nixy/server-modules/headscale.nix

{ config, pkgs, ... }:
let
  derpPort = 3478;
  domain = "hadi.diy";
  headscale-ui-src = pkgs.fetchFromGitHub {
    owner = "gurucomputing";
    repo = "headscale-ui";
    rev = "63041fd673d81da56e60d2b528a4991981eab746";
    sha256 = "pz7oDRfBf/dN+PMEqbMe+es6deQ4QP3pC191ASlyV7U=";
  };
  headscale-ui = pkgs.buildNpmPackage {
    pname = "headscale-ui";
    version = "0.0.1";
    src = headscale-ui-src;
    npmDepsHash = "MePNbOPSe5wB8/6T3DLs+4+Qlr8f+7cCPs301il7iX8=";
    buildPhase = ''
      runHook preBuild
      mkdir -p $out
      npm run build
      runHook postBuild
    '';
    installPhase = ''
      mv ./build $out/dist
    '';
    makeCacheWritable = true;
    dontFixup = true;
    dontNpmBuild = true;
  };
in {
  services = {
    headscale = {
      enable = true;
      port = 8085;
      address = "127.0.0.1";
      settings = {
        dns = {
          override_local_dns = true;
          base_domain = "ts.${domain}";
          magic_dns = true;
          nameservers.global = [ "9.9.9.9" ];
          # extra_records = [{
          #   name = "merope.${domain}";
          #   type = "A";
          #   value = "100.77.0.5";
          # }];
        };
        server_url = "https://tailscale.${domain}";
        metrics_listen_addr = "127.0.0.1:8095";
        logtail = { enabled = false; };
        log = { level = "warn"; };
        ip_prefixes = [ "100.77.0.0/24" "fd7a:115c:a1e0:77::/64" ];
        derp.server = {
          enable = true;
          region_id = 999;
          stun_listen_addr = "0.0.0.0:${toString derpPort}";
        };
      };
    };

    nginx.virtualHosts = {
      "tailscale.${domain}" = {
        useACMEHost = "hadi.diy";
        forceSSL = true;
        locations = {
          "/" = {
            proxyPass =
              "http://localhost:${toString config.services.headscale.port}";
            proxyWebsockets = true;
          };
          "/metrics" = {
            proxyPass =
              "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
          };
          "/web" = {
            root = "${headscale-ui}/dist";
            index = "index.html";
            tryFiles = [ "$uri" "/index.html" ];
          };
        };
      };
    };
  };

  # Derp server
  networking.firewall.allowedUDPPorts = [ derpPort ];

  environment.systemPackages = [ config.services.headscale.package ];
}