expose headscale api

2024-01-25 20:59:39 +03:00 · 2024-01-25 20:59:39 +03:00 · 2aeea208ad
commit 2aeea208ad
parent 6d74befec3
3 changed files with 29 additions and 18 deletions
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -43,7 +43,7 @@ in {
    })

    (import customProfiles.headscale {
-      inherit config pkgs inputs;
+      inherit config pkgs lib inputs;
      inherit (import ./dns-mapping.nix) headscale-list;
    })
  ];
--- a/profiles/servers/headscale.nix
+++ b/profiles/servers/headscale.nix
@ -1,4 +1,4 @@
-{ config, pkgs, inputs, headscale-list ? {}, ... }:
+{ config, lib, pkgs, inputs, headscale-list ? {}, ... }:
 let
  domain = "wg.ataraxiadev.com";
 in {
@ -9,12 +9,12 @@ in {
    address = "0.0.0.0";
    port = 8005;
    settings = {
-      logtail.enabled = false;
      server_url = "https://${domain}";
      ip_prefixes = [
        "fd7a:115c:a1e0::/64" "100.64.0.0/16"
      ];
      dns_config = {
+        override_local_dns = true;
        base_domain = domain;
        nameservers = [ "127.0.0.1" ];
        extra_records = headscale-list;
@ -23,10 +23,15 @@ in {
        only_start_if_oidc_is_available = true;
        issuer = "https://auth.ataraxiadev.com/application/o/headscale/";
        client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";
+        client_secret_path = config.sops.secrets.headscale-oidc.path;
        scope = [ "openid" "profile" "email" "groups" ];
        allowed_groups = [ "headscale" ];
        strip_email_domain = true;
      };
+      grpc_listen_addr = "127.0.0.1:50443";
+      grpc_allow_insecure = true;
+      disable_check_updates = true;
+      ephemeral_node_inactivity_timeout = "4h";
    };
  };

@ -35,14 +40,11 @@ in {
    owner = "headscale";
    restartUnits = [ "headscale.service" ];
  };
-  systemd.services.headscale = {
-    serviceConfig.TimeoutStopSec = 10;
-    serviceConfig.TimeoutStartSec = 300;
-    serviceConfig.EnvironmentFile = config.sops.secrets.headscale-oidc.path;
-    serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''
-      until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done
-    '');
-  };
+  systemd.services.headscale.after = lib.mkIf config.services.authentik.enable [
+    "authentik-server.service"
+    "authentik-worker.service"
+    "nginx.service"
+  ];

  persist.state.directories = [ "/var/lib/headscale" ];
 }
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -313,21 +313,30 @@ in {
        };
      } // default;
      "wg.ataraxiadev.com" = {
+        locations."/headscale." = {
+          extraConfig = ''
+            grpc_pass grpc://${config.services.headscale.settings.grpc_listen_addr};
+          '';
+          priority = 1;
+        };
+        locations."/metrics" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+          extraConfig = ''
+            allow 100.64.0.0/16;
+            allow 192.168.0.0/24;
+            deny all;
+          '';
+          priority = 2;
+        };
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
          proxyWebsockets = true;
+          priority = 3;
        };
      } // default;
      "wiki.ataraxiadev.com" = default // authentik {
        proxyPass = "http://127.0.0.1:8190";
      };
-      # "cocalc.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     proxyPass = "https://127.0.0.1:9599";
-      #     proxyWebsockets = true;
-      #     extraConfig = proxySettings;
-      #   };
-      # } // default;
    };
  };