headscale: use architect options

hosts/architect/dns.nix

@@ -1,40 +1,49 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 
 let
-  domain = "adguard.architect.devs.giugl.io";
+  # Function to generate CoreDNS config for a single vhost
+  generateCoreDNSConfigForVhost = domain: conf:
+    let
+      # Retrieve architect's IP on each interface
+      interfaceConfigs = builtins.map
+        (iface:
+          let
+            architectIP = config.architect.networks.${iface}.devices.architect.address;
+            interfaceNet = config.architect.networks.${iface}.net;
+          in
+          ''
+            ${domain} {
+              view ${iface} {
+                expr incidr(client_ip(), '${interfaceNet}')
+              }
+
+              template IN A ${domain} {
+                answer "${domain}. 60 IN A ${architectIP}"
+              }
+              template IN HTTPS ${domain} {
+                answer "${domain}. 60 IN HTTPS 1 . ipv4hint=\"${architectIP}\""
+              }
+              cache
+              log
+            }
+          ''
+        )
+        conf.dnsInterfaces;
+    in
+    lib.concatStringsSep "\n" interfaceConfigs;
 in
 {
-  architect = {
-    firewall.openUDPVPN = [ 53 ];
-
-    vhost.${domain} = {
-      dnsInterfaces = [ "lan" "tailscale" ];
-
-      locations."/" = with config; {
-        port = services.adguardhome.settings.bind_port;
-        allow = with architect.networks; [ lan.net tailscale.net ];
-        deny = [
-          architect.networks."lan".devices.router.address
-        ];
-      };
-    };
-  };
-
   services = {
-    dnsmasq = {
+    coredns = {
       enable = true;
-      settings = {
+      config = ''
-        server = [ "127.0.0.1#${toString config.services.adguardhome.settings.dns.port}" ];
+        ${lib.concatStringsSep "\n" (lib.mapAttrsToList generateCoreDNSConfigForVhost config.architect.vhost)}
-        localise-queries = true;
+          
-        min-cache-ttl = 120;
+        . {
-        max-cache-ttl = 2400;
+          cache
-        domain = [
+          forward . 127.0.0.1:${toString config.services.adguardhome.settings.dns.port}
-          "runas.rocks"
+        }
-          "giugl.io"
+      '';
-          "devs.runas.rocks"
-          "devs.giugl.io"
-        ];
-      };
     };
 
     adguardhome = {

hosts/architect/headscale.nix

@@ -1,53 +1,46 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 
 let
-  domain = "vipienne.giugl.io";
+  baseDomain = "giugl.io";
+  domain = "vipienne.${baseDomain}";
+  headscalePkg = pkgs.unstablePkgs.headscale;
 in
 {
-  environment.systemPackages = [ pkgs.headscale ];
+  environment.systemPackages = [ headscalePkg ];
 
-  architect.firewall = {
+  architect = {
-    openUDP = [ config.services.tailscale.port ];
+    firewall = {
-  };
+      openUDP = [ config.services.tailscale.port ];
-
-  services = {
-    headscale = {
-      enable = true;
-      package = pkgs.unstablePkgs.headscale;
-      port = 1194;
-      address = "0.0.0.0";
-
-      settings = {
-        server_url = "https://${domain}";
-        log.level = "debug";
-        dns_config = {
-          magic_dns = true;
-          base_domain = "giugl.io";
-          override_local_dns = true;
-          nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
-        };
-        logtail.enabled = false;
-        ip_prefixes = [ config.architect.networks.tailscale.net ];
-        noise.private_key_path = "/var/lib/headscale/noise_private.key";
-      };
     };
 
-    nginx.virtualHosts.${domain} = {
+    vhost.${domain} = {
-      forceSSL = true;
+      dnsInterfaces = [ "lan" "tailscale" ];
-      enableACME = true;
-      extraConfig = ''
-        ssl_protocols TLSv1.2 TLSv1.3;
-      '';
       locations."/" = {
-        proxyPass =
+        port = config.services.headscale.port;
-          "http://127.0.0.1:${toString config.services.headscale.port}";
+        allowWAN = true;
         proxyWebsockets = true;
-        recommendedProxySettings = true;
-        extraConfig = ''
-          proxy_buffering off;
-          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-        '';
       };
     };
   };
+
+  services.headscale = {
+    enable = true;
+    package = headscalePkg;
+
+    settings = {
+      server_url = "https://${domain}";
+      log.level = "debug";
+      dns_config = {
+        magic_dns = false;
+        base_domain = baseDomain;
+        override_local_dns = true;
+        nameservers = [
+          config.architect.networks.tailscale.devices.architect.address
+        ];
+      };
+      logtail.enabled = false;
+      ip_prefixes = [ config.architect.networks.tailscale.net ];
+      noise.private_key_path = "/var/lib/headscale/noise_private.key";
+    };
+  };
 }

