From 983056898173b79119bd7746becc91d0634d9c04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sat, 4 Mar 2023 08:21:35 +0000
Subject: [PATCH] force reauth on tailscale key change

---
 nixos/tailscale/default.nix | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/nixos/tailscale/default.nix b/nixos/tailscale/default.nix
index 94c5523f..750fdb60 100644
--- a/nixos/tailscale/default.nix
+++ b/nixos/tailscale/default.nix
@@ -1,23 +1,17 @@
-{
-  config,
-  pkgs,
-  inputs,
-  ...
-}: let
-  inherit
-    (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
-    tailscale
-    ;
+{ config, pkgs, inputs, ... }:
+let
+  inherit (inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux")
+    tailscale;
 in {
-  environment.systemPackages = [tailscale];
+  environment.systemPackages = [ tailscale ];
   services.tailscale = {
     enable = true;
     package = tailscale;
   };
   networking.firewall = {
-    trustedInterfaces = ["tailscale0"];
-    allowedUDPPorts = [config.services.tailscale.port];
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
   };
   sops.secrets."tailscale-key-${config.networking.hostName}" = {
     sopsFile = ./keys.sops.yaml;
@@ -25,9 +19,9 @@ in {
 
   systemd.services.tailscale-auth = {
     description = "Auth with tailscale";
-    after = ["network-pre.target" "tailscale.service"];
-    wants = ["network-pre.target" "tailscale.service"];
-    wantedBy = ["multi-user.target"];
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "multi-user.target" ];
 
     serviceConfig.Type = "oneshot";
 
@@ -39,7 +33,7 @@ in {
         exit 0
       fi
 
-      ${tailscale}/bin/tailscale up -authkey `cat /run/secrets/tailscale-key-${config.networking.hostName}`
+      ${tailscale}/bin/tailscale up --force-reauth --authkey `cat /run/secrets/tailscale-key-${config.networking.hostName}`
     '';
   };
 }
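Review bot: The auth key on the new `+` line of the last hunk is still expanded into the argument vector of `tailscale up`, so for the life of that process it is readable by every local user through `ps` and `/proc/<pid>/cmdline`, and the unquoted backtick substitution additionally assumes the secret contains no whitespace. If the tailscale taken from nixpkgs-nixos-unstable accepts the `file:` prefix for the key flag (recent releases do; confirm for the pinned version), change the line to `${tailscale}/bin/tailscale up --force-reauth --auth-key "file:/run/secrets/tailscale-key-${config.networking.hostName}"` and drop the `cat`; failing that, at least quote it as `"$(cat /run/secrets/tailscale-key-${config.networking.hostName})"`. Separately, `--force-reauth` consumes the key on every run that gets past the guard above, so a single-use key will leave the host unable to re-join on a later boot; a comment on that line such as `# --force-reauth spends the key each time: the sops secret must be a reusable auth key` would save the next reader the surprise. The `if` condition that guards this call, and the rest of the `tailscale-auth` unit, lie outside the hunk.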