From aa7bbc5932c09435e5b26f57ec6e6b99aa873e56 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Thu, 23 Jun 2022 22:30:07 -0400
Subject: [PATCH] Use Tailscale

---
 common/network/default.nix            | 13 +++++++++++++
 common/network/tailscale.nix          | 16 ++++++++++++++++
 common/network/vpn.nix                |  2 +-
 machines/ponyo/configuration.nix      |  3 +++
 machines/storage/s0/configuration.nix |  3 +++
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 common/network/tailscale.nix

diff --git a/common/network/default.nix b/common/network/default.nix
index 7f87dc5..70529e7 100644
--- a/common/network/default.nix
+++ b/common/network/default.nix
@@ -1,10 +1,23 @@
 { config, lib, ... }:
+with lib;
+
+let
+  cfg = config.networking;
+in
 {
   imports = [
     ./hosts.nix
     ./pia-openvpn.nix
+    ./tailscale.nix
     ./vpn.nix
     ./zerotier.nix
   ];
+
+  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
+
+  config = mkIf cfg.ip_forward {
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+  };
 }
\ No newline at end of file
diff --git a/common/network/tailscale.nix b/common/network/tailscale.nix
new file mode 100644
index 0000000..f0e65c7
--- /dev/null
+++ b/common/network/tailscale.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tailscale;
+in
+{
+  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
+
+  config.services.tailscale.enable = true;
+
+  # exit node
+  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
+  config.networking.ip_forward = mkIf cfg.exitNode true;
+}
\ No newline at end of file
diff --git a/common/network/vpn.nix b/common/network/vpn.nix
index d991e8a..8a8886f 100644
--- a/common/network/vpn.nix
+++ b/common/network/vpn.nix
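Review bot: `mkEnableOption "Enable ip forwarding"` in default.nix yields the description "Whether to enable Enable ip forwarding.", because mkEnableOption already prepends "Whether to enable "; the argument should be the bare noun phrase, `options.networking.ip_forward = mkEnableOption "IP forwarding (IPv4 and IPv6)";`, and the same doubling applies to `mkEnableOption "Enable exit node support"` in the new tailscale.nix. The option also deserves a why-comment on its config block: it flips both address families with one switch, and setting `net.ipv6.conf.all.forwarding` to 1 makes the kernel behave as an IPv6 router, which with the default `accept_ra=1` means router advertisements are ignored, so a host that gets its IPv6 address via SLAAC can lose connectivity unless `accept_ra=2` is set on the uplink. Something like `# NOTE: ipv6 forwarding=1 also disables RA acceptance (accept_ra=1); set accept_ra=2 on SLAAC uplinks` would save the next reader that surprise.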
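Review bot: `config.services.tailscale.enable = true;` in tailscale.nix turns tailscaled on for every host that imports common/network (default.nix now pulls this file in) with no per-host opt-out; `config.services.tailscale.enable = mkDefault true;` keeps the shared default while letting an individual machine set it to false. The exit-node branch additionally assigns `networking.ip_forward`, an option this file does not declare — it is only defined in default.nix — so importing tailscale.nix on its own will fail to evaluate; a comment such as `# requires ./default.nix, which declares networking.ip_forward` makes that coupling explicit. The `# exit node` comment should also state the trade-off on the next line: `checkReversePath = "loose"` relaxes reverse-path filtering for every interface on the host, not only the Tailscale one, which is what forwarding peer traffic out of the tailnet needs but also weakens anti-spoofing on the other interfaces.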
@@ -88,7 +88,7 @@ in
       networking.nat.internalInterfaces = [ "ve-${cfg.containerName}" ];
-      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+      networking.ip_forward = true;
       # assumes only one potential interface
       networking.usePredictableInterfaceNames = false;
diff --git a/machines/ponyo/configuration.nix b/machines/ponyo/configuration.nix
index 4bee05e..b2e4fbf 100644
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@@ -63,6 +63,9 @@
     };
   };
+  # tailscale
+  services.tailscale.exitNode = true;
+
   # icecast endpoint + website
   services.nginx.virtualHosts."radio.runyan.org" = {
     enableACME = true;
diff --git a/machines/storage/s0/configuration.nix b/machines/storage/s0/configuration.nix
index 96d6efc..d98896c 100644
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -145,6 +145,9 @@
       proxyWebsockets = true;
     };
+  # tailscale
+  services.tailscale.exitNode = true;
+
   nixpkgs.overlays = [
     (final: prev: {
       radarr = prev.radarr.overrideAttrs (old: rec {
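Review bot: The replacement `networking.ip_forward = true;` in vpn.nix is not equivalent to the removed line: the removed sysctl enabled IPv4 forwarding only, whereas the new option (as defined in default.nix in this same patch) also sets `net.ipv6.conf.all.forwarding`, so the host running the VPN container now forwards IPv6 as well, which the NAT configured on the preceding `networking.nat.internalInterfaces` line does not appear to cover. If IPv6 forwarding is not intended here, keep the IPv4-only sysctl; otherwise document the widened scope, e.g. `# networking.ip_forward also enables IPv6 forwarding on this host`. The enclosing attribute set starts and ends outside the hunk.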
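Review bot: `services.tailscale.exitNode = true;` in machines/ponyo/configuration.nix (and the identical line in machines/storage/s0/configuration.nix) only prepares the kernel — forwarding sysctls and loose reverse-path filtering — while nothing in the patch advertises the exit node to the tailnet, which presumably still happens out of band; the bare `# tailscale` comment should say so, e.g. `# tailscale exit node: kernel/rpfilter prep only; the node is advertised when tailscale is brought up`. Since both hosts thereby become routers for tailnet peers that select them, it is worth stating in the same comment why the storage host s0 is meant to carry that egress.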