feat(headscale)!: Use nginx rather than open ports
Previously, the headscale module opened a port for you and hosted
directly on it. This was not ideal, as it avoided anything else from
being placed on the same port.
With the new nginx module, we can avoid that!
Change-Id: Id45ac9088c3f334838b7ace436bd67a4ac256650
BREAKING-CHANGE: This will close your port again, even if you are hosting on 0.0.0.0
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/791
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/modules/nixos/clicks/services/headscale/README.md b/modules/nixos/clicks/services/headscale/README.md
index 5ac60ff..9e87c05 100644
--- a/modules/nixos/clicks/services/headscale/README.md
+++ b/modules/nixos/clicks/services/headscale/README.md
@@ -24,17 +24,17 @@
```nix
clicks.services.headscale = {
- addr = "0.0.0.0";
- port = 80;
+ addr = "127.0.0.1";
+ port = 1024;
};
```
-By default, we host on port 80 without using SSL. We expect you to host a reverse proxy server, such as caddy or nginx
-to remedy this. To that end, your base URL *must* be accessible only over https.
+Our headscale module integrates with our nginx module, and we will enable it for you unless you explicitly disable it.
+Therefore, we recommend that you don't change the addr to 0.0.0.0: there is no need, headscale will already be available
+if you route traffic from the domain you have set to your server.
-If you keep the default `0.0.0.0` address, we'll also open the port you set.
-
-These defaults will change when we have an nginx module, as the headscale module will automatically create a route.
+If you do change the addr or port, we will reverse proxy to the new addr and port. If you have more services, this may
+help you to avoid port conflicts (e.g. by hosting on `127.0.0.255:1024` or another port)
---
diff --git a/modules/nixos/clicks/services/headscale/default.nix b/modules/nixos/clicks/services/headscale/default.nix
index b540acb..2d104bd 100644
--- a/modules/nixos/clicks/services/headscale/default.nix
+++ b/modules/nixos/clicks/services/headscale/default.nix
@@ -21,12 +21,12 @@
addr = lib.mkOption {
type = lib.types.str;
description = "Where to host headscale";
- default = "0.0.0.0";
+ default = "127.0.0.1";
};
port = lib.mkOption {
type = lib.types.int;
description = "Port to host headscale on";
- default = 80;
+ default = 1024;
};
oidc = {
enable = lib.mkEnableOption "Enable OIDC";
@@ -74,6 +74,13 @@
services.postgres.enable = true;
services.postgres.databases.headscale = cfg.database_password_path;
services.postgres.secretRequiredGroups = [ "headscale" ];
+ services.nginx.enable = true;
+ services.nginx.hosts.${cfg.domain} = {
+ service = lib.clicks.nginx.http.reverseProxy cfg.addr cfg.port;
+ www = false;
+ # TODO: disable http when we have changed a1d2's reverse proxy config to allow us to terminate HTTPS
+ enableHttp = true;
+ };
};
services.headscale = {
@@ -125,9 +132,9 @@
);
};
- systemd.services.headscale.requires = [ "postgresql.service" ];
- systemd.services.headscale.after = [ "postgresql.service" ];
-
- networking.firewall.allowedTCPPorts = lib.mkIf (cfg.addr == "0.0.0.0") [ cfg.port ];
+ systemd.services.headscale.requires = [ "postgresql.service" ] ++
+ (if config.clicks.services.nginx.enable then [ "nginx.service" ] else []);
+ systemd.services.headscale.after = [ "postgresql.service" ] ++
+ (if config.clicks.services.nginx.enable then [ "nginx.service" ] else []);
};
}
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index 6d5ffcc..52686a8 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -41,6 +41,7 @@
headscale = {
enable = true;
domain = "clicks.domains";
+ addr = lib.clicks.constants.hosts.generic;
oidc = {
enable = true;
issuer = "https://login.clicks.codes/realms/master";