63 lines
1.7 KiB
Nix
63 lines
1.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
let
|
|
domain = "vipienne.giugl.io";
|
|
architectInterfaceAddress = interface:
|
|
config.architect.networks.${interface}.devices.architect.address;
|
|
in
|
|
{
|
|
architect.firewall = {
|
|
openTCP = [ config.services.headscale.port ];
|
|
};
|
|
|
|
networking.extraHosts = ''
|
|
${architectInterfaceAddress "lan"} ${domain}
|
|
${architectInterfaceAddress "wireguard"} ${domain}
|
|
${architectInterfaceAddress "tailscale"} ${domain}
|
|
'';
|
|
|
|
environment.systemPackages = [ pkgs.unstablePkgs.headscale ];
|
|
|
|
services = {
|
|
headscale = {
|
|
enable = true;
|
|
package = pkgs.unstablePkgs.headscale;
|
|
port = 1194;
|
|
address = "0.0.0.0";
|
|
serverUrl = "https://${domain}";
|
|
logLevel = "debug";
|
|
settings = {
|
|
dns_config = {
|
|
magic_dns = true;
|
|
domains = [
|
|
"giugl.io"
|
|
"runas.rocks"
|
|
"devs.giugl.io"
|
|
];
|
|
base_domain = "giugl.io";
|
|
override_local_dns = true;
|
|
nameservers = [ config.architect.networks.tailscale.devices.architect.address ];
|
|
};
|
|
logtail.enabled = false;
|
|
ip_prefixes = [ config.architect.networks.tailscale.net ];
|
|
# The Noise private key is used to encrypt the
|
|
# traffic between headscale and Tailscale clients when
|
|
# using the new Noise-based protocol. It must be different
|
|
# from the legacy private key.
|
|
noise.private_key_path = "/var/lib/headscale/noise_private.key";
|
|
};
|
|
};
|
|
|
|
nginx.virtualHosts.${domain} = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass =
|
|
"http://127.0.0.1:${toString config.services.headscale.port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
|
|
};
|
|
}
|