Add tailscale and headscale

flake.nix

@@ -87,7 +87,10 @@
       ];
 
       perSystem = {pkgs, ...}: {
-        packages.rpi_export = pkgs.callPackage ./pkgs/rpi_export {};
+        packages = {
+          rpi_export = pkgs.callPackage ./pkgs/rpi_export {};
+          headscale-alpha = pkgs.callPackage ./pkgs/headscale {};
+        };
         formatter =
           inputs.treefmt-nix.lib.mkWrapper
           pkgs

hosts/archimedes/blocky.nix

@@ -50,8 +50,14 @@
         upstream = "192.168.1.1:5353";
         singleNameOrder = [1];
         clients = {
+          # local network
           router = ["192.168.1.1"];
           access-point = ["192.168.1.2"];
+          # tailscale addresses
+          pixel = ["100.64.0.1"];
+          zeus = ["100.64.0.3"];
+          archimedes = ["100.64.0.3"];
+          x1 = ["100.64.0.4"];
         };
       };
 

hosts/archimedes/configuration.nix

@@ -33,6 +33,11 @@
     };
   };
 
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server";
+  };
+
   nixpkgs.hostPlatform = "aarch64-linux";
   networking.hostName = "archimedes";
   system.stateVersion = "24.05";

hosts/hetzner/apollo/configuration.nix

@@ -43,9 +43,15 @@ in {
     };
   };
 
+  users.users."${user.name}".extraGroups = [
+    "headscale"
+    "atticd"
+  ];
+
   environment.systemPackages = with pkgs; [
     busybox
     inputs.attic.packages.${pkgs.system}.attic-client
+    config.services.headscale.package
   ];
 
   services.your_spotify = {
@@ -66,12 +72,16 @@ in {
     authentication = lib.mkForce ''
       local all all trust
     '';
-    ensureDatabases = ["atticd"];
+    ensureDatabases = ["atticd" "headscale"];
     ensureUsers = [
       {
         name = "atticd";
         ensureDBOwnership = true;
       }
+      {
+        name = "headscale";
+        ensureDBOwnership = true;
+      }
     ];
   };
 
@@ -137,14 +147,43 @@ in {
     };
   };
 
+  services.headscale = {
+    enable = true;
+    port = 8085;
+    package = pkgs.callPackage ../../../pkgs/headscale {};
+    settings = {
+      server_url = "https://portal.joinemm.dev";
+      metrics_listen_addr = "127.0.0.1:8095";
+      prefixes = {
+        v4 = "100.64.0.0/10";
+        v6 = "fd7a:115c:a1e0::/48";
+      };
+      database = {
+        type = "postgres";
+        postgres = {
+          host = "/run/postgresql";
+          name = "headscale";
+          user = "headscale";
+        };
+      };
+      dns_config = {
+        override_local_dns = true;
+        base_domain = "portal.joinemm.dev";
+        magic_dns = true;
+        nameservers = ["100.64.0.3"];
+      };
+      unix_socket_permission = "0770";
+      disable_check_updates = true;
+    };
+  };
+
   services.nginx.virtualHosts = let
     ssl = {
       enableACME = true;
       forceSSL = true;
     };
     mkRedirect = to:
       {
-        serverAliases = ["acme-rate-limit.joinemm.dev"];
         locations."/" = {
           return = "302 ${to}";
         };
@@ -189,9 +228,9 @@ in {
     "fm.joinemm.dev" =
       {
         locations."/api/" = {
-          proxyPass = "http://localhost:${toString config.services.your_spotify.settings.PORT}/";
+          proxyPass = "http://127.0.0.1:${toString config.services.your_spotify.settings.PORT}/";
           extraConfig = ''
-            proxy_set_header  X-Script-Name /api;
+            proxy_set_header X-Script-Name /api;
             proxy_pass_header Authorization;
           '';
         };
@@ -202,14 +241,26 @@ in {
       {
         extraConfig = ''
           client_header_buffer_size 64k;
-          client_max_body_size 100M;
+          client_max_body_size 500M;
         '';
         locations."/" = {
           proxyPass = "http://127.0.0.1:8080";
         };
       }
       // ssl;
 
+    "portal.joinemm.dev" =
+      {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+          proxyWebsockets = true;
+        };
+        locations."/metrics" = {
+          proxyPass = "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
+        };
+      }
+      // ssl;
+
     "digitalocean.joinemm.dev" = mkRedirect "https://m.do.co/c/7251aebbc5e0";
 
     "vultr.joinemm.dev" = mkRedirect "https://vultr.com/?ref=8569244-6G";

hosts/x1/configuration.nix

@@ -18,8 +18,9 @@
       laptop
       locale
       remotebuild
-      transmission
       syncthing
+      tailscale
+      transmission
       work
       yubikey
     ])
@@ -51,8 +52,6 @@
       "documents".enable = true;
       "share".enable = true;
     };
-
-    tailscale.enable = true;
   };
 
   home-manager.users."${user.name}" = {

hosts/zeus/configuration.nix

@@ -15,10 +15,10 @@
       docker
       gaming
       home
-      keyd
       locale
       remotebuild
       syncthing
+      tailscale
       transmission
       work
       yubikey
@@ -43,50 +43,48 @@
     hostId = "c5a9072d";
   };
 
