-rw-r--r--flake.lock21
-rw-r--r--flake.nix14
-rw-r--r--os/cez/modules/headscale.nix3
-rw-r--r--os/kay/modules/network/headscale.nix59
4 files changed, 80 insertions, 17 deletions
diff --git a/flake.lock b/flake.lock
index 7e0e6bc..396345d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -226,6 +226,26 @@
"type": "github"
}
},
+ "namescale": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1760768972,
+ "narHash": "sha256-bNnfcWlRJ8HWxzyjMyFz0zb7RNyZ2NJdGPIu03Ds3lY=",
+ "owner": "sinanmohd",
+ "repo": "namescale",
+ "rev": "12e26359e79cd3c88508b0f770d0e5136e53b176",
+ "type": "github"
+ },
+ "original": {
+ "owner": "sinanmohd",
+ "repo": "namescale",
+ "type": "github"
+ }
+ },
"nix": {
"inputs": {
"flake-parts": "flake-parts",
@@ -345,6 +365,7 @@
"determinate": "determinate",
"headplane": "headplane",
"home-manager": "home-manager",
+ "namescale": "namescale",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
"sops-nix": "sops-nix"
diff --git a/flake.nix b/flake.nix
index cb746da..fceb721 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,6 +25,11 @@
url = "github:sinanmohd/alina";
inputs.nixpkgs.follows = "nixpkgs";
};
+
+ namescale = {
+ url = "github:sinanmohd/namescale";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
};
outputs =
@@ -37,6 +42,7 @@
alina,
determinate,
headplane,
+ namescale,
}:
let
lib = nixpkgs.lib;
@@ -48,6 +54,8 @@
specialArgs = {
inherit alina;
+ inherit namescale;
+ inherit headplane;
inherit determinate;
inherit nixos-hardware;
};
@@ -75,12 +83,6 @@
./os/${host}/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
-
- headplane.nixosModules.headplane
- {
- # provides `pkgs.headplane`
- nixpkgs.overlays = [ headplane.overlays.default ];
- }
];
});
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix
index 48481f4..fc465d8 100644
--- a/os/cez/modules/headscale.nix
+++ b/os/cez/modules/headscale.nix
@@ -6,7 +6,7 @@ in
sops.secrets."misc/headscale" = { };
networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
- tailscale = {
+ services.tailscale = {
enable = true;
interfaceName = "headscale";
openFirewall = true;
@@ -14,6 +14,7 @@ in
authKeyFile = config.sops.secrets."misc/headscale".path;
extraUpFlags = [
"--login-server=${headScaleUrl}"
+ "--accept-routes"
];
};
}
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
index 3e44108..14fcee3 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale.nix
@@ -2,6 +2,8 @@
config,
pkgs,
lib,
+ headplane,
+ namescale,
...
}:
let
@@ -27,8 +29,9 @@ let
];
};
tagOwners = {
- "tag:bud_clients" = [ "group:bud" ];
+ "tag:namescale" = [ "group:owner" ];
"tag:internal" = [ "group:owner" ];
+ "tag:bud_clients" = [ "group:bud" ];
"tag:cusat" = [ "group:owner" ];
"tag:gaijin" = [ "group:owner" ];
};
@@ -51,6 +54,12 @@ let
acls = [
{
action = "accept";
+ src = [ "headplane@" ];
+ dst = [ "*:*" ];
+ }
+
+ {
+ action = "accept";
src = [ "group:owner" ];
dst = [ "*:*" ];
}
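Review bot: The new first rule gives every node logged in as the `headplane@` user unrestricted reach to every host and port (`dst = [ "*:*" ]`), the same breadth as `group:owner`, and nothing in the hunk says why a UI account needs tailnet-wide access rather than a specific destination. If this is needed for Headplane to reach the headscale API or the nodes it manages, a comment stating that, and narrowing `dst` to that host and port where possible, would make the rule reviewable; as written it reads like a leftover from testing. Something like `# headplane@ needs <reason>; keep this as narrow as the UI allows` above the rule would do, with the reason filled in by whoever knows it. The `acls` list continues outside the hunk.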
@@ -60,10 +69,24 @@ let
src = [ "group:bud" ];
dst = [ "tag:bud_clients:*" ];
}
+
+ {
+ action = "accept";
+ src = [ "*" ];
+ dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ }
];
};
in
{
+ imports = [
+ headplane.nixosModules.headplane
+ namescale.nixosModules.namescale
+ ];
+
+ nixpkgs.overlays = [ headplane.overlays.default ];
+ environment.systemPackages = [ config.services.headscale.package ];
+
sops.secrets = {
# server
"headplane/cookie_secret".owner = config.services.headscale.user;
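Review bot: The added rule with `src = [ "*" ]` opens `tag:namescale` on the namescale port to every node in the tailnet, including `tag:bud_clients` and `tag:gaijin` members that are otherwise confined, and since no `proto` is given it covers both TCP and UDP. That is presumably what split DNS for the base domain requires, but the intent is not recorded, and a later reader may widen or remove it without seeing the dependency on the `dns.nameservers.split` entry in the services hunk below. A comment such as `# every node resolves the tailnet base domain through namescale, so the resolver port must be reachable from all of them` above the rule would capture that. The `imports`/`nixpkgs.overlays` lines are fine but the `environment.systemPackages` entry is duplicated nowhere now, since the old copy at the end of the file is removed in the last hunk.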
@@ -74,9 +97,19 @@ in
"headscale/pre_auth_key" = { };
};
- networking.firewall = {
- interfaces.ppp0.allowedUDPPorts = [ stunPort ];
- trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ networking = {
+ nameservers = [ "100.100.100.100" ];
+ search = [ config.services.headscale.settings.dns.base_domain ];
+
+ firewall = {
+ interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
+ };
+ # for exit node only
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
};
services = {
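Review bot: `nameservers = [ "100.100.100.100" ]` makes the tailscale stub resolver the host's only upstream, and that resolver only answers once tailscaled is connected to headscale, which runs on this same host; at boot, or whenever tailscaled is down, nothing on kay can resolve external names (DERP/STUN peers, OIDC, package fetches) unless tailscaled installs its own fallback, which this hunk does not show. Consider keeping a real upstream in the list after the MagicDNS address, or documenting why a tailscale-only resolver is acceptable here. Separately, the comment `# for exit node only` above the forwarding sysctls is misleading: the node also advertises `192.168.43.0/24,192.168.38.0/24` in the tailscale hunk below, and subnet routing needs forwarding just as much; `# needed for the exit node and the advertised subnet routes` is more accurate. Note that enabling forwarding globally also applies to `ppp0`, so the firewall's forward policy, not shown here, is what keeps WAN-to-LAN forwarding closed.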
@@ -91,6 +124,9 @@ in
dns = {
base_domain = "tsnet.${config.global.userdata.domain}";
override_local_dns = false;
+ nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [
+ config.services.namescale.settings.host
+ ];
};
derp = {
server = {
@@ -139,14 +175,17 @@ in
"--login-server=${url}"
"--advertise-exit-node"
"--advertise-routes=192.168.43.0/24,192.168.38.0/24"
+ "--advertise-tags=tag:internal,tag:namescale"
];
};
- };
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = true;
- "net.ipv6.conf.all.forwarding" = true;
+ namescale = {
+ enable = true;
+ settings = {
+ host = "100.64.0.6";
+ port = 53;
+ base_domain = config.services.headscale.settings.dns.base_domain;
+ };
+ };
};
-
- environment.systemPackages = [ config.services.headscale.package ];
}
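Review bot: `host = "100.64.0.6"` pins namescale to a literal tailnet address while every other cross-reference in this file is derived from `config`; the split-DNS entry for the base domain in the hunk above points at this value, so if headscale ever assigns this node a different address the tailnet's name resolution breaks with no evaluation-time error. At minimum a comment should record the coupling, e.g. `# must be this node's tailnet IP as assigned by headscale; dns.nameservers.split above points here` next to `host`, and if namescale can bind to the interface rather than a fixed address that would remove the assumption entirely (not visible from the hunk). `--advertise-tags=tag:internal,tag:namescale` only takes effect if the logged-in identity is allowed to own those tags under `tagOwners` (`group:owner` for both); if the pre-auth key from `sops.secrets."headscale/pre_auth_key"` is not created for an owner user, the node will not get the tag and the `tag:namescale:53` ACL will not match it. The enclosing `services` attribute set starts before this hunk.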