tailscale: improve MagicDNS setup

doc/known-files/2c28f4fe3b4a958cd86b120e7eb799eee6976daa35b228c885f0630c55ef626c

@@ -0,0 +1,2 @@
+# Added by tailscaled
+nameserver 100.100.100.100

modules/nix/default.nix

@@ -140,7 +140,7 @@ in
     in
     [
       # Only ever in NixOS
-      (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivilant to this NixOS option.")
+      (mkRemovedOptionModule [ "nix" "enable" ] "No `nix-darwin` equivalent to this NixOS option.")
       (mkRemovedOptionModule [ "nix" "daemonCPUSchedPolicy" ] (altOption "nix.daemonProcessType"))
       (mkRemovedOptionModule [ "nix" "daemonIOSchedClass" ] (altOption "nix.daemonProcessType"))
       (mkRemovedOptionModule [ "nix" "daemonIOSchedPriority" ] (altOption "nix.daemonIOLowPriority"))

modules/services/tailscale.nix

@@ -7,13 +7,12 @@ let
 
 in
 {
-  options.services.tailscale = {
+  imports = [
-    domain = mkOption {
+    (mkRemovedOptionModule [ "services" "tailscale" "domain" ] "Tailscale no longer requires setting the search domain manually.")
-      type = types.str;
+    (mkRemovedOptionModule [ "services" "tailscale" "magicDNS" ] "MagicDNS no longer requires overriding the DNS servers, if this is necessary you can use `services.tailscale.overrideLocalDns`.")
-      default = "";
+  ];
-      description = lib.mdDoc "The Tailscale domain. This is displayed at the top left of https://login.tailscale.com/admin, next to the Tailscale logo.";
-    };
 
+  options.services.tailscale = {
     enable = mkEnableOption (lib.mdDoc "Tailscale client daemon");
 
     package = mkOption {
@@ -23,26 +22,32 @@ in
       description = lib.mdDoc "The package to use for tailscale";
     };
 
-    magicDNS = {
+    overrideLocalDns = mkOption {
-      enable = mkOption {
+      type = types.bool;
-        type = types.bool;
+      default = false;
-        default = false;
+      example = true;
-        example = true;
+      description = lib.mdDoc ''
-        description = lib.mdDoc "Whether to configure networking to work with Tailscale's MagicDNS.";
+        This option implements `Override local DNS` as it is not yet implemented in Tailscaled-on-macOS.
-      };
+
+        To use this option, in the Tailscale control panel:
+          1. at least one DNS server is added
+          2. `Override local DNS` is enabled
+
+        As this option sets 100.100.100.100 as your sole DNS server, if the requirements above are not met,
+        all non-MagicDNS queries WILL fail.
+      '';
     };
   };
 
   config = mkIf cfg.enable {
-    assertions = [ {
+    assertions = [{
-      assertion = !cfg.magicDNS.enable || config.networking.dns != [ "100.100.100.100" ];
+      assertion = !cfg.overrideLocalDns || config.networking.dns == [ "100.100.100.100" ];
       message = ''
-        When MagicDNS is enabled, fallback DNS servers need to be set with `networking.dns`.
+        DNS servers should be configured on the Tailscale control panel when `services.tailscale.overrideLocalDns` is enabled.
 
-        Otherwise, Tailscale will take a long time to connect and all DNS queries
+        A race condition can occur when DNS servers are set locally, leading to MagicDNS to not work.
-        will fail until Tailscale has connected.
       '';
-    } ];
+    }];
 
     environment.systemPackages = [ cfg.package ];
 
@@ -59,13 +64,21 @@ in
       };
     };
 
-    networking = mkIf cfg.magicDNS.enable {
+    networking.dns = mkIf cfg.overrideLocalDns [ "100.100.100.100" ];
-      dns = [ "100.100.100.100" ];
+
-      search =
+    # Ensures Tailscale MagicDNS always works even without adding 100.100.100.100 to DNS servers
-        if cfg.domain == "" then
+    environment.etc."resolver/ts.net".text = "nameserver 100.100.100.100";
-          [ ]
+
-        else
+    # This file gets created by tailscaled when `Override local DNS` is turned off
-          [ "${cfg.domain}.beta.tailscale.net" ];
+    environment.etc."resolver/ts.net".knownSha256Hashes = [
-    };
+      "2c28f4fe3b4a958cd86b120e7eb799eee6976daa35b228c885f0630c55ef626c"
+    ];
+
+    # Cleaning up the .orig file is necessary as any files in /etc/resolver will be used.
+    system.activationScripts.etc.text = mkAfter ''
+      if [ -e /etc/resolver/ts.net.orig ]; then
+        rm /etc/resolver/ts.net.orig
+      fi
+    '';
   };
 }