-  services = {
-    syncthing.settings.folders = {
-      "camera".enable = true;
-      "code".enable = true;
-      "documents".enable = true;
-      "notes".enable = true;
-      "pictures".enable = true;
-      "videos".enable = true;
-      "work".enable = true;
-      "share".enable = true;
-    };
-
-    xserver = {
-      deviceSection = ''
-        Option "VariableRefresh" "true"
-      '';
-      xrandrHeads = [
-        {
-          output = "DisplayPort-0";
-          primary = true;
-          monitorConfig = ''
-            Modeline "3440x1440_144.00"  1086.75  3440 3744 4128 4816  1440 1443 1453 1568 -hsync +vsync
-            Option "PreferredMode" "3440x1440_144.00"
-          '';
-        }
-        {
-          # LG TV that should be off by default.
-          # Option "Enable" "false" is broken, but
-          # Option "Disable" "true" works, even though it's undocumented
-          output = "HDMI-A-0";
-          monitorConfig = ''
-            Option "Disable" "true"
-            Option "RightOf" "DisplayPort-0"
-          '';
-        }
-      ];
-    };
+  services.syncthing.settings.folders = {
+    "camera".enable = true;
+    "code".enable = true;
+    "documents".enable = true;
+    "notes".enable = true;
+    "pictures".enable = true;
+    "videos".enable = true;
+    "work".enable = true;
+    "share".enable = true;
+  };
 
-    # for keyboard config using via
-    udev.extraRules = ''
-      KERNEL=="hidraw*", ATTRS{idVendor}=="6582", ATTRS{idProduct}=="075c", MODE="0666", GROUP="plugdev"
+  services.xserver = {
+    deviceSection = ''
+      Option "VariableRefresh" "true"
     '';
+    xrandrHeads = [
+      {
+        output = "DisplayPort-0";
+        primary = true;
+        monitorConfig = ''
+          Modeline "3440x1440_144.00"  1086.75  3440 3744 4128 4816  1440 1443 1453 1568 -hsync +vsync
+          Option "PreferredMode" "3440x1440_144.00"
+        '';
+      }
+      {
+        # LG TV that should be off by default.
+        # Option "Enable" "false" is broken, but
+        # Option "Disable" "true" works, even though it's undocumented
+        output = "HDMI-A-0";
+        monitorConfig = ''
+          Option "Disable" "true"
+          Option "RightOf" "DisplayPort-0"
+        '';
+      }
+    ];
   };
 
+  # Allow access to keyboard firmware
+  services.udev.extraRules = ''
+    KERNEL=="hidraw*", ATTRS{idVendor}=="6582", ATTRS{idProduct}=="075c", MODE="0666", GROUP="plugdev"
+  '';
+
   users.users.${user.name}.extraGroups = ["plugdev"];
 
   hardware.amdgpu = {

modules/default.nix

@@ -16,6 +16,7 @@
   remotebuild = import ./remotebuild.nix;
   ssh-access = import ./ssh-access.nix;
   syncthing = import ./syncthing.nix;
+  tailscale = import ./tailscale.nix;
   transmission = import ./transmission.nix;
   work = import ./work.nix;
   yubikey = import ./yubikey.nix;

modules/tailscale.nix

@@ -0,0 +1,6 @@
+{
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+}

pkgs/headscale/default.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  buildGo122Module,
+  fetchFromGitHub,
+  installShellFiles,
+  nixosTests,
+}:
+buildGo122Module rec {
+  pname = "headscale";
+  version = "0.23.0-alpha12";
+
+  src = fetchFromGitHub {
+    owner = "juanfont";
+    repo = "headscale";
+    rev = "v${version}";
+    hash = "sha256-kZZK0cXnFARxblSMz01TDcBbTorkHGAwGpR+a4/mYfU=";
+  };
+
+  vendorHash = "sha256-EorT2AVwA3usly/LcNor6r5UIhLCdj3L4O4ilgTIC2o=";
+
+  ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
+
+  nativeBuildInputs = [installShellFiles];
+  checkFlags = ["-short"];
+
+  subPackages = ["cmd/headscale"];
+  tags = ["ts2019"];
+
+  postInstall = ''
+    installShellCompletion --cmd headscale \
+      --bash <($out/bin/headscale completion bash) \
+      --fish <($out/bin/headscale completion fish) \
+      --zsh <($out/bin/headscale completion zsh)
+  '';
+
+  passthru.tests = {inherit (nixosTests) headscale;};
+
+  meta = with lib; {
+    homepage = "https://github.com/juanfont/headscale";
+    description = "Open source, self-hosted implementation of the Tailscale control server";
+    longDescription = ''
+      Tailscale is a modern VPN built on top of Wireguard. It works like an
+      overlay network between the computers of your networks - using all kinds
+      of NAT traversal sorcery.
+
+      Everything in Tailscale is Open Source, except the GUI clients for
+      proprietary OS (Windows and macOS/iOS), and the
+      'coordination/control server'.
+
+      The control server works as an exchange point of Wireguard public keys for
+      the nodes in the Tailscale network. It also assigns the IP addresses of
+      the clients, creates the boundaries between each user, enables sharing
+      machines between users, and exposes the advertised routes of your nodes.
+
+      Headscale implements this coordination server.
+    '';
+    license = licenses.bsd3;
+    maintainers = with maintainers; [nkje jk kradalby misterio77 ghuntley];
+  };
+}