Enable Tailscale on macOS

nix-darwin/flake.nix

@@ -114,7 +114,13 @@
           "/etc/ssh/ssh_host_rsa_key"
         ];
         secrets.gitea-runner-token.file = ../nixos/secrets/gitea-runner-token.mac-demarco-mini.age;
+        secrets.tailscale-authkey = {
+          file = ../nixos/secrets/tailscale-authkey.age;
+          owner = "root";
+          mode = "0400";
         };
+      };
+      services.tailscale.enable = true;
       services.gitea-actions-runner = {
         user = "gitea-runner";
         instances.nix = {
@@ -160,6 +166,44 @@
         XDG_CACHE_HOME = "/var/lib/gitea-runner/.cache";
         XDG_RUNTIME_DIR = "/var/lib/gitea-runner/tmp";
       };
+      launchd.daemons.tailscaled.serviceConfig.KeepAlive = true;
+
+      launchd.daemons.tailscale-autoconnect = {
+        script = ''
+          set -euo pipefail
+
+          key_file='${config.age.secrets.tailscale-authkey.path}'
+          if [ ! -s "$key_file" ]; then
+            exit 0
+          fi
+          if [ "$(cat "$key_file")" = "DISABLED" ]; then
+            exit 0
+          fi
+
+          for _ in $(${pkgs.coreutils}/bin/seq 1 30); do
+            state="$(${config.services.tailscale.package}/bin/tailscale status --json 2>/dev/null | ${pkgs.jq}/bin/jq -r '.BackendState // empty' || true)"
+            if [ "$state" = "Running" ]; then
+              exit 0
+            fi
+            if [ -n "$state" ]; then
+              break
+            fi
+            sleep 2
+          done
+
+          ${config.services.tailscale.package}/bin/tailscale up \
+            --auth-key "file:$key_file" \
+            --accept-dns=true \
+            --operator="${primaryUser}" \
+            --timeout=60s
+        '';
+        serviceConfig = {
+          RunAtLoad = true;
+          StartInterval = 300;
+          StandardOutPath = "/var/log/tailscale-autoconnect.log";
+          StandardErrorPath = "/var/log/tailscale-autoconnect.err.log";
+        };
+      };
 
       system.primaryUser = primaryUser;