From b485be966a68a0b4a9a6f528a8c544cfc6dd5dac Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Thu, 4 May 2023 18:30:55 +0200
Subject: [PATCH] Add headscale

---
 modules/common/linux/default.nix | 2 +
 nki-personal-do/configuration.nix | 2 +
 nki-personal-do/headscale.nix | 81 ++++++++++++++++++++++++++++
 nki-personal-do/secrets/secrets.yaml | 7 ++-
 4 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 nki-personal-do/headscale.nix

diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix
index 4fab6e5..cb7987f 100644
--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@@ -172,6 +172,8 @@ in
 # Firewall: only open to SSH now
 networking.firewall.allowedTCPPorts = [ 22 ];
 networking.firewall.allowedUDPPorts = [ 22 ];
+ # Enable tailscale
+ services.tailscale.enable = true;
 
 ## Time and Region
 time.timeZone = "Europe/Zurich";
diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix
index 24b060e..20a0b73 100644
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@@ -12,6 +12,8 @@
 ../modules/cloud/conduit
 ../modules/cloud/writefreely
 ../modules/cloud/gotosocial
+
+ ./headscale.nix
 ];
 
 common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine.
diff --git a/nki-personal-do/headscale.nix b/nki-personal-do/headscale.nix
new file mode 100644
index 0000000..c4736e8
--- /dev/null
+++ b/nki-personal-do/headscale.nix
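Review bot: `services.tailscale.enable = true;` joins every host built from this shared module to a tailnet, but the firewall lines directly above it still only admit port 22 and say nothing about the tailscale interface, so the `# Firewall: only open to SSH now` comment no longer describes the host's exposure. If services are meant to be reachable over the tailnet, add `networking.firewall.trustedInterfaces = [ "tailscale0" ];` (or open the specific ports) next to it; if the tailnet is deliberately not trusted, say so in that comment. Since the commit is about headscale, the comment should also record that these nodes have to be enrolled against it explicitly, e.g. `# enrol with: tailscale up --login-server https://hs.dtth.ch`, because as far as I know a freshly enabled tailscaled otherwise points at the public tailscale.com control plane. Note that this module is disabled on nki-personal-do (`common.linux.enable = false` in the next hunk), so the headscale host itself does not receive this client; that may be intended but is worth a line in the comment.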
@@ -0,0 +1,81 @@
+{ pkgs, config, lib, ... }:
+let
+ secrets = config.sops.secrets;
+
+ host = "hs.dtth.ch";
+ port = 19876;
+ webuiPort = 19877;
+in
+rec {
+ sops.secrets."headscale/client_secret" = { owner = "headscale"; };
+ sops.secrets."headscale/webui-env" = { };
+ # database
+ cloud.postgresql.databases = [ "headscale" ];
+ # traefik
+ cloud.traefik.hosts.headscale = {
+ inherit port host;
+ filter = "Host(`hs.dtth.ch`) && !PathPrefix(`/admin`)";
+ };
+ cloud.traefik.hosts.headscale_webui = {
+ inherit host;
+ port = webuiPort;
+ filter = "Host(`hs.dtth.ch`) && PathPrefix(`/admin`)";
+ };
+
+ services.headscale = {
+ enable = true;
+ package = pkgs.unstable.headscale;
+ inherit port;
+
+ settings = {
+ server_url = "https://hs.dtth.ch";
+
+ db_type = "postgres";
+ db_host = "/var/run/postgresql"; # find out yourself
+ db_user = "headscale";
+ db_name = "headscale";
+
+ dns_config = {
+ base_domain = host;
+ };
+
+ noise = {
+ private_key_path = "/var/lib/headscale/noise_private.key";
+ };
+
+ ip_prefixes = [
+ "fd7a:115c:a1e0::/48"
+ "100.64.0.0/10"
+ ];
+
+ oidc = {
+ only_start_if_oidc_is_available = true;
+ client_id = "XgHLi5CC7mbW6xF8wuOHq3xxCPagSUaHt1fFM74M";
+ client_secret_path = secrets."headscale/client_secret".path;
+ issuer = "https://auth.dtth.ch/application/o/headscale/";
+ strip_email_domain = true;
+ };
+ };
+ };
+
+ environment.etc."headscale/config.yaml".mode = "0644";
+ virtualisation.arion.projects.headscale-webui.settings = {
+ services.webui.service = {
+ image = "ghcr.io/ifargle/headscale-webui@sha256:b4f02337281853648b071301af4329b4e4fc9189d77ced2eb2fbb78204321cab";
+ restart = "unless-stopped";
+
+ environment = {
+ TZ = "Europe/Zurich";
+ COLOR = "blue-gray";
+ HS_SERVER = "https://hs.dtth.ch";
+ SCRIPT_NAME = "/admin";
+ };
+ env_file = [ secrets."headscale/webui-env".path ];
+ ports = [ "${toString webuiPort}:5000" ];
+ volumes = [
+ "/var/lib/headscale/webui:/data"
+ "/etc/headscale:/etc/headscale:ro"
+ ];
+ };
+ };
+}
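Review bot: `ports = [ "${toString webuiPort}:5000" ];` publishes the admin UI on every interface, and with the usual Docker backend a published port is inserted into iptables ahead of the NixOS firewall, so `hs.dtth.ch:19877` would be reachable straight from the internet, bypassing the traefik route (and its TLS) that is meant to front it under `/admin`. Bind it to loopback instead, `ports = [ "127.0.0.1:${toString webuiPort}:5000" ];`, which is all traefik needs; headscale itself only receives `port` here and presumably keeps the module's default listen address, which is worth confirming in the same spirit. The `oidc` block carries no `allowed_domains` / `allowed_users` / `allowed_groups` restriction, so any account authentik admits to the headscale application can register nodes — acceptable if an authentik policy already gates it, but that assumption should be written down next to `strip_email_domain = true;`. Finally, `# find out yourself` on `db_host` should be replaced with what the value actually is, e.g. `# directory of the local postgres unix socket (db_host takes the socket dir, not a hostname)`, and `environment.etc."headscale/config.yaml".mode = "0644";` deserves a comment stating that the file is made world-readable so the webui container can read it via the `/etc/headscale` mount and that it contains only paths, not the secrets themselves.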
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index 1f477d6..e4b79e1 100644
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
@@ -16,6 +16,9 @@ matrix-discord-bridge: ENC[AES256_GCM,data:/rlSjD6inKfak7HKKghH5ays5RjKmb9czGsoI
 authentik-env: ENC[AES256_GCM,data:CjxTaqIcpBX7ea9L3tgJDELr8HBPJdxXsrOfhsiH4cXwCEzktsNKHjF7l95ZFgI5O08q4Vlbln5Dg4xPEx33nwUesEbQrT5d+n+2YaAxmm/WInrYzF+jB7HYTXASb3rY9PWgd2C3v+YPBkJetHlTUc/k19Q7lOQRNw==,iv:cG8Bi2eCsS+v94tSJBsqp+bjVLzXZvvwX1QVVSYExL8=,tag:VmbfcxCcfi3IpKjg3f8QPw==,type:str]
 firezone-env: ENC[AES256_GCM,data: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,iv:6kPPn4Zl1lhxaEtRqq2BcMW7d1zKy/HUJzXdAgkPv7E=,tag:VaVIWg4RbOE7tnimOuqhGw==,type:str]
 gts-env: ENC[AES256_GCM,data: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,iv:fa9Lpq3/ppG3dbYMgWtWI/sReN6bnHvXQSOSnIbpF8A=,tag:i97q7HTGLRdAkC8aF75aPg==,type:str]
+headscale:
+ client_secret: ENC[AES256_GCM,data:MLW0z2stjhXgxb4poAYr7LzrLzTNj5HqJzsyzOvYpKpKbyfx7SEdeZidG+m3ROuaN4PVsdpJblFjsvozzQlDQYRJZo8q+kpPvUPvhU0Ejya/XBO/sFcJKzulpfr4j3rK7FSKh2V6PiB8m9mvLziHfDmgL30le0wDD9uCNWkaHVo=,iv:1hRwI1NG2yO6igBsEGCg2Qn/po97ZhsyAEZOMKP3EZc=,tag:FV+RXBKyq+EJRsKT+DZ6lQ==,type:str]
+ webui-env: ENC[AES256_GCM,data:F4fGd5szjEGYqseq15VF8Emdd5oXKAlj+O7jET7BpD/w0/M162KgXQ/xN/uzO5Bh/euzedMrair0c8SQKO/06Ko9cj35lclaSrnBiwHSDIkFvuoITvLeSVSR4W3dsui91Dh8GCCYO8JAZQnpqClls6kHBOO2FYVwF06zg8Coxli9cKkPdeJKLDEnPGUb2UpLoP0dieanNFc3YNIavlXwkgt4/hxEoKHJplTYrilekBtZjD998SyvubhhVKHTH/VhTgxodXgnbI3sV1a3uJCrUKWt79NwHu5TUd+C2/gZqAniCbo4AX8=,iv:87cme6ToLFR4eF5apZauIm3Q6HR3Z8EM3GkQxo06oNI=,tag:dbXLQhw6qn/DyYJ3/UeDiw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -49,8 +52,8 @@ sops:
 by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
 hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-05-04T10:59:24Z"
- mac: ENC[AES256_GCM,data:3/eVepYi5oxOO0VlZeYdEw84r3EPb+w8vOT8Sge2lt1ZYVgIf+4GT/xtqzq5BQi4/7AC81A8+xsNJSoZIhMMeCY1Y1KAy8CApsiu3tFCbey1aZi5oDaX2UQg8D21sy0QwrCve9sQZ38zM1Z9Bwt/JZJxwVIOEpeX1hNXHcIPrmk=,iv:bhk+YdEP/1w9fAOrhSkbOf7z2uerx58t29YWC4FCF8I=,tag:tlipMk4mUbIqup4pDPR3zQ==,type:str]
+ lastmodified: "2023-05-04T15:23:57Z"
+ mac: ENC[AES256_GCM,data:Zk6+H5SEt+W1/R+kv5jppwvPcZZ5g1PJWNuIDzjoUhtUacF/z7Lri0F6y2OAAscd2y8+h6rKmEw1HgcLL4sLFTfAmdihxgl9qc/RTBInYOAIiBBZbrDL5kcsFdYRoBoii53JVAlLksxl1wnM7somtHSP4Z2jTBujOTPgNSGMFMc=,iv:44SJBbERicfiNMmw5kzhC9Wr8vfBnDT5eHqzm6HAI4I=,tag:gz8hk78IPwenO14zO76OoA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3