motiejus
/
config
1
Fork 0
Code Packages Releases Activity

headscale

This commit is contained in:
Motiejus Jakštys 2023-08-24 23:44:18 +03:00
parent be4df58cbb
commit c3168bb2d3
3 changed files with 71 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
hosts/hel1-a/configuration.nix
View File

@ -71,6 +71,12 @@
gitea.enable = true;
headscale = {
enable = true;
clientOidcPath = config.age.secrets.headscale-client-oidc.path;
subnetCIDR = myData.tailscale_subnet.cidr;
};
deployerbot = {
follower = {
enable = true;
@ -99,7 +105,6 @@
};
environment.systemPackages = with pkgs; [
headscale
nixos-option
graphicsmagick
];
@ -115,39 +120,12 @@
};
};
headscale = {
enable = true;
settings = {
server_url = "https://vpn.jakstys.lt";
ip_prefixes = [
myData.tailscale_subnet.cidr
"fd7a:115c:a1e0:59b0::/64"
];
log.level = "warn";
dns_config = {
nameservers = ["1.1.1.1" "8.8.4.4"];
magic_dns = false;
base_domain = "jakst";
};
oidc = {
issuer = "https://git.jakstys.lt/";
client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
# TODO https://github.com/NixOS/nixpkgs/pull/249101/files
#client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
};
};
};
caddy = {
enable = true;
email = "motiejus+acme@jakstys.lt";
virtualHosts."recordrecap.jakstys.lt".extraConfig = ''
reverse_proxy vno1-oh2.servers.jakst:8080
'';
virtualHosts."vpn.jakstys.lt".extraConfig = ''
reverse_proxy 127.0.0.1:8080
'';
virtualHosts."www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
@ -303,12 +281,10 @@
53
80
443
3478 # headscale
];
allowedUDPPorts = [
53
443
3478 # headscale
41641 # tailscale
];
logRefusedConnections = false;
@ -321,19 +297,6 @@
];
systemd.services = {
headscale = {
unitConfig.StartLimitIntervalSec = "5m";
# Allow restarts for up to a minute. A start
# itself may take a while, thus the window of restart
# is higher.
unitConfig.StartLimitBurst = 50;
serviceConfig.RestartSec = 1;
serviceConfig.LoadCredential = [
"oidc-client-secret:${config.age.secrets.headscale-client-oidc.path}"
];
};
matrix-synapse = let
# TODO https://github.com/NixOS/nixpkgs/pull/222336 replace with `preStart`
secretsScript = pkgs.writeShellScript "write-secrets" ''

1
modules/services/default.nix
View File

@ -8,6 +8,7 @@
./deployerbot
./friendlyport
./gitea
./headscale
./node_exporter
./nsd-acme
./postfix

64
modules/services/headscale/default.nix Normal file
View File

@ -0,0 +1,64 @@
{
config,
lib,
pkgs,
...
}: {
options.mj.services.headscale = with lib.types; {
enable = lib.mkEnableOption "Enable headscale";
clientOidcPath = lib.mkOption {type = str;};
subnetCIDR = lib.mkOption {type = str;};
};
config = lib.mkIf config.mj.services.headscale.enable {
environment.systemPackages = [pkgs.headscale];
networking.firewall.allowedTCPPorts = [3478];
networking.firewall.allowedUDPPorts = [3478];
services = {
headscale = {
enable = true;
settings = {
server_url = "https://vpn.jakstys.lt";
ip_prefixes = [
config.mj.services.headscale.subnetCIDR
"fd7a:115c:a1e0:59b0::/64"
];
log.level = "warn";
dns_config = {
nameservers = ["1.1.1.1" "8.8.4.4"];
magic_dns = false;
base_domain = "jakst";
};
oidc = {
issuer = "https://git.jakstys.lt/";
client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
# TODO 23.11 from https://github.com/NixOS/nixpkgs/pull/249101/files
#client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
};
};
};
caddy = {
virtualHosts."vpn.jakstys.lt".extraConfig = ''
reverse_proxy 127.0.0.1:8080
'';
};
};
systemd.services.headscale = {
unitConfig.StartLimitIntervalSec = "5m";
# Allow restarts for up to a minute. A start
# itself may take a while, thus the window of restart
# is higher.
unitConfig.StartLimitBurst = 50;
serviceConfig.RestartSec = 1;
serviceConfig.LoadCredential = [
"oidc-client-secret:${config.mj.services.headscale.clientOidcPath}"
];
};
};
}