From 390457ae1f04f01632764dfa300f4652237b14c9 Mon Sep 17 00:00:00 2001
From: Jan Kremer
Date: Fri, 23 Jan 2026 09:25:22 +0100
Subject: [PATCH] tailscale: Update config

---
 modules/nixos/default.nix | 7 -------
 modules/nixos/jellyfin.nix | 1 -
 modules/nixos/tailscale.nix | 25 ++++++++++++++++++++++++-
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 8e3d7ca..b9c6b6f 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,18 +1,11 @@
 {
 imports = [
- # ./adguardhome.nix
- # ./audiobookshelf.nix
 # ./forgejo.nix
- # ./freshrss.nix
 # ./immich.nix
 ./jellyfin.nix
- # ./mealie.nix
 # ./minecraft.nix
- # ./navidrome.nix
- # ./nextcloud.nix
 # ./pinchflat.nix
 ./samba.nix
 ./tailscale.nix
- # ./vaultwarden.nix
 ];
 }
diff --git a/modules/nixos/jellyfin.nix b/modules/nixos/jellyfin.nix
index 832cfc3..ae55f41 100644
--- a/modules/nixos/jellyfin.nix
+++ b/modules/nixos/jellyfin.nix
@@ -32,7 +32,6 @@
 services = {
 jellyfin = {
 enable = true;
 # port = 8096
- openFirewall = true;
 };
 tailscale = {
diff --git a/modules/nixos/tailscale.nix b/modules/nixos/tailscale.nix
index 61b954e..a360858 100644
--- a/modules/nixos/tailscale.nix
+++ b/modules/nixos/tailscale.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
 {
 services.tailscale = {
 enable = true;
@@ -5,5 +6,27 @@
 extraUpFlags = [ "--ssh" ];
 };
- networking.firewall.checkReversePath = "loose";
+ networking = {
+ nftables.enable = true;
+ firewall = {
+ enable = true;
+ # Always allow traffic from your Tailscale network
+ trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
+ # Allow the Tailscale UDP port through the firewall
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ checkReversePath = "loose";
+ };
+ };
+
+ # 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)
+ # This avoids the "iptables-compat" translation layer issues.
+ systemd.services.tailscaled.serviceConfig.Environment = [
+ "TS_DEBUG_FIREWALL_MODE=nftables"
+ ];
+
+ # 3. Optimization: Prevent systemd from waiting for network online
+ # (Optional but recommended for faster boot with VPNs)
+ # systemd.network.wait-online.enable = false;
+ # boot.initrd.systemd.network.wait-online.enable = false;
+ systemd.network.wait-online.ignoredInterfaces = [ "${config.services.tailscale.interfaceName}" ];
 }
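Review bot: The `trustedInterfaces` line exempts every tailnet peer from the host firewall entirely, so with jellyfin's `openFirewall` removed in the other file the only control between a peer and any local listener is the tailnet ACL; the comment above it should state that trust boundary rather than just "always allow", e.g. `# Tailnet peers bypass the host firewall completely; reachability is governed by tailnet ACLs only`. The `"${...}"` wrapping on that line and on the `ignoredInterfaces` line is redundant since `interfaceName` is already a string, so `[ config.services.tailscale.interfaceName ]` reads cleaner. `allowedUDPPorts = [ config.services.tailscale.port ]` appears to duplicate what `services.tailscale.openFirewall = true;` would set, which would keep the port knob next to the service that owns it. The `# 2.`/`# 3.` numbering has no `# 1.`, and the two commented-out `wait-online.enable = false` lines explain nothing; drop the numbers and the dead lines, and note that `ignoredInterfaces` only matters when systemd-networkd's wait-online is in use, which this hunk does not show. The enclosing attribute set is opened in the previous hunk.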