authorsinanmohd <sinan@sinanmohd.com>2025-10-14 18:12:15 +0530
committersinanmohd <sinan@sinanmohd.com>2025-10-17 08:19:58 +0530
commit8c3ada3cdb868150be288223b9524fb152db26bc (patch)
tree663b47032106be6e44c646359b2ee0d707136db8 /os
parente9e51be6d7a149fbd122db51d6a2bf2673f12827 (diff)
feat(os/kay): init headscale
Diffstat (limited to 'os')
-rw-r--r--os/common/modules/nix/nix.patch10
-rw-r--r--os/kay/configuration.nix1
-rw-r--r--os/kay/modules/dns/sinanmohd.com.zone27
-rw-r--r--os/kay/modules/headscale.nix112
-rw-r--r--os/kay/modules/www.nix11
-rw-r--r--os/kay/secrets.yaml12
6 files changed, 152 insertions, 21 deletions
diff --git a/os/common/modules/nix/nix.patch b/os/common/modules/nix/nix.patch
index 4f565d8..606e61d 100644
--- a/os/common/modules/nix/nix.patch
+++ b/os/common/modules/nix/nix.patch
@@ -1,8 +1,8 @@
diff --git a/develop.cc b/develop.cc
-index ed25e655d8f..f78eee59abc 100644
+index c27c254fb..e914d5f6c 100644
--- a/develop.cc
+++ b/develop.cc
-@@ -627,13 +627,12 @@ struct CmdDevelop : Common, MixEnvironment
+@@ -629,13 +629,12 @@ struct CmdDevelop : Common, MixEnvironment
fmt("[ -n \"$PS1\" ] && PS1+=%s;\n", escapeShellArgAlways(developSettings.bashPromptSuffix.get()));
}
@@ -10,14 +10,14 @@ index ed25e655d8f..f78eee59abc 100644
-
setEnviron();
// prevent garbage collection until shell exits
- setEnv("NIX_GCROOT", gcroot.c_str());
+ setEnv("NIX_GCROOT", store->printStorePath(gcroot).c_str());
Path shell = "bash";
+ bool foundInteractive = false;
try {
auto state = getEvalState();
-@@ -656,19 +655,17 @@ struct CmdDevelop : Common, MixEnvironment
+@@ -658,19 +657,17 @@ struct CmdDevelop : Common, MixEnvironment
Strings{"legacyPackages." + settings.thisSystem.get() + "."},
nixpkgsLockFlags);
@@ -39,7 +39,7 @@ index ed25e655d8f..f78eee59abc 100644
throw Error("package 'nixpkgs#bashInteractive' does not provide a 'bin/bash'");
} catch (Error &) {
-@@ -678,6 +675,11 @@ struct CmdDevelop : Common, MixEnvironment
+@@ -680,6 +677,11 @@ struct CmdDevelop : Common, MixEnvironment
// Override SHELL with the one chosen for this environment.
// This is to make sure the system shell doesn't leak into the build environment.
setEnv("SHELL", shell.c_str());
diff --git a/os/kay/configuration.nix b/os/kay/configuration.nix
index ff9b225..6c2c618 100644
--- a/os/kay/configuration.nix
+++ b/os/kay/configuration.nix
@@ -20,6 +20,7 @@
./modules/observability
./modules/alina.nix
./modules/minio.nix
+ ./modules/headscale.nix
];
networking.hostName = "kay";
diff --git a/os/kay/modules/dns/sinanmohd.com.zone b/os/kay/modules/dns/sinanmohd.com.zone
index 0307cd6..dcbdf6c 100644
--- a/os/kay/modules/dns/sinanmohd.com.zone
+++ b/os/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
$TTL 2d
@ IN SOA ns1 hostmaster (
- 2025062100 ; serial
+ 2025101400 ; serial
2h ; refresh
5m ; retry
1d ; expire
@@ -37,17 +37,18 @@ mta-sts IN CNAME @
_mta-sts IN TXT "v=STSv1; id=2024022500"
_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:reports@sinanmohd.com"
-www IN CNAME @
-git IN CNAME @
-bin IN CNAME @
-static IN CNAME @
-home IN CNAME @
-nixbin IN CNAME @
-immich IN CNAME @
-sliding IN CNAME @
-grafana IN CNAME @
-stalwart IN CNAME @
-minio IN CNAME @
-s3 IN CNAME @
+www IN CNAME @
+git IN CNAME @
+bin IN CNAME @
+static IN CNAME @
+home IN CNAME @
+nixbin IN CNAME @
+immich IN CNAME @
+sliding IN CNAME @
+grafana IN CNAME @
+stalwart IN CNAME @
+minio IN CNAME @
+s3 IN CNAME @
+headscale IN CNAME @
_acme-challenge IN NS ns1
diff --git a/os/kay/modules/headscale.nix b/os/kay/modules/headscale.nix
new file mode 100644
index 0000000..24df170
--- /dev/null
+++ b/os/kay/modules/headscale.nix
@@ -0,0 +1,112 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ domain = "headscale.${config.global.userdata.domain}";
+ stunPort = 3478;
+
+ # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`.
+ settings = lib.recursiveUpdate config.services.headscale.settings {
+ tls_cert_path = "/dev/null";
+ tls_key_path = "/dev/null";
+ policy.path = "/dev/null";
+ };
+ format = pkgs.formats.yaml { };
+ headscaleConfig = format.generate "headscale.yml" settings;
+
+ policyFormat = pkgs.formats.json { };
+ policy = {
+ groups = {
+ "group:owner" = [ "sinan@" ];
+ "group:bud" = [
+ "sinan@"
+ "ann@"
+ ];
+ };
+ tagOwners = {
+ "tag:bud_clients" = [ "group:bud" ];
+ "tag:internal" = [ "group:owner" ];
+ "tag:cusat" = [ "group:owner" ];
+ "tag:gaijin" = [ "group:owner" ];
+ };
+ acls = [
+ {
+ action = "accept";
+ src = [ "group:owner" ];
+ dst = [ "*:*" ];
+ }
+
+ {
+ action = "accept";
+ src = [ "group:bud" ];
+ dst = [ "tag:bud_clients:*" ];
+ }
+ ];
+ };
+in
+{
+ sops.secrets = {
+ "headplane/cookie_secret".owner = config.services.headscale.user;
+ "headplane/preauth_key".owner = config.services.headscale.user;
+ "headscale/noise_private_key".owner = config.services.headscale.user;
+ "headscale/derp_private_key".owner = config.services.headscale.user;
+ };
+
+ networking.firewall.interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+
+ services = {
+ headscale = {
+ enable = true;
+ port = 8139;
+
+ settings = {
+ logtail.enabled = false;
+ server_url = "https://${domain}";
+ noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path;
+ dns = {
+ base_domain = "tsnet.${config.global.userdata.domain}";
+ override_local_dns = false;
+ };
+ derp = {
+ server = {
+ enabled = true;
+ private_key_path = config.sops.secrets."headscale/derp_private_key".path;
+ region_code = config.networking.hostName;
+ region_name = config.networking.hostName;
+ stun_listen_addr = "0.0.0.0:${toString stunPort}";
+ region_id = 6969;
+ automatically_add_embedded_derp_region = true;
+ };
+ urls = [ ];
+ };
+ policy = {
+ mode = "file";
+ path = policyFormat.generate "acl.json" policy;
+ };
+ };
+ };
+
+ headplane = {
+ enable = true;
+ settings = {
+ server = {
+ port = 8140;
+ cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
+ };
+ headscale = {
+ url = "https://${domain}";
+ config_path = "${headscaleConfig}";
+ };
+ integration.agent = {
+ enabled = true;
+ pre_authkey_path = config.sops.secrets."headplane/preauth_key".path;
+ };
+ };
+ };
+ };
+
+ environment.systemPackages = [ config.services.headscale.package ];
+}
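Review bot: The comment above the `settings` workaround (`# A workaround generate a valid Headscale config accepted by Headplane when config_strict == true.`) is ungrammatical and does not say which consumer the placeholder paths are for; suggested wording: `# Copy of the Headscale settings handed only to Headplane (config_path below): its config_strict validation presumably requires tls_cert_path, tls_key_path and policy.path to exist, and /dev/null satisfies that. Headscale itself runs plain HTTP behind nginx and reads the real policy from services.headscale.settings.policy.` Since the real policy is a Nix-store file produced by `policyFormat.generate "acl.json" policy`, it is immutable at runtime, so any ACL editing Headplane offers cannot be written back; a one-line comment on `policy.mode = "file"` saying the ACL is declarative and read-only would prevent that surprise. The `tagOwners` block declares `tag:internal`, `tag:cusat` and `tag:gaijin`, yet no `acls` rule names them, so only `group:owner` (through `dst = [ "*:*" ]`) reaches nodes carrying those tags; if that is the intent, say so in a comment so the next reader does not hunt for a missing rule.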
diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix
index 6b8e285..e64c65c 100644
--- a/os/kay/modules/www.nix
+++ b/os/kay/modules/www.nix
@@ -112,6 +112,17 @@ in
};
};
+ "headscale.${domain}" = defaultOpts // {
+ locations = {
+ "/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ };
+ "= /".return = "307 https://headscale.${domain}/admin";
+ "/admin".proxyPass = "http://localhost:${toString config.services.headplane.settings.server.port}";
+ };
+ };
+
"${config.services.grafana.settings.server.domain}" = defaultOpts // {
extraConfig = ''
proxy_buffering off;
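Review bot: The new `"headscale.${domain}"` vhost proxies `/`, which carries the long-lived Tailscale control and DERP websocket connections, without the `proxy_buffering off;` that the grafana vhost directly below sets in `extraConfig`; unless `defaultOpts` (defined outside the hunk) already covers it, buffered proxying with nginx's default timeouts is likely to stall or drop those streams, so consider `extraConfig = ''proxy_buffering off;'';` on this entry too. `"/admin".proxyPass` has no trailing slash, so the `/admin` prefix is forwarded to Headplane unchanged, which matches Headplane's default base path, but the `"= /"` redirect hard-codes the same prefix, so a short comment tying the two together would help whoever changes one of them. The enclosing `virtualHosts` attribute set starts and ends outside the hunk.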
diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml
index da4f9ca..68998c0 100644
--- a/os/kay/secrets.yaml
+++ b/os/kay/secrets.yaml
@@ -17,6 +17,12 @@ mail.sinanmohd.com:
github-runner:
nocodb-registration-token: ENC[AES256_GCM,data:QJ2wGjyzBV0Xmsanc8dpvmi5Iv8ICShpQH0qC7E=,iv:s+IeTdz3cQ22vQiUZlSjFR7xTFwwKVnBvwkyxVeCw4s=,tag:ADeouBMAJiJjCvqLKHTVIw==,type:str]
age-master-key: ENC[AES256_GCM,data:wvhr+iYnjAZh4u+PNtRw3/O/7FAtWAdpC0nOifX8Pf6aB0njLOyhmCo3h8Ti8p4oInvHrJGYCtfUenvACUZSrHVykdDZKC5DgAo=,iv:miFWVbVlpTNV6TZys4tb/WNXiDfC/tobcaM3L9MMytk=,tag:wadOdhXSNZsAlSubVDpqtA==,type:str]
+headplane:
+ cookie_secret: ENC[AES256_GCM,data:ZhUYeusYNPSkuA+CEHHmeRlCB3Y030J+1EpPs88coFs=,iv:Ck3CfLtkwskkwo8Ind+CuLtVARjHI4y3mZITfzCKPso=,tag:yhupLPeAyfBF6LtNqbJs2g==,type:str]
+ preauth_key: ENC[AES256_GCM,data:XBtitZ0fb8mU7Z7aSP+RxUSDvyxqcfKYiq4bLa9WnKef1xEnQK0+l7QfrQAVRyqI,iv:G82b9GcdTTLF/+jVh4nx6Fu7mnMmKarF6Rc+AabaLwE=,tag:x7HMaJknnrA/SjTfYu6B4w==,type:str]
+headscale:
+ noise_private_key: ENC[AES256_GCM,data:pqh0alokNqQsG9Ghi/qZl3lEi45om8GV4uron4a5JriLrR/QiRKcZQFbMK2u1m4wLwAw57ugN/jXynATlW15vUWw4SAU+PtC,iv:j74JLjGDGbmN65YfARYisSa20ExBXVPUm+QKU4qk4rw=,tag:UUgthumk2/a4xJ14Ucok+A==,type:str]
+ derp_private_key: ENC[AES256_GCM,data:EMt3RtQzqIY4i5S2S1kK0kxu0wMt3/bBcpaEc3YP0Cmj8F4yZECOaDUYk4dM2QsfmoP84plktAqIrM4MSiY94lQpqRoCvTru,iv:NU/nVFQxBQTou0mf5xvLmlda8hzJfoCRiU1vCgJGyyc=,tag:IEDCDy6ifL+ulYzp7qr3vg==,type:str]
misc:
wireguard: ENC[AES256_GCM,data:zwctPH+ScqRWUD4Jjcu/dTTGwxGl6rCEsp5D4+EfXPEIhECL2vjyTtcy5cM=,iv:yfv6fV5zxAbsVf+veTJYLmAwhJbaqFt89s3jlU+HO2k=,tag:vZldtANCKvMWW5pXRUv+vA==,type:str]
default_password: ENC[AES256_GCM,data:xON6jifcv8k8tKA=,iv:Kk3Ax/GGvCvAbTAhNnlkoNh1BzsrZVptchRuQi+vqhc=,tag:9vYn1Gslr+1pAYdKvwRhnA==,type:str]
@@ -42,7 +48,7 @@ sops:
bGRaOE1Mc3VqVnYyd0xIVGl5ckpqRFkKpT2gTC4lf9HRQNJDykdGjPdfH+V8og7X
XHq1XqIRoRbulZifuZlmzN/RWMPIoBYkXeHfqaMjmTz5HIBcnO/t9g==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-25T06:56:01Z"
- mac: ENC[AES256_GCM,data:loRxlNwS3ShMhm5r8J+2lG3xR5t3RWDJzwdQmzE7aaONHxeYAhyq6EF8uBZl9Q81aYw6xnpcyKdS2FqH7cHM2JacBG5QE5Iy/of34SVU92Vo1ar57VfKo7K35Vl5Ybx77LGv1Yn7TIpXGPHlWCDMJ0c1oZokSW9zvThUYnJWXes=,iv:ZBeD1HCrFAUk35nwDBzcUK2rnNSG/fdhftF3To/tqmc=,tag:vPb28lHfT+6KEdSIqXeFig==,type:str]
+ lastmodified: "2025-10-17T02:46:27Z"
+ mac: ENC[AES256_GCM,data:DEFPWr+mjPG7AGmtBLEi1X6JukiMgHCAyp3qxjh9Fn2pgNKGLvsINe+z8eG9oR1wb7It1wFfDd0TN5Z5Jp21DyWt3LNTOCGD2ggfubtePMnctRgLtHcjopJ973ONhJ+UljU7FidbMd6BnGftSrmcx1zRcuZKV5w3yjQ3mlfXBkI=,iv:n6/+FQmQZb10zct997MuwvEhjhBnDbCrvkAvvec01wc=,tag:RA+cPFzbT7VtEkAmNBielQ==,type:str]
unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0