From c3168bb2d32c83a5d0605eb75be5dfe4893405bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Thu, 24 Aug 2023 23:44:18 +0300
Subject: [PATCH] headscale
---
 hosts/hel1-a/configuration.nix | 49 +++-----------------
 modules/services/default.nix | 1 +
 modules/services/headscale/default.nix | 64 ++++++++++++++++++++++++++
 3 files changed, 71 insertions(+), 43 deletions(-)
 create mode 100644 modules/services/headscale/default.nix
diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
index 1575908..213f3e0 100644
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@@ -71,6 +71,12 @@
 gitea.enable = true;
+ headscale = {
+ enable = true;
+ clientOidcPath = config.age.secrets.headscale-client-oidc.path;
+ subnetCIDR = myData.tailscale_subnet.cidr;
+ };
+
 deployerbot = {
 follower = {
 enable = true;
@@ -99,7 +105,6 @@
 };
 environment.systemPackages = with pkgs; [
- headscale
 nixos-option
 graphicsmagick
 ];
@@ -115,39 +120,12 @@
 };
 };
- headscale = {
- enable = true;
- settings = {
- server_url = "https://vpn.jakstys.lt";
- ip_prefixes = [
- myData.tailscale_subnet.cidr
- "fd7a:115c:a1e0:59b0::/64"
- ];
- log.level = "warn";
- dns_config = {
- nameservers = ["1.1.1.1" "8.8.4.4"];
- magic_dns = false;
- base_domain = "jakst";
- };
- oidc = {
- issuer = "https://git.jakstys.lt/";
- client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
- # TODO https://github.com/NixOS/nixpkgs/pull/249101/files
- #client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
- client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
- };
- };
- };
-
 caddy = {
 enable = true;
 email = "motiejus+acme@jakstys.lt";
 virtualHosts."recordrecap.jakstys.lt".extraConfig = ''
 reverse_proxy vno1-oh2.servers.jakst:8080
 '';
- virtualHosts."vpn.jakstys.lt".extraConfig = ''
- reverse_proxy 127.0.0.1:8080
- '';
 virtualHosts."www.jakstys.lt".extraConfig = ''
 redir https://jakstys.lt
 '';
@@ -303,12 +281,10 @@
 53
 80
 443
- 3478 # headscale
 ];
 allowedUDPPorts = [
 53
 443
- 3478 # headscale
 41641 # tailscale
 ];
 logRefusedConnections = false;
@@ -321,19 +297,6 @@
 ];
 systemd.services = {
- headscale = {
- unitConfig.StartLimitIntervalSec = "5m";
-
- # Allow restarts for up to a minute. A start
- # itself may take a while, thus the window of restart
- # is higher.
- unitConfig.StartLimitBurst = 50;
- serviceConfig.RestartSec = 1;
- serviceConfig.LoadCredential = [
- "oidc-client-secret:${config.age.secrets.headscale-client-oidc.path}"
- ];
- };
-
 matrix-synapse = let
 # TODO https://github.com/NixOS/nixpkgs/pull/222336 replace with `preStart`
 secretsScript = pkgs.writeShellScript "write-secrets" ''
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 9d14e99..1f797e5 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -8,6 +8,7 @@
 ./deployerbot
 ./friendlyport
 ./gitea
+ ./headscale
 ./node_exporter
 ./nsd-acme
 ./postfix
diff --git a/modules/services/headscale/default.nix b/modules/services/headscale/default.nix
new file mode 100644
index 0000000..85c8561
--- /dev/null
+++ b/modules/services/headscale/default.nix
@@ -0,0 +1,64 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ options.mj.services.headscale = with lib.types; {
+ enable = lib.mkEnableOption "Enable headscale";
+ clientOidcPath = lib.mkOption {type = str;};
+ subnetCIDR = lib.mkOption {type = str;};
+ };
+
+ config = lib.mkIf config.mj.services.headscale.enable {
+ environment.systemPackages = [pkgs.headscale];
+
+ networking.firewall.allowedTCPPorts = [3478];
+ networking.firewall.allowedUDPPorts = [3478];
+
+ services = {
+ headscale = {
+ enable = true;
+ settings = {
+ server_url = "https://vpn.jakstys.lt";
+ ip_prefixes = [
+ config.mj.services.headscale.subnetCIDR
+ "fd7a:115c:a1e0:59b0::/64"
+ ];
+ log.level = "warn";
+ dns_config = {
+ nameservers = ["1.1.1.1" "8.8.4.4"];
+ magic_dns = false;
+ base_domain = "jakst";
+ };
+ oidc = {
+ issuer = "https://git.jakstys.lt/";
+ client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
+ # TODO 23.11 from https://github.com/NixOS/nixpkgs/pull/249101/files
+ #client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
+ client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
+ };
+ };
+ };
+
+ caddy = {
+ virtualHosts."vpn.jakstys.lt".extraConfig = ''
+ reverse_proxy 127.0.0.1:8080
+ '';
+ };
+ };
+
+ systemd.services.headscale = {
+ unitConfig.StartLimitIntervalSec = "5m";
+
+ # Allow restarts for up to a minute. A start
+ # itself may take a while, thus the window of restart
+ # is higher.
+ unitConfig.StartLimitBurst = 50;
+ serviceConfig.RestartSec = 1;
+ serviceConfig.LoadCredential = [
+ "oidc-client-secret:${config.mj.services.headscale.clientOidcPath}"
+ ];
+ };
+ };
+}
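Review bot: The `reverse_proxy 127.0.0.1:8080` line in the new `services.caddy` block hard-codes the backend while the `services.headscale` block next to it never sets a listen address or port, so the proxy target silently depends on the nixpkgs module defaults (`services.headscale.address`/`port`, which I believe default to 127.0.0.1:8080) and will break quietly if either is ever changed. Deriving it from the options keeps the two in step: `reverse_proxy ${config.services.headscale.address}:${toString config.services.headscale.port}`, or set `address`/`port` explicitly alongside `settings`. Separately, the module opens TCP and UDP 3478 in `networking.firewall` but the `settings` shown do not enable headscale's embedded DERP/STUN server, so unless it is enabled elsewhere that port is exposed with nothing listening; either set `derp.server.enabled = true` deliberately or drop the two `allowedTCPPorts`/`allowedUDPPorts` lines. The hard-coded `client_secret_path` is coupled to the credential name in `serviceConfig.LoadCredential` further down the same file and to the unit name `headscale.service`; since the TODO already tracks the `$CREDENTIALS_DIRECTORY` replacement, a comment such as `# must match the "oidc-client-secret" LoadCredential entry in systemd.services.headscale below` would make that coupling visible to the next editor.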