diff --git a/hosts/sakoserver/configuration.nix b/hosts/sakoserver/configuration.nix
index 8b5a23f2..4f8ad95d 100644
--- a/hosts/sakoserver/configuration.nix
+++ b/hosts/sakoserver/configuration.nix
@@ -64,7 +64,10 @@
 dns.blocky.enable = true;
 nginx.enable = true;
 postgresql.enable = true;
- services = { forgejo.enable = true; };
+ services = {
+ forgejo.enable = true;
+ # headscale.enable = true;
+ };
 };
 };
diff --git a/modules/server/postgresql.nix b/modules/server/postgresql.nix
index a0c7d35b..487ec7c3 100644
--- a/modules/server/postgresql.nix
+++ b/modules/server/postgresql.nix
@@ -8,7 +8,7 @@ in {
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_17_jit;
- ensureDatabases = [ "forgejo" "headscale" ];
+ ensureDatabases = [ "forgejo" ];
 ensureUsers = [
 {
 name = "postgres";
@@ -24,10 +24,6 @@ in {
 name = "forgejo";
 ensureDBOwnership = true;
 }
- {
- name = "headscale";
- ensureDBOwnership = true;
- }
 ];
 # Thank you NotAShelf
 # https://github.com/NotAShelf/nyx/blob/d407b4d6e5ab7f60350af61a3d73a62a5e9ac660/modules/core/roles/server/system/services/databases/postgresql.nix#L74
diff --git a/modules/server/services/default.nix b/modules/server/services/default.nix
index 8d2b47d0..baab1ce9 100644
--- a/modules/server/services/default.nix
+++ b/modules/server/services/default.nix
@@ -1 +1 @@
-{ imports = [ ./forgejo.nix ]; }
+{ imports = [ ./forgejo.nix ./headscale.nix ]; }
diff --git a/modules/server/services/headscale.nix b/modules/server/services/headscale.nix
new file mode 100644
index 00000000..9013d683
--- /dev/null
+++ b/modules/server/services/headscale.nix
@@ -0,0 +1,89 @@
+{ config, lib, ... }:
+with lib;
+let cfg = config.void.server.services.headscale;
+in {
+ options.void.server.services.headscale = { enable = mkEnableOption false; };
+
+ config = mkIf cfg.enable {
+ # THANK YOU NOTASHLEF
+ environment.systemPackages =
+ [ config.services.headscale.package pkgs.tailscale ];
+
+ services.tailscale.enable = true;
+
+ services.headscale = {
+ enable = true;
+ package = pkgs.headscale;
+ address = "127.0.0.1";
+ port = 8085;
+
+ settings = {
+ server_url = "https://headscale.sako.lol";
+ grpc_listen_addr = "127.0.0.1:50443";
+ grpc_allow_insecure = false;
+ prefixes = {
+ allocation = "sequential";
+ v4 = "100.64.0.0/10";
+ v6 = "fd7a:115c:a1e0::/48";
+ };
+ # TODOOOOO POSTGRES NOW NOWNOW
+ database = {
+ type = "sqlite3";
+ debug = false;
+ sqlite.path = "/var/lib/headscale/db.sqlite";
+ # GORM configuration settings.
+ gorm = {
+ # Enable prepared statements.
+ prepare_stmt = true;
+
+ # Enable parameterized queries.
+ parameterized_queries = true;
+
+ # Skip logging "record not found" errors.
+ skip_err_record_not_found = true;
+
+ # Threshold for slow queries in milliseconds.
+ slow_threshold = 1000;
+ };
+ };
+ metrics_listen_addr = "127.0.0.1:8086";
+ randomize_client_port =
+ false; # prefer a random port for WireGuard traffic over
+ disable_check_updates = true; # disable checking for updates on startup
+ ephemeral_node_inactivity_timeout =
+ "30m"; # time before an e ephemeral node is deleted.
+ node_update_check_interval = "10s";
+
+ # Unix socket used for the CLI to connect without authentication
+ unix_socket = "/run/headscale/headscale.sock";
+ unix_socket_permission = "0770";
+
+ # logging
+ log = {
+ format = "text";
+ level = "info";
+ };
+
+ services.nginx.virtualHosts."headscale.sako.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ http3 = true;
+
+ locations = {
+ "/" = {
+ proxyPass =
+ "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+ };
+
+ systemd.services = { tailscaled.after = [ "headscale.service" ]; };
+
+ };
+ };
+ };
+}
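Review bot: `services.nginx.virtualHosts."headscale.sako.lol"` and `systemd.services` are nested inside `services.headscale.settings` — the `log = { ... };` block is followed directly by them and the `settings`, `services.headscale` and `mkIf` sets are only closed by the three `};` at the very end — so both would be emitted as freeform keys in headscale's generated config rather than applied as NixOS options, leaving headscale bound to 127.0.0.1:8085 with no TLS/HSTS reverse proxy and no unit ordering for tailscaled. Close `settings` and `services.headscale` with two `};` immediately after the `log` block and drop two of the trailing `};`. The module header binds only `{ config, lib, ... }:` while the body uses `pkgs.tailscale` and `pkgs.headscale`; change it to `{ config, lib, pkgs, ... }:` (with `with lib;` in scope this likely surfaces as an undefined-variable error only once `void.server.services.headscale.enable` is set, which the configuration.nix hunk still keeps commented out). The `randomize_client_port` comment is cut off mid-sentence at "over"; finish it or drop it.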