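# Headscale is a tailscale-compatible control plane that you can use with all of the clients.
#
# This module sets up:
#   - services.headscale: the control plane (listener, MagicDNS, TLS, misc settings)
#   - systemd.services.headscale: a reduced Linux capability set for the unit
#
# NOTE(review): nothing in this file opens the listeners below (6900/tcp,
# 6869/udp for STUN, 80/tcp for HTTP-01) in networking.firewall; presumably
# that is done in another module — confirm.
let
  # Public name of this control plane. Used for both the server URL and the
  # Let's Encrypt certificate, so the two cannot drift apart.
  fqdn = "vpn.thehedgehog.me";

  # TCP port the control plane listens on; also baked into the server URL.
  listenPort = 6900;

  # Linux capabilities the headscale unit keeps. The same list is applied to
  # the bounding set (what it may ever hold) and the ambient set (what it
  # starts with), so neither can be widened by accident.
  #   CAP_NET_BIND_SERVICE: presumably for the ACME HTTP-01 listener on port 80;
  #                         the main listener on listenPort is unprivileged.
  #   CAP_CHOWN:            presumably for ownership of state files — confirm.
  headscaleCapabilities = [
    "CAP_CHOWN"
    "CAP_NET_BIND_SERVICE"
  ];
in
{
  services.headscale = {
    enable = true;
    port = listenPort;
    # Set so that anything can access this. Default is localhost only, which is useless
    # (clients reach this host over its public FQDN). Presumably TLS-terminated by
    # headscale itself via the letsencrypt block below.
    address = "0.0.0.0";
    # Server URL is the FQDN of this server
    serverUrl = "https://${fqdn}:${toString listenPort}";

    dns = {
      # All domains are .hog domains internally
      baseDomain = "hog";
      # Enable MagicDNS
      # See https://tailscale.com/kb/1081/magicdns/ for more details
      magicDns = true;
      # Upstream resolvers handed to clients. Original intent: adblocking server
      # as primary, DNS.sb as secondary — but only DNS.sb (45.11.45.11) is listed
      # here, so it is the sole resolver until the adblocker is added.
      nameservers = [ "45.11.45.11" ];
      # Domains to inject, so I can type "media/" into my search bar and go to "media.main.hog"
      # You can't tell headscale to not create a namespace, so this is the best that I can do
      domains = [ "main.hog" ];
    };

    # Automatic TLS
    tls.letsencrypt = {
      # Set up automatic Let's Encrypt cert pulls for the public name
      hostname = fqdn;
    };

    # Disabled since if this goes down, then it's a pain to reconnect to auth
    # OIDC configuration, so I can have my beloved SSO.
    # openIdConnect = {
    #   # Issuer is HedgeCloud auth, my private auth server
    #   issuer = "https://auth.thehedgehog.me/application/o/hedgevpn/";
    #   # All people get assigned to the "main" namespace
    #   domainMap = {
    #     ".*" = "main";
    #   };
    #   # Set client ID for OIDC
    #   clientId = "25066b6b1e72718186f8c0dc20f7892951834b6e";
    #   # Client Secret is in this file
    #   clientSecretFile = "/run/agenix/headscale-oidc-secret";
    # };

    # Misc settings that aren't set in the above sections
    settings = {
      # Set challenge type, forwarded by Caddy
      tls_letsencrypt_challenge_type = "HTTP-01";
      # oidc.strip_email_domain = true;
      # NixOS handles our updates
      disable_check_updates = true;
      # Address ranges handed out to nodes.
      # NOTE(review): the IPv6 /48 is outside the ULA range fd00::/8 (RFC 4193);
      # confirm it is intentional and does not collide with anything routable.
      ip_prefixes = [
        "4349:3909:beef::/48"
        "100.64.0.0/10"
      ];
      # Built-in DERP relay; the STUN listener is bound on every interface.
      derp.server = {
        enabled = true;
        region_id = 969;
        region_code = "internal";
        region_name = "Internal DERP";
        stun_listen_addr = "0.0.0.0:6869";
      };
    };
  };

  # Both capability sets come from the single list above (see its comment).
  systemd.services.headscale.serviceConfig = {
    CapabilityBoundingSet = headscaleCapabilities;
    AmbientCapabilities = headscaleCapabilities;
  };
}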