nixpkgs/nixos/modules/services/networking/tailscale.nix
David Anderson 3fdac0f981 nixos/tailscale: warn if strict reverse path filtering is in use.
Tailscale uses policy routing to enable certain traffic to bypass
routes that lead into the Tailscale mesh. NixOS's reverse path
filtering setup doesn't understand the policy routing at play,
and so incorrectly interprets some of this traffic as spoofed.

Since this only breaks some features of Tailscale, merely warn
users about it, rather than make it a hard error.

Updates tailscale/tailscale#4432

Signed-off-by: David Anderson <dave@natulte.net>
2022-05-05 18:28:48 -07:00

73 lines
2.7 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.tailscale;
firewallOn = config.networking.firewall.enable;
rpfMode = config.networking.firewall.checkReversePath;
rpfIsStrict = rpfMode == true || rpfMode == "strict";
in {
meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
options.services.tailscale = {
enable = mkEnableOption "Tailscale client daemon";
port = mkOption {
type = types.port;
default = 41641;
description = "The port to listen on for tunnel traffic (0=autoselect).";
};
interfaceName = mkOption {
type = types.str;
default = "tailscale0";
description = ''The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.'';
};
permitCertUid = mkOption {
type = types.nullOr types.nonEmptyStr;
default = null;
description = "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.";
};
package = mkOption {
type = types.package;
default = pkgs.tailscale;
defaultText = literalExpression "pkgs.tailscale";
description = "The package to use for tailscale";
};
};
config = mkIf cfg.enable {
warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'";
environment.systemPackages = [ cfg.package ]; # for the CLI
systemd.packages = [ cfg.package ];
systemd.services.tailscaled = {
wantedBy = [ "multi-user.target" ];
path = [
pkgs.openresolv # for configuring DNS in some configs
pkgs.procps # for collecting running services (opt-in feature)
pkgs.glibc # for `getent` to look up user shells
];
serviceConfig.Environment = [
"PORT=${toString cfg.port}"
''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"''
] ++ (lib.optionals (cfg.permitCertUid != null) [
"TS_PERMIT_CERT_UID=${cfg.permitCertUid}"
]);
# Restart tailscaled with a single `systemctl restart` at the
# end of activation, rather than a `stop` followed by a later
# `start`. Activation over Tailscale can hang for tens of
# seconds in the stop+start setup, if the activation script has
# a significant delay between the stop and start phases
# (e.g. script blocked on another unit with a slow shutdown).
#
# Tailscale is aware of the correctness tradeoff involved, and
# already makes its upstream systemd unit robust against unit
# version mismatches on restart for compatibility with other
# linux distros.
stopIfChanged = false;
};
};
}