Use Tailscale

common/network/default.nix

@@ -1,10 +1,23 @@
 { config, lib, ... }:
 
+with lib;
+
+let
+  cfg = config.networking;
+in
 {
   imports = [
     ./hosts.nix
     ./pia-openvpn.nix
+    ./tailscale.nix
     ./vpn.nix
     ./zerotier.nix
   ];
+
+  options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
+
+  config = mkIf cfg.ip_forward {
+    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+  };
 }

common/network/tailscale.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.tailscale;
+in
+{
+  options.services.tailscale.exitNode = mkEnableOption "Enable exit node support";
+
+  config.services.tailscale.enable = true;
+
+  # exit node
+  config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
+  config.networking.ip_forward = mkIf cfg.exitNode true;
+}

common/network/vpn.nix

@@ -88,7 +88,7 @@ in
     networking.nat.internalInterfaces = [
       "ve-${cfg.containerName}"
     ];
-    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    networking.ip_forward = true;
 
     # assumes only one potential interface
     networking.usePredictableInterfaceNames = false;

machines/ponyo/configuration.nix

@@ -63,6 +63,9 @@
     };
   };
 
+  # tailscale
+  services.tailscale.exitNode = true;
+
   # icecast endpoint + website
   services.nginx.virtualHosts."radio.runyan.org" = {
     enableACME = true;

machines/storage/s0/configuration.nix

@@ -145,6 +145,9 @@
     proxyWebsockets = true;
   };
 
+  # tailscale
+  services.tailscale.exitNode = true;
+
   nixpkgs.overlays = [
     (final: prev: {
       radarr = prev.radarr.overrideAttrs (old: rec {