From a98fd9ba8361583c8be4eb14c5e30fbbd73a2eed Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 21 May 2025 19:28:07 +0100
Subject: [PATCH] tailscale, headscale: init

---
 common/default.nix | 1 +
 common/tailscale.nix | 8 ++++++
 hosts/kalessin/default.nix | 7 ++++++
 services/default.nix | 1 +
 services/headscale.nix | 50 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 67 insertions(+)
 create mode 100644 common/tailscale.nix
 create mode 100644 services/headscale.nix

diff --git a/common/default.nix b/common/default.nix
index c60088e..5118c86 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -14,5 +14,6 @@
 ./sanoid.nix
 ./security.nix
 ./steam.nix
+ ./tailscale.nix
 ];
 }
diff --git a/common/tailscale.nix b/common/tailscale.nix
new file mode 100644
index 0000000..a6337d6
--- /dev/null
+++ b/common/tailscale.nix
@@ -0,0 +1,8 @@
+{
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually
+ extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry
+ };
+}
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index f29dc7a..7150e5a 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -28,6 +28,7 @@ in
 
 randomcat.services.zfs.datasets = {
 "rpool_kalessin/state" = { mountpoint = "none"; };
+ "rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; };
 "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; };
 };
 
@@ -43,5 +44,11 @@ in
 dataDir = "/var/lib/owncast";
 };
 
+ qenya.services.headscale = {
+ enable = true;
+ domain = "headscale.unspecified.systems";
+ dataDir = "/var/lib/headscale";
+ };
+
 system.stateVersion = "23.11";
 }
diff --git a/services/default.nix b/services/default.nix
index 927886c..194eb43 100644
--- a/services/default.nix
+++ b/services/default.nix
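Review bot: The `--login-server` flag in `extraUpFlags` is unlikely to take effect because, as far as I recall, the NixOS module only passes `extraUpFlags` to its `tailscaled-autoconnect` unit, and that unit is generated only when `services.tailscale.authKeyFile` is set — the "nixos bug" in the TODO is probably this gating rather than a bug. Until that is wired up, every host enrolled by hand has to remember the flag, and a plain `tailscale up` would register the node with the public Tailscale control plane instead of the self-hosted headscale. Consider pointing `authKeyFile` at a pre-auth key created with `headscale preauthkeys create` so the flags are applied automatically, and reword the TODO to `# extraUpFlags are only applied by tailscaled-autoconnect, which needs authKeyFile`. `openFirewall = true` only opens tailscaled's UDP port and is fine as is.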
@@ -4,6 +4,7 @@
 ./audiobookshelf.nix
 ./distributed-builds.nix
 ./forgejo.nix
+ ./headscale.nix
 ./jellyfin.nix
 ./navidrome.nix
 ./owncast.nix
diff --git a/services/headscale.nix b/services/headscale.nix
new file mode 100644
index 0000000..eeae58c
--- /dev/null
+++ b/services/headscale.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkOption mkEnableOption types;
+ cfg = config.qenya.services.headscale;
+in
+{
+ options.qenya.services.headscale = {
+ enable = mkEnableOption "Headscale";
+ domain = mkOption {
+ type = types.str;
+ };
+ dataDir = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:32770/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.headscale = {
+ enable = true;
+ address = "0.0.0.0"; # required to disable built-in ACME client for some reason
+ port = 32770;
+ settings = {
+ server_url = "https://${cfg.domain}:443";
+ prefixes.allocation = "random";
+ dns.magic_dns = false;
+
+ # disable built-in ACME client
+ tls_cert_path = null;
+ tls_key_path = null;
+ };
+ };
+ };
+}
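Review bot: `address = "0.0.0.0"` binds headscale's plaintext HTTP listener on port 32770 to every interface, while its only consumer is the nginx `proxyPass` to `127.0.0.1:32770` in the same hunk; the firewall line opens just 80 and 443, so the port is shielded for now, but any interface later marked trusted (tailscale0, say) would expose the TLS-less control plane directly. Prefer `address = "127.0.0.1";` and, if the comment about the built-in ACME client still holds, turn it off via the switch headscale actually checks — as far as I recall `settings.tls_letsencrypt_hostname` left empty — rather than via the bind address; worth confirming against the current NixOS module. Separately, the `dataDir` option is declared but never read inside `config`, so the host's `dataDir = "/var/lib/headscale"` only works because it happens to match the module's fixed state directory; either drop the option or pin it with `assertions = [ { assertion = cfg.dataDir == "/var/lib/headscale"; message = "qenya.services.headscale.dataDir must be /var/lib/headscale"; } ];`. `pkgs` in the argument list is also unused.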