Tailscale Support for NixOS

I have been continuing to run with Tailscale instead of hand-cranked WireGuard on various devices, including my daily driver ThinkPad which runs my other favourite OS—NixOS!

However, until now the configuration was not particularly idiomatic due to there being no upstream Tailscale Nix expressions in nixpkgs.

As it transpired, Dan Anderson of Tailscale is also a NixOS user and with his support I was able to shepherd in a quick PR to introduce a Tailscale module. I actually think NixOS ended up being their first Linux flavoured package!

Like the previous OpenBSD post, the rest of this post will walk you through how to set up Tailscale on NixOS.

Installing Tailscale on NixOS

It’s simple!

services.tailscale.enable = true;

# Optional (default: 41641):
services.tailscale.port = 12345;

You can choose to make it easier for Tailscale by opening up the UDP port.

networking.firewall.allowedUDPPorts = [ ${services.tailscale.port} ];

Depending on your setup, you may need to make the tailscale CLI available to all users.

environment.systemPackages = with pkgs; [ tailscale ];

That’s the configuration out of the way. If you perform a rebuild-switch, you should find a Tailscale daemon running.

; systemctl status tailscale

Finally, perform an initial authentication for this machine and you’re done.

; tailscale up

You should be able to see a successfully plumbed device, and Tailscale logs scrolling.

; ip link show tailscale0
; journalctl -fu tailscale