Diffstat (limited to 'config/services/mesh/default.nix')
-rw-r--r--config/services/mesh/default.nix45
1 files changed, 45 insertions, 0 deletions
diff --git a/config/services/mesh/default.nix b/config/services/mesh/default.nix
new file mode 100644
index 0000000..791a5a6
--- /dev/null
+++ b/config/services/mesh/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.services.headscale;
+ url = "mesh.${config.networking.domain}";
+in {
+ networking.firewall.allowedUDPPorts = [3478];
+
+ services.headscale = {
+ enable = true;
+ port = 8001;
+ settings = {
+ server_url = "https://${url}:443";
+ derps = {
+ server = {
+ enabled = true;
+ stun_listen_addr = "0.0.0.0:3478";
+ };
+ urls = [];
+ };
+ dns.base_domain = "aristote.mesh";
+ };
+ };
+
+ services.nginx.virtualHosts.mesh = lib.mkIf cfg.enable {
+ serverName = "${url}";
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${cfg.address}:${toString cfg.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $server_name;
+ proxy_redirect http:// https://;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
+ };
+ };
+}
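Review bot: The DERP block on the `derps = {` line is written under a key that does not match headscale's own config key, which is `derp`; if the module's freeform settings forward unknown keys as-is, the embedded DERP/STUN server at `stun_listen_addr = "0.0.0.0:3478"` would never be enabled and the emptied `urls = []` would not replace the default upstream map, so clients would silently relay through the default DERP servers while the firewall still opens UDP 3478 for nothing. Worth confirming against the module's option names before merging; if `derps` is a typo, the fix is a one-word rename, `derp = {`. The `lib.mkIf cfg.enable` guard on the nginx vhost is redundant while `enable = true` is set in the same file, but harmless. The `X-Forwarded-*` and `proxy_redirect` lines duplicate what nginx's recommended proxy settings provide when those are enabled elsewhere in the config, which is presumably outside this file.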