From 97318f33f5efaf185f661e3c77be793de011f53d Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Tue, 8 Apr 2025 10:23:14 +0200
Subject: [PATCH] Add tailscale firewall bypass option

---
 modules/common/linux/default.nix | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix
index 10e602c..416f198 100644
--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@@ -165,6 +165,32 @@ let
 }
 ];
 };
+
+ tailscale =
+ { config, ... }:
+ {
+ options.common.linux = {
+ tailscale = {
+ firewall.allowPorts = mkOption {
+ type = types.listOf types.port;
+ description = "List of ports to allow tailscale to pass through";
+ default = [ ];
+ };
+ };
+ };
+ config =
+ let
+ cfg = config.common.linux.tailscale;
+ in
+ {
+ # Enable tailscale
+ services.tailscale.enable = true;
+ networking.firewall.interfaces."tailscale0" = {
+ allowedUDPPorts = cfg.firewall.allowPorts;
+ allowedTCPPorts = cfg.firewall.allowPorts;
+ };
+ };
+ };
 in
 {
 imports = with modules; [
@@ -180,6 +206,7 @@ in
 accounts
 rt-audio
 nix-ld
+ tailscale
 ];
 
 options.common.linux = {
@@ -330,8 +357,6 @@ in
 # Firewall: only open to SSH now
 networking.firewall.allowedTCPPorts = [ 22 ];
 networking.firewall.allowedUDPPorts = [ 22 ];
- # Enable tailscale
- services.tailscale.enable = true;
 
 ## Time and Region
 time.timeZone = lib.mkDefault "Europe/Zurich";
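Review bot: The interface name is hard-coded as `"tailscale0"` in the new `networking.firewall.interfaces` attribute in the first hunk, while the NixOS tailscale module already exposes it as `services.tailscale.interfaceName`; if that option is ever set to something else, the per-interface allowlist silently applies to an interface that does not exist and the listed ports stay closed on the tailnet. Reading it from the module keeps the two in sync: `networking.firewall.interfaces.${config.services.tailscale.interfaceName} = {`. The option description should also state what the rule actually does, since one list opens every listed port on both TCP and UDP to any peer that can reach this node over the tailnet, e.g. `description = "Ports opened for both TCP and UDP on the tailscale interface only; they stay closed on every other interface";`. If TCP-only or UDP-only services are the expected use, separate lists feeding `allowedTCPPorts` and `allowedUDPPorts` would avoid exposing the unused protocol on each port.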