[solved] Possible to automatically authenticate Tailscale after every rebuild/reboot?

Update: Got some good info on both reddit and the tailscale forums on this.

Here’s my working config combining both those recommendations:

  # always allow traffic from your Tailscale network
  networking.trustedInterfaces = [ "tailscale0" ];

  # allow the Tailscale UDP port through the firewall
  allowedUDPPorts = [ config.services.tailscale.port ];

  # Tailscale keys
  # Create a secrets location for your tailscale auth keys.  Create a reusable key at
  # https://login.tailscale.com/admin/settings/authkeys, save it in a file, and put that file in your secrets location
  # If you're running an "Erase Your Darlings" setup, don't forget to persist your tailscale secrets location  
  environment.etc."tailscale".source = "/persist/etc/tailscale/";
  # Tailscale autu-auth config, based on:
  # https://tailscale.com/blog/nixos-minecraft/
  services.tailscale.enable = true;

  # create a systemd oneshot job to authenticate to Tailscale on startup
  systemd.services.tailscale-autoconnect = {
    description = "Automatic connection to Tailscale";

    # make sure tailscale is running before trying to connect to tailscale
    after = [ "network-pre.target" "tailscale.service" ];
    wants = [ "network-pre.target" "tailscale.service" ];
    wantedBy = [ "multi-user.target" ];

    # set this service as a oneshot job
    serviceConfig.Type = "oneshot";

    # have the job run this shell script
    script = with pkgs; ''

      # wait for tailscaled to settle
      echo "Waiting for tailscale.service start completion ..." 
      sleep 5
      # (as of tailscale 1.4 this should no longer be necessary, but I find it still is)

      # check if already authenticated
      echo "Checking if already authenticated to Tailscale ..."
      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
      if [ $status = "Running" ]; then  # do nothing
      	echo "Already authenticated to Tailscale, exiting."
        exit 0

      # otherwise authenticate with tailscale
      echo "Authenticating with Tailscale ..."
      # old: ${tailscale}/bin/tailscale up --authkey $(cat /etc/tailscale/tskey-reusable)
      ${tailscale}/bin/tailscale up --auth-key file:/etc/tailscale/tskey-reusable

I’m running Tailscale free tier, and every time I rebuild and reboot, I have to re-authenticate Tailscale.

Eg, after the system starts, I manually run sudo tailscale up, and it gives me a tailscale authentication url to load in a browser.

Is there 1) any way to automate this process, and 2) reuse a prior Tailscale authentication instead of creating a new one? (I have 8 different Tailscale authentications for the same workstation now in the Tailscale control panel)

You probably should look into tailscale documentation and especially read the service configuration documentation (or ask their support). Once you have that information it’s just a matter of enriching the configuration of the systemd.services.tailscale service that is created by the services.tailscale config entry, probably.

1 Like