From b35fefbf98d5b118fcd418c7fe4c35b95b4a16cc Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 21 May 2025 19:27:41 +0100
Subject: [PATCH 1/4] kalessin: Add randomcat to wheel

---
 common/users/default.nix   | 3 +--
 hosts/kalessin/default.nix | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/common/users/default.nix b/common/users/default.nix
index 2a4c5b3..d063db5 100644
--- a/common/users/default.nix
+++ b/common/users/default.nix
@@ -27,7 +27,6 @@ in
   users.users = genAttrs cfg.admins (name: {
     extraGroups = [ "wheel" ];
-  }
-  );
+  });
 };
 }
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index 2b80d96..f29dc7a 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -15,9 +15,9 @@ in
   networking.domain = "birdsong.network";
   fountain.users.qenya.enable = true;
-  fountain.admins = [ "qenya" ];
   fountain.users.randomcat.enable = true;
   fountain.users.trungle.enable = true;
+  fountain.admins = [ "qenya" "randomcat" ];
   qenya.base-server.enable = true;

From a98fd9ba8361583c8be4eb14c5e30fbbd73a2eed Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 21 May 2025 19:28:07 +0100
Subject: [PATCH 2/4] tailscale, headscale: init

---
 common/default.nix         |  1 +
 common/tailscale.nix       |  8 ++++++
 hosts/kalessin/default.nix |  7 ++++++
 services/default.nix       |  1 +
 services/headscale.nix     | 50 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 67 insertions(+)
 create mode 100644 common/tailscale.nix
 create mode 100644 services/headscale.nix

diff --git a/common/default.nix b/common/default.nix
index c60088e..5118c86 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -14,5 +14,6 @@
     ./sanoid.nix
     ./security.nix
     ./steam.nix
+    ./tailscale.nix
   ];
 }
diff --git a/common/tailscale.nix b/common/tailscale.nix
new file mode 100644
index 0000000..a6337d6
--- /dev/null
+++ b/common/tailscale.nix
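Review bot: The new `fountain.admins` entry is a root grant, because common/users/default.nix maps every admin to `extraGroups = [ "wheel" ]` and wheel is the sudo group on NixOS, yet nothing in this series shows whether wheel sudo needs a password or how randomcat authenticates on kalessin. Before merging, confirm that ./security.nix (not in this series) leaves `security.sudo.wheelNeedsPassword` at its default and that the randomcat account is SSH-key only. A short rationale next to the list would also record why the grant exists, e.g. `fountain.admins = [ "qenya" "randomcat" ]; # admins get wheel (sudo), see common/users/default.nix`.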
@@ -0,0 +1,8 @@
+{
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually
+    extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry
+  };
+}
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix
index f29dc7a..7150e5a 100644
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@@ -28,6 +28,7 @@ in
   randomcat.services.zfs.datasets = {
     "rpool_kalessin/state" = { mountpoint = "none"; };
+    "rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; };
     "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; };
   };
@@ -43,5 +44,11 @@ in
     dataDir = "/var/lib/owncast";
   };
+  qenya.services.headscale = {
+    enable = true;
+    domain = "headscale.unspecified.systems";
+    dataDir = "/var/lib/headscale";
+  };
+
   system.stateVersion = "23.11";
 }
diff --git a/services/default.nix b/services/default.nix
index 927886c..194eb43 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -4,6 +4,7 @@
     ./audiobookshelf.nix
     ./distributed-builds.nix
     ./forgejo.nix
+    ./headscale.nix
     ./jellyfin.nix
     ./navidrome.nix
     ./owncast.nix
diff --git a/services/headscale.nix b/services/headscale.nix
new file mode 100644
index 0000000..eeae58c
--- /dev/null
+++ b/services/headscale.nix
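Review bot: The `--login-server` flag that the TODO admits is not applied matters for security, because an admin who runs `tailscale up` by hand and forgets it will register the host with the public Tailscale control plane instead of the self-hosted headscale, and this file sits in common/ so it is pulled in by every host. As far as I recall the NixOS module only passes `extraUpFlags` from its autoconnect unit, which exists only when `authKeyFile` is set, so this looks like expected behaviour rather than a bug; either set `authKeyFile` to a secret outside the Nix store so the flags actually take effect, or make the comment spell out the manual step, e.g. `# extraUpFlags only apply when authKeyFile is set; until then run: tailscale up --login-server https://headscale.unspecified.systems`. Note also that `openFirewall = true` opens tailscaled's UDP port on all of those hosts, which is fine but worth stating next to it.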
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkOption mkEnableOption types;
+  cfg = config.qenya.services.headscale;
+in
+{
+  options.qenya.services.headscale = {
+    enable = mkEnableOption "Headscale";
+    domain = mkOption {
+      type = types.str;
+    };
+    dataDir = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        ${cfg.domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:32770/";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    services.headscale = {
+      enable = true;
+      address = "0.0.0.0"; # required to disable built-in ACME client for some reason
+      port = 32770;
+      settings = {
+        server_url = "https://${cfg.domain}:443";
+        prefixes.allocation = "random";
+        dns.magic_dns = false;
+
+        # disable built-in ACME client
+        tls_cert_path = null;
+        tls_key_path = null;
+      };
+    };
+  };
+}
From 2e37815edb050b0aa3d9b8e19fd3092960080fd9 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 21 May 2025 19:28:29 +0100
Subject: [PATCH 3/4] audiobookshelf: Use built-in NixOS setting for nginx websocket support

---
 services/audiobookshelf.nix | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix
index a9c34da..6019108 100644
--- a/services/audiobookshelf.nix
+++ b/services/audiobookshelf.nix
@@ -21,11 +21,7 @@ in
         enableACME = true;
         locations."/" = {
           proxyPass = "http://127.0.0.1:8234/";
-          extraConfig = ''
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-          '';
+          proxyWebsockets = true;
         };
       };
     };
From fa7815612081e218fe19209a958f8c6f8a0bb9f6 Mon Sep 17 00:00:00 2001
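Review bot: The `dataDir` option is declared but never read — nothing in the `config` block references `cfg.dataDir`, and as far as I can tell the upstream `services.headscale` module pins its state to /var/lib/headscale via StateDirectory with no path option, so the host's `dataDir = "/var/lib/headscale"` only works because it happens to coincide with that default. Either drop the option or make a different value fail loudly: `assertions = [ { assertion = cfg.dataDir == "/var/lib/headscale"; message = "qenya.services.headscale.dataDir must be /var/lib/headscale (the upstream module fixes the path)"; } ];`. Separately, `address = "0.0.0.0"` exposes headscale's plaintext HTTP listener on every interface and only the NixOS firewall (this module opens just 80/443) keeps port 32770 off the network, so that dependency deserves a comment next to the existing `# required to disable built-in ACME client` remark. Port 32770 also falls inside Linux's default ephemeral range (32768–60999), so a restart can fail with EADDRINUSE if an outbound connection has grabbed it; reserving it with `net.ipv4.ip_local_reserved_ports` or choosing a port below 32768 avoids that.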
From: Katherina Walshe-Grey
Date: Wed, 21 May 2025 19:28:39 +0100
Subject: [PATCH 4/4] owncast: Resolve port number clash

---
 services/owncast.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/owncast.nix b/services/owncast.nix
index aa60223..47173d0 100644
--- a/services/owncast.nix
+++ b/services/owncast.nix
@@ -22,7 +22,7 @@ in
       ${cfg.domain} = {
         forceSSL = true;
         enableACME = true;
-        locations."/".proxyPass = "http://127.0.0.1:8080/";
+        locations."/".proxyPass = "http://127.0.0.1:32769/";
       };
     };
   };
@@ -30,6 +30,7 @@ in
   networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935 for rtmp
   services.owncast.enable = true;
+  services.owncast.port = 32769;
   services.owncast.dataDir = cfg.dataDir;
 };
 }
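Review bot: 32769 lies inside the Linux default ephemeral port range (`net.ipv4.ip_local_port_range` is 32768–60999), so an outbound connection from this host can be holding the port while owncast is stopped and the next start fails with EADDRINUSE. Either pick a port below 32768 or reserve it, e.g. `boot.kernel.sysctl."net.ipv4.ip_local_reserved_ports" = "32769";`. The same number is now duplicated between the proxyPass string in the first hunk and `services.owncast.port` here, which is the kind of drift that produced this clash; binding it once in the module's `let` (outside both hunks) as `port = 32769;` and using `${toString port}` in both places removes the second copy. The owncast listen address is not set in this module, so the firewall list (80/443/1935 only) is relying on the upstream default being loopback — worth confirming.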