services.tailscale

NixOS module configuration options

authKeyFile nullOr

A file containing the auth key. Tailscale will be automatically started if provided. Services that bind to Tailscale IPs should order themselves after `tailscaled-autoconnect.service` using `systemd.services.<name>.after`.

Example:
"/run/secrets/tailscale_key"

authKeyParameters submodule

Extra parameters to pass after the auth key. See <https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials>
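
An added example (not taken from the module's documentation) showing `authKeyFile` together with the service ordering described above. The unit name `internal-dashboard`, its command line, and the address `100.64.0.10` are hypothetical placeholders.

```nix
{ pkgs, ... }:
{
  services.tailscale = {
    enable = true;

    # Pass the key location as a string. An unquoted Nix path literal would be
    # copied into the world-readable Nix store; a string pointing at a runtime
    # secret (provisioned by your secret manager) is not.
    authKeyFile = "/run/secrets/tailscale_key";

    # Keep the attack surface small unless the feature is needed.
    disableTaildrop = true;
    openFirewall = false;
  };

  # Hypothetical service that listens only on the node's Tailscale address.
  systemd.services.internal-dashboard = {
    description = "Example service bound to the Tailscale IP";
    wantedBy = [ "multi-user.target" ];

    # Start only after the node has authenticated with the auth key, so the
    # Tailscale address exists when the service binds to it.
    after = [ "tailscaled-autoconnect.service" ];
    # Addition beyond the option text: also pull the autoconnect unit into
    # the same transaction so the ordering actually applies.
    wants = [ "tailscaled-autoconnect.service" ];

    serviceConfig = {
      DynamicUser = true;
      StateDirectory = "internal-dashboard";
      # 100.64.0.10 is a constructed placeholder for this node's Tailscale IP.
      ExecStart = ''
        ${pkgs.python3}/bin/python3 -m http.server 8080 \
          --bind 100.64.0.10 \
          --directory /var/lib/internal-dashboard
      '';
    };
  };
}
```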

disableTaildrop bool

Whether to disable the Taildrop feature for sending files between nodes.

Default:
false

disableUpstreamLogging bool

Whether to prevent tailscaled from sending debug logging upstream.

Default:
false

enable bool

Whether to enable the Tailscale client daemon.

Default:
false
Example:
true

extraDaemonFlags listOf

Extra flags to pass to `tailscaled`.

Default:
[]
Example:
["--no-logs-no-support"]

extraSetFlags listOf

Extra flags to pass to `tailscale set`.

Default:
[]
Example:
["--advertise-exit-node"]

extraUpFlags listOf

Extra flags to pass to `tailscale up`. Only applied if `services.tailscale.authKeyFile` is specified.

Default:
[]
Example:
["--ssh"]

interfaceName str

The interface name for tunnel traffic. Use "userspace-networking" (beta) to not use TUN.

Default:
"tailscale0"

openFirewall bool

Whether to open the firewall for the specified port.

Default:
false

package package

The tailscale package to use.

permitCertUid nullOr

Username or user ID of the user allowed to fetch Tailscale TLS certificates for the node.

port unsignedInt16

The port to listen on for tunnel traffic (0=autoselect).

Default:
41641

useRoutingFeatures enum

Enables settings required for Tailscale's routing features like subnet routers and exit nodes. To use these features, you will still need to call `sudo tailscale up` with the relevant flags like `--advertise-exit-node` and `--exit-node`. When set to `client` or `both`, reverse path filtering will be set to loose instead of strict. When set to `server` or `both`, IP forwarding will be enabled.

Default:
"none"
Example:
"server"