tailscale, headscale: init

common/default.nix

@@ -14,5 +14,6 @@
     ./sanoid.nix
     ./security.nix
     ./steam.nix
+    ./tailscale.nix
   ];
 }

common/tailscale.nix

@@ -0,0 +1,8 @@
+{
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually
+    extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry
+  };
+}

hosts/kalessin/default.nix

@@ -28,6 +28,7 @@ in
 
   randomcat.services.zfs.datasets = {
     "rpool_kalessin/state" = { mountpoint = "none"; };
+    "rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; };
     "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; };
   };
 
@@ -43,5 +44,11 @@ in
     dataDir = "/var/lib/owncast";
   };
 
+  qenya.services.headscale = {
+    enable = true;
+    domain = "headscale.unspecified.systems";
+    dataDir = "/var/lib/headscale";
+  };
+
   system.stateVersion = "23.11";
 }

services/default.nix

@@ -4,6 +4,7 @@
     ./audiobookshelf.nix
     ./distributed-builds.nix
     ./forgejo.nix
+    ./headscale.nix
     ./jellyfin.nix
     ./navidrome.nix
     ./owncast.nix

services/headscale.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkOption mkEnableOption types;
+  cfg = config.qenya.services.headscale;
+in
+{
+  options.qenya.services.headscale = {
+    enable = mkEnableOption "Headscale";
+    domain = mkOption {
+      type = types.str;
+    };
+    dataDir = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        ${cfg.domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:32770/";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    services.headscale = {
+      enable = true;
+      address = "0.0.0.0"; # required to disable built-in ACME client for some reason
+      port = 32770;
+      settings = {
+        server_url = "https://${cfg.domain}:443";
+        prefixes.allocation = "random";
+        dns.magic_dns = false;
+
+        # disable built-in ACME client
+        tls_cert_path = null;
+        tls_key_path = null;
+      };
+    };
+  };
+}