nano: allow tailscale forwarding and SSH

1 files changed, 10 insertions, 6 deletions

diff --git a/system/nano.nix b/system/nano.nix
index be440a62..695d3f38 100644
--- a/system/nano.nix
+++ b/system/nano.nix
@@ -71,12 +71,19 @@ in
         "tailscale0"
       ];
       filterForward = true;
+      extraForwardRules = ''
+        iifname "tailscale0" oifname "${lan}" accept
+        iifname "${lan}" oifname "tailscale0" accept
+      '';
     };
     nftables.enable = true;
     nat = {
       enable = true;
       externalInterface = wan;
-      internalInterfaces = [ lan ];
+      internalInterfaces = [
+        lan
+        "tailscale0"
+      ];
     };
   };
   systemd.network = {
@@ -188,6 +195,8 @@ in
     '';
   };
 
+  services.openssh.openFirewall = false;
+
   services.dnsmasq = {
     enable = dnsmasqEnable;
     alwaysKeepRunning = true;
@@ -273,7 +282,6 @@ in
   services.tailscale = {
     enable = true;
     extraUpFlags = [
-      "--accept-dns=false"
       "--advertise-exit-node"
       "--advertise-routes=10.0.0.0/16,fd12:d04f:65d:42::/56"
     ];
@@ -318,10 +326,6 @@ in
     ];
   };
 
-  services.sshguard = {
-    enable = true;
-  };
-
   services.caddy = {
     enable = true;
     globalConfig = ''