tailscale-ssh

for connecting _from_ the mac.

hosts/macworx/configuration.nix

@@ -17,6 +17,7 @@ in
     ../../modules/profiles/devtools
     ../../modules/profiles/work/mac.nix
     ../../modules/services/ssh8022/client.nix
+    ../../modules/services/tailscale-ssh
   ];
 
   nixpkgs.hostPlatform = "aarch64-darwin";
@@ -48,6 +49,8 @@ in
     mode = "444";
   };
 
+  mj.services.tailscale-ssh.enable = true;
+
   mj.services.ssh8022.client = {
     enable = true;
     keyfile = config.age.secrets.ssh8022-client.path;

modules/services/ssh8022/client.nix

@@ -17,9 +17,6 @@ in
     programs.ssh.extraConfig = ''
       Host fra1-c.jakstys.lt jakstys.lt
         ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
-      Host fra1-c
-        HostName fra1-c.jakstys.lt
-        ProxyCommand ${pkgs.spiped}/bin/spipe -t %h:8022 -k ${cfg.keyfile}
     '';
   };
 }

modules/services/tailscale-ssh/default.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  myData,
+  ...
+}:
+let
+  cfg = config.mj.services.tailscale-ssh;
+
+  vpnDomain = ".jakst.vpn";
+
+  vpnHosts = lib.filterAttrs (name: _: lib.hasSuffix vpnDomain name) myData.hosts;
+
+  hostConfigs = lib.concatStringsSep "\n" (
+    lib.mapAttrsToList (
+      fqdn: hostData:
+      let
+        shortName = lib.removeSuffix vpnDomain fqdn;
+        extraNames = lib.filter (n: n != shortName) (hostData.extraHostNames or [ ]);
+        allNames = [ shortName ] ++ extraNames;
+        hostPattern = lib.concatStringsSep " " allNames;
+      in
+      ''
+        Host ${hostPattern}
+          ProxyCommand bash -c 'exec nc $(${pkgs.tailscale}/bin/tailscale ip -4 ${shortName}) %p'
+      ''
+    ) vpnHosts
+  );
+in
+{
+  options.mj.services.tailscale-ssh = {
+    enable = lib.mkEnableOption "SSH via Tailscale IP lookup for VPN hosts";
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.ssh.extraConfig = hostConfigs;
+  };
+}