tsuki/headscale: fix oauth2, and set up tailscale
This commit is contained in:
parent
bb67d0b308
commit
7f8d60057d
@ -21,11 +21,12 @@
|
|||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
server_url = "https://vpn.nani.wtf";
|
server_url = "https://vpn.nani.wtf";
|
||||||
log.level = "warn";
|
log.level = "info";
|
||||||
ip_prefixes = [ "10.8.0.0/24" ];
|
ip_prefixes = [ "100.64.0.0/24" ];
|
||||||
|
|
||||||
dns_config = {
|
dns_config = {
|
||||||
magic_dns = true;
|
magic_dns = true;
|
||||||
|
base_domain = "nani.wtf";
|
||||||
nameservers = [
|
nameservers = [
|
||||||
"1.1.1.1"
|
"1.1.1.1"
|
||||||
];
|
];
|
||||||
@ -34,20 +35,25 @@
|
|||||||
db_type = "postgres";
|
db_type = "postgres";
|
||||||
db_user = "headscale";
|
db_user = "headscale";
|
||||||
db_name = "headscale";
|
db_name = "headscale";
|
||||||
db_host = "localhost";
|
db_host = "/var/run/postgresql";
|
||||||
db_port = secrets.ports.postgres;
|
db_port = null;
|
||||||
db_password_file = config.sops.secrets."postgres/headscale".path;
|
db_password_file = config.sops.secrets."postgres/headscale".path;
|
||||||
|
|
||||||
oidc = {
|
oidc = {
|
||||||
issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
|
issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
|
||||||
client_id = "headscale";
|
client_id = "headscale";
|
||||||
client_secret_file = config.sops.secrets."headscale/oauth2_secret".path;
|
client_secret_path = config.sops.secrets."headscale/oauth2_secret".path;
|
||||||
# allowed_domains = [ "nani.wtf" ];
|
|
||||||
allowed_groups = [ "headscale_users" ];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.headscale = {
|
||||||
|
requires = [
|
||||||
|
"postgresql.service"
|
||||||
|
"kanidm.service"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureDatabases = [ "headscale" ];
|
ensureDatabases = [ "headscale" ];
|
||||||
@ -65,5 +71,9 @@
|
|||||||
|
|
||||||
services.tailscale.enable = true;
|
services.tailscale.enable = true;
|
||||||
|
|
||||||
networking.firewall.checkReversePath = "loose";
|
networking.firewall = {
|
||||||
|
checkReversePath = "loose";
|
||||||
|
trustedInterfaces = [ "tailscale0" ];
|
||||||
|
allowedUDPPorts = [ config.services.tailscale.port ];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
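Review bot: Dropping `allowed_groups = [ "headscale_users" ];` from `settings.oidc` (second hunk, `@ -34,20 +35,25 @@`) widens who may register a node from members of one Kanidm group to every account the issuer at `auth.nani.wtf` will authenticate, and the last hunk's `trustedInterfaces = [ "tailscale0" ];` then lets each such node bypass the host firewall for every listening service. If the group check was removed because the `groups` claim was not present in the ID token, the narrower fix is to keep `allowed_groups` and request the claim through headscale's `oidc.scope` with a matching scope map on the Kanidm side, or to use `allowed_users`; if all tailnet nodes really should reach everything, say so in a comment next to `trustedInterfaces`, otherwise prefer `networking.firewall.interfaces.tailscale0.allowedTCPPorts` with an explicit port list. Separately, `systemd.services.headscale.requires` pulls in the two units but does not order startup, so headscale can be launched before the socket at `/var/run/postgresql` exists; add `after = [ "postgresql.service" "kanidm.service" ];` beside `requires`. The headscale version pinned for this host is outside the page, but recent headscale releases refuse to start when `base_domain` is a suffix of the `server_url` host, which is the case for `nani.wtf` under `vpn.nani.wtf` in the first hunk, so that pairing is worth confirming against the version in use.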
@ -137,6 +137,10 @@
|
|||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
(proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
|
(proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
|
||||||
|
(proxy ["atuin"] "http://localhost:${s config.services.atuin.port}" {})
|
||||||
|
(proxy ["vpn"] "http://localhost:${s config.services.headscale.port}" {
|
||||||
|
locations."/".proxyWebsockets = true;
|
||||||
|
})
|
||||||
] ++ (let
|
] ++ (let
|
||||||
stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
|
stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
|
||||||
inherit (inputs) maunium-stickerpicker secrets;
|
inherit (inputs) maunium-stickerpicker secrets;
|
||||||
|
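Review bot: The new `(proxy ["vpn"] …)` entry routes headscale through the shared `proxy` helper, which is defined outside this hunk, so it is not visible whether that helper turns off response buffering; `proxyWebsockets = true` only adds the `Upgrade`/`Connection` headers, and headscale's upstream nginx guidance additionally sets `proxy_buffering off;` for its long-lived control connections. If the helper does not already do this, add `locations."/".extraConfig = "proxy_buffering off;";` to this entry's attribute set. The surrounding list and the `let` block both start and end outside the hunk.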