From 0ae311e1c74ad88a74b3ee5d897d4df4f633044f Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Tue, 20 Sep 2022 16:09:02 +1000
Subject: [PATCH 1/2] tailscale: fix `tailscaled` not running as root

Run `tailscaled` using a system daemon as it does not work as a non-root user without `userspace-networking`. Also, remove the broken warning relating to setting the search domain. Manually adding the search domain to `networking.search` isn't necessary to use only machine names to refer to other machines.
---
 modules/services/tailscale.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
index fb63af9..201e04a 100644
--- a/modules/services/tailscale.nix
+++ b/modules/services/tailscale.nix
@@ -29,20 +29,21 @@ in
 };
 
 config = mkIf cfg.enable {
- warnings = [
- (mkIf (cfg.magicDNS.enable && cfg.domain == "") "${showOption cfg.domain} isn't empty, Tailscale MagicDNS search path won't be configured.")
- ];
-
 environment.systemPackages = [ cfg.package ];
- launchd.user.agents.tailscaled = {
+
+ launchd.daemons.tailscaled = {
 # derived from
 # https://github.com/tailscale/tailscale/blob/main/cmd/tailscaled/install_darwin.go#L30
 serviceConfig = {
 Label = "com.tailscale.tailscaled";
- ProgramArguments = [ "${lib.getBin cfg.package}/bin/tailscaled" ];
+ ProgramArguments = [
+ "/bin/sh" "-c"
+ "/bin/wait4path ${cfg.package} && ${cfg.package}/bin/tailscaled"
+ ];
 RunAtLoad = true;
 };
 };
+
 networking = mkIf cfg.magicDNS.enable {
 dns = [ "100.100.100.100" ];
 search =

From bdd5d81b13cd5886eab49d23472233b9b6e7f606 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Tue, 20 Sep 2022 18:03:50 +1000
Subject: [PATCH 2/2] tailscale: prevent significant DNS footgun

---
 modules/services/tailscale.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/services/tailscale.nix b/modules/services/tailscale.nix
index 201e04a..6e1a86d 100644
--- a/modules/services/tailscale.nix
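Review bot: The new ProgramArguments lines leave `/bin/sh` as the process launchd supervises and interpolate the store path into the shell string unquoted; now that this is a root system daemon, `exec` the binary so launchd's signals reach tailscaled itself rather than the wrapper, and quote the path even though store paths normally contain no shell metacharacters: `"/bin/wait4path '${cfg.package}' && exec '${cfg.package}/bin/tailscaled'"`. The removed line used `${lib.getBin cfg.package}` while the added lines use `${cfg.package}` directly, so a package with a separate `bin` output would resolve to the wrong path; consider keeping `lib.getBin` in both interpolations. The `config` attribute set and the `networking` block continue past the end of the hunk.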
+++ b/modules/services/tailscale.nix
@@ -29,6 +29,16 @@ in
 };
 
 config = mkIf cfg.enable {
+ assertions = [ {
+ assertion = !cfg.magicDNS.enable || config.networking.dns != [ "100.100.100.100" ];
+ message = ''
+ When MagicDNS is enabled, fallback DNS servers need to be set with `networking.dns`.
+
+ Otherwise, Tailscale will take a long time to connect and all DNS queries
+ will fail until Tailscale has connected.
+ '';
+ } ];
+
 environment.systemPackages = [ cfg.package ];
 
 launchd.daemons.tailscaled = {
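Review bot: The added assertion hard-codes `"100.100.100.100"` a second time, duplicating the literal this module already writes into `networking.dns` further down the file (outside this hunk); if either copy changes, the guard silently stops firing. Hoisting it into the file's `let` block (the `in` in the hunk header suggests one exists) as e.g. `magicDNSResolver = "100.100.100.100";` and comparing `config.networking.dns != [ magicDNSResolver ]` here, with `dns = [ magicDNSResolver ];` below, keeps the two in sync. Note also that exact-list equality is satisfied by any extra entry, including a user-supplied duplicate of the same address, so a short comment explaining the intent would help a reader: `# the module itself adds 100.100.100.100; a list equal to that alone means no fallback resolver was configured`. The enclosing `config` set continues past the hunk.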