commit 14375fef15bd1df03cd9cb0375b48c947fa8879b
author Skyler Grey <minion@clicks.codes> Sat Jun 22 14:43:44 2024 +0000
committer Skyler Grey <minion@clicks.codes> Thu Jul 04 01:56:50 2024 +0000
tree 0da20b5f3c13c1c046775d2d3c49ffd557904ea9
parent bed35f19b11fe397525d65e6ead86e573b562310

feat(headscale)!: Use nginx rather than open ports

Previously, the headscale module opened a port for you and hosted
directly on it. This was not ideal, as it avoided anything else from
being placed on the same port.

With the new nginx module, we can avoid that!

Change-Id: Id45ac9088c3f334838b7ace436bd67a4ac256650
BREAKING-CHANGE: This will close your port again, even if you are hosting on 0.0.0.0
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/791
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>

modules/nixos/clicks/services/headscale/default.nix

diff --git a/modules/nixos/clicks/services/headscale/default.nix b/modules/nixos/clicks/services/headscale/default.nix
index b540acb..2d104bd 100644
--- a/modules/nixos/clicks/services/headscale/default.nix
+++ b/modules/nixos/clicks/services/headscale/default.nix
@@ -21,12 +21,12 @@
     addr = lib.mkOption {
       type = lib.types.str;
       description = "Where to host headscale";
-      default = "0.0.0.0";
+      default = "127.0.0.1";
     };
     port = lib.mkOption {
       type = lib.types.int;
       description = "Port to host headscale on";
-      default = 80;
+      default = 1024;
     };
     oidc = {
       enable = lib.mkEnableOption "Enable OIDC";
@@ -74,6 +74,13 @@
       services.postgres.enable = true;
       services.postgres.databases.headscale = cfg.database_password_path;
       services.postgres.secretRequiredGroups = [ "headscale" ];
+      services.nginx.enable = true;
+      services.nginx.hosts.${cfg.domain} = {
+        service = lib.clicks.nginx.http.reverseProxy cfg.addr cfg.port;
+        www = false;
+        # TODO: disable http when we have changed a1d2's reverse proxy config to allow us to terminate HTTPS
+        enableHttp = true;
+      };
     };
 
     services.headscale = {
@@ -125,9 +132,9 @@
       );
     };
 
-    systemd.services.headscale.requires = [ "postgresql.service" ];
-    systemd.services.headscale.after = [ "postgresql.service" ];
-
-    networking.firewall.allowedTCPPorts = lib.mkIf (cfg.addr == "0.0.0.0") [ cfg.port ];
+    systemd.services.headscale.requires = [ "postgresql.service" ] ++
+                                          (if config.clicks.services.nginx.enable then [ "nginx.service" ] else []);
+    systemd.services.headscale.after = [ "postgresql.service" ] ++
+                                       (if config.clicks.services.nginx.enable then [ "nginx.service" ] else []);
   };
 }