From 9eb814766009e8181a95269b7400883ac5ae884d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= <motiejus@jakstys.lt>
Date: Thu, 14 Sep 2023 14:37:55 +0300
Subject: [PATCH] tailscale: silence logs on some machines

---
 hosts/fra1-a/configuration.nix         |  6 ++++--
 hosts/fwminex/configuration.nix        |  7 +++++--
 hosts/vno1-oh2/configuration.nix       |  6 +-----
 hosts/vno3-rp3b/configuration.nix      |  6 ++++--
 modules/base/default.nix               |  1 -
 modules/services/default.nix           |  5 +++--
 modules/services/tailscale/default.nix | 25 +++++++++++++++++++++++++
 7 files changed, 42 insertions(+), 14 deletions(-)
 create mode 100644 modules/services/tailscale/default.nix

diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
index 7bf543a..4cf6fd2 100644
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@@ -45,6 +45,10 @@
     services = {
       node_exporter.enable = true;
       sshguard.enable = true;
+      tailscale = {
+        enable = true;
+        silenceLogs = true;
+      };
 
       postfix = {
         enable = true;
@@ -74,8 +78,6 @@
     };
   };
 
-  services.tailscale.enable = true;
-
   services.nsd = {
     enable = true;
     interfaces = ["0.0.0.0" "::"];
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 320de8b..333c478 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -74,7 +74,11 @@
 
     services = {
       node_exporter.enable = true;
-      sshguard.enable = true;
+      sshguard.enable = false;
+      tailscale = {
+        enable = true;
+        silenceLogs = true;
+      };
 
       deployerbot = {
         follower = {
@@ -99,7 +103,6 @@
   };
 
   services = {
-    tailscale.enable = true;
 
     xserver = {
       enable = true;
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 16d3c5e..28dc059 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -155,11 +155,9 @@
           ];
         }
       ];
-
+      tailscale.enable = true;
       node_exporter.enable = true;
-
       gitea.enable = true;
-
       snmp_exporter.enable = true;
       sshguard.enable = true;
 
@@ -232,8 +230,6 @@
   };
 
   services = {
-    tailscale.enable = true;
-
     caddy = {
       enable = true;
       email = "motiejus+acme@jakstys.lt";
diff --git a/hosts/vno3-rp3b/configuration.nix b/hosts/vno3-rp3b/configuration.nix
index 8d9bc21..e6ea08f 100644
--- a/hosts/vno3-rp3b/configuration.nix
+++ b/hosts/vno3-rp3b/configuration.nix
@@ -62,6 +62,10 @@
     services = {
       node_exporter.enable = true;
       sshguard.enable = true;
+      tailscale = {
+        enable = true;
+        silenceLogs = true;
+      };
 
       borgstor = {
         enable = true;
@@ -92,8 +96,6 @@
     };
   };
 
-  services.tailscale.enable = true;
-
   services.journald.extraConfig = "Storage=volatile";
 
   environment.etc = {
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 66059a9..eeb1cc1 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -154,7 +154,6 @@
     };
 
     networking.firewall.logRefusedConnections = false;
-    networking.firewall.checkReversePath = "loose"; # for tailscale
 
     services = {
       chrony = {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 384d390..c31cbed 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,7 +1,7 @@
 {
   config,
-  lib,
-  pkgs,
+lib,
+pkgs,
   ...
 }: {
   imports = [
@@ -18,6 +18,7 @@
     ./snmp_exporter
     ./sshguard
     ./syncthing
+    ./tailscale
     ./zfsunlock
   ];
 }
diff --git a/modules/services/tailscale/default.nix b/modules/services/tailscale/default.nix
new file mode 100644
index 0000000..16fdf41
--- /dev/null
+++ b/modules/services/tailscale/default.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  myData,
+  ...
+}: {
+  options.mj.services.tailscale = with lib.types; {
+    enable = lib.mkEnableOption "Enable tailscale";
+    # https://github.com/tailscale/tailscale/issues/1548
+    silenceLogs = lib.mkOption {
+      type = bool;
+      default = false;
+    };
+  };
+
+  config = with config.mj.services.tailscale;
+    lib.mkIf enable {
+      services.tailscale.enable = true;
+      networking.firewall.checkReversePath = "loose"; # for tailscale
+    }
+    // lib.mkIf silenceLogs {
+      systemd.services.tailscale.serviceConfig."StandardOutput" = "null";
+    };
+}