nixos/hosts/architect/headscale.nix
2024-01-31 00:33:56 +01:00


# NixOS module for the host "architect": runs a headscale server (the
# self-hosted Tailscale control server) and publishes it through the
# project's own `architect.vhost` / `architect.firewall` options.
{ config, pkgs, ... }:
let
  baseDomain = "giugl.io";
  domain = "vipienne.${baseDomain}";

  # headscale is taken from the unstable package set rather than the default one.
  hsPackage = pkgs.unstablePkgs.headscale;

  # Shorthand for the project-defined description of the tailscale network.
  tailnet = config.architect.networks.tailscale;
in
{
  # Puts the headscale CLI on the system PATH, same build as the service.
  environment.systemPackages = [ hsPackage ];

  architect = {
    # Presumably opens this UDP port in the host firewall; the option is
    # defined by the project's firewall module -- confirm there.
    firewall.openUDP = [ config.services.tailscale.port ];

    vhost.${domain} = {
      dnsInterfaces = [ "lan" "tailscale" ];
      locations."/" = {
        port = config.services.headscale.port;
        # NOTE(review): allowWAN looks like it makes the control server
        # reachable from the internet (semantics live in the vhost module --
        # confirm). If so, node registration and the headscale version are
        # the exposed surface; keep both under review.
        allowWAN = true;
        proxyWebsockets = true;
      };
    };
  };

  services.headscale = {
    enable = true;
    package = hsPackage;

    settings = {
      # URL that clients use to reach this control server.
      server_url = "https://${domain}";

      # NOTE(review): debug verbosity on a service that is also exposed via
      # the vhost above. Check what ends up in the journal and who can read
      # it; drop to a quieter level once troubleshooting is finished.
      log = { level = "debug"; };

      # Clients are not told to ship their logs to the upstream logtail service.
      logtail = { enabled = false; };

      # Private key for the Noise-based client/server protocol. This is a
      # plain string path, so the key is not copied into the Nix store; it
      # should stay readable by the headscale service user only.
      noise = { private_key_path = "/var/lib/headscale/noise_private.key"; };

      # Address range(s) from which nodes receive their tailnet addresses.
      ip_prefixes = [ tailnet.net ];

      dns_config = {
        magic_dns = false;
        base_domain = baseDomain;
        # Nodes have their local resolver settings replaced by the list
        # below, so every DNS query from a node goes to the "architect"
        # device: that resolver becomes a trust and availability dependency.
        override_local_dns = true;
        nameservers = [ tailnet.devices.architect.address ];
      };
    };
  };
}