From 7f8d60057d4bfd5a9acc30be4995d229373a30f7 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 12 Jul 2023 01:35:47 +0200
Subject: [PATCH] tsuki/headscale: fix oauth2, and set up tailscale
---
 hosts/tsuki/services/headscale.nix | 26 ++++++++++++++++++--------
 hosts/tsuki/services/nginx/default.nix | 4 ++++
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/hosts/tsuki/services/headscale.nix b/hosts/tsuki/services/headscale.nix
index c735ce0..7b99587 100644
--- a/hosts/tsuki/services/headscale.nix
+++ b/hosts/tsuki/services/headscale.nix
@@ -21,11 +21,12 @@
 settings = {
 server_url = "https://vpn.nani.wtf";
- log.level = "warn";
- ip_prefixes = [ "10.8.0.0/24" ];
+ log.level = "info";
+ ip_prefixes = [ "100.64.0.0/24" ];
 dns_config = {
 magic_dns = true;
+ base_domain = "nani.wtf";
 nameservers = [ "1.1.1.1" ];
@@ -34,20 +35,25 @@
 db_type = "postgres";
 db_user = "headscale";
 db_name = "headscale";
- db_host = "localhost";
- db_port = secrets.ports.postgres;
+ db_host = "/var/run/postgresql";
+ db_port = null;
 db_password_file = config.sops.secrets."postgres/headscale".path;
 oidc = {
 issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
 client_id = "headscale";
- client_secret_file = config.sops.secrets."headscale/oauth2_secret".path;
- # allowed_domains = [ "nani.wtf" ];
- allowed_groups = [ "headscale_users" ];
+ client_secret_path = config.sops.secrets."headscale/oauth2_secret".path;
 };
 };
 };
+ systemd.services.headscale = {
+ requires = [
+ "postgresql.service"
+ "kanidm.service"
+ ];
+ };
+
 services.postgresql = {
 enable = true;
 ensureDatabases = [ "headscale" ];
@@ -65,5 +71,9 @@
 services.tailscale.enable = true;
- networking.firewall.checkReversePath = "loose";
+ networking.firewall = {
+ checkReversePath = "loose";
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
 }
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 2f23e57..14e1df0 100644
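Review bot: `base_domain = "nani.wtf"` together with `magic_dns = true` places the control server's own name `vpn.nani.wtf` (from `server_url` two lines up) inside the MagicDNS zone, so clients resolve it through MagicDNS instead of the public resolver and can lose reachability to headscale itself; as far as I recall, newer headscale releases reject a `server_url` under `base_domain` outright. Use a dedicated subdomain for MagicDNS, e.g. `base_domain = "ts.nani.wtf";`. Separately, moving `ip_prefixes` from `10.8.0.0/24` to `100.64.0.0/24` does not renumber nodes already stored in the database; if any were registered under the old prefix they presumably need re-registration or a manual address fix-up. The enclosing `settings` set continues past this hunk.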
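Review bot: Removing `allowed_groups = [ "headscale_users" ]` from `oidc` without a replacement drops the only authorization check on node registration — every account that can log in at the Kanidm issuer can now join the tailnet, and the commit message's "fix oauth2" does not say this is intended. If the group check failed because of the claim format, match what Kanidm actually emits in the `groups` claim (presumably the full SPN, e.g. `allowed_groups = [ "headscale_users@nani.wtf" ];` — verify against a decoded token) or use `allowed_users`/`allowed_domains`, rather than removing the restriction. Also, `requires = [ "postgresql.service" "kanidm.service" ]` creates a dependency but no ordering; add `after = [ "postgresql.service" "kanidm.service" ];` next to it unless the headscale module already orders it, otherwise headscale can start before postgres is accepting connections on `/var/run/postgresql`. The enclosing `settings` set begins before this hunk.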
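Review bot: `trustedInterfaces = [ "tailscale0" ]` turns the firewall off for every port on the tailnet interface, so any service on this host that listens on a wildcard address becomes reachable by every node that can register with headscale — and with the OIDC group restriction dropped in the same commit, that is any Kanidm account. Prefer an explicit per-interface allow-list, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ ... ];`, or, if full trust is deliberate, add a comment above the line stating which services are meant to be tailnet-reachable. `allowedUDPPorts = [ config.services.tailscale.port ]` is fine for inbound direct connections and needs no change.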
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -137,6 +137,10 @@
 '';
 })
 (proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
+ (proxy ["atuin"] "http://localhost:${s config.services.atuin.port}" {})
+ (proxy ["vpn"] "http://localhost:${s config.services.headscale.port}" {
+ locations."/".proxyWebsockets = true;
+ })
 ] ++ (let
 stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
 inherit (inputs) maunium-stickerpicker secrets;
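Review bot: The `vpn` vhost proxies headscale with only `locations."/".proxyWebsockets = true`; the `proxy` helper is defined outside this hunk, so I cannot see whether it also disables response buffering or raises the read timeout, which headscale's long-lived client connections through nginx generally need (the upstream nginx example sets `proxy_buffering off;` and a long `proxy_read_timeout`), otherwise nodes may be cut off at nginx's default 60 s and reconnect repeatedly. If the helper does not cover it, add `locations."/".extraConfig = "proxy_buffering off; proxy_read_timeout 3600s;";` next to `proxyWebsockets`. The list and the enclosing `let` this hunk sits in begin and end outside it.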