Headscale and Tailscale config modules

2025-05-06 13:22:39 +02:00
parent ad87c67161
commit 279d00ae82
6 changed files with 44 additions and 82 deletions
--- a/hosts/m3-atlas/services/headscale.nix
+++ b/hosts/m3-atlas/services/headscale.nix
@ -1,7 +1,7 @@
 {
-  pkgs,
  config,
  lib,
+  pkgs,
  ...
 }: {
  # Define a new option for the admin user
@ -42,14 +42,12 @@
        routes = {
          "0.0.0.0/0" = ["${adminUser}"];
          "10.0.0.0/8" = ["${adminUser}"];
-          "172.16.0.0/12" = ["${adminUser}"];
          "192.168.0.0/16" = ["${adminUser}"];
        };

        exitNode = ["${adminUser}"];
      };
    };
-
    # Convert to HuJSON format with comments
    aclHuJson = ''
      // Headscale ACL Policy - Generated by NixOS
@ -57,14 +55,13 @@

      ${builtins.toJSON aclConfig}
    '';
-
    aclFile = pkgs.writeText "acl-policy.hujson" aclHuJson;
  in {
    services = {
      headscale = {
        enable = true;
-        port = 3009;
        adminUser = "m3tam3re";
+        port = 3009;
        settings = {
          server_url = "https://va.m3tam3re.com";
          dns = {
@ -76,24 +73,6 @@
      };
    };

-    # Traefik configuration
-    services.traefik.dynamicConfigOptions.http = {
-      services.headscale.loadBalancer.servers = [
-        {
-          url = "http://localhost:3009/";
-        }
-      ];
-
-      routers.headscale = {
-        rule = "Host(`va.m3tam3re.com`)";
-        tls = {
-          certResolver = "godaddy";
-        };
-        service = "headscale";
-        entrypoints = "websecure";
-      };
-    };
-
    # Create a systemd service to ensure the admin user exists
    systemd.services.headscale-ensure-admin = lib.mkIf config.services.headscale.enable {
      description = "Ensure Headscale admin user exists";
@ -117,5 +96,23 @@
        fi
      '';
    };
+
+    # Traefik configuration for headscale
+    services.traefik.dynamicConfigOptions.http = {
+      services.headscale.loadBalancer.servers = [
+        {
+          url = "http://localhost:3009/";
+        }
+      ];
+
+      routers.headscale = {
+        rule = "Host(`va.m3tam3re.com`)";
+        tls = {
+          certResolver = "godaddy";
+        };
+        service = "headscale";
+        entrypoints = "websecure";
+      };
+    };
  };
 }
--- a/hosts/m3-atlas/services/tailscale.nix
+++ b/hosts/m3-atlas/services/tailscale.nix
@ -1,45 +1,27 @@
 {
  config,
+  lib,
  pkgs,
  ...
 }: {
  services.tailscale = {
    enable = true;
-    useRoutingFeatures = "both";
    authKeyFile = config.age.secrets.tailscale-key.path;
+    useRoutingFeatures = "both";
    extraUpFlags = [
      "--login-server=${config.services.headscale.settings.server_url}"
      "--advertise-exit-node"
      "--accept-routes"
    ];
  };
-
-  services.networkd-dispatcher = {
+  services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      script = ''
-        "${pkgs.ethtool} NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ") | -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
+        NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
+        ${pkgs.ethtool}/bin/ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-    "net.core.gro_normal_batch" = 8;
-    "net.core.gro_flush_timeout" = 200000;
-  };
-
-  networking.firewall = {
-    trustedInterfaces = ["tailscale0"];
-    allowedUDPPorts = [41641];
-    checkReversePath = "loose";
-  };
-
-  environment.systemPackages = with pkgs; [
-    ethtool
-    tailscale
-    networkd-dispatcher
-  ];
 }