From 7881c76f73dd18dc24c8ff552d15de744a6146cb Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Mon, 7 Jul 2025 19:13:16 +0800
Subject: [PATCH] feat(nixos): add tailscale module

---
 nix/modules/networking/ssh.nix | 29 ++++++++++++++++++++++++++++
 nix/modules/networking/tailscale.nix | 17 ++++++++++++++++
 secrets/tailscale.yaml | 17 ++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 nix/modules/networking/ssh.nix
 create mode 100644 nix/modules/networking/tailscale.nix
 create mode 100644 secrets/tailscale.yaml

diff --git a/nix/modules/networking/ssh.nix b/nix/modules/networking/ssh.nix
new file mode 100644
index 0000000..d721746
--- /dev/null
+++ b/nix/modules/networking/ssh.nix
@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+let
+ cfg = config.flake;
+ inherit (lib.modules) mkMerge;
+ inherit (cfg.lib.modules) forAllUsers';
+in
+{
+ flake.modules.nixos.default = mkMerge [
+ {
+ services.openssh.enable = true;
+ users.users = forAllUsers' (_: value: { openssh.authorizedKeys.keys = [ value.pubkey ]; });
+ persistFiles = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ ];
+ }
+ { users.users.root.openssh.authorizedKeys.keys = [ cfg.admin.pubkey ]; }
+ ];
+ flake.modules.homeManager.default = {
+ persistDirs = [ ".ssh" ];
+ programs.ssh.enable = true;
+ programs.ssh.extraConfig = ''
+ Host *
+ SetEnv TERM=xterm-256color
+ '';
+ };
+}
diff --git a/nix/modules/networking/tailscale.nix b/nix/modules/networking/tailscale.nix
new file mode 100644
index 0000000..ddf1b9a
--- /dev/null
+++ b/nix/modules/networking/tailscale.nix
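Review bot: The new sshd configuration still leaves password logins enabled: `services.openssh.enable = true;` takes the NixOS defaults, and unless overridden elsewhere in the flake the `PasswordAuthentication` setting defaults to true, so the authorized keys pushed to every user and to root do not by themselves restrict access to key-based authentication. Consider adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line in the ssh.nix hunk. Since `users.users.root.openssh.authorizedKeys.keys` now grants root login with the admin key, stating `services.openssh.settings.PermitRootLogin = "prohibit-password";` explicitly would document that intent instead of relying on the module default.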
@@ -0,0 +1,17 @@
+{ config, ... }:
+let
+ inherit (config.flake.paths) secrets;
+in
+{
+ flake.modules.nixos.default =
+ { config, ... }:
+ {
+ services.tailscale = {
+ enable = true;
+ authKeyFile = config.sops.secrets."tailscale/client-secret".path;
+ authKeyParameters.preauthorized = true;
+ };
+ persistDirs = [ "/var/lib/tailscale" ];
+ sops.secrets."tailscale/client-secret".sopsFile = secrets + "/tailscale.yaml";
+ };
+}
diff --git a/secrets/tailscale.yaml b/secrets/tailscale.yaml
new file mode 100644
index 0000000..0913120
--- /dev/null
+++ b/secrets/tailscale.yaml
@@ -0,0 +1,17 @@
+tailscale:
+ client-secret: ENC[AES256_GCM,data:qAJUDTHxnzhgUtpe/DaH8Vv72jy/DWU/1UKzp2Pg/GtayClZXGFz00bCNKmZJCE7NYHERgr2Ssnhpz90eRCjKg==,iv:aWp2lvIFpUH6OMTkD8V1HNMyxUPxiVA+Il4NvlVKjOA=,tag:OzkdsOKerKiSHzHSkScIQA==,type:str]
+sops:
+ age:
+ - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZytHNnlKcWFPVVNpTkxX
+ cFgxRjFDdWJkMzB2NUk1N2VLSWx3cVpvY20wCkdHbjZ4ZUlHTWp1QUFJVGxaV2cx
+ K0NlaFdnYlEvektieDJJVkY2cEtmL1UKLS0tIDFHQlM4OEIzaGVvUThCbUJZNTU3
+ ZGNJd3NvSCsrdDNFb0VuMDJOU09DVEEKrDnezqYWRuEyS6/WRWq0jMfv4DQ3TS1L
+ Zic6TBIA3qNEjUlqXKRfq//H3vDRz4dzZCqbbh+5+FXDGBIVLL2DaA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-07T11:12:16Z"
+ mac: ENC[AES256_GCM,data:rOuEqjHByaGaYredcMFGds+pB1rIgh0qu245Vt2gVGjjqOJtfEYcuvziVKgvV5yvBVhizcjeFIzCFdQ2KpflvwOLjiOZ594UaZChPGtO5hDc1VY/Gz86t8x6DYuHjWu4S1XOrBWgv2ebD0iBgbjuRNgBEhkWfVS2/7hn1PtqGD0=,iv:ZQ0b7pHG3NM2mwQdSVoGr4WsluIrp+/YUQi6KoMneC0=,tag:5E5bNxdRPQpTRVrQ+qoxfQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
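Review bot: The secret is named `tailscale/client-secret`, which suggests an OAuth client secret rather than a plain auth key; when tailscaled is handed an OAuth client secret through `authKeyFile` it must also advertise the tags that client is allowed to own, otherwise the node registration is rejected, and nothing in the tailscale.nix hunk sets them. If that is the key type in use, add `extraUpFlags = [ "--advertise-tags=tag:<TAG>" ];` inside `services.tailscale` (placeholder tag, to be replaced with the tag granted to the OAuth client). Separately, the inner module argument `{ config, ... }:` shadows the outer flake-parts `config` that the `let` block reads `secrets` from, which works only because `inherit (config.flake.paths) secrets;` captures it before the shadowing; a comment such as `# inner config is the NixOS config; the flake-level paths were captured as `secrets` above` on the inner argument line would spare the next reader that double-take.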