Commit 836709c
modules/hosts/pardofelis/services/default.nix
@@ -29,6 +29,8 @@ in {
<services/goatcounter>
+ (<services/headscale> "headscale.hpcesia.com")
+
<services/podman>
<services/restic>
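--- a/modules/services/headscale.nix
+++ b/modules/services/headscale.nix
@@ -0,0 +1,72 @@
+{lib, ...}: {
+ den.aspects.services.provides.headscale = domain: {host}: {
+ nixos = {
+ pkgs,
+ config,
+ ...
+ }: {
+ environment.systemPackages = [pkgs.headscale];
+ services.headscale = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 3324;
+ settings = {
+ server_url = "https://${domain}";
+ metrics_listen_addr = "127.0.0.1:9190";
+ derp.server = {
+ enabled = true;
+ stun_listen_addr = "0.0.0.0:3478";
+ verify_clients = true;
+ region_id = 999;
+ region_code = "headscale";
+ region_name = "Headscale Embedded DERP";
+ };
+ database.type = "sqlite";
+ tls_cert_path = null; # Use Caddy for TLS instead.
+ tls_key_path = null;
+ dns = {
+ # Magic DNS is not needed for me.
+ magic_dns = false;
+ override_local_dns = false;
+ };
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [3478];
+
+ systemd.services.headscale.serviceConfig.EnvironmentFile = config.vaultix.templates.headscale-env.path;
+
+ services.caddy.virtualHosts.${domain}.extraConfig =
+ lib.mkIf config.services.caddy.enable
+ (let
+ localAddress = "http://${config.services.headscale.settings.listen_addr}";
+ in ''
+ encode zstd gzip
+ reverse_proxy ${localAddress}
+ '');
+
+ services.restic.backups."${config.networking.hostName}-backup".paths =
+ lib.mkIf
+ (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+ ["/var/lib/headscale"];
+
+ vaultix.templates.headscale-env = {
+ content = lib.concatLines (
+ (
+ lib.optional
+ (lib.hasAttr "hosts-${host.name}-ipv4" config.vaultix.placeholder)
+ "HEADSCALE_DERP_SERVER_IPV4=${config.vaultix.placeholder."hosts-${host.name}-ipv4"}"
+ )
+ ++ (
+ lib.optional
+ (lib.hasAttr "hosts-${host.name}-ipv6" config.vaultix.placeholder)
+ "HEADSCALE_DERP_SERVER_IPV6=${config.vaultix.placeholder."hosts-${host.name}-ipv6"}"
+ )
+ );
+ owner = "root";
+ group = config.services.headscale.group;
+ mode = "0440";
+ };
+ };
+ };
+}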
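Review bot: The embedded DERP block (derp.server with enabled = true) does not set derp.urls, and if the NixOS headscale module keeps its default of Tailscale's public DERP map, nodes will be handed those third-party relays in addition to the region-999 embedded one; if the intent is to relay only through this host, add `derp.urls = [];` next to `derp.server`. verify_clients = true is the right setting for a relay whose STUN port is opened to the internet via allowedUDPPorts, since only nodes registered with this headscale can then use it. The restic guard looks self-referential: the definition of `services.restic.backups."${config.networking.hostName}-backup".paths` is itself one of the definitions that makes that attribute name exist, so the hasAttr condition is probably always true and a host with no backup profile would end up with a partially defined one; an explicit host-level flag would be a safer condition. Backing up /var/lib/headscale while the SQLite database is live can also yield an inconsistent snapshot, so consider a backupPrepareCommand that writes a consistent copy of the database first.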