pederbs/config
pederbs
/
config
2
1
Fork 0
Code Issues Pull Requests Releases Activity

headscale wip

This commit is contained in:
Peder Bergebakken Sundt 2024-01-26 23:59:48 +01:00
parent 2fd65cf9a8
commit 791758b499
5 changed files with 93 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/noximilien/default.nix
View File

@ -25,6 +25,8 @@
../../profiles/services/tmate-server.nix # opens port 42244 ../../profiles/services/tmate-server.nix # opens port 42244
../../profiles/vpn-pbsds/headscale.nix
../../profiles/http # enables nginx+acme, defines mkDomain ../../profiles/http # enables nginx+acme, defines mkDomain
../../profiles/http/index ../../profiles/http/index
../../profiles/http/services/cinny.nix ../../profiles/http/services/cinny.nix

2
profiles/http/index/default.nix
View File

@ -14,6 +14,8 @@ let
docs = "Various documentation"; docs = "Various documentation";
element = pkgs.element-web.meta.description; element = pkgs.element-web.meta.description;
shlink = "Url shortener"; shlink = "Url shortener";
head = pkgs.headscale.meta.description;
}; };
in in
{ {

75
profiles/vpn-pbsds/headscale.nix Normal file
View File

@ -0,0 +1,75 @@
{ lib, pkgs, config, ... }:
let
cfg = config.services.headscale;
server-url = "head.pbsds.net";
derpPort = 3478;
inherit (lib) mkIf;
in
{
environment.systemPackages = mkIf cfg.enable [ cfg.package ];
services.headscale = {
enable = true;
address = "127.0.0.1";
port = 4987;
# https://github.com/juanfont/headscale/blob/main/config-example.yaml
# https://search.nixos.org/options?query=services.headscale.settings
settings = {
server_url = "https://${server-url}:443";
logtail.enabled = false;
log.level = "warn";
# https://tailscale.com/kb/1054/dns
dns_config.override_local_dns = true; # force clients to use our dns
#dns_config.nameservers = [ "1.1.1.1" ];
dns_config.magic_dns = true; # put our dns first in search
dns_config.domains = [ "ts.pbsds.net" ]; # search domains to inject into clients
dns_config.base_domain = "pbsds.net"; # clients become {hostname}.namespace.{base_domain}
# List of IP prefixes to allocate tailaddresses from.
ip_prefixes = [
"100.64.0.0/10"
"fd7a:115c:a1e0::/48"
];
# DERP is a relay system that Tailscale uses when a direct connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
# headscale needs a list of DERP servers that can be presented to the clients.
derp.server.enable = true; # run embedded DERP server
derp.server.region_id = 999;
derp.server.stun_listen_addr = "0.0.0.0:${toString derpPort}"; # UDP
#derp.server.private_key_path # autogenerated if it's missing.
#derp.urls = [] # List of externally available DERP maps
};
};
systemd.services."headscale-provisioning" = mkIf cfg.enable {
serviceConfig.Type = "oneshot";
after = [ "headscale.service" ];
wantedBy = [ "headscale.service" ];
script = ''
sleep 60 # Wait for headscale to be ready
"${lib.getExe cfg.package}/bin/headscale namespaces create ts || true
'';
};
# The DERP server
networking.firewall.allowedUDPPorts = mkIf (cfg.enable && cfg.settings.derp.server.enable) [ derpPort ];
# https reverse proxy
networking.firewall.allowedTCPPorts = mkIf cfg.enable [ 80 443 ];
services.nginx.enable = mkIf cfg.enable true;
services.nginx.virtualHosts."${server-url}" = mkIf cfg.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
};
#locations."/metrics".proxyPass = "http://${cfg.settings.metrics_listen_addr}/metrics";
};
}

12
profiles/vpn-pbsds/tailscale.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, ...}:
{
services.tailscale.enable = true;
networking.firewall.checkReversePath = "loose";
networking.firewall.trustedInterfaces = [ "tailscale0" ];
networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
# remote-set X
# tailscale up --login-server 'https://head.pbsds.net'
# ssh noximilien.pbsds.net headscale --namespace <namespace_name> nodes register --key <machine_key>
}

2
users/pbsds/default.nix
View File

@ -48,6 +48,8 @@
# TODO: NAS stuff # TODO: NAS stuff
] ++ lib.optionals config.virtualisation.docker.enable [ ] ++ lib.optionals config.virtualisation.docker.enable [
"docker" "docker"
] ++ lib.optionals config.services.headscale.enable [
config.services.headscale.group
]; ];
initialHashedPassword = "$6$yNgxTHcP1UYkNwuZ$1sBehnKgPjVnDe0tSV8kyfynWpfjDzuohZX6SoTrMnYFa3/aiMOtI6JppYevl.M6qYhBIT0XBvL6TqSSFWn8B/"; initialHashedPassword = "$6$yNgxTHcP1UYkNwuZ$1sBehnKgPjVnDe0tSV8kyfynWpfjDzuohZX6SoTrMnYFa3/aiMOtI6JppYevl.M6qYhBIT0XBvL6TqSSFWn8B/";