peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

headscale: init

Browse Source
This commit is contained in:
Giulio De Pasquale 2023-05-06 15:04:25 +02:00
parent 098e0a6147
commit b644b9d684
4 changed files with 67 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/architect/default.nix
View File

@ -41,6 +41,7 @@ in
./tailscale.nix ./tailscale.nix
# ./searx.nix # ./searx.nix
./plex.nix ./plex.nix
./headscale.nix
]; ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";

1
hosts/architect/firewall.nix
View File

@ -63,6 +63,7 @@ in
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}" iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}" iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname ${tailscale-if} ip saddr ${tailscale-net} accept iifname ${tailscale-if} ip saddr ${tailscale-net} accept
iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }

61
hosts/architect/headscale.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, pkgs, ... }:
let
domain = "vipienne.giugl.io";
network = import ./network.nix;
in
{
architect.firewall = {
openTCP = [ config.services.headscale.port ];
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
${network.architect-ts} ${domain}
'';
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
services = {
headscale = {
enable = true;
package = pkgs.unstablePkgs.headscale;
port = 1194;
address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = {
dns_config = {
magic_dns = true;
# domains = [ "giugl.io" "runas.rocks" ];
# base_domain = "giugl.io";
override_local_dns = true;
nameservers = "10.4.0.2";
};
logtail.enabled = false;
ip_prefixes = [ "10.4.0.0/24" ];
# The Noise private key is used to encrypt the
# traffic between headscale and Tailscale clients when
# using the new Noise-based protocol. It must be different
# from the legacy private key.
noise.private_key_path = "/var/lib/headscale/noise_private.key";
};
};
# ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
# ssl.cert =
# "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
};
}

6
hosts/architect/network.nix
View File

@ -11,7 +11,8 @@ rec {
vpn-net = "10.3.0.0/24"; vpn-net = "10.3.0.0/24";
external_lan-net = "192.168.1.0/24"; external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16"; docker-net = "172.17.0.0/16";
tailscale-net = "100.64.0.0/10"; # tailscale-net = "100.64.0.0/10";
tailscale-net = "10.4.0.0/24";
# ips # ips
router-lan = "10.0.0.1"; router-lan = "10.0.0.1";
@ -51,7 +52,8 @@ rec {
framecca_four-wg = "10.3.0.39"; framecca_four-wg = "10.3.0.39";
giuliophone-ts = "100.68.68.46"; giuliophone-ts = "100.68.68.46";
architect-ts = "100.67.205.28"; # architect-ts = "100.67.205.28";
architect-ts = "10.4.0.2";
giuliopc-ts = "100.124.78.64"; giuliopc-ts = "100.124.78.64";
dodino-ts = "100.106.244.35"; dodino-ts = "100.106.244.35";