tailscale: Update config

modules/nixos/default.nix

@@ -1,18 +1,11 @@
 {
   imports = [
-    # ./adguardhome.nix
-    # ./audiobookshelf.nix
     # ./forgejo.nix
-    # ./freshrss.nix
     # ./immich.nix
     ./jellyfin.nix
-    # ./mealie.nix
     # ./minecraft.nix
-    # ./navidrome.nix
-    # ./nextcloud.nix
     # ./pinchflat.nix
     ./samba.nix
     ./tailscale.nix
-    # ./vaultwarden.nix
   ];
 }

modules/nixos/jellyfin.nix

@@ -32,7 +32,6 @@
         services = {
           jellyfin = {
             enable = true; # port = 8096
-            openFirewall = true;
           };
 
           tailscale = {

modules/nixos/tailscale.nix

@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   services.tailscale = {
     enable = true;
@@ -5,5 +6,27 @@
     extraUpFlags = [ "--ssh" ];
   };
 
-  networking.firewall.checkReversePath = "loose";
+  networking = {
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      # Always allow traffic from your Tailscale network
+      trustedInterfaces = [ "${config.services.tailscale.interfaceName}" ];
+      # Allow the Tailscale UDP port through the firewall
+      allowedUDPPorts = [ config.services.tailscale.port ];
+      checkReversePath = "loose";
+    };
+  };
+
+  # 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)
+  # This avoids the "iptables-compat" translation layer issues.
+  systemd.services.tailscaled.serviceConfig.Environment = [
+    "TS_DEBUG_FIREWALL_MODE=nftables"
+  ];
+
+  # 3. Optimization: Prevent systemd from waiting for network online
+  # (Optional but recommended for faster boot with VPNs)
+  # systemd.network.wait-online.enable = false;
+  # boot.initrd.systemd.network.wait-online.enable = false;
+  systemd.network.wait-online.ignoredInterfaces = [ "${config.services.tailscale.interfaceName}" ];
 }