{ pkgs, config, ... }:

let
  # Public hostname clients register against; nginx terminates TLS for it.
  fqdn = "ctrl.headscale.kempkens.network";

  # headscale itself only listens on loopback; nginx is the sole public entry point.
  listenAddress = "127.0.0.1";
  listenPort = 8017;
  upstream = "http://${listenAddress}:${toString listenPort}";
in
{
  # Put the `headscale` CLI on PATH for admin tasks (users, preauth keys, API keys).
  environment.systemPackages = [ pkgs.headscale ];

  services.headscale = {
    enable = true;
    address = listenAddress;
    port = listenPort;

    settings = {
      # Address pools handed out to tailnet nodes.
      ip_prefixes = [
        "fd7a:115c:a1e0:1010::/64"
        "100.64.10.0/24"
      ];

      # Local PostgreSQL via the Unix socket directory -- no TCP exposure.
      # The password is read from an agenix secret at runtime instead of
      # being baked into the world-readable Nix store.
      # NOTE(review): the secret must be readable by the headscale service
      # user; confirm owner/mode in the `age.secrets.headscale-database-password`
      # declaration, which is not in this file.
      db_type = "postgres";
      db_host = "/run/postgresql";
      db_name = "headscale";
      db_user = "headscale";
      db_password_file = config.age.secrets.headscale-database-password.path;

      server_url = "https://${fqdn}";

      # ACL policy is also delivered as an agenix secret; the same
      # owner/mode caveat applies.
      acl_policy_path = config.age.secrets.headscale-acls.path;
    };
  };

  services.postgresql = {
    ensureDatabases = [ "headscale" ];

    ensureUsers = [
      {
        name = "headscale";
        # NOTE(review): newer NixOS releases replace `ensurePermissions`
        # with `ensureDBOwnership`; this is left as-is because the flat
        # `db_*` headscale settings above also target the older option
        # layout -- revisit both together when bumping nixpkgs.
        ensurePermissions = {
          "DATABASE headscale" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  services.nginx.virtualHosts.${fqdn} = {
    quic = true;
    http3 = true;

    # TLS only: no plaintext listener for this host.
    onlySSL = true;
    # Certificate is borrowed from another ACME host, so that certificate
    # must cover this fqdn (SAN or wildcard) -- declared outside this file.
    useACMEHost = "headscale.kempkens.network";

    # HSTS. nginx does not inherit add_header into a location block that
    # declares its own add_header, so if a location below ever adds headers
    # this line has to be repeated there or HSTS silently disappears.
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    '';

    # Everything else (control plane, /api/v1, the control-connection
    # upgrade) is proxied to headscale on loopback. proxyWebsockets supplies
    # the HTTP/1.1 + Upgrade headers that headscale's client connection
    # relies on, so keep it enabled.
    locations."/" = {
      recommendedProxySettings = true;
      proxyPass = upstream;
      proxyWebsockets = true;
    };

    # Static headscale-ui, reachable by anyone who can reach this vhost.
    # The UI authenticates to /api/v1 with an API key the operator pastes
    # into the browser; restrict this location (allow/deny, or reach it only
    # over the tailnet) if the UI should not be publicly loadable.
    locations."/web" = {
      root = "${pkgs.headscale-ui}/share";
    };
  };
}