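{ config, pkgs, lib, ... }:
# NixOS module: headscale (Tailscale control server) backed by a local
# PostgreSQL database, with OIDC login against a kanidm instance.
let
  cfg = config.services.headscale;
in {
  # Both secrets are decrypted by sops-nix and owned by the headscale service
  # user so the daemon can read them without running as root; a change to
  # either secret restarts headscale so the new value is picked up.
  sops.secrets."headscale/oauth2_secret" = lib.mkIf cfg.enable rec {
    restartUnits = [ "headscale.service" ];
    owner = config.services.headscale.user;
    group = config.users.users.${owner}.group;
  };

  sops.secrets."postgres/headscale" = lib.mkIf cfg.enable rec {
    restartUnits = [ "headscale.service" ];
    owner = config.services.headscale.user;
    group = config.users.users.${owner}.group;
  };

  services.headscale = {
    enable = true;
    # Local listen port; server_url is https, so presumably a reverse proxy in
    # front of this port terminates TLS — that proxy is not configured here.
    port = 39304;

    settings = {
      server_url = "https://vpn.nani.wtf";
      log.level = "info";
      ip_prefixes = [ "100.64.0.0/24" ];

      dns_config = {
        magic_dns = true;
        base_domain = "nani.wtf";
        nameservers = [ "1.1.1.1" ];
      };

      # Database access over the local unix socket; no password travels over
      # the network and the password itself only ever lives in the sops file.
      db_type = "postgres";
      db_user = "headscale";
      db_name = "headscale";
      db_host = "/var/run/postgresql";
      db_port = null;
      db_password_file = config.sops.secrets."postgres/headscale".path;

      oidc = {
        issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
        client_id = "headscale";
        client_secret_path = config.sops.secrets."headscale/oauth2_secret".path;
      };
    };
  };

  systemd.services.headscale = lib.mkIf cfg.enable {
    # `requires` alone only ties the units' lifetimes together; it does not
    # order startup. `after` is needed so headscale does not start before its
    # database (postgresql) and its OIDC issuer (kanidm) are up.
    requires = [ "postgresql.service" "kanidm.service" ];
    after = [ "postgresql.service" "kanidm.service" ];
  };

  services.postgresql = lib.mkIf cfg.enable {
    enable = true;
    ensureDatabases = [ "headscale" ];
    ensureUsers = [
      (rec {
        name = "headscale";
        # NOTE(review): ensurePermissions is deprecated in newer nixpkgs in
        # favour of ensureDBOwnership; check the pinned nixpkgs before switching.
        ensurePermissions = {
          "DATABASE \"${name}\"" = "ALL PRIVILEGES";
        };
      })
    ];
  };

  environment.systemPackages = lib.mkIf cfg.enable [ pkgs.headscale ];

  # The options below are not gated on cfg.enable — presumably the host is
  # also a tailscale client in its own right; confirm that this is intended.
  services.tailscale.enable = true;

  networking.firewall = {
    # "loose" relaxes reverse-path filtering host-wide, not just for tailscale0.
    checkReversePath = "loose";
    # Everything arriving on the tailnet interface bypasses the firewall
    # entirely, so any service bound to 0.0.0.0 is reachable from every peer.
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}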