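# NixOS module for a QEMU VM: state is kept on a 9p share mounted at /persist
# (Tailscale node state and the SSH host key live there), and every certificate
# declared under security.acme.certs is obtained with `tailscale cert` instead
# of the ACME client.
{ pkgs, config, lib, ... }:
let
  # Hash-pinned nixpkgs checkout, used only to source the tailscale package.
  unstable = import (
    builtins.fetchTarball {
      url = "https://github.com/NixOS/nixpkgs/archive/7fa76be757c8d9feaecb984d8bc0b3b13e40545f.tar.gz";
      sha256 = "0whjrnfz0n1rbr84ykzp1nqnmsn7d9lpj1h4q76w1kxzx50rqg9r";
    }
  ) {};
  tailscale = unstable.tailscale;

  # Build a systemd service that requests a certificate for `certName` through
  # `tailscale cert` and writes fullchain.pem / key.pem into `conf.directory`,
  # readable by `conf.group`.  `conf` is one entry of config.security.acme.certs
  # (see the mapAttrs' in the module body), so `directory` and `group` are the
  # ACME module's per-cert options.
  tailscale-cert-service = certName: conf: {
    serviceConfig = {
      # serviceConfig attribute names are emitted into the [Service] section
      # verbatim; the key systemd reads is `Type`, so a lowercase `type` is
      # silently ignored and the unit runs as Type=simple.
      Type = "oneshot";
    };
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    requires = [ "tailscaled.service" ];
    # `wants` only pulls the target in; ordering needs `after` as well, otherwise
    # the cert request can start before the network is up.
    after = [ "network-online.target" "tailscaled.service" ];
    script = let
      cert-dir = conf.directory;
      group = conf.group;
    in ''
      set -euxo pipefail
      ${tailscale}/bin/tailscale cert \
        --cert-file "${cert-dir}/fullchain.pem" \
        --key-file "${cert-dir}/key.pem" \
        "${certName}"
      chgrp "${group}" "${cert-dir}/fullchain.pem" "${cert-dir}/key.pem"
      # Set the mode explicitly instead of `g+r`: the group needs to read the
      # key, and no other user should, regardless of the mode the files were
      # created with.
      chmod 0640 "${cert-dir}/fullchain.pem" "${cert-dir}/key.pem"
    '';
  };
in
{
  services.tailscale.enable = true;
  services.tailscale.package = tailscale;

  virtualisation.graphics = false;
  # Host directory exported to the guest under the "persist" mount tag.
  virtualisation.qemu.options = [
    "-virtfs local,path=/root/persist/${config.networking.hostName},security_model=none,mount_tag=persist"
  ];
  virtualisation.fileSystems."/persist" = let
    cfg = config.virtualisation;
  in {
    device = "persist";
    fsType = "9p";
    # Mounted from the initrd so the SSH host key and tailscale state are
    # available before the services that need them start.
    neededForBoot = true;
    options = [ "trans=virtio" "version=9p2000.L" ]
      ++ lib.optional (cfg.msize != null) "msize=${toString cfg.msize}";
  };

  # Root-only state directories on the persistent share.
  systemd.tmpfiles.rules = [
    "d /persist/tailscale 0700 root root -"
    "d /persist/ssh 0700 root root -"
  ];
  # Persist the host key so clients do not see a changed key after a rebuild.
  services.openssh = {
    hostKeys = [
      {
        path = "/persist/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
  };

  systemd.services =
    # For every declared cert, replace the ACME module's generated acme-<name>
    # service with the tailscale-backed one; mkForce drops the module's own
    # definition instead of merging with it.
    lib.mapAttrs' (cert: conf:
      lib.nameValuePair "acme-${cert}" (lib.mkForce (tailscale-cert-service cert conf))
    ) config.security.acme.certs
    // {
      tailscaled = {
        # Bind the persistent directory over tailscale's state dir so the node
        # identity survives a rebuild of the VM image.
        serviceConfig.BindPaths = [ "/persist/tailscale:/var/lib/tailscale" ];
        environment = {
          TS_DEBUG_RESTUN_STOP_ON_IDLE = "true";
        };
      };
    };
}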