From df8682f4d09b062ff8853b813453d75f6cc0da6d Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 10 Jan 2026 01:26:16 +0100
Subject: [PATCH 1/3] tailscale: Fix interface by making it unmanaged again
---
 modules/system/services/tailscale.nix | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/modules/system/services/tailscale.nix b/modules/system/services/tailscale.nix
index 8f37da5..28fc6e1 100644
--- a/modules/system/services/tailscale.nix
+++ b/modules/system/services/tailscale.nix
@@ -35,13 +35,5 @@ in
 systemd.services.tailscaled-set.after = [ "tailscaled-autoconnect.service" ];
 custom.persistence.directories = [ "/var/lib/tailscale" ];
-
- # Disable search domain when nebula is in use
- systemd.network.networks."50-tailscale" = lib.mkIf config.custom.services.nebula.node.enable {
- matchConfig.Name = config.services.tailscale.interfaceName;
- linkConfig.Unmanaged = lib.mkForce false;
- dns = [ "100.100.100.100" ];
- domains = [ ];
- };
 };
 }
From bd196f1f2705c149951f8df62e924eaaff110ddf Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 10 Jan 2026 01:31:09 +0100
Subject: [PATCH 2/3] nebula/dns: Add forward-zone for tailscale domains
I'm not sure if this is actually doing anything
---
 modules/system/services/nebula/dns.nix | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/modules/system/services/nebula/dns.nix b/modules/system/services/nebula/dns.nix
index f750fc1..51b04fa 100644
--- a/modules/system/services/nebula/dns.nix
+++ b/modules/system/services/nebula/dns.nix
@@ -29,13 +29,18 @@ in
 |> lib.map (node: "\"${node.name}.${nebulaCfg.network.domain}. A ${node.address}\"");
 };
- forward-zone = lib.singleton {
- name = ".";
- forward-addr = [
- "1.1.1.1"
- "8.8.8.8"
- ];
- };
+ forward-zone =
+ (lib.singleton {
+ name = ".";
+ forward-addr = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ })
+ ++ lib.optional config.custom.services.tailscale.enable {
+ name = "${config.custom.services.tailscale.domain}";
+ forward-addr = [ "100.100.100.100" ];
+ };
 };
 };
From 653ebd2c8504170680dad35512fc5885077ae6f5 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 10 Jan 2026 01:32:23 +0100
Subject: [PATCH 3/3] syncthing: Connect devices over nebula instead of tailscale
---
 modules/system/services/syncthing.nix | 85 +++++++++++++++------------
 1 file changed, 49 insertions(+), 36 deletions(-)
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index b2faf1f..b4e9605 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@@ -51,8 +51,8 @@ in
 config = lib.mkIf cfg.enable {
 assertions = [
 {
- assertion = config.custom.services.tailscale.enable;
- message = "Syncthing requires tailscale";
+ assertion = config.custom.services.nebula.node.enable;
+ message = "Syncthing requires nebula";
 }
 {
 assertion = cfg.isServer -> (cfg.gui.domain != null);
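Review bot: The new zone's `name = "${config.custom.services.tailscale.domain}";` wraps an option value in a redundant interpolation; `name = config.custom.services.tailscale.domain;` is equivalent and makes it plain that the zone name is the option value taken verbatim. Given the doubt recorded in the commit message, a comment above the `lib.optional` such as `# Queries for the tailnet domain go to tailscaled's resolver at 100.100.100.100; unbound uses the most specific forward-zone, so this takes precedence over "."` would state the intent the next reader has to verify. One caveat I cannot check from this hunk: if `private-address` covers 100.64.0.0/10 anywhere in this unbound configuration, answers from that forwarder would be discarded as rebinding unless the tailnet domain is also listed under `private-domain`. The enclosing attribute set starts before the hunk.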
@@ -86,48 +86,61 @@ in
 };
 };
- services.syncthing = {
- enable = true;
+ services = {
+ syncthing = {
+ enable = true;
- user = lib.mkIf (!cfg.isServer) "seb";
- group = lib.mkIf (!cfg.isServer) "users";
- dataDir = lib.mkIf (!cfg.isServer) "/home/seb";
+ user = lib.mkIf (!cfg.isServer) "seb";
+ group = lib.mkIf (!cfg.isServer) "users";
+ dataDir = lib.mkIf (!cfg.isServer) "/home/seb";
- guiAddress = "localhost:${toString cfg.gui.port}";
+ guiAddress = "localhost:${toString cfg.gui.port}";
- cert = lib.mkIf useSopsSecrets config.sops.secrets."syncthing/cert".path;
- key = lib.mkIf useSopsSecrets config.sops.secrets."syncthing/key".path;
+ cert = lib.mkIf useSopsSecrets config.sops.secrets."syncthing/cert".path;
+ key = lib.mkIf useSopsSecrets config.sops.secrets."syncthing/key".path;
- settings = {
- # Get the devices and their ids from the configs of the other hosts
- devices =
- self.nixosConfigurations
- |> lib.filterAttrs (name: _: name != config.networking.hostName)
- |> lib.filterAttrs (_: value: value.config.custom.services.syncthing.enable)
- |> lib.mapAttrs (
- name: value: {
- id = value.config.custom.services.syncthing.deviceId;
- addresses = [ "tcp://${name}.${config.custom.services.tailscale.domain}:${toString cfg.syncPort}" ];
- }
- );
+ settings = {
+ # Get the devices and their ids from the configs of the other hosts
+ devices =
+ self.nixosConfigurations
+ |> lib.filterAttrs (name: _: name != config.networking.hostName)
+ |> lib.filterAttrs (_: value: value.config.custom.services.syncthing.enable)
+ |> lib.mapAttrs (
+ _: value: {
+ id = value.config.custom.services.syncthing.deviceId;
+ addresses = [
+ "tcp://${value.config.custom.services.nebula.node.address}:${toString cfg.syncPort}"
+ ];
+ }
+ );
- folders =
- cfg.folders
- |> lib'.genAttrs (name: {
- path = "${dataDir}/${name}";
- devices = config.services.syncthing.settings.devices |> lib.attrNames;
- });
+ folders =
+ cfg.folders
+ |> lib'.genAttrs (name: {
+ path = "${dataDir}/${name}";
+ devices = config.services.syncthing.settings.devices |> lib.attrNames;
+ });
- options = {
- listenAddress = "tcp://0.0.0.0:${toString cfg.syncPort}";
- globalAnnounceEnabled = false;
- localAnnounceEnabled = false;
- relaysEnabled = false;
- natEnabled = false;
- urAccepted = -1;
- autoUpgradeIntervalH = 0;
+ options = {
+ listenAddress = "tcp://${config.custom.services.nebula.node.address}:${toString cfg.syncPort}";
+ globalAnnounceEnabled = false;
+ localAnnounceEnabled = false;
+ relaysEnabled = false;
+ natEnabled = false;
+ urAccepted = -1;
+ autoUpgradeIntervalH = 0;
+ };
 };
 };
+
+ nebula.networks.mesh.firewall.inbound =
+ config.services.syncthing.settings.devices
+ |> lib.attrNames
+ |> lib.map (name: {
+ port = cfg.syncPort;
+ proto = "tcp";
+ host = name;
+ });
 };
 custom = {
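Review bot: The generated `nebula.networks.mesh.firewall.inbound` rules key on `host = name`, where `name` is the other host's `nixosConfigurations` key; nebula matches `host` against the peer's certificate name, so this allowlist only works if the two naming schemes agree, and a mismatch fails closed with no error at evaluation time. A comment on the rule, e.g. `# Only the other syncthing hosts may reach the sync port; host must equal the peer's nebula certificate name (assumed to be its nixosConfigurations key)`, would make that coupling explicit. Per-host rules rather than a group or `any` rule are the right scope for this port. Separately, `listenAddress` now binds to `config.custom.services.nebula.node.address` instead of 0.0.0.0, which removes the listener from every other interface; that address has to be assigned when syncthing starts, so an ordering dependency on the nebula unit may be needed unless the service already has one outside this hunk. The enclosing `config = lib.mkIf cfg.enable { … }` starts before the hunk.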