nix-dotfiles/hosts/tsuki/services/headscale.nix

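{ config, pkgs, lib, ... }:
let
  cfg = config.services.headscale;
in
{
  # Headscale control server for the tailnet: PostgreSQL over the local Unix
  # socket for state, Kanidm as the OIDC identity provider.
  #
  # Both secrets are provided by sops-nix, owned by the headscale service user
  # (sops-nix's default file mode keeps them unreadable to others), and the
  # service is restarted whenever either of them is re-deployed.
  sops.secrets."headscale/oauth2_secret" = lib.mkIf cfg.enable rec {
    restartUnits = [ "headscale.service" ];
    owner = config.services.headscale.user;
    group = config.users.users.${owner}.group;
  };

  sops.secrets."postgres/headscale" = lib.mkIf cfg.enable rec {
    restartUnits = [ "headscale.service" ];
    owner = config.services.headscale.user;
    group = config.users.users.${owner}.group;
  };

  services.headscale = {
    enable = true;
    # Deliberately not opened in the firewall: the listen address is left at
    # the module default (loopback unless `address` is set elsewhere) and the
    # https server_url implies a TLS-terminating reverse proxy in front.
    port = 39304;

    settings = {
      server_url = "https://vpn.nani.wtf";
      log.level = "info";
      ip_prefixes = [ "100.64.0.0/24" ];
      dns_config = {
        magic_dns = true;
        # NOTE(review): base_domain is a parent of the server_url host name.
        # Newer headscale releases reject that combination because MagicDNS
        # names could shadow the control server itself - confirm against the
        # headscale version actually deployed before upgrading.
        base_domain = "nani.wtf";
        nameservers = [
          "1.1.1.1"
        ];
      };
      db_type = "postgres";
      db_user = "headscale";
      db_name = "headscale";
      # Unix-socket connection: no TCP listener is involved, and the
      # password file is the sops secret declared above.
      db_host = "/var/run/postgresql";
      db_port = null;
      db_password_file = config.sops.secrets."postgres/headscale".path;
      oidc = {
        issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
        client_id = "headscale";
        client_secret_path = config.sops.secrets."headscale/oauth2_secret".path;
        # No allowed_users / allowed_groups / allowed_domains filter is set
        # here, so every identity the IdP lets through this OIDC client may
        # register nodes; enrolment policy is therefore enforced only on the
        # Kanidm side.
      };
    };
  };

  # `requires` alone does not order unit start-up: headscale could be started
  # concurrently with (or before) PostgreSQL and Kanidm and fail its first
  # database/OIDC connection. `after` supplies the ordering that `requires`
  # is normally paired with.
  systemd.services.headscale = lib.mkIf cfg.enable {
    requires = [
      "postgresql.service"
      "kanidm.service"
    ];
    after = [
      "postgresql.service"
      "kanidm.service"
    ];
  };

  services.postgresql = lib.mkIf cfg.enable {
    enable = true;
    ensureDatabases = [ "headscale" ];
    ensureUsers = [
      (rec {
        name = "headscale";
        # `ensurePermissions` is deprecated on newer NixOS channels in favour
        # of `ensureDBOwnership = true`, which works here because the role and
        # the database share the name; switch once the channel supports it.
        ensurePermissions = {
          "DATABASE \"${name}\"" = "ALL PRIVILEGES";
        };
      })
    ];
  };

  environment.systemPackages = lib.mkIf cfg.enable [ pkgs.headscale ];

  # This host is itself a tailnet member. Trusting tailscale0 means traffic
  # from ANY node on the tailnet bypasses the host firewall completely; if
  # not every peer should reach every local service, restrict it with
  # headscale ACLs or drop the interface from trustedInterfaces.
  services.tailscale.enable = true;
  networking.firewall = {
    # Tailscale's policy routing (exit nodes / subnet routes) needs the
    # relaxed reverse-path check.
    checkReversePath = "loose";
    trustedInterfaces = [ "tailscale0" ];
    allowedUDPPorts = [ config.services.tailscale.port ];
  };
}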