feat: add headscale

Headscale is an open-source implementation of the Tailscale control server.
We've written a module that makes it easy to run it with a basic but
sensible set of options, and enabled it on a1d1.

Change-Id: If67dd498cbe0b0c3c81c66a0216845d0eaf1282c
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/728
Tested-by: Samuel Shuert <coded@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/systems/x86_64-linux/a1d1/default.nix b/systems/x86_64-linux/a1d1/default.nix
index cd71bbf..11e6f04 100644
--- a/systems/x86_64-linux/a1d1/default.nix
+++ b/systems/x86_64-linux/a1d1/default.nix
@@ -3,7 +3,13 @@
 #
 # SPDX-License-Identifier: GPL-3.0-only
 
-{ pkgs, modulesPath, ... }:
+{
+  pkgs,
+  modulesPath,
+  lib,
+  config,
+  ...
+}:
 {
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -26,6 +32,23 @@
 
     services = {
       ssh.enable = true;
+      headscale = {
+        enable = true;
+        url = "clicks.domains";
+        oidc = {
+          enable = true;
+          issuer = "https://login.clicks.codes/realms/master";
+          allowed_groups = [ "/clicks" ];
+          client_secret_path =
+            config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
+        };
+        database_password_path =
+          config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
+        noise_private_key_path =
+          config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
+        private_key_path =
+          config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
+      };
     };
 
     storage = {
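Review bot: The `url = "clicks.domains";` value on the headscale block has no scheme, and headscale's server_url (which the OIDC redirect URI and every client's control-plane address are derived from) is expected to be a full URL; unless the clicks headscale module prepends it, this should read `url = "https://clicks.domains";` so that the OIDC callback and client traffic are never advertised over plain http. If the module does add the scheme itself, a short comment on that line saying so would stop the next reader from wondering. The `config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}"` expression is also repeated four times here; binding it once in a `let` would make the four `*_path` lines read as one declaration. The enclosing top-level attribute set starts outside this hunk.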
@@ -73,4 +96,16 @@
   networking.useDHCP = true;
 
   system.stateVersion = "24.05";
+
+  clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
+    file = ./headscale.sops.json;
+    group = "headscale";
+    keys = [
+      "oidc_client_secret"
+      "database_password"
+      "noise_private_key"
+      "private_key"
+    ];
+    neededForUsers = false;
+  };
 }
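Review bot: A comment above this `clicks.secrets` block stating why the noise and legacy private keys are provisioned from sops rather than generated by headscale on first start would help the next maintainer — presumably so the server's identity survives a rebuild, but the commit does not say. The four key names are also restated here and the `lib.clicks.secrets.name ./headscale.sops.json` expression appears five times across the file; a single `let headscaleSecrets = lib.clicks.secrets.name ./headscale.sops.json; in` with `clicks.secrets.${headscaleSecrets}` here would keep the declaration and its consumers in sync. The secrets are exposed to the whole `headscale` group with no explicit mode, so whatever the module's default mode is applies — worth confirming nothing else is in that group. The enclosing top-level attribute set starts outside this hunk.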