From b596c38cb9bf556ca1e454644db837df63fb5281 Mon Sep 17 00:00:00 2001 From: Kat Huang Date: Sun, 26 Apr 2026 18:07:03 -0700 Subject: [PATCH] Enable Tailscale on macOS --- nix-darwin/flake.nix | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/nix-darwin/flake.nix b/nix-darwin/flake.nix index 3a02ad64..0da9b836 100644 --- a/nix-darwin/flake.nix +++ b/nix-darwin/flake.nix @@ -114,7 +114,13 @@ "/etc/ssh/ssh_host_rsa_key" ]; secrets.gitea-runner-token.file = ../nixos/secrets/gitea-runner-token.mac-demarco-mini.age; + secrets.tailscale-authkey = { + file = ../nixos/secrets/tailscale-authkey.age; + owner = "root"; + mode = "0400"; + }; }; + services.tailscale.enable = true; services.gitea-actions-runner = { user = "gitea-runner"; instances.nix = { @@ -160,6 +166,44 @@ XDG_CACHE_HOME = "/var/lib/gitea-runner/.cache"; XDG_RUNTIME_DIR = "/var/lib/gitea-runner/tmp"; }; + launchd.daemons.tailscaled.serviceConfig.KeepAlive = true; + + launchd.daemons.tailscale-autoconnect = { + script = '' + set -euo pipefail + + key_file='${config.age.secrets.tailscale-authkey.path}' + if [ ! -s "$key_file" ]; then + exit 0 + fi + if [ "$(cat "$key_file")" = "DISABLED" ]; then + exit 0 + fi + + for _ in $(${pkgs.coreutils}/bin/seq 1 30); do + state="$(${config.services.tailscale.package}/bin/tailscale status --json 2>/dev/null | ${pkgs.jq}/bin/jq -r '.BackendState // empty' || true)" + if [ "$state" = "Running" ]; then + exit 0 + fi + if [ -n "$state" ]; then + break + fi + sleep 2 + done + + ${config.services.tailscale.package}/bin/tailscale up \ + --auth-key "file:$key_file" \ + --accept-dns=true \ + --operator="${primaryUser}" \ + --timeout=60s + ''; + serviceConfig = { + RunAtLoad = true; + StartInterval = 300; + StandardOutPath = "/var/log/tailscale-autoconnect.log"; + StandardErrorPath = "/var/log/tailscale-autoconnect.err.log"; + }; + }; system.primaryUser = primaryUser;