2025-01-01 02:16:05 +04:00
|
|
|
{ config, lib, pkgs, ... }:
|
2025-01-01 01:18:25 +04:00
|
|
|
with lib;
|
|
|
|
let cfg = config.void.server.services.headscale;
|
|
|
|
in {
|
|
|
|
options.void.server.services.headscale = { enable = mkEnableOption false; };
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
# THANK YOU NOTASHLEF
|
|
|
|
environment.systemPackages =
|
|
|
|
[ config.services.headscale.package pkgs.tailscale ];
|
|
|
|
|
|
|
|
services.tailscale.enable = true;
|
|
|
|
|
|
|
|
services.headscale = {
|
|
|
|
enable = true;
|
|
|
|
package = pkgs.headscale;
|
|
|
|
address = "127.0.0.1";
|
|
|
|
port = 8085;
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
server_url = "https://headscale.sako.lol";
|
|
|
|
grpc_listen_addr = "127.0.0.1:50443";
|
|
|
|
grpc_allow_insecure = false;
|
|
|
|
prefixes = {
|
|
|
|
allocation = "sequential";
|
|
|
|
v4 = "100.64.0.0/10";
|
|
|
|
v6 = "fd7a:115c:a1e0::/48";
|
|
|
|
};
|
|
|
|
database = {
|
|
|
|
type = "sqlite3";
|
|
|
|
debug = false;
|
|
|
|
sqlite.path = "/var/lib/headscale/db.sqlite";
|
|
|
|
# GORM configuration settings.
|
|
|
|
gorm = {
|
|
|
|
# Enable prepared statements.
|
|
|
|
prepare_stmt = true;
|
|
|
|
|
|
|
|
# Enable parameterized queries.
|
|
|
|
parameterized_queries = true;
|
|
|
|
|
|
|
|
# Skip logging "record not found" errors.
|
|
|
|
skip_err_record_not_found = true;
|
|
|
|
|
|
|
|
# Threshold for slow queries in milliseconds.
|
|
|
|
slow_threshold = 1000;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
metrics_listen_addr = "127.0.0.1:8086";
|
|
|
|
randomize_client_port =
|
|
|
|
false; # prefer a random port for WireGuard traffic over
|
|
|
|
disable_check_updates = true; # disable checking for updates on startup
|
|
|
|
ephemeral_node_inactivity_timeout =
|
|
|
|
"30m"; # time before an e ephemeral node is deleted.
|
|
|
|
node_update_check_interval = "10s";
|
|
|
|
|
|
|
|
# Unix socket used for the CLI to connect without authentication
|
|
|
|
unix_socket = "/run/headscale/headscale.sock";
|
|
|
|
unix_socket_permission = "0770";
|
|
|
|
|
2025-01-01 02:15:03 +04:00
|
|
|
dns = {
|
|
|
|
magic_dns = true;
|
|
|
|
#override_local_dns = true;
|
2025-01-01 02:15:38 +04:00
|
|
|
base_domain = "sa.ko";
|
2025-01-01 02:15:03 +04:00
|
|
|
|
|
|
|
domains = [ "sa.ko" ];
|
|
|
|
|
|
|
|
nameservers = { global = [ "192.168.1.28" "sakoserver" "1.1.1.1" ]; };
|
|
|
|
};
|
|
|
|
|
|
|
|
# TODO Derp relays
|
|
|
|
|
2025-01-01 01:18:25 +04:00
|
|
|
# logging
|
|
|
|
log = {
|
|
|
|
format = "text";
|
|
|
|
level = "info";
|
|
|
|
};
|
2025-01-01 02:19:31 +04:00
|
|
|
};
|
|
|
|
};
|
|
|
|
services.nginx.virtualHosts."headscale.sako.lol" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
http3 = true;
|
|
|
|
|
|
|
|
locations = {
|
|
|
|
"/" = {
|
|
|
|
proxyPass =
|
|
|
|
"http://localhost:${toString config.services.headscale.port}";
|
|
|
|
proxyWebsockets = true;
|
2025-01-01 01:18:25 +04:00
|
|
|
};
|
2025-01-01 02:19:31 +04:00
|
|
|
};
|
|
|
|
extraConfig = ''
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
|
|
'';
|
|
|
|
};
|
2025-01-01 01:18:25 +04:00
|
|
|
|
2025-01-01 02:59:02 +04:00
|
|
|
security.acme.certs."headscale.sako.lol" = {
|
|
|
|
credentialsFile = "/srv/secrets/porkbun";
|
|
|
|
dnsProvider = "porkbun";
|
|
|
|
webroot = null;
|
|
|
|
};
|
2025-01-01 02:12:42 +04:00
|
|
|
|
2025-01-01 13:49:32 +04:00
|
|
|
boot.kernel.sysctl = {
|
|
|
|
"net.ipv4.ip_forward" = 1;
|
|
|
|
"net.ipv6.conf.all.forwarding" = 1;
|
|
|
|
};
|
|
|
|
|
2025-01-01 02:19:31 +04:00
|
|
|
systemd.services = { tailscaled.after = [ "headscale.service" ]; };
|
2025-01-01 01:18:25 +04:00
|
|
|
|
|
|
|
};
|
|
|
|
}
|