hosts/architect/nginx.nix

@@ -3,7 +3,6 @@
 {
   architect.firewall = {
     openTCP = [ 80 443 ];
-    openTCPVPN = [ 80 443 ];
   };
 
   services.nginx = {

hosts/architect/options.nix

@@ -2,10 +2,6 @@
 
 with lib;
 
-let
-  utilities = import ./utilities.nix { inherit lib config; };
-  inherit (utilities) architectInterfaceAddress;
-in
 {
   options.architect = {
     firewall = {
@@ -17,14 +13,6 @@ in
         type = types.listOf types.int;
         default = [ ];
       };
-      openTCPVPN = mkOption {
-        type = types.listOf types.int;
-        default = [ ];
-      };
-      openUDPVPN = mkOption {
-        type = types.listOf types.int;
-        default = [ ];
-      };
     };
 
     networks = mkOption {
@@ -118,12 +106,6 @@ in
                   default = false;
                   description = "If set to false, deny all WAN traffic.";
                 };
-
-                deny = mkOption {
-                  type = types.listOf types.str;
-                  default = [ ];
-                  description = "IP address or CIDR block to deny.";
-                };
               };
             });
             default = { };
@@ -136,6 +118,7 @@ in
     };
   };
 
+  # TODO: move to nginx
   config = {
     services.nginx.virtualHosts = mapAttrs
       (domain: conf: {
@@ -147,21 +130,12 @@ in
             proxyWebsockets = location.proxyWebsockets;
             extraConfig = ''
               ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
-              ${optionalString (!location.allowWAN) "deny all;"}
-              ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
               ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
+              ${optionalString (!location.allowWAN) "deny all;"}
             '' + location.extraConfig;
           })
           conf.locations;
       })
       config.architect.vhost;
-
-    networking.extraHosts = concatStringsSep "\n" (
-      mapAttrsToList
-        (domain: conf: concatMapStringsSep "\n"
-          (iface: "${architectInterfaceAddress iface} ${domain}")
-          conf.dnsInterfaces)
-        config.architect.vhost
-    );
   };
 }

hosts/architect/prowlarr.nix

@@ -1,10 +1,13 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
 let
   domain = "htpro.giugl.io";
 in
 {
-  services.prowlarr.enable = true;
+  services.prowlarr = {
+    enable = true;
+    package = pkgs.unstablePkgs.prowlarr;
+  };
 
   architect.vhost.${domain} = with config.architect.networks; {
     dnsInterfaces = [ "tailscale" ];

hosts/architect/radarr.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, ... }:
 
 let
   domain = "htrad.giugl.io";
@@ -6,6 +6,7 @@ in
 {
   services.radarr = {
     enable = true;
+    package = pkgs.unstablePkgs.radarr;
     group = "media";
   };
 

hosts/architect/sonarr.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, pkgs, ... }:
 
 let
   domain = "htson.giugl.io";
@@ -7,6 +7,7 @@ in
   services.sonarr = {
     enable = true;
     group = "media";
+    package = pkgs.unstablePkgs.sonarr;
   };
 
   architect.vhost.${domain} = with config.architect.networks; {

hosts/architect/tailscale.nix

@@ -15,14 +15,16 @@ in
       devices = {
         architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; };
         kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; };
+        parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
         chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; };
         dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
         manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
         tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
-        # ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
+        ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
-        ucsb-workstation = { address = "100.64.0.10"; hostname = "ucsb-workstation.${domain}"; };
         alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
-        parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
+        appletv = { address = "100.64.0.13"; hostname = "appletv.${domain}"; };
+        watkinshouse = { address = "100.64.0.14"; hostname = "watkinshouse.${domain}"; };
+        afsun = { address = "100.64.0.15"; hostname = "afsun.${domain}"; };
       };
     };
   };