From 3bb634f3581f47038c5bad0f2d878eb51deaa723 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Mon, 5 Jan 2026 23:05:43 -0600
Subject: [PATCH] Require tun device and trust Tailscale interface in firewall
---
 flakes/common/nix_modules/tailnet.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/flakes/common/nix_modules/tailnet.nix b/flakes/common/nix_modules/tailnet.nix
index 9351576b..fe9e9be8 100644
--- a/flakes/common/nix_modules/tailnet.nix
+++ b/flakes/common/nix_modules/tailnet.nix
@@ -20,6 +20,16 @@
 "--no-logs-no-support"
 ];
 };
+
+ systemd.services.tailscaled = {
+ after = [
+ "systemd-modules-load.service"
+ "dev-net-tun.device"
+ ];
+ wants = [ "dev-net-tun.device" ];
+ requires = [ "dev-net-tun.device" ];
+ };
+
 networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
 networking.firewall.checkReversePath = "loose";
 }
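Review bot: The added `requires = [ "dev-net-tun.device" ];` makes tailscaled hard-depend on a device unit that systemd only creates for udev devices tagged `systemd`. If the tun node is not tagged on these hosts (worth confirming with `systemctl status dev-net-tun.device`), the service would likely wait out the device timeout and then fail as a dependency failure, taking the host off the tailnet. `wants` is redundant next to `requires`, so keeping `after` plus `wants = [ "dev-net-tun.device" ];` and dropping the `requires` line keeps the ordering without turning a missing unit into a start failure. The subject mentions trusting the Tailscale interface, but `networking.firewall.trustedInterfaces` appears in this hunk only as unchanged context; because it exempts all traffic on that interface from the host firewall, a comment such as `# every port is reachable from any tailnet peer; tailnet ACLs are the only filter` above it would help. The enclosing attribute set starts before the hunk.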