os/fscusat/modules/network/headscale.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

{ config, ... }:
let
  headScaleUrl = "https://headscale.${config.global.userdata.domain}";
  user = config.global.userdata.name;
in
{
  sops.secrets."misc/headscale" = { };
  networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];

  services.tailscale = {
    enable = true;
    interfaceName = "headscale";
    openFirewall = true;

    authKeyFile = config.sops.secrets."misc/headscale".path;
    extraUpFlags = [
      "--login-server=${headScaleUrl}"
      "--operator=${user}"
      "--accept-routes=false"
      "--advertise-exit-node"
    ];
  };
}