From 2aeea208adebed051ff2365f7c1bfdfcd562018e Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Thu, 25 Jan 2024 20:59:39 +0300
Subject: [PATCH] expose headscale api

---
 machines/Home-Hypervisor/default.nix |  2 +-
 profiles/servers/headscale.nix       | 22 ++++++++++++----------
 profiles/servers/nginx.nix           | 23 ++++++++++++++++-------
 3 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index 6c1d997..a015754 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -43,7 +43,7 @@ in {
     })
     (import customProfiles.headscale {
-      inherit config pkgs inputs;
+      inherit config pkgs lib inputs;
       inherit (import ./dns-mapping.nix) headscale-list;
     })
   ];
diff --git a/profiles/servers/headscale.nix b/profiles/servers/headscale.nix
index a8130f2..f174c09 100644
--- a/profiles/servers/headscale.nix
+++ b/profiles/servers/headscale.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, inputs, headscale-list ? {}, ... }:
+{ config, lib, pkgs, inputs, headscale-list ? {}, ... }:
 let
   domain = "wg.ataraxiadev.com";
 in {
@@ -9,12 +9,12 @@ in {
     address = "0.0.0.0";
     port = 8005;
     settings = {
-      logtail.enabled = false;
       server_url = "https://${domain}";
       ip_prefixes = [ "fd7a:115c:a1e0::/64" "100.64.0.0/16" ];
       dns_config = {
+        override_local_dns = true;
         base_domain = domain;
         nameservers = [ "127.0.0.1" ];
         extra_records = headscale-list;
@@ -23,10 +23,15 @@ in {
         only_start_if_oidc_is_available = true;
         issuer = "https://auth.ataraxiadev.com/application/o/headscale/";
         client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";
+        client_secret_path = config.sops.secrets.headscale-oidc.path;
         scope = [ "openid" "profile" "email" "groups" ];
         allowed_groups = [ "headscale" ];
         strip_email_domain = true;
       };
+      grpc_listen_addr = "127.0.0.1:50443";
+      grpc_allow_insecure = true;
+      disable_check_updates = true;
+      ephemeral_node_inactivity_timeout = "4h";
     };
   };
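Review bot: Setting `override_local_dns = true` turns the pre-existing `nameservers = [ "127.0.0.1" ]` into the only resolver every tailnet client is allowed to use, and headscale pushes that list to the clients, where 127.0.0.1 is the client's own loopback rather than this server. Unless every node runs its own resolver, that is likely to break non-tailnet name resolution for clients once they pick up the new config; pointing the entry at the server's tailnet address (or a reachable resolver) and adding `# pushed to clients: must be reachable from every node, not the server's loopback` would make the intent explicit — worth confirming against the headscale version in use. Dropping `logtail.enabled = false` also relies on the module default staying false; since logtail ships client logs off-host, keeping the line explicit is cheap insurance.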
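Review bot: The new `client_secret_path = config.sops.secrets.headscale-oidc.path;` points headscale at the same sops file that the removed `serviceConfig.EnvironmentFile` line (later in this patch) used to load as `KEY=VALUE` environment data, but `client_secret_path` expects the bare secret value; unless the secret's contents were rewritten outside this patch, headscale will present the whole `NAME=...` line as the OIDC client secret and `only_start_if_oidc_is_available` will keep the service from starting. Please confirm the sops entry now holds only the raw secret, and note it in a comment such as `# raw client secret, not an env file`. Separately, `grpc_allow_insecure = true` strips TLS from the management gRPC listener and is only acceptable because `grpc_listen_addr` pins it to 127.0.0.1 with nginx terminating TLS in front; a comment like `# plaintext gRPC is safe only on loopback; nginx terminates TLS for /headscale.` would stop a later change to 0.0.0.0 from silently exposing it.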
@@ -35,14 +40,11 @@ in {
     owner = "headscale";
     restartUnits = [ "headscale.service" ];
   };
-  systemd.services.headscale = {
-    serviceConfig.TimeoutStopSec = 10;
-    serviceConfig.TimeoutStartSec = 300;
-    serviceConfig.EnvironmentFile = config.sops.secrets.headscale-oidc.path;
-    serviceConfig.ExecStartPre = (pkgs.writeShellScript "wait-dns.sh" ''
-      until ${pkgs.host}/bin/host auth.ataraxiadev.com > /dev/null; do sleep 1; done
-    '');
-  };
+  systemd.services.headscale.after = lib.mkIf config.services.authentik.enable [
+    "authentik-server.service"
+    "authentik-worker.service"
+    "nginx.service"
+  ];
   persist.state.directories = [ "/var/lib/headscale" ];
 }
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index a1a9fe0..2dd96d6 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -313,21 +313,30 @@ in {
         };
       } // default;
       "wg.ataraxiadev.com" = {
+        locations."/headscale." = {
+          extraConfig = ''
+            grpc_pass grpc://${config.services.headscale.settings.grpc_listen_addr};
+          '';
+          priority = 1;
+        };
+        locations."/metrics" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+          extraConfig = ''
+            allow 100.64.0.0/16;
+            allow 192.168.0.0/24;
+            deny all;
+          '';
+          priority = 2;
+        };
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
           proxyWebsockets = true;
+          priority = 3;
         };
       } // default;
       "wiki.ataraxiadev.com" = default // authentik {
         proxyPass = "http://127.0.0.1:8190";
       };
-      # "cocalc.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     proxyPass = "https://127.0.0.1:9599";
-      #     proxyWebsockets = true;
-      #     extraConfig = proxySettings;
-      #   };
-      # } // default;
     };
   };
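Review bot: `systemd.services.headscale.after` only orders unit activation; it does not wait for authentik to actually answer the OIDC discovery request through nginx, so with `only_start_if_oidc_is_available = true` headscale can still fail on boot exactly where the removed `wait-dns.sh` pre-start and the removed `TimeoutStartSec = 300` used to absorb the race, and nothing restarts it afterwards. The `lib.mkIf config.services.authentik.enable` guard also means the ordering silently vanishes when authentik lives on another host, which the issuer being a public hostname suggests is possible. I would add `systemd.services.headscale.serviceConfig = { Restart = "on-failure"; RestartSec = "5s"; };` so a failed OIDC probe retries instead of leaving the VPN control plane down, and pair `after` with `wants` if authentik is expected locally.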
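Review bot: The new `/headscale.` location forwards the full headscale management gRPC API (node, user, pre-auth key and API-key operations) on the public vhost with no source restriction, while the far less sensitive `/metrics` location added in the same hunk gets `allow`/`deny` rules, leaving the API-key bearer token as the only gate. Unless the API must be reachable from outside the tailnet, give the gRPC location the same allowlist; note too that the allowlist omits the tailnet's IPv6 prefix `fd7a:115c:a1e0::/64` declared in headscale's `ip_prefixes`, so IPv6 tailnet clients will hit `deny all`. nginx `allow` checks the direct peer address, so this only holds if tailnet and LAN traffic reaches nginx directly rather than through another proxy. Separately, headscale normally serves `/metrics` on its `metrics_listen_addr` listener rather than on `port`, so the metrics proxyPass may be targeting the wrong listener — worth confirming against the deployed version.
```nix
locations."/headscale." = {
  extraConfig = ''
    allow 100.64.0.0/16;
    allow fd7a:115c:a1e0::/64;
    allow 192.168.0.0/24;
    deny all;
    grpc_pass grpc://${config.services.headscale.settings.grpc_listen_addr};
  '';
  priority = 1;
};
# … unchanged: /metrics and / locations …
```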