headscale: init

2023-05-06 15:04:25 +02:00 · 2023-05-06 15:04:25 +02:00 · b644b9d684
commit b644b9d684
parent 098e0a6147
4 changed files with 67 additions and 2 deletions
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -41,6 +41,7 @@ in
    ./tailscale.nix
    #    ./searx.nix
    ./plex.nix
+    ./headscale.nix
  ];

  time.timeZone = "Europe/Rome";
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -63,6 +63,7 @@ in
            iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
            iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
            iifname ${tailscale-if} ip saddr ${tailscale-net} accept
+            iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept
            iifname "lo" accept comment "bind any ip to intf lo"
            jump mangle_drop
          }
--- a/hosts/architect/headscale.nix
+++ b/hosts/architect/headscale.nix
@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+
+let
+  domain = "vipienne.giugl.io";
+  network = import ./network.nix;
+in
+{
+  architect.firewall = {
+    openTCP = [ config.services.headscale.port ];
+  };
+
+  networking.extraHosts = ''
+    ${network.architect-lan} ${domain}
+    ${network.architect-wg} ${domain}
+    ${network.architect-ts} ${domain}
+  '';
+
+  environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
+
+  services = {
+    headscale = {
+      enable = true;
+      package = pkgs.unstablePkgs.headscale;
+      port = 1194;
+      address = "0.0.0.0";
+      serverUrl = "https://${domain}";
+      logLevel = "debug";
+      settings = {
+        dns_config = {
+          magic_dns = true;
+#          domains = [ "giugl.io" "runas.rocks" ];
+#          base_domain = "giugl.io";
+          override_local_dns = true;
+          nameservers = "10.4.0.2";
+        };
+        logtail.enabled = false;
+        ip_prefixes = [ "10.4.0.0/24" ];
+        # The Noise private key is used to encrypt the
+        # traffic between headscale and Tailscale clients when
+        # using the new Noise-based protocol. It must be different
+        # from the legacy private key.
+        noise.private_key_path = "/var/lib/headscale/noise_private.key";
+      };
+    };
+
+    # ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+    # ssl.cert =
+    #   "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass =
+          "http://127.0.0.1:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+  };
+}
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -11,7 +11,8 @@ rec {
  vpn-net = "10.3.0.0/24";
  external_lan-net = "192.168.1.0/24";
  docker-net = "172.17.0.0/16";
-  tailscale-net = "100.64.0.0/10";
+#  tailscale-net = "100.64.0.0/10";
+  tailscale-net = "10.4.0.0/24";

  # ips
  router-lan = "10.0.0.1";
@ -51,7 +52,8 @@ rec {
  framecca_four-wg = "10.3.0.39";

  giuliophone-ts = "100.68.68.46";
-  architect-ts = "100.67.205.28";
+#  architect-ts = "100.67.205.28";
+  architect-ts = "10.4.0.2";
  giuliopc-ts = "100.124.78.64";
  dodino-ts = "100.106.244.35";