authorquentin@aristote.fr <quentin@aristote.fr>2025-01-18 19:36:31 +0100
committerquentin@aristote.fr <quentin@aristote.fr>2025-01-26 22:44:50 +0100
commit66d20b789ee1f53898196ace7f7f717cfdd2abe2 (patch)
treefe6f7a27abaf2d1545e29d1b30a30b187ce92af9 /config
parent429e2c9fb1c7f981fe562b80feb270c40758d3da (diff)
add headscale
Diffstat (limited to 'config')
-rw-r--r--config/services/default.nix6
-rw-r--r--config/services/mesh/default.nix45
-rw-r--r--config/services/web/searx/filtron/default.nix45
3 files changed, 69 insertions, 27 deletions
diff --git a/config/services/default.nix b/config/services/default.nix
index e1dcb81..5cabb7a 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -1,5 +1,3 @@
-{ ... }:
-
-{
- imports = [ ./web ];
+{...}: {
+ imports = [./mesh ./web];
}
diff --git a/config/services/mesh/default.nix b/config/services/mesh/default.nix
new file mode 100644
index 0000000..791a5a6
--- /dev/null
+++ b/config/services/mesh/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.services.headscale;
+ url = "mesh.${config.networking.domain}";
+in {
+ networking.firewall.allowedUDPPorts = [3478];
+
+ services.headscale = {
+ enable = true;
+ port = 8001;
+ settings = {
+ server_url = "https://${url}:443";
+ derps = {
+ server = {
+ enabled = true;
+ stun_listen_addr = "0.0.0.0:3478";
+ };
+ urls = [];
+ };
+ dns.base_domain = "aristote.mesh";
+ };
+ };
+
+ services.nginx.virtualHosts.mesh = lib.mkIf cfg.enable {
+ serverName = "${url}";
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${cfg.address}:${toString cfg.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $server_name;
+ proxy_redirect http:// https://;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
+ };
+ };
+}
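Review bot: The STUN port opening `networking.firewall.allowedUDPPorts = [3478];` is unconditional while the nginx vhost further down is gated on `cfg.enable`, so disabling headscale later would leave UDP 3478 open; gate it the same way, `networking.firewall.allowedUDPPorts = lib.mkIf cfg.enable [3478];`. Since 3478 appears twice in this file, a comment next to the firewall line such as `# STUN for the embedded DERP relay, see derps.server.stun_listen_addr below` would tie the two together. `derps.urls = [];` drops the default DERP map so relaying depends entirely on this host's embedded server; if that is intended, a one-line comment saying so would stop a future reader from "fixing" it. `cfg.address` is read in the proxyPass target but never set here, so the proxy relies on the module default — presumably a loopback address, which is worth confirming since the vhost is the only intended public entry point.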
diff --git a/config/services/web/searx/filtron/default.nix b/config/services/web/searx/filtron/default.nix
index cc637c3..da4f1e6 100644
--- a/config/services/web/searx/filtron/default.nix
+++ b/config/services/web/searx/filtron/default.nix
@@ -1,8 +1,7 @@
-{ ... }:
-
-{
+{...}: {
services.filtron = {
enable = true;
+ target.port = 8000;
rules = [
{
name = "roboagent limit";
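Review bot: `target.port = 8000;` is a bare number with nothing in the hunk saying which listener it points at; a comment such as `# must match the searx listen port` (or a reference to the option it mirrors) would keep the two values from drifting apart. Presumably this is the searx HTTP port configured elsewhere under config/services/web/searx — not visible here, so confirm. The enclosing `services.filtron` attribute set continues beyond this hunk.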
@@ -12,10 +11,10 @@
limit = 0;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
@@ -27,37 +26,37 @@
limit = 0;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
{
name = "suspiciously frequent IP";
- filters = [ ];
+ filters = [];
interval = 600;
limit = 30;
- aggregations = [ "Header:X-Forwarded-For" ];
- actions = [{ name = "log"; }];
+ aggregations = ["Header:X-Forwarded-For"];
+ actions = [{name = "log";}];
}
{
name = "search request";
- filters = [ "Param:q" "Path=^(/|/search)$" ];
+ filters = ["Param:q" "Path=^(/|/search)$"];
interval = 61;
limit = 999;
subrules = [
{
name = "missing Accept-Language";
- filters = [ "!Header:Accept-Language" ];
+ filters = ["!Header:Accept-Language"];
limit = 0;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
@@ -79,26 +78,26 @@
interval = 61;
limit = 9;
stop = true;
- aggregations = [ "Header:X-Forwarded-For" ];
+ aggregations = ["Header:X-Forwarded-For"];
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
{
name = "rss/json limit";
- filters = [ "Param:format=(csv|json|rss)" ];
+ filters = ["Param:format=(csv|json|rss)"];
interval = 121;
limit = 2;
stop = true;
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}
@@ -106,12 +105,12 @@
name = "useragent limit";
interval = 61;
limit = 199;
- aggregations = [ "Header:User-Agent" ];
+ aggregations = ["Header:User-Agent"];
actions = [
- { name = "log"; }
+ {name = "log";}
{
name = "block";
- params = { message = "Rate limit exceeded"; };
+ params = {message = "Rate limit exceeded";};
}
];
}