nixfmt pastila/headscale.nix

root 2024-06-14 22:48:21 +02:00
parent a3a85dec1d
commit 0574a44093


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let localListenPort = 4443;
localListenPort = 4443; in {
in
{
services.headscale = { services.headscale = {
enable = true; enable = true;
address = "127.0.0.1"; address = "127.0.0.1";
@ -13,31 +11,31 @@ in
dns_config = { dns_config = {
override_local_dns = true; override_local_dns = true;
base_domain = "infracoll.su"; base_domain = "infracoll.su";
}; };
derp = { derp = {
urls = []; urls = [ ];
server = { server = {
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled = true; enabled = true;
# Region ID to use for the embedded DERP server. # Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from # The local DERP prevails if the region ID collides with other region ID coming from
# the regular DERP config. # the regular DERP config.
region_id = 999; region_id = 999;
# Region code and name are displayed in the Tailscale UI to identify a DERP region # Region code and name are displayed in the Tailscale UI to identify a DERP region
region_code = "headscale"; region_code = "headscale";
region_name = "Headscale Embedded DERP"; region_name = "Headscale Embedded DERP";
# Listens over UDP at the configured address for STUN connections - to help with NAT traversal. # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
# When the embedded DERP server is enabled stun_listen_addr MUST be defined. # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
# #
# For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
stun_listen_addr = "0.0.0.0:3478"; stun_listen_addr = "0.0.0.0:3478";
}; };
}; };
# List of IP prefixes to allocate tailaddresses from. # List of IP prefixes to allocate tailaddresses from.
@ -49,10 +47,7 @@ in
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# Any other range is NOT supported, and it will cause unexpected issues. # Any other range is NOT supported, and it will cause unexpected issues.
ip_prefixes = [ ip_prefixes = [ "fd7a:115c:a1e0::/48" "100.64.0.0/10" ];
"fd7a:115c:a1e0::/48"
"100.64.0.0/10"
];
# Address to listen for gRPC. # Address to listen for gRPC.
# gRPC is used for controlling a headscale server # gRPC is used for controlling a headscale server
@ -67,9 +62,7 @@ in
# are doing. # are doing.
grpc_allow_insecure = true; # we're behind a reverse proxy grpc_allow_insecure = true; # we're behind a reverse proxy
logtail = { logtail = { enabled = false; };
enabled = false;
};
}; };
}; };
@ -81,16 +74,16 @@ in
proxyPass = "http://127.0.0.1:" + builtins.toString localListenPort; proxyPass = "http://127.0.0.1:" + builtins.toString localListenPort;
recommendedProxySettings = false; recommendedProxySettings = false;
extraConfig = '' extraConfig = ''
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $server_name; proxy_set_header Host $server_name;
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_buffering off; proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
''; '';
}; };
}; };
@ -100,8 +93,16 @@ in
useACMEHost = "scale.isomorphis.me"; useACMEHost = "scale.isomorphis.me";
onlySSL = true; onlySSL = true;
listen = [ listen = [
{ addr = "0.0.0.0"; port = 50443; ssl = true; } {
{ addr = "[::]"; port = 50443; ssl = true; } addr = "0.0.0.0";
port = 50443;
ssl = true;
}
{
addr = "[::]";
port = 50443;
ssl = true;
}
]; ];
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''