Nixos and Tailscale

NixOS is a Linux distribution that is built around the Nix package manager. More information is in my previous post(s). This post is about the way I user Tailscale on my collection of Nixos systems.

Tailscale on Desktop and Laptop Link to heading

Enabling tailscale on desktop and laptop can be done by adding the line services.tailscale.enable = true; to my Nixos configuration. However I do not always want to use Tailscale and therefore I want to be able to manually start the Tailscale service. This can be accomplished by adding the following Tailscale configuration to the Nixos configuration:

  # Tailscale, but without auto-starting
  services.tailscale.enable = true; = lib.mkForce [];

I add this to the Nixos configurations of all the systems I want in my Tailscale network.

Tailscale on Servers Link to heading

On my server(s) I want to be able to use Tailscale with the Exit Node option (see here). This way, I create my own virtual prive network (VPN) which allows me to securely access the internet from my home network and/or my remote Nixos servers.

The Tailscale server configuration with Exit Node functionality looks as follows:

  # Tailscale (with oneshot exit-node)
  services.tailscale.enable = true; = {
    description = "Automatic connection to Tailscale";

    # make sure tailscale is running before trying to connect to tailscale
    after = [ "" "tailscale.service" ];
    wants = [ "" "tailscale.service" ];
    wantedBy = [ "" ];

    # set this service as a oneshot job
    serviceConfig.Type = "oneshot";

    # have the job run this shell script
    script = with pkgs; ''
      # wait for tailscaled to settle
      sleep 2

      # otherwise authenticate with tailscale
      ${tailscale}/bin/tailscale up --advertise-exit-node

This configuration restarts tailscale, but adding the --advertise-exit-node option.