From 75f9cc9d2bdd32fbcb1e28b7a300d61fc04da2b3 Mon Sep 17 00:00:00 2001
From: Cilly Leang
Date: Wed, 10 Jun 2026 15:05:05 +1000
Subject: [PATCH] system/tailscale: open port 123 on headless
---
 modules/system/tailscale.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix
index 02bce52..e7e6e0c 100644
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -1,7 +1,9 @@
-{ config, ... }: {
+{ config, lib, ... }: {
 age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
 me.binds."/var/lib/tailscale" = "tailscale";
 networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ networking.firewall.allowedUdpPorts = lib.mkIf config.me.environment == "headless" [ 123 ];
+
 services.tailscale = {
 enable = true;
 authKeyFile = config.age.secrets.tailscale_auth.path;
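Review bot: The added `networking.firewall.allowedUdpPorts` line will not evaluate as intended: function application binds tighter than `==` in Nix, so `lib.mkIf config.me.environment == "headless" [ 123 ]` parses as `(lib.mkIf config.me.environment) == ("headless" [ 123 ])`, and the NixOS firewall option is spelled `allowedUDPPorts`. It should read `networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];`. Because `tailscale0` is already listed in `trustedInterfaces`, this rule only has an effect on the other interfaces, so once fixed it exposes UDP 123 to every non-Tailscale network a headless host is attached to. If the NTP listener is meant for one network only, scoping it with `networking.firewall.interfaces.<name>.allowedUDPPorts` and adding a comment naming the service that binds port 123 would keep that exposure deliberate and reviewable. The `services.tailscale` attribute set continues outside the hunk.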