owncast: Resolve port number clash

common/default.nix

@@ -14,5 +14,6 @@
     ./sanoid.nix
     ./security.nix
     ./steam.nix
+    ./tailscale.nix
   ];
 }

common/tailscale.nix

@@ -0,0 +1,8 @@
+{
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually
+    extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry
+  };
+}

common/users/default.nix

@@ -27,7 +27,6 @@ in
     users.users = genAttrs cfg.admins
       (name: {
         extraGroups = [ "wheel" ];
-      }
-      );
+      });
   };
 }

hosts/kalessin/default.nix

@@ -15,9 +15,9 @@ in
   networking.domain = "birdsong.network";
 
   fountain.users.qenya.enable = true;
-  fountain.admins = [ "qenya" ];
   fountain.users.randomcat.enable = true;
   fountain.users.trungle.enable = true;
+  fountain.admins = [ "qenya" "randomcat" ];
 
   qenya.base-server.enable = true;
 
@@ -28,6 +28,7 @@ in
 
   randomcat.services.zfs.datasets = {
     "rpool_kalessin/state" = { mountpoint = "none"; };
+    "rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; };
     "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; };
   };
 
@@ -43,5 +44,11 @@ in
     dataDir = "/var/lib/owncast";
   };
 
+  qenya.services.headscale = {
+    enable = true;
+    domain = "headscale.unspecified.systems";
+    dataDir = "/var/lib/headscale";
+  };
+
   system.stateVersion = "23.11";
 }

services/audiobookshelf.nix

@@ -21,11 +21,7 @@ in
           enableACME = true;
           locations."/" = {
             proxyPass = "http://127.0.0.1:8234/";
-            extraConfig = ''
-              proxy_http_version 1.1;
-              proxy_set_header Upgrade $http_upgrade;
-              proxy_set_header Connection "upgrade";
-            '';
+            proxyWebsockets = true;
           };
         };
       };

services/default.nix

@@ -4,6 +4,7 @@
     ./audiobookshelf.nix
     ./distributed-builds.nix
     ./forgejo.nix
+    ./headscale.nix
     ./jellyfin.nix
     ./navidrome.nix
     ./owncast.nix

services/headscale.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkOption mkEnableOption types;
+  cfg = config.qenya.services.headscale;
+in
+{
+  options.qenya.services.headscale = {
+    enable = mkEnableOption "Headscale";
+    domain = mkOption {
+      type = types.str;
+    };
+    dataDir = mkOption {
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        ${cfg.domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:32770/";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    services.headscale = {
+      enable = true;
+      address = "0.0.0.0"; # required to disable built-in ACME client for some reason
+      port = 32770;
+      settings = {
+        server_url = "https://${cfg.domain}:443";
+        prefixes.allocation = "random";
+        dns.magic_dns = false;
+
+        # disable built-in ACME client
+        tls_cert_path = null;
+        tls_key_path = null;
+      };
+    };
+  };
+}

services/owncast.nix

@@ -22,7 +22,7 @@ in
         ${cfg.domain} = {
           forceSSL = true;
           enableACME = true;
-          locations."/".proxyPass = "http://127.0.0.1:8080/";
+          locations."/".proxyPass = "http://127.0.0.1:32769/";
         };
       };
     };
@@ -30,6 +30,7 @@ in
     networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935 for rtmp
 
     services.owncast.enable = true;
+    services.owncast.port = 32769;
     services.owncast.dataDir = cfg.dataDir;
   };
 }