Remove all traces of tailscale

2026-01-21 12:51:34 +01:00 · 2026-01-11 00:17:51 +01:00 · 2026-01-11 00:17:51 +01:00 · 3cf75dc7e1
commit 3cf75dc7e1
parent ccac4395a2
11 changed files with 19 additions and 127 deletions
--- a/modules/home/services/tailscale.nix
+++ b/modules/home/services/tailscale.nix
@ -1,16 +0,0 @@
-{ config, lib, ... }@moduleArgs:
-{
-  options.custom.services.tailscale.enable = lib.mkEnableOption "" // {
-    default = moduleArgs.osConfig.custom.services.tailscale.enable or false;
-  };
-
-  config = lib.mkIf config.custom.services.tailscale.enable {
-    programs.ssh = {
-      enable = true;
-      matchBlocks.installer.extraOptions = {
-        UserKnownHostsFile = "/dev/null";
-        StrictHostKeyChecking = "no";
-      };
-    };
-  };
-}
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@ -1,20 +1,15 @@
 {
  config,
-  pkgs,
  lib,
  lib',
  ...
 }:
 let
  cfg = config.custom.services.caddy;
-  inherit (config.services.caddy) user;

  virtualHosts = cfg.virtualHosts |> lib.attrValues |> lib.filter (value: value.enable);

-  publicHostsExist =
-    virtualHosts
-    |> lib.any (value: (!lib'.isPrivateDomain value.domain) && (!lib'.isTailscaleDomain value.domain));
-  tailscaleHostsExist = virtualHosts |> lib.any (value: lib'.isTailscaleDomain value.domain);
+  publicHostsExist = virtualHosts |> lib.any (value: (!lib'.isPrivateDomain value.domain));
  privateHostsExist = virtualHosts |> lib.any (value: lib'.isPrivateDomain value.domain);

  webPorts = [
@ -32,7 +27,6 @@ let
    lib.nameValuePair domain {
      logFormat = "output file ${config.services.caddy.logDir}/${domain}.log { mode 640 }";
      extraConfig = lib.concatLines [
-        (lib.optionalString (lib'.isTailscaleDomain domain) "bind tailscale/${lib'.subdomainOf domain}")
        (lib.optionalString (lib'.isPrivateDomain domain) (
          let
            certDir = config.security.acme.certs.${domain}.directory;
@ -115,26 +109,6 @@ in
        networking.firewall.allowedTCPPorts = webPorts;
      })

-      (lib.mkIf tailscaleHostsExist {
-        sops.secrets."tailscale/service-auth-key" = {
-          owner = user;
-          restartUnits = [ "caddy.service" ];
-        };
-
-        services.caddy = {
-          package = pkgs.caddy.withPlugins {
-            plugins = [ "github.com/tailscale/caddy-tailscale@v0.0.0-20251117033914-662ef34c64b1" ];
-            hash = "sha256-3lc2oSLFIco5Pgz1QNH2hT5tDTPZ4wcbc+NKH9wLEfY=";
-          };
-          globalConfig = ''
-            tailscale {
-              auth_key {file.${config.sops.secrets."tailscale/service-auth-key".path}}
-              ephemeral true
-            }
-          '';
-        };
-      })
-
      (lib.mkIf privateHostsExist {
        sops.secrets = {
          "porkbun/api-key".owner = config.users.users.acme.name;
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@ -135,7 +135,6 @@ in
      settings = {
        pki.disconnect_invalid = true;
        cipher = "aes";
-        lighthouse.local_allow_list.interfaces.${config.services.tailscale.interfaceName} = false;
      };
    };

--- a/modules/system/services/nebula/dns.nix
+++ b/modules/system/services/nebula/dns.nix
@ -48,18 +48,13 @@ in
              nodeRecords ++ serviceRecords;
          };

-          forward-zone =
-            (lib.singleton {
-              name = ".";
-              forward-addr = [
-                "1.1.1.1"
-                "8.8.8.8"
-              ];
-            })
-            ++ lib.optional config.custom.services.tailscale.enable {
-              name = "${config.custom.services.tailscale.domain}";
-              forward-addr = [ "100.100.100.100" ];
-            };
+          forward-zone = lib.singleton {
+            name = ".";
+            forward-addr = [
+              "1.1.1.1"
+              "8.8.8.8"
+            ];
+          };
        };
      };

--- a/modules/system/services/tailscale.nix
+++ b/modules/system/services/tailscale.nix
@ -1,39 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.custom.services.tailscale;
-in
-{
-  options.custom.services.tailscale = {
-    enable = lib.mkEnableOption "";
-    domain = lib.mkOption {
-      type = lib.types.nonEmptyStr;
-      default = "stork-atlas.ts.net";
-    };
-    ssh.enable = lib.mkEnableOption "";
-    exitNode.enable = lib.mkEnableOption "";
-  };
-
-  config = lib.mkIf cfg.enable {
-    meta.ports.udp = lib.mkIf config.services.tailscale.openFirewall [
-      config.services.tailscale.port
-    ];
-
-    sops.secrets."tailscale/auth-key".restartUnits = [ "tailscaled-autoconnect.service" ];
-
-    services.tailscale = {
-      enable = true;
-      authKeyFile = config.sops.secrets."tailscale/auth-key".path;
-      openFirewall = true;
-      useRoutingFeatures = if cfg.exitNode.enable then "server" else "client";
-      extraUpFlags = [ "--reset=true" ];
-      extraSetFlags = [
-        "--ssh=${lib.boolToString cfg.ssh.enable}"
-        "--advertise-exit-node=${lib.boolToString cfg.exitNode.enable}"
-      ];
-    };
-
-    systemd.services.tailscaled-set.after = [ "tailscaled-autoconnect.service" ];
-
-    custom.persistence.directories = [ "/var/lib/tailscale" ];
-  };
-}