monitor: wait for tailscale interface

flake.nix

@@ -50,7 +50,6 @@
     catppuccin = {
       url = "github:catppuccin/nix";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
     };
 
     disko = {

machines/osmium/default.nix

@@ -69,7 +69,7 @@
       neovim
       jq
       iptables
-      ebtables
+      nftables
       tcpdump
       busybox
       ethtool
@@ -88,15 +88,53 @@
 
     systemd.network = {
       enable = true;
-      networks."lan" = {
-        matchConfig.Name = "enu1";
-        networkConfig.DHCP = "no";
-        linkConfig.RequiredForOnline = "no";
-      };
       networks."wan" = {
         matchConfig.Name = "end0";
         networkConfig.DHCP = "yes";
-        linkConfig.RequiredForOnline = "yes";
+        linkConfig.RequiredForOnline = false;
+      };
+      networks."lan" = {
+        matchConfig.Name = "enu1";
+        networkConfig = {
+          DHCP = "no";
+          DHCPServer = "yes";
+          Address = "10.1.1.1/24";
+        };
+        dhcpServerConfig = {
+          ServerAddress = "10.1.1.1/24";
+          UplinkInterface = "end0";
+          EmitDNS = "yes";
+          DNS = [ "192.168.1.1" ];
+        };
+        linkConfig.RequiredForOnline = false;
+      };
+    };
+
+    networking.firewall.enable = false;
+    networking.nftables = {
+      enable = true;
+      tables = {
+        filter = {
+          family = "inet";
+          content = ''
+            chain forward {
+              iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
+              iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
+              iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
+            }
+          '';
+        };
+
+        nat = {
+          family = "ip";
+          content = ''
+            chain postrouting {
+              type nat hook postrouting priority 100; policy accept;
+              oifname "end0" masquerade
+              oifname "tailscale0" masquerade
+            }
+          '';
+        };
       };
     };
 
@@ -105,7 +143,11 @@
       configFile = "/var/lib/dae/config.dae";
     };
 
-    services.tailscale.enable = true;
-
+    services.tailscale = {
+      enable = true;
+      extraSetFlags = [
+        "--advertise-routes=10.1.1.0/24"
+      ];
+    };
   };
 }

modules/nixos/monitor/exporters.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib) mkIf concatStringsSep;
+  inherit (lib) mkIf getExe;
   inherit (config.my-lib.settings) prometheusCollectors;
   cfg = config.custom.prometheus.exporters;
 in
@@ -16,6 +16,30 @@ in
       ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
       ++ (lib.optional config.services.caddy.enable "caddy.service");
 
+    systemd.services.tailscaled.serviceConfig.ExecStartPost =
+      pkgs.writers.writePython3Bin "tailscale-wait-online"
+        {
+          flakeIgnore = [
+            "E401" # import on one line
+            "E501" # line length limit
+          ];
+        }
+        ''
+          import subprocess, json, time
+
+          for _ in range(30):
+              status = json.loads(
+                  subprocess.run(
+                      ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
+                  ).stdout
+              )["Self"]["Online"]
+              if status:
+                  exit(0)
+              time.sleep(1)
+
+          exit(1)
+        '';
+
     services.prometheus.exporters.node = mkIf cfg.node.enable {
       enable = true;
       enabledCollectors = [