break tailscale into 2 configs for server and client

hosts/nixos/snowbelle/configuration.nix

@@ -25,7 +25,6 @@ in
     sops.enable = true;
     podman.enable = true;
     yubikey.enable = true;
-    tailscale.enable = true;
     nvidia.enable = true;
   };
   holocron = {
@@ -38,6 +37,7 @@ in
   };
   homelab = {
     enable = true;
+    tailscale.enable = true;
     backups.enable = true;
     motd.enable = true;
     postfix.enable = true;

modules/homelab/default.nix

@@ -62,6 +62,7 @@ in
     ./arr/flaresolverr
     ./home/mosquitto
     ./uptime-kuma
+    ./tailscale
   ];
 
   config = lib.mkIf cfg.enable {

modules/homelab/tailscale/default.nix

@@ -0,0 +1,36 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.system.tailscale;
+  authkey_file = config.sops.secrets."tailscale_authkey".path;
+in {
+  options.system.tailscale = {
+    enable = lib.mkEnableOption "enables tailscale";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = "both";
+      authKeyFile = authkey_file;
+      extraUpFlags = [
+        "--accept-routes=false" # true is equilivant to useRoutingFeatures = "client" (breaks shit)
+        "--accept-dns=true" # explicitly allow resolved
+      ];
+    };
+
+    # network config
+    networking.firewall.trustedInterfaces = ["tailscale0"];
+    networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+
+    # declare authkey secrets
+    sops.secrets = {
+      "tailscale_authkey" = {
+        owner = "root";
+      };
+    };
+  };
+}

modules/system/default.nix

@@ -20,7 +20,7 @@
   system.ssh.enable = lib.mkDefault true;
   system.sops.enable = lib.mkDefault true;
   system.docker.enable = lib.mkDefault false;
-  system.tailscale.enable = lib.mkDefault true;
+  system.tailscale.enable = lib.mkDefault false;
   system.vpns.enable = lib.mkDefault false;
   system.vpn-confinement.enable = lib.mkDefault false;
   system.syncthing.enable = lib.mkDefault false;

modules/system/tailscale/default.nix

@@ -17,7 +17,7 @@ in {
       useRoutingFeatures = "both";
       authKeyFile = authkey_file;
       extraUpFlags = [
-        "--accept-routes=false" # true is equilivant to useRoutingFeatures = "client" (breaks shit)
+        "--accept-routes=true" # true is equilivant to useRoutingFeatures = "client" (breaks shit)
         "--accept-dns=true" # explicitly allow resolved
       ];
     };

users/blake/dots/default.nix

@@ -9,6 +9,7 @@
     ./kitty
     ./dunst
     ./waybar
+    ./stylix
     ./hypr
     ./tofi
     ./nvf