nixos-config/machines/NixOS-VPS/services/headscale.nix

{ config, pkgs, lib, dns-mapping ? {}, ... }:
let
  domain = (import ../hardware/networks.nix).domain;
  bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
  tailscalePort = config.services.tailscale.port;
  tailscaleIfname = config.services.tailscale.interfaceName;
in {
  networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
  networking.firewall.trustedInterfaces = [ tailscaleIfname ];

  systemd.network.networks."50-tailscale" = {
    matchConfig.Name = tailscaleIfname;
    linkConfig.Unmanaged = true;
    linkConfig.ActivationPolicy = "manual";
  };
  environment.systemPackages = [ config.services.headscale.package ];

  services.headscale = {
    enable = true;
    address = "0.0.0.0";
    port = 8080;
    settings = {
      logtail.enabled = false;
      server_url = "https://${domain}";
      ip_prefixes = [
        "fd7a:115c:a1e0::/64" "100.64.0.0/16"
      ];
      dns_config = {
        base_domain = domain;
        nameservers = [ "127.0.0.1" ];
        extra_records = dns-mapping;
      };
      oidc = {
        only_start_if_oidc_is_available = true;
        issuer = "https://auth.ataraxiadev.com/application/o/headscale/";
        client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";
        scope = [ "openid" "profile" "email" "groups" ];
        allowed_groups = [ "headscale" ];
        strip_email_domain = true;
      };
    };
  };
  systemd.services.headscale = {
    serviceConfig.TimeoutStopSec = 10;
    serviceConfig.EnvironmentFile = "/srv/headscale-oidc";
    serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''
      until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done
    '');
  };

  services.tailscale = {
    enable = true;
    port = 18491;
    useRoutingFeatures = "both";
  };
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = false;
    useACMEHost = "wg.ataraxiadev.com";
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
      proxyWebsockets = true;
    };
  };
}
authentik + headscale, and change some settings 2023-06-29 23:21:54 +03:00			`{ config, pkgs, lib, dns-mapping ? {}, ... }:`
			`let`
			`domain = (import ../hardware/networks.nix).domain;`
			`bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;`
			`tailscalePort = config.services.tailscale.port;`
			`tailscaleIfname = config.services.tailscale.interfaceName;`
			`in {`
			`networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];`
			`networking.firewall.trustedInterfaces = [ tailscaleIfname ];`

			`systemd.network.networks."50-tailscale" = {`
			`matchConfig.Name = tailscaleIfname;`
			`linkConfig.Unmanaged = true;`
			`linkConfig.ActivationPolicy = "manual";`
			`};`
			`environment.systemPackages = [ config.services.headscale.package ];`

			`services.headscale = {`
			`enable = true;`
			`address = "0.0.0.0";`
			`port = 8080;`
			`settings = {`
			`logtail.enabled = false;`
			`server_url = "https://${domain}";`
			`ip_prefixes = [`
			`"fd7a:115c:a1e0::/64" "100.64.0.0/16"`
			`];`
			`dns_config = {`
			`base_domain = domain;`
			`nameservers = [ "127.0.0.1" ];`
			`extra_records = dns-mapping;`
			`};`
			`oidc = {`
			`only_start_if_oidc_is_available = true;`
			`issuer = "https://auth.ataraxiadev.com/application/o/headscale/";`
			`client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";`
			`scope = [ "openid" "profile" "email" "groups" ];`
			`allowed_groups = [ "headscale" ];`
			`strip_email_domain = true;`
			`};`
			`};`
			`};`
			`systemd.services.headscale = {`
			`serviceConfig.TimeoutStopSec = 10;`
			`serviceConfig.EnvironmentFile = "/srv/headscale-oidc";`
			`serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''`
			`until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done`
			`'');`
			`};`

			`services.tailscale = {`
			`enable = true;`
			`port = 18491;`
			`useRoutingFeatures = "both";`
			`};`
			`services.nginx.virtualHosts.${domain} = {`
			`forceSSL = true;`
			`enableACME = false;`
			`useACMEHost = "wg.ataraxiadev.com";`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`}`