Remote luks unlock via ssh and tailscale

Moraxno · December 27, 2025, 11:59am

I am trying to setup an early ssh access to my remote backup server at a (not very tech-inclined) friends house.

Because I want to minimize attack surfaces for his network and my server, I am using tailscale as the only way to connect to the server from afar.

I am now working on encrypting my full disk (except for boot) and was looking into options to unlock my disks after a reboot and was studying this guide on the wiki that enables ssh for initrd: Remote disk unlocking - NixOS Wiki

However, this will not work for me, because I cannot access the server unless the tailscale daemon is running and authenticated it to my tailnet.

Which settings do I need to get tailscale also up and running for initrd. Has anybody a recipe where they already setup something similar to this?

Thanks in advance

ElvishJerricco · December 27, 2025, 12:15pm

I’ve been using this for a couple of years now:

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.tailscale;
in
{
  boot.initrd = {
    systemd.packages = [ cfg.package ];
    systemd.initrdBin = [
      pkgs.iptables
      pkgs.iproute2
      cfg.package
    ];
    availableKernelModules = [
      "tun"
      "nft_chain_nat"
    ];

    systemd.services.tailscaled = {
      unitConfig.DefaultDependencies = false;
      wantedBy = [ "initrd.target" ];
      serviceConfig.Environment = [
        "PORT=${toString cfg.port}"
        ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"''
      ];
    };

    systemd.tmpfiles.settings."50-tailscale"."/var/run".L.argument = "/run";

    systemd.network.networks."50-tailscale" = {
      matchConfig = {
        Name = cfg.interfaceName;
      };
      linkConfig = {
        Unmanaged = true;
        ActivationPolicy = "manual";
      };
    };

    systemd.extraBin.ping = "${pkgs.iputils}/bin/ping";
  };
}

This assumes boot.initrd.systemd.enable = true; and assumes you’ve done something else to mount /var/lib/tailscale in the initrd, which should contain your tailscale state.

So far this has worked pretty much perfectly for me ever since I got it working. Never had any issues.

supermarin · May 7, 2026, 3:38pm

@ElvishJerricco Tried spiking this in a VM, but getting DNS errors due to no network. Should this service be dependent on network-online.target?

Mind posting a brief complete steps related to mounting tailscale state to it? I think this approach is super useful and should be documented a bit better.

ElvishJerricco · May 7, 2026, 3:56pm

Do you also have boot.initrd.network.enable = true;?

supermarin · May 7, 2026, 4:10pm

nope, that did it!

Still need to figure out the best way to make /var/lib/tailscale available to initrd, any tips there?

ElvishJerricco · May 7, 2026, 4:12pm

I do… complicated tpm stuff for that (that repo may be out of date; not sure). But the TL;DR is that the tailscale state exists on a separate file system that can be decrypted and mounted during initrd unattended. EDIT: And that file system is shared for use with the regular stage 2 tailscale.