hs

hosts/fwminex/configuration.nix

@@ -1,7 +1,7 @@
 {
-  myData,
   pkgs,
   config,
+  myData,
   ...
 }:
 let
@@ -101,6 +101,12 @@ in
         verboseLogs = false;
       };
 
+      headscale = {
+        enable = true;
+        clientOidcPath = config.age.secrets.headscale-client-oidc.path;
+        subnetCIDR = myData.subnets.tailscale.cidr;
+      };
+
       btrfsborg = {
         enable = true;
         passwordPath = config.age.secrets.borgbackup-password.path;

hosts/vno1-oh2/configuration.nix

@@ -170,12 +170,6 @@
       sshguard.enable = true;
       hass.enable = true;
 
-      headscale = {
-        enable = true;
-        clientOidcPath = config.age.secrets.headscale-client-oidc.path;
-        subnetCIDR = myData.subnets.tailscale.cidr;
-      };
-
       nsd-acme =
         let
           accountKey = config.age.secrets.letsencrypt-account-key.path;
@@ -245,7 +239,9 @@
       virtualHosts = {
         "www.11sync.net".extraConfig = "redir https://jakstys.lt/2024/11sync-shutdown/";
         "11sync.net".extraConfig = "redir https://jakstys.lt/2024/11sync-shutdown/";
-
+        "vpn.jakstys.lt".extraConfig = ''reverse_proxy ${
+          myData.hosts."fwminex.servers.jakst".jakstIP
+        }:8080"'';
         "hass.jakstys.lt".extraConfig = ''
           @denied not remote_ip ${myData.subnets.tailscale.cidr}
           abort @denied

modules/services/headscale/default.nix

@@ -14,7 +14,10 @@
   config = lib.mkIf config.mj.services.headscale.enable {
     environment.systemPackages = [ pkgs.headscale ];
 
-    networking.firewall.allowedTCPPorts = [ 3478 ];
+    networking.firewall.allowedTCPPorts = [
+      3478
+      8080
+    ];
     networking.firewall.allowedUDPPorts = [ 3478 ];
 
     services = {
@@ -41,11 +44,6 @@
         };
       };
 
-      caddy = {
-        virtualHosts."vpn.jakstys.lt".extraConfig = ''
-          reverse_proxy 127.0.0.1:8080
-        '';
-      };
     };
 
     systemd.services.headscale = {