tsuki/headscale: fix oauth2, and set up tailscale

Oystein Kristoffer Tveit 2023-07-12 01:35:47 +02:00
parent bb67d0b308
commit 7f8d60057d
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
2 changed files with 22 additions and 8 deletions


@ -21,11 +21,12 @@
settings = { settings = {
server_url = "https://vpn.nani.wtf"; server_url = "https://vpn.nani.wtf";
log.level = "warn"; log.level = "info";
ip_prefixes = [ "10.8.0.0/24" ]; ip_prefixes = [ "100.64.0.0/24" ];
dns_config = { dns_config = {
magic_dns = true; magic_dns = true;
base_domain = "nani.wtf";
nameservers = [ nameservers = [
"1.1.1.1" "1.1.1.1"
]; ];
@ -34,20 +35,25 @@
db_type = "postgres"; db_type = "postgres";
db_user = "headscale"; db_user = "headscale";
db_name = "headscale"; db_name = "headscale";
db_host = "localhost"; db_host = "/var/run/postgresql";
db_port = secrets.ports.postgres; db_port = null;
db_password_file = config.sops.secrets."postgres/headscale".path; db_password_file = config.sops.secrets."postgres/headscale".path;
oidc = { oidc = {
issuer = "https://auth.nani.wtf/oauth2/openid/headscale"; issuer = "https://auth.nani.wtf/oauth2/openid/headscale";
client_id = "headscale"; client_id = "headscale";
client_secret_file = config.sops.secrets."headscale/oauth2_secret".path; client_secret_path = config.sops.secrets."headscale/oauth2_secret".path;
# allowed_domains = [ "nani.wtf" ];
allowed_groups = [ "headscale_users" ];
}; };
}; };
}; };
systemd.services.headscale = {
requires = [
"postgresql.service"
"kanidm.service"
];
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ "headscale" ]; ensureDatabases = [ "headscale" ];
@ -65,5 +71,9 @@
services.tailscale.enable = true; services.tailscale.enable = true;
networking.firewall.checkReversePath = "loose"; networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
} }
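Review bot: `requires` without a matching `after` on `systemd.services.headscale` (second hunk) only pulls postgresql and kanidm into the same transaction; it does not order headscale after them, so headscale can still be started before the socket at `/var/run/postgresql` exists or before the OIDC issuer is up, and fail its first connection. Add `after = [ "postgresql.service" "kanidm.service" ];` next to `requires`. In the third hunk, `trustedInterfaces = [ "tailscale0" ]` switches the host firewall off for everything arriving over the tailnet, so every peer admitted via the `headscale_users` group gets unfiltered access to any service listening on a non-loopback address on this node; if that is not intended, list only the needed ports under `allowedTCPPorts` for that interface or lean on a headscale ACL policy instead. If kanidm only emits the `groups` claim when the `groups` scope is requested, `allowed_groups` will reject every login until `scope = [ "openid" "profile" "email" "groups" ];` is added to `oidc` — worth confirming against the kanidm client configuration.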


@ -137,6 +137,10 @@
''; '';
}) })
(proxy ["hydra"] "http://localhost:${s ports.hydra}" {}) (proxy ["hydra"] "http://localhost:${s ports.hydra}" {})
(proxy ["atuin"] "http://localhost:${s config.services.atuin.port}" {})
(proxy ["vpn"] "http://localhost:${s config.services.headscale.port}" {
locations."/".proxyWebsockets = true;
})
] ++ (let ] ++ (let
stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix { stickerpickers = pkgs.callPackage ../matrix/maunium-stickerpicker.nix {
inherit (inputs) maunium-stickerpicker secrets; inherit (inputs) maunium-stickerpicker secrets;
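Review bot: The new `vpn` vhost fronts the headscale control plane, whose `server_url` and OIDC redirect are `https://`, but nothing in this hunk shows the `proxy` helper forcing TLS or passing `X-Forwarded-Proto`; confirm the helper sets `forceSSL` (or equivalent) so the OIDC callback and the client registration endpoints are never served in clear text. `proxyWebsockets` only adds the Upgrade/Connection headers; headscale's long-lived client connections may also need `locations."/".extraConfig = "proxy_buffering off;"` and a longer `proxy_read_timeout`, as the upstream nginx example suggests — verify against the headscale version deployed. The `atuin` entry exposes a shell-history sync server on a public hostname with no visible auth configuration; confirm `services.atuin.openRegistration` is left at its default of false so only pre-created accounts can sync. The `proxy` helper and the enclosing list are defined outside this hunk.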