{ pkgs, secrets, config, ... }: { sops.secrets."headscale/oauth2_secret" = rec { restartUnits = [ "headscale.service" ]; owner = config.services.headscale.user; group = config.users.users.${owner}.group; }; sops.secrets."postgres/headscale" = rec { restartUnits = [ "headscale.service" ]; owner = config.services.headscale.user; group = config.users.users.${owner}.group; }; services.headscale = { enable = true; # TODO: make PR # dataDir = "${config.machineVars.dataDrives.default}/var/headscale"; port = secrets.ports.headscale; settings = { server_url = "https://vpn.nani.wtf"; log.level = "warn"; ip_prefixes = [ "10.8.0.0/24" ]; dns_config = { magic_dns = true; nameservers = [ "1.1.1.1" ]; }; db_type = "postgres"; db_user = "headscale"; db_name = "headscale"; db_host = "localhost"; db_port = secrets.ports.postgres; db_password_file = config.sops.secrets."postgres/headscale".path; oidc = { issuer = "https://auth.nani.wtf/oauth2/openid/headscale"; client_id = "headscale"; client_secret_file = config.sops.secrets."headscale/oauth2_secret".path; # allowed_domains = [ "nani.wtf" ]; allowed_groups = [ "headscale_users" ]; }; }; }; services.postgresql = { enable = true; ensureDatabases = [ "headscale" ]; ensureUsers = [ (rec { name = "headscale"; ensurePermissions = { "DATABASE \"${name}\"" = "ALL PRIVILEGES"; }; }) ]; }; environment.systemPackages = with pkgs; [ headscale ]; services.tailscale.enable = true; networking.firewall.checkReversePath = "loose"; }