInterfaces = [ lan ]; + internalInterfaces = [ + lan + "tailscale0" + ]; }; }; systemd.network = {
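Review bot: The two `extraForwardRules` lines accept every protocol and port between `tailscale0` and `${lan}` in both directions, so with `filterForward = true` the only remaining limit on what a tailnet peer can reach on the LAN is the tailnet's own ACL policy. If the goal is only to serve the advertised subnet route, the inbound rule could be scoped to it, e.g. `iifname "tailscale0" oifname "${lan}" ip daddr 10.0.0.0/16 accept` with an `ip6 daddr` twin, assuming the prefixes in `--advertise-routes` further down are the LAN. The `${lan}` to `tailscale0` rule is probably needed only if LAN hosts must open new connections to tailnet peers, since replies are likely already covered by the firewall's established/related handling; that is worth confirming. Adding `tailscale0` to `nat.internalInterfaces` also masquerades tailnet traffic out of `wan`, which fits the exit-node role but deserves a short comment saying so. The enclosing firewall and nat attribute sets start outside the hunk.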
@@ -188,6 +195,8 @@ MulticastDNS = true
''; }; + services.openssh.openFirewall = false; + services.dnsmasq = { enable = dnsmasqEnable; alwaysKeepRunning = true;
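Review bot: `services.openssh.openFirewall = false;` carries much of this commit's security intent but has no comment explaining it. With it set, port 22 is no longer opened globally, so sshd should be reachable only through interfaces the firewall already trusts. The same commit removes `services.sshguard` and root has an authorized key, so a comment such as `# sshd reachable only via trusted interfaces (LAN/tailscale0); keep 22 closed on WAN, sshguard was dropped on that basis` would help stop a later change from re-exposing it unthrottled. The trusted-interface list is only partly visible in this diff, so confirm that `wan` is not in it.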
@@ -273,7 +282,6 @@
services.tailscale = { enable = true; extraUpFlags = [ - "--accept-dns=false" "--advertise-exit-node" "--advertise-routes=10.0.0.0/16,fd12:d04f:65d:42::/56" ];
@@ -316,10 +324,6 @@ users.users.root = {
openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYUyDdw92TNXguAxcmcmZmn/7ECGdRp6ckjxU+5zCw3BCnsS5+xEvHBVnnFdJRoH2XpfMeJjE+fi67zFVhlbn4= root@secretive.marvin.local" ]; - }; - - services.sshguard = { - enable = true; }; services.caddy = {