From 6d51a10659004e12801b2b4e20a79a4be51eba16 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Sat, 13 May 2023 14:10:40 +0200
Subject: [PATCH] headscale: DO NOT bind vipienne.giugl.io to avoid in-vpn lock
---
 hosts/architect/headscale.nix | 29 +++++++++-------------------
 1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix
index c9f11b3..7afa411 100644
--- a/hosts/architect/headscale.nix
+++ b/hosts/architect/headscale.nix
@@ -2,21 +2,12 @@ let
 domain = "vipienne.giugl.io";
-
- utilities = import ./utilities.nix { inherit lib config; };
- inherit (utilities) architectInterfaceAddress;
 in {
 architect.firewall = {
- openTCP = [ config.services.headscale.port ];
+ openUDP = [ config.services.tailscale.port ];
 };
- networking.extraHosts = ''
- ${architectInterfaceAddress "lan"} ${domain}
- ${architectInterfaceAddress "wireguard"} ${domain}
- ${architectInterfaceAddress "tailscale"} ${domain}
- '';
-
 environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
 services = {
@@ -30,21 +21,12 @@ in
 settings = {
 dns_config = {
 magic_dns = true;
- domains = [
- "giugl.io"
- "runas.rocks"
- "devs.giugl.io"
- ];
 base_domain = "giugl.io";
 override_local_dns = true;
 nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
 };
 logtail.enabled = false;
 ip_prefixes = [ config.architect.networks.tailscale.net ];
- # The Noise private key is used to encrypt the
- # traffic between headscale and Tailscale clients when
- # using the new Noise-based protocol. It must be different
- # from the legacy private key.
 noise.private_key_path = "/var/lib/headscale/noise_private.key";
 };
 };
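Review bot: The `openTCP` → `openUDP` swap in `architect.firewall` is a second, unrelated change bundled under a commit message that only describes the hosts-file removal, and nothing on the new side records why headscale's port is no longer opened. The third hunk's `proxyPass` to `127.0.0.1` suggests headscale is now reached only through the nginx vhost, but headscale's own listen address is not in this patch, so it should be confirmed that the port is not still bound on an interface the firewall module treats as trusted, if it has any. A comment on the new line would capture the intent: `# headscale is reached only through the nginx vhost below; open tailscale's UDP port for direct peer connections`. The removed `networking.extraHosts` block was the only thing pinning `${domain}` to the LAN/WireGuard/Tailscale addresses, so the name now resolves through ordinary DNS on this host, which matches the stated purpose. The enclosing attribute set continues past the hunk.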
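Review bot: The four comment lines deleted above `noise.private_key_path` were the only explanation in this settings block of why headscale keeps a second key file distinct from its legacy private key, and the commit message gives no reason for dropping them together with the `domains` list. Keep a one-line version on the new side: `# Noise key for the headscale<->client protocol; must differ from the legacy private key.`. The `settings` and `headscale` sets close inside the hunk, but the enclosing `services = {` opened in the first hunk is not closed here.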
@@ -52,12 +34,19 @@ in
 nginx.virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
+ extraConfig = ''
+ ssl_protocols TLSv1.2 TLSv1.3;
+ '';
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
 proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_buffering off;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
 };
 };
- };
 }
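Review bot: The HSTS `add_header` is placed inside `locations."/"` rather than at the vhost level, so any location added to this vhost later would be served without it: nginx does not merge `add_header` across levels — a location with its own `add_header` lines replaces the server-level set, and one without inherits only what the server level declares. Move `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;` into the server-level `extraConfig` next to `ssl_protocols`, leaving only `proxy_buffering off;` in the location block. The `ssl_protocols TLSv1.2 TLSv1.3;` line duplicates the NixOS `services.nginx.sslProtocols` default of `"TLSv1.2 TLSv1.3"`, which the module already emits in the http block; it is harmless, but that option is the place to tighten the policy if a stricter one is intended. The removed `};` is the only change to the brace structure while the `services = {` opened in the first hunk stays as context, and blank lines appear to have been lost in this paste, so it is worth confirming that the file still evaluates.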