Diffstat (limited to 'os')
-rw-r--r-- | os/cez/modules/headscale.nix | 3 | ||||
-rw-r--r-- | os/kay/modules/network/headscale.nix | 59 |
2 files changed, 51 insertions, 11 deletions
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix index 48481f4..fc465d8 100644 --- a/os/cez/modules/headscale.nix +++ b/os/cez/modules/headscale.nix @@ -6,7 +6,7 @@ in sops.secrets."misc/headscale" = { }; networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]; - tailscale = { + services.tailscale = { enable = true; interfaceName = "headscale"; openFirewall = true; @@ -14,6 +14,7 @@ in authKeyFile = config.sops.secrets."misc/headscale".path; extraUpFlags = [ "--login-server=${headScaleUrl}" + "--accept-routes" ]; }; } diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix index 3e44108..14fcee3 100644 --- a/os/kay/modules/network/headscale.nix +++ b/os/kay/modules/network/headscale.nix @@ -2,6 +2,8 @@ config, pkgs, lib, + headplane, + namescale, ... }: let @@ -27,8 +29,9 @@ let ]; }; tagOwners = { - "tag:bud_clients" = [ "group:bud" ]; + "tag:namescale" = [ "group:owner" ]; "tag:internal" = [ "group:owner" ]; + "tag:bud_clients" = [ "group:bud" ]; "tag:cusat" = [ "group:owner" ]; "tag:gaijin" = [ "group:owner" ]; }; @@ -51,6 +54,12 @@ let acls = [ { action = "accept"; + src = [ "headplane@" ]; + dst = [ "*:*" ]; + } + + { + action = "accept"; src = [ "group:owner" ]; dst = [ "*:*" ]; } @@ -60,10 +69,24 @@ let src = [ "group:bud" ]; dst = [ "tag:bud_clients:*" ]; } + + { + action = "accept"; + src = [ "*" ]; + dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ]; + } ]; }; in { + imports = [ + headplane.nixosModules.headplane + namescale.nixosModules.namescale + ]; + + nixpkgs.overlays = [ headplane.overlays.default ]; + environment.systemPackages = [ config.services.headscale.package ]; + sops.secrets = { # server "headplane/cookie_secret".owner = config.services.headscale.user; 
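Review bot: The new `--accept-routes` flag in `extraUpFlags` carries no comment saying which routes it is expected to install, and it makes this node take whatever subnet routes the headscale server has approved — in this same diff kay advertises 192.168.43.0/24 and 192.168.38.0/24 and an exit node. Approval still happens server-side, and the visible parts of the kay policy show no `autoApprovers`, so the flag does nothing until the routes are enabled on the server, after which any other node's approved routes would be installed here too. I would add `# install subnet routes approved on the headscale server (currently kay's 192.168.43.0/24 and 192.168.38.0/24); exit-node use still needs --exit-node` above the flag. The enclosing `services.tailscale` attribute set starts outside this hunk.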
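Review bot: The new first ACL rule gives the `headplane@` user unrestricted `*:*` access to every node in the tailnet, which puts a management UI's service identity on the same footing as `group:owner` and is broader than an agent that only has to talk to the control server should need. If that user exists only so the headplane agent can register a node, consider narrowing `dst` to the hosts and ports it actually reaches, or at least record the intent: `# headplane's agent identity; full tailnet access is deliberate — narrow dst once its real needs are known`. The hunk does not show what headplane does with this access, so treat the scope as something to confirm rather than a definite defect. The `acls` list this rule belongs to continues outside the hunk.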
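Review bot: The added rule `src = [ "*" ]` → `tag:namescale:<port>` lets every tailnet identity, including `group:bud` which is otherwise confined to `tag:bud_clients`, reach the DNS port of the namescale host; since the other hunks make that host the headscale server and exit node and keep its tailscale interface in `trustedInterfaces`, this ACL is the only thing gating that port. That is reasonable for a tailnet-wide resolver, but it should be annotated so a later edit does not widen it: `# tailnet DNS must be reachable by every node; keep dst limited to the DNS port only`. The `toString config.services.namescale.settings.port` reference also ties this policy to the namescale module imported further down, which is fine as long as the two are always deployed together. The `acls` list and the surrounding `let` block begin outside this hunk.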
@@ -74,9 +97,19 @@ in "headscale/pre_auth_key" = { }; }; - networking.firewall = { - interfaces.ppp0.allowedUDPPorts = [ stunPort ]; - trustedInterfaces = [ config.services.tailscale.interfaceName ]; + networking = { + nameservers = [ "100.100.100.100" ]; + search = [ config.services.headscale.settings.dns.base_domain ]; + + firewall = { + interfaces.ppp0.allowedUDPPorts = [ stunPort ]; + trustedInterfaces = [ config.services.tailscale.interfaceName ]; + }; + }; + # for exit node only + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = true; + "net.ipv6.conf.all.forwarding" = true; }; services = { @@ -91,6 +124,9 @@ in dns = { base_domain = "tsnet.${config.global.userdata.domain}"; override_local_dns = false; + nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [ + config.services.namescale.settings.host + ]; }; derp = { server = { @@ -139,14 +175,17 @@ in "--login-server=${url}" "--advertise-exit-node" "--advertise-routes=192.168.43.0/24,192.168.38.0/24" + "--advertise-tags=tag:internal,tag:namescale" ]; }; - }; - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = true; - "net.ipv6.conf.all.forwarding" = true; + namescale = { + enable = true; + settings = { + host = "100.64.0.6"; + port = 53; + base_domain = config.services.headscale.settings.dns.base_domain; + }; + }; }; - - environment.systemPackages = [ config.services.headscale.package ]; } |
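Review bot: `networking.nameservers = [ "100.100.100.100" ]` makes the MagicDNS stub served by this host's own tailscaled the only system resolver, so whenever tailscaled is down or not yet up at boot, kay — which also runs headscale, headplane and namescale — has no name resolution at all. tailscaled usually configures that resolver itself once connected, so pinning it statically buys little and removes the fallback; I would either drop the line or keep the LAN/upstream resolver as a second entry and add `# MagicDNS stub from local tailscaled; keep an upstream resolver as fallback for boot and outages`. Whether headscale on this host needs outbound DNS (OIDC, ACME) is not visible in the diff, so the boot-time dependency is something to verify rather than a certain failure. The `networking` set is fully in the hunk, but the module body it belongs to continues outside it.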
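Review bot: The new `nameservers.split` entry hands the whole `base_domain` zone to `config.services.namescale.settings.host`, which the last hunk sets to the literal `"100.64.0.6"`, so every client's split route points at a hard-coded tailnet IP rather than something derived from kay's node; if kay is ever re-registered and receives a different address the route silently breaks. That zone is also MagicDNS's own domain, so it is worth confirming that headscale and tailscaled do not shadow or reject a split route for `base_domain` itself. A comment would help the next reader: `# hand base_domain queries to namescale on kay; 100.64.0.6 must remain kay's tailnet IP`. The `dns` set closes inside the hunk, but its parent `settings` block continues beyond it.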
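Review bot: Adding `--advertise-tags=tag:internal,tag:namescale` turns kay into a tagged node, and in Tailscale/headscale ACL semantics a tagged node is matched by its tags rather than by the user who registered it, so the `src = [ "group:owner" ]` rule no longer covers traffic kay itself originates; the visible policy has no rule with `tag:internal` or `tag:namescale` as `src`, so kay's own outbound tailnet connections may now be denied unless that is intended. The tags must also be permitted at registration for whatever identity the key in `authKeyFile` belongs to (`tagOwners` grants both to `group:owner`), otherwise `tailscale up` is rejected. A comment such as `# kay is a tagged node: add a src = tag:internal rule if it must initiate tailnet traffic` would make both dependencies explicit. The `tailscale` and `namescale` sets are inside the hunk, but the enclosing `services` set starts outside it.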