From 66d20b789ee1f53898196ace7f7f717cfdd2abe2 Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sat, 18 Jan 2025 19:36:31 +0100
Subject: add headscale

---
 config/services/mesh/default.nix | 45 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 config/services/mesh/default.nix

(limited to 'config/services/mesh/default.nix')

diff --git a/config/services/mesh/default.nix b/config/services/mesh/default.nix
new file mode 100644
index 0000000..791a5a6
--- /dev/null
+++ b/config/services/mesh/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.services.headscale;
+ url = "mesh.${config.networking.domain}";
+in {
+ networking.firewall.allowedUDPPorts = [3478];
+
+ services.headscale = {
+ enable = true;
+ port = 8001;
+ settings = {
+ server_url = "https://${url}:443";
+ derps = {
+ server = {
+ enabled = true;
+ stun_listen_addr = "0.0.0.0:3478";
+ };
+ urls = [];
+ };
+ dns.base_domain = "aristote.mesh";
+ };
+ };
+
+ services.nginx.virtualHosts.mesh = lib.mkIf cfg.enable {
+ serverName = "${url}";
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${cfg.address}:${toString cfg.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $server_name;
+ proxy_redirect http:// https://;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
+ };
+ };
+}
-- cgit v1.2.3
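Review bot: The `add_header Strict-Transport-Security ...` placed inside `locations."/"` replaces, rather than extends, any `add_header` directives inherited from the server or http level — nginx only inherits `add_header` into a block that declares none of its own — so if this host relies on security headers set elsewhere in the nginx config (not visible in this hunk), they silently disappear for every request to headscale; moving the HSTS line into the virtualHost's own `extraConfig`, or repeating the other headers in this location, avoids that. Second, with `proxy_buffering off` but no `proxy_read_timeout`, the long-lived control-plane and embedded-DERP connections relayed through this location are subject to nginx's default 60-second read timeout; client and DERP keepalives may keep them alive, but a `proxy_read_timeout` of a few minutes here is worth confirming against the headscale reverse-proxy guidance. Finally, `derps.urls = []` together with `derps.server.enabled = true` appears to route all relay traffic through the self-hosted DERP instead of Tailscale's public DERP map, which is a deliberate trust boundary worth stating next to it, e.g. `# no public DERP map: relay traffic goes only through our own DERP (its STUN port, UDP 3478, is opened above)`.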