diff --git a/modules/headscale.nix b/modules/headscale.nix
new file mode 100644
index 0000000..a43146d
--- /dev/null
+++ b/modules/headscale.nix
@@ -0,0 +1,66 @@
+{ pkgs, lib, ... }:
+let
+ headscalePort = "6969";
+ headscaleDomain = "vpn.mc-fucker.cool";
+in
+{
+ environment = {
+ systemPackages = with pkgs; [ headscale wireguard ];
+ etc = {
+ "headscale/config.yaml".text = ''
+ ---
+ disable_check_updates: true
+ server_url: http://${headscaleDomain}:${headscalePort}
+ listen_addr: 0.0.0.0:${headscalePort}
+ ephemeral_node_inactivity_timeout: "30m"
+ private_key_path: /etc/nixos/keys/headscale-key
+ db_type: sqlite3
+ db_path: db.sqlite
+ derp:
+ urls:
+ - https://controlplane.tailscale.com/derpmap/default
+ paths:
+ - /etc/headscale/derp-example.yaml
+ auto_update_enabled: true
+ update_frequency: 24h
+ dns_config:
+ magic_dns: true
+ base_domain: ${headscaleDomain}
+ nameservers:
+ - 9.9.9.9
+ '';
+ "headscale/derp-example.yaml".text = ''
+ regions:
+ 900:
+ regionid: 900
+ regioncode: custom
+ regionname: My Region
+ nodes:
+ - name: 1a
+ regionid: 1
+ hostname: myderp.mydomain.no
+ ipv4: 123.123.123.123
+ ipv6: "2604:a880:400:d1::828:b001"
+ stunport: 0
+ stunonly: false
+ derptestport: 0
+ '';
+ };
+ };
+
+ systemd.services.headscale = {
+ description = "Headscale VPN Server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.headscale}/bin/headscale serve";
+ ExecReload = "/bin/kill -HUP $MAINPID";
+ Restart = "on-failure";
+ Type = "simple";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ (lib.strings.toInt headscalePort) ];
+}
+
+# vim: set et ts=2 sw=2 ai:
diff --git a/systems/vpn/configuration.nix b/systems/vpn/configuration.nix
index 267300a..be6ef74 100644
--- a/systems/vpn/configuration.nix
+++ b/systems/vpn/configuration.nix
@@ -4,6 +4,7 @@
 [
 ./hardware-configuration.nix
 ./modules/generic.nix
+ ./modules/headscale.nix
 ];
 system.stateVersion = "21.11";
 }
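Review bot: The unit in `systemd.services.headscale` runs as root with no `User`/`DynamicUser` and no `WorkingDirectory`, while the config it serves binds `listen_addr: 0.0.0.0:${headscalePort}` and that port is opened in `networking.firewall.allowedTCPPorts`; because no `WorkingDirectory` is set, the relative `db_path: db.sqlite` resolves against the system unit's default working directory (`/`), so the node database ends up in the root filesystem. Give the service its own state directory and user as in the fence below, and note that the key at `private_key_path` must then be readable by that user (and writable if headscale is expected to create it on first start). Two smaller defects in the same block: `after = [ "network-online.target" ]` without a matching `wants` does not pull that target in, and `/bin/kill` does not exist on NixOS (only `/bin/sh` and `/usr/bin/env` are provided), so `ExecReload` needs a store path such as `${pkgs.procps}/bin/kill -HUP $MAINPID`. Separately, `derp.paths` points at `derp-example.yaml`, whose placeholder region 900 (`myderp.mydomain.no`, `123.123.123.123`) will be merged into the live DERP map next to the Tailscale default map, so either fill in a real relay or drop the `paths` entry. The plain `http://` in `server_url` is worth confirming as intentional, since nothing on the page terminates TLS in front of the listener.
```nix
# … unchanged: let-bindings and environment.etc config/derp files …
  systemd.services.headscale = {
    description = "Headscale VPN Server";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.headscale}/bin/headscale serve";
      ExecReload = "${pkgs.procps}/bin/kill -HUP $MAINPID";
      Restart = "on-failure";
      Type = "simple";
      # Run unprivileged with a dedicated state directory; db_path is
      # relative, so it lands in WorkingDirectory rather than "/".
      DynamicUser = true;
      StateDirectory = "headscale";
      WorkingDirectory = "/var/lib/headscale";
      # The file at private_key_path must be accessible to the dynamic user.
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
    };
  };
# … unchanged: networking.firewall.allowedTCPPorts …
```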