Bit of a necrobump but it pops up via search engines so figured I’d post how I solved it:
```nix
services.tailscale = {
  enable = true;
  openFirewall = true;
  authKeyFile = config.age.secrets.vpn-preauth.path;
  extraUpFlags = [
    "--login-server=https://your-instance" # if you use a non-default tailscale coordinator
    "--accept-dns=false" # if it's a server you prolly don't need magicdns
  ];
};

age.secrets.vpn-preauth.file = ../secrets/vpn-preauth.age;
```
Remember to make your preauth key reproducible and (if possible? idk about official Tailscale but it is with Headscale) make it last for however long fits with your security policy (rotating it often is kind of annoying, but at the same time it only applies when new servers are enrolled into Tailscale).