Update: Got some good info on both reddit and the tailscale forums on this.
Here’s my working config combining both those recommendations:
# always allow traffic from your Tailscale network
networking.trustedInterfaces = [ "tailscale0" ];
# allow the Tailscale UDP port through the firewall
allowedUDPPorts = [ config.services.tailscale.port ];
# Tailscale keys
# Create a secrets location for your tailscale auth keys. Create a reusable key at
# https://login.tailscale.com/admin/settings/authkeys, save it in a file, and put that file in your secrets location
# If you're running an "Erase Your Darlings" setup, don't forget to persist your tailscale secrets location
environment.etc."tailscale".source = "/persist/etc/tailscale/";
# Tailscale autu-auth config, based on:
# https://tailscale.com/blog/nixos-minecraft/
services.tailscale.enable = true;
# create a systemd oneshot job to authenticate to Tailscale on startup
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
echo "Waiting for tailscale.service start completion ..."
sleep 5
# (as of tailscale 1.4 this should no longer be necessary, but I find it still is)
# check if already authenticated
echo "Checking if already authenticated to Tailscale ..."
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # do nothing
echo "Already authenticated to Tailscale, exiting."
exit 0
fi
# otherwise authenticate with tailscale
echo "Authenticating with Tailscale ..."
# old: ${tailscale}/bin/tailscale up --authkey $(cat /etc/tailscale/tskey-reusable)
${tailscale}/bin/tailscale up --auth-key file:/etc/tailscale/tskey-reusable
'';
};
I’m running Tailscale free tier, and every time I rebuild and reboot, I have to re-authenticate Tailscale.
Eg, after the system starts, I manually run sudo tailscale up, and it gives me a tailscale authentication url to load in a browser.
Is there 1) any way to automate this process, and 2) reuse a prior Tailscale authentication instead of creating a new one? (I have 8 different Tailscale authentications for the same workstation now in the Tailscale control panel)