From b644b9d684279de8f417b1d8a5d7ca0150064724 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Sat, 6 May 2023 15:04:25 +0200
Subject: [PATCH] headscale: init

---
 hosts/architect/default.nix | 1 +
 hosts/architect/firewall.nix | 1 +
 hosts/architect/headscale.nix | 61 +++++++++++++++++++++++++++++++++++
 hosts/architect/network.nix | 6 ++--
 4 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 hosts/architect/headscale.nix

diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index d5d732a..3ca0903 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -41,6 +41,7 @@ in
 ./tailscale.nix
 # ./searx.nix
 ./plex.nix
+ ./headscale.nix
 ];
 
 time.timeZone = "Europe/Rome";
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index 1f43c40..b7989cc 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -63,6 +63,7 @@ in
 iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
 iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
 iifname ${tailscale-if} ip saddr ${tailscale-net} accept
+ iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept
 iifname "lo" accept comment "bind any ip to intf lo"
 jump mangle_drop
 }
diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix
new file mode 100644
index 0000000..6b01593
--- /dev/null
+++ b/hosts/architect/headscale.nix
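Review bot: The new `iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept` rule carries no `comment` clause, unlike the neighbouring `vpn-if`, `docker-if` and `lo` rules in the same chain, so the reason for allow-listing a single host address is lost once the ruleset is loaded. Suggest `iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept comment "tailscale built-in dns resolver"`, assuming that is the purpose — 100.100.100.100 appears to be Tailscale's internal DNS address, which no longer falls inside `${tailscale-net}` once network.nix narrows that value to 10.4.0.0/24 in this same patch. Hoisting the address into network.nix next to `tailscale-net` would also keep the chain free of literal addresses. The enclosing chain definition starts outside the hunk.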
@@ -0,0 +1,61 @@
+{ config, pkgs, ... }:
+
+let
+ domain = "vipienne.giugl.io";
+ network = import ./network.nix;
+in
+{
+ architect.firewall = {
+ openTCP = [ config.services.headscale.port ];
+ };
+
+ networking.extraHosts = ''
+ ${network.architect-lan} ${domain}
+ ${network.architect-wg} ${domain}
+ ${network.architect-ts} ${domain}
+ '';
+
+ environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
+
+ services = {
+ headscale = {
+ enable = true;
+ package = pkgs.unstablePkgs.headscale;
+ port = 1194;
+ address = "0.0.0.0";
+ serverUrl = "https://${domain}";
+ logLevel = "debug";
+ settings = {
+ dns_config = {
+ magic_dns = true;
+# domains = [ "giugl.io" "runas.rocks" ];
+# base_domain = "giugl.io";
+ override_local_dns = true;
+ nameservers = "10.4.0.2";
+ };
+ logtail.enabled = false;
+ ip_prefixes = [ "10.4.0.0/24" ];
+ # The Noise private key is used to encrypt the
+ # traffic between headscale and Tailscale clients when
+ # using the new Noise-based protocol. It must be different
+ # from the legacy private key.
+ noise.private_key_path = "/var/lib/headscale/noise_private.key";
+ };
+ };
+
+ # ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+ # ssl.cert =
+ # "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+
+ nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass =
+ "http://127.0.0.1:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ };
+}
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index 5829676..05fa061 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -11,7 +11,8 @@ rec {
 vpn-net = "10.3.0.0/24";
 external_lan-net = "192.168.1.0/24";
 docker-net = "172.17.0.0/16";
- tailscale-net = "100.64.0.0/10";
+# tailscale-net = "100.64.0.0/10";
+ tailscale-net = "10.4.0.0/24";
 
 # ips
 router-lan = "10.0.0.1";
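Review bot: `address = "0.0.0.0"` together with `architect.firewall = { openTCP = [ config.services.headscale.port ]; }` exposes headscale's plaintext HTTP listener on port 1194 on every interface, while the `nginx.virtualHosts.${domain}` block with `forceSSL = true` proxies to `http://127.0.0.1:1194` — so clients can reach the backend directly and bypass the TLS termination nginx provides. Unless something needs to reach 1194 directly, suggest `address = "127.0.0.1";` and dropping the `openTCP` entry, leaving only nginx's HTTPS port reachable from outside. `logLevel = "debug"` is also committed as the steady-state value; a comment such as `# TODO: lower to "info" once clients are enrolled` would mark it as temporary. The commented-out `ssl.key`/`ssl.cert` lines are dead config now that TLS is handled by the nginx vhost and could be removed or annotated with why they are kept.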
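Review bot: `tailscale-net` is narrowed from `100.64.0.0/10` to `10.4.0.0/24`, but the rule in firewall.nix that admits tailnet traffic is `iifname ${tailscale-if} ip saddr ${tailscale-net} accept`, and this file still lists peers in the old range (`giuliophone-ts = "100.68.68.46"`, `giuliopc-ts`, `dodino-ts` in the following hunk). Unless those nodes are being re-enrolled on the new headscale with `ip_prefixes = [ "10.4.0.0/24" ]`, their traffic will now be dropped by that rule; either update the entries in the same change or add a comment stating they are pending migration. Keeping the old value as `# tailscale-net = "100.64.0.0/10";` leaves dead config behind; a one-line comment such as `# self-hosted headscale tailnet; the Tailscale 100.64.0.0/10 range is no longer used` records the reason better.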
@@ -51,7 +52,8 @@ rec {
 framecca_four-wg = "10.3.0.39";
 
 giuliophone-ts = "100.68.68.46";
- architect-ts = "100.67.205.28";
+# architect-ts = "100.67.205.28";
+ architect-ts = "10.4.0.2";
 giuliopc-ts = "100.124.78.64";
 dodino-ts = "100.106.244.35";