From c3168bb2d32c83a5d0605eb75be5dfe4893405bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= <motiejus@jakstys.lt>
Date: Thu, 24 Aug 2023 23:44:18 +0300
Subject: [PATCH] headscale

---
 hosts/hel1-a/configuration.nix         | 49 +++-----------------
 modules/services/default.nix           |  1 +
 modules/services/headscale/default.nix | 64 ++++++++++++++++++++++++++
 3 files changed, 71 insertions(+), 43 deletions(-)
 create mode 100644 modules/services/headscale/default.nix

diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
index 1575908..213f3e0 100644
--- a/hosts/hel1-a/configuration.nix
+++ b/hosts/hel1-a/configuration.nix
@@ -71,6 +71,12 @@
 
       gitea.enable = true;
 
+      headscale = {
+        enable = true;
+        clientOidcPath = config.age.secrets.headscale-client-oidc.path;
+        subnetCIDR = myData.tailscale_subnet.cidr;
+      };
+
       deployerbot = {
         follower = {
           enable = true;
@@ -99,7 +105,6 @@
   };
 
   environment.systemPackages = with pkgs; [
-    headscale
     nixos-option
     graphicsmagick
   ];
@@ -115,39 +120,12 @@
       };
     };
 
-    headscale = {
-      enable = true;
-      settings = {
-        server_url = "https://vpn.jakstys.lt";
-        ip_prefixes = [
-          myData.tailscale_subnet.cidr
-          "fd7a:115c:a1e0:59b0::/64"
-        ];
-        log.level = "warn";
-        dns_config = {
-          nameservers = ["1.1.1.1" "8.8.4.4"];
-          magic_dns = false;
-          base_domain = "jakst";
-        };
-        oidc = {
-          issuer = "https://git.jakstys.lt/";
-          client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
-          # TODO https://github.com/NixOS/nixpkgs/pull/249101/files
-          #client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
-          client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
-        };
-      };
-    };
-
     caddy = {
       enable = true;
       email = "motiejus+acme@jakstys.lt";
       virtualHosts."recordrecap.jakstys.lt".extraConfig = ''
         reverse_proxy vno1-oh2.servers.jakst:8080
       '';
-      virtualHosts."vpn.jakstys.lt".extraConfig = ''
-        reverse_proxy 127.0.0.1:8080
-      '';
       virtualHosts."www.jakstys.lt".extraConfig = ''
         redir https://jakstys.lt
       '';
@@ -303,12 +281,10 @@
         53
         80
         443
-        3478 # headscale
       ];
       allowedUDPPorts = [
         53
         443
-        3478 # headscale
         41641 # tailscale
       ];
       logRefusedConnections = false;
@@ -321,19 +297,6 @@
   ];
 
   systemd.services = {
-    headscale = {
-      unitConfig.StartLimitIntervalSec = "5m";
-
-      # Allow restarts for up to a minute. A start
-      # itself may take a while, thus the window of restart
-      # is higher.
-      unitConfig.StartLimitBurst = 50;
-      serviceConfig.RestartSec = 1;
-      serviceConfig.LoadCredential = [
-        "oidc-client-secret:${config.age.secrets.headscale-client-oidc.path}"
-      ];
-    };
-
     matrix-synapse = let
       # TODO https://github.com/NixOS/nixpkgs/pull/222336 replace with `preStart`
       secretsScript = pkgs.writeShellScript "write-secrets" ''
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 9d14e99..1f797e5 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -8,6 +8,7 @@
     ./deployerbot
     ./friendlyport
     ./gitea
+    ./headscale
     ./node_exporter
     ./nsd-acme
     ./postfix
diff --git a/modules/services/headscale/default.nix b/modules/services/headscale/default.nix
new file mode 100644
index 0000000..85c8561
--- /dev/null
+++ b/modules/services/headscale/default.nix
@@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  options.mj.services.headscale = with lib.types; {
+    enable = lib.mkEnableOption "Enable headscale";
+    clientOidcPath = lib.mkOption {type = str;};
+    subnetCIDR = lib.mkOption {type = str;};
+  };
+
+  config = lib.mkIf config.mj.services.headscale.enable {
+    environment.systemPackages = [pkgs.headscale];
+
+    networking.firewall.allowedTCPPorts = [3478];
+    networking.firewall.allowedUDPPorts = [3478];
+
+    services = {
+      headscale = {
+        enable = true;
+        settings = {
+          server_url = "https://vpn.jakstys.lt";
+          ip_prefixes = [
+            config.mj.services.headscale.subnetCIDR
+            "fd7a:115c:a1e0:59b0::/64"
+          ];
+          log.level = "warn";
+          dns_config = {
+            nameservers = ["1.1.1.1" "8.8.4.4"];
+            magic_dns = false;
+            base_domain = "jakst";
+          };
+          oidc = {
+            issuer = "https://git.jakstys.lt/";
+            client_id = "e25c15ea-41ca-4bf0-9ebf-2be9f2d1ccea";
+            # TODO 23.11 from https://github.com/NixOS/nixpkgs/pull/249101/files
+            #client_secret_path = "\${CREDENTIALS_DIRECTORY}/oidc-client-secret";
+            client_secret_path = "/run/credentials/headscale.service/oidc-client-secret";
+          };
+        };
+      };
+
+      caddy = {
+        virtualHosts."vpn.jakstys.lt".extraConfig = ''
+          reverse_proxy 127.0.0.1:8080
+        '';
+      };
+    };
+
+    systemd.services.headscale = {
+      unitConfig.StartLimitIntervalSec = "5m";
+
+      # Allow restarts for up to a minute. A start
+      # itself may take a while, thus the window of restart
+      # is higher.
+      unitConfig.StartLimitBurst = 50;
+      serviceConfig.RestartSec = 1;
+      serviceConfig.LoadCredential = [
+        "oidc-client-secret:${config.mj.services.headscale.clientOidcPath}"
+      ];
+    };
+  };
+}