Commit 836709c

HPCesia <me@hpcesia.com>
2026-04-26 06:50:51
feat: headscale service
1 parent 7586af9
Changed files (2)
modules/hosts/pardofelis/services/default.nix
@@ -29,6 +29,8 @@ in {
 
     <services/goatcounter>
 
+    (<services/headscale> "headscale.hpcesia.com")
+
     <services/podman>
 
     <services/restic>
modules/services/headscale.nix
@@ -0,0 +1,72 @@
+{lib, ...}: {
+  den.aspects.services.provides.headscale = domain: {host}: {
+    nixos = {
+      pkgs,
+      config,
+      ...
+    }: {
+      environment.systemPackages = [pkgs.headscale];
+      services.headscale = {
+        enable = true;
+        address = "127.0.0.1";
+        port = 3324;
+        settings = {
+          server_url = "https://${domain}";
+          metrics_listen_addr = "127.0.0.1:9190";
+          derp.server = {
+            enabled = true;
+            stun_listen_addr = "0.0.0.0:3478";
+            verify_clients = true;
+            region_id = 999;
+            region_code = "headscale";
+            region_name = "Headscale Embedded DERP";
+          };
+          database.type = "sqlite";
+          tls_cert_path = null; # Use Caddy for TLS instead.
+          tls_key_path = null;
+          dns = {
+            # Magic DNS is not needed for me.
+            magic_dns = false;
+            override_local_dns = false;
+          };
+        };
+      };
+
+      networking.firewall.allowedUDPPorts = [3478];
+
+      systemd.services.headscale.serviceConfig.EnvironmentFile = config.vaultix.templates.headscale-env.path;
+
+      services.caddy.virtualHosts.${domain}.extraConfig =
+        lib.mkIf config.services.caddy.enable
+        (let
+          localAddress = "http://${config.services.headscale.settings.listen_addr}";
+        in ''
+          encode zstd gzip
+          reverse_proxy ${localAddress}
+        '');
+
+      services.restic.backups."${config.networking.hostName}-backup".paths =
+        lib.mkIf
+        (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+        ["/var/lib/headscale"];
+
+      vaultix.templates.headscale-env = {
+        content = lib.concatLines (
+          (
+            lib.optional
+            (lib.hasAttr "hosts-${host.name}-ipv4" config.vaultix.placeholder)
+            "HEADSCALE_DERP_SERVER_IPV4=${config.vaultix.placeholder."hosts-${host.name}-ipv4"}"
+          )
+          ++ (
+            lib.optional
+            (lib.hasAttr "hosts-${host.name}-ipv6" config.vaultix.placeholder)
+            "HEADSCALE_DERP_SERVER_IPV6=${config.vaultix.placeholder."hosts-${host.name}-ipv6"}"
+          )
+        );
+        owner = "root";
+        group = config.services.headscale.group;
+        mode = "0440";
+      };
+    };
+  };
+}
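Review bot: The restic definition at the `services.restic.backups` block snapshots `/var/lib/headscale` while headscale is running, so the SQLite database selected by `database.type = "sqlite"` (and its WAL/journal files, if write-ahead logging is on) can be captured mid-write and restore inconsistently. A consistent copy should be produced first, e.g. `backupPrepareCommand = "${pkgs.sqlite}/bin/sqlite3 ${config.services.headscale.settings.database.sqlite.path} '.backup /var/lib/headscale/db.sqlite.bak'";` on the same `"${config.networking.hostName}-backup"` entry, or the service paused around the run. The module also lacks a header comment; a two-line note such as `# Headscale behind Caddy (TLS terminated there); DERP/STUN is exposed on UDP 3478 and the DERP IPs come from the vaultix hosts-<name>-ipv4/ipv6 placeholders.` above `den.aspects.services.provides.headscale` would tell a reader why `tls_cert_path` is null and where the `HEADSCALE_DERP_SERVER_*` values originate. The same DERP env-file path is used via `EnvironmentFile` with mode `0440` and the headscale group, which is presumably sufficient, but worth confirming that the service unit runs as that group rather than a DynamicUser.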