Add tailscale

config/hosts/grondahl/configuration.nix

@@ -6,7 +6,8 @@
     ./hardware-configuration.nix
     ./data/secrets/secrets.nix
     ../../common/services/ssh.nix
-		../../common/users.nix
+    ../../common/services/tailscale.nix
+    ../../common/users.nix
     ./services/acme.nix
     ./services/coturn.nix
     ./services/nginx.nix
@@ -72,9 +73,15 @@
     dig
   ];
 
-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-  networking.firewall.allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
-  networking.firewall.allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+  networking.firewall = {
+    enable = true;
+    checkReversePath = "loose";
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+    allowedTCPPorts = [ 22 80 443 ];
+    allowedTCPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } ];
+    allowedUDPPortRanges = [ { from = 3478; to = 3479; } { from = 5349; to = 5350; } { from = 49152; to = 49999; } ];
+  };
 
   system.stateVersion = "21.05";