From 05891cdd1d3c79f84b76195b60160cbc2e6dd4d5 Mon Sep 17 00:00:00 2001 From: Hadi <112569860+anotherhadi@users.noreply.github.com> Date: Tue, 22 Apr 2025 09:51:46 +0200 Subject: [PATCH] init headscale --- hosts/server/configuration.nix | 1 + server-modules/headscale.nix | 59 ++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 server-modules/headscale.nix diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index b63ea04..ce9c8c0 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -20,6 +20,7 @@ ../../server-modules/mealie.nix ../../server-modules/meilisearch.nix ../../server-modules/search-nixos-api.nix + ../../server-modules/headscale.nix # You should let those lines as is ./hardware-configuration.nix diff --git a/server-modules/headscale.nix b/server-modules/headscale.nix new file mode 100644 index 0000000..833c9f7 --- /dev/null +++ b/server-modules/headscale.nix 
@@ -0,0 +1,59 @@
+{ config, ... }:
+let
+ derpPort = 3478;
+ domain = "hadi.diy";
+in {
+ services = {
+ headscale = {
+ enable = true;
+ port = 8085;
+ address = "127.0.0.1";
+ settings = {
+ dns = {
+ override_local_dns = true;
+ base_domain = "ts.${domain}";
+ magic_dns = true;
+ nameservers.global = [ "9.9.9.9" ];
+ # extra_records = [{
+ # name = "merope.${domain}";
+ # type = "A";
+ # value = "100.77.0.5";
+ # }];
+ };
+ server_url = "https://tailscale.${domain}";
+ metrics_listen_addr = "127.0.0.1:8095";
+ logtail = { enabled = false; };
+ log = { level = "warn"; };
+ ip_prefixes = [ "100.77.0.0/24" "fd7a:115c:a1e0:77::/64" ];
+ derp.server = {
+ enable = true;
+ region_id = 999;
+ stun_listen_addr = "0.0.0.0:${toString derpPort}";
+ };
+ };
+ };
+
+ nginx.virtualHosts = {
+ "tailscale.${domain}" = {
+ useACMEHost = "hadi.diy";
+ forceSSL = true;
+ locations = {
+ "/" = {
+ proxyPass =
+ "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ "/metrics" = {
+ proxyPass =
+ "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
+ };
+ };
+ };
+ };
+ };
+
+ # Derp server
+ networking.firewall.allowedUDPPorts = [ derpPort ];
+
+ environment.systemPackages = [ config.services.headscale.package ];
+}
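Review bot: The `/metrics` location under `"tailscale.${domain}"` republishes the metrics listener on the public vhost, although `metrics_listen_addr` is bound to `127.0.0.1:8095`, and nothing in this hunk puts an allow-list or authentication in front of it. As written, anyone who can reach `https://tailscale.${domain}/metrics` can read the control server's Prometheus output, which typically reveals operational detail about the tailnet. Either drop the location and scrape over loopback, or restrict it in place with `extraConfig = "allow 127.0.0.1; deny all;";` inside the `"/metrics"` attribute set. As a smaller style point, `useACMEHost = "hadi.diy";` repeats the literal already held in `domain`; `useACMEHost = domain;` keeps the two from drifting apart.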