From 7cf37954efecdc2f79c488bbaeeac18da93f33c8 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Wed, 31 Jan 2024 00:33:56 +0100
Subject: [PATCH] headscale: use architect options

---
 hosts/architect/headscale.nix | 73 ++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 40 deletions(-)

diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix
index 9504327..18c3c9f 100644
--- a/hosts/architect/headscale.nix
+++ b/hosts/architect/headscale.nix
@@ -1,53 +1,46 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 let
- domain = "vipienne.giugl.io";
+ baseDomain = "giugl.io";
+ domain = "vipienne.${baseDomain}";
+ headscalePkg = pkgs.unstablePkgs.headscale;
 in {
- environment.systemPackages = [ pkgs.headscale ];
+ environment.systemPackages = [ headscalePkg ];
- architect.firewall = {
- openUDP = [ config.services.tailscale.port ];
- };
-
- services = {
- headscale = {
- enable = true;
- package = pkgs.unstablePkgs.headscale;
- port = 1194;
- address = "0.0.0.0";
-
- settings = {
- server_url = "https://${domain}";
- log.level = "debug";
- dns_config = {
- magic_dns = true;
- base_domain = "giugl.io";
- override_local_dns = true;
- nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
- };
- logtail.enabled = false;
- ip_prefixes = [ config.architect.networks.tailscale.net ];
- noise.private_key_path = "/var/lib/headscale/noise_private.key";
- };
+ architect = {
+ firewall = {
+ openUDP = [ config.services.tailscale.port ];
 };
- nginx.virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- ssl_protocols TLSv1.2 TLSv1.3;
- '';
+ vhost.${domain} = {
+ dnsInterfaces = [ "lan" "tailscale" ];
 locations."/" = {
- proxyPass =
- "http://127.0.0.1:${toString config.services.headscale.port}";
+ port = config.services.headscale.port;
+ allowWAN = true;
 proxyWebsockets = true;
- recommendedProxySettings = true;
- extraConfig = ''
- proxy_buffering off;
- add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
- '';
 };
 };
 };
+
+ services.headscale = {
+ enable = true;
+ package = headscalePkg;
+
+ settings = {
+ server_url = "https://${domain}";
+ log.level = "debug";
+ dns_config = {
+ magic_dns = false;
+ base_domain = baseDomain;
+ override_local_dns = true;
+ nameservers = [
+ config.architect.networks.tailscale.devices.architect.address
+ ];
+ };
+ logtail.enabled = false;
+ ip_prefixes = [ config.architect.networks.tailscale.net ];
+ noise.private_key_path = "/var/lib/headscale/noise_private.key";
+ };
+ };
 }
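Review bot: The explicit transport hardening on the old nginx vhost (`forceSSL`/`enableACME`, `ssl_protocols TLSv1.2 TLSv1.3;`, the `Strict-Transport-Security` header) and `proxy_buffering off;` are dropped in favor of `architect.vhost.${domain}`, whose module is not part of this patch; since the location is now opened with `allowWAN = true;`, please confirm that module enforces HTTPS with equivalent settings and does not buffer the long-lived headscale map/poll responses, otherwise the coordination server is reachable from WAN with weaker guarantees than before. The hunk also flips `magic_dns` from `true` to `false` and drops the explicit `port = 1194;` and `address = "0.0.0.0";`, none of which the subject "use architect options" mentions; a why-comment next to `magic_dns = false;` (or a line in the commit message) would record whether the DNS change is intentional. `log.level = "debug";` is carried over unchanged for a WAN-exposed service; consider a comment stating it is temporary, or lowering it to `"info"` once the migration is verified.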