feat(os/fscusat): init headscaleHEADmaster

2 files changed, 46 insertions, 0 deletions

diff --git a/os/fscusat/modules/network/headscale.nix b/os/fscusat/modules/network/headscale.nix
new file mode 100644
index 0000000..906080a
--- /dev/null
+++ b/os/fscusat/modules/network/headscale.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+  headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+  user = config.global.userdata.name;
+in
+{
+  sops.secrets."misc/headscale" = { };
+  networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+  services.tailscale = {
+    enable = true;
+    interfaceName = "headscale";
+    openFirewall = true;
+
+    authKeyFile = config.sops.secrets."misc/headscale".path;
+    extraUpFlags = [
+      "--login-server=${headScaleUrl}"
+      "--operator=${user}"
+      "--accept-routes=false"
+      "--advertise-exit-node"
+    ];
+  };
+}
diff --git a/os/fscusat/modules/network/lan.nix b/os/fscusat/modules/network/lan.nix
new file mode 100644
index 0000000..fefcd14
--- /dev/null
+++ b/os/fscusat/modules/network/lan.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+let
+  wan = "ens18";
+in
+{
+  networking = {
+    interfaces.${wan}.ipv4.addresses = [
+      {
+        address = "10.0.8.101";
+        prefixLength = 16;
+      }
+    ];
+    defaultGateway = {
+      address = "10.0.0.1";
+      interface = wan;
+    };
+    nameservers = [
+      "10.0.0.2"
+      "10.0.0.3"
+    ];
+  };
+}