✨ [pi4] Headscale config with Postgres

2025-06-23 17:42:15 +00:00
parent a545b4a45c
commit c29acb0902
5 changed files with 82 additions and 3 deletions
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -7,10 +7,12 @@
    ./caddy.nix
    ./forgejo.nix
    ./hardware.nix
+    ./headscale.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./nginx.nix
    ./podman.nix
+    ./postgres.nix
    ./security
  ];
 }
--- a/hosts/pi4/headscale.nix
+++ b/hosts/pi4/headscale.nix
@ -0,0 +1,67 @@
+{
+  pkgs,
+  config,
+  common,
+  ...
+}:
+let
+  cfg = config.services.headscale;
+
+  domain = "beta.vpn.${common.domain}";
+  dnsDomain = "secure.${common.domain}";
+in
+{
+  networking.firewall = {
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8083;
+      settings = {
+        database = {
+          postgres = {
+            host = "/run/postgresql";
+            name = "headscale";
+            port = config.services.postgresql.settings.port;
+            user = cfg.user;
+          };
+          type = "postgres";
+        };
+        dns = {
+          base_domain = dnsDomain;
+          magic_dns = true;
+        };
+        logtail.enabled = false;
+        server_url = "https://${domain}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.settings.database.postgres;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+
+}
--- a/hosts/pi4/nextcloud.nix
+++ b/hosts/pi4/nextcloud.nix
@ -63,7 +63,6 @@ in
    };

    postgresql = {
-      enable = true;
      ensureDatabases = [ dbname ];
      ensureUsers = [
        {
--- a/hosts/pi4/postgres.nix
+++ b/hosts/pi4/postgres.nix
@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser        auth-method
+      local all       all           trust
+    '';
+  };
+}
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@ -36,7 +36,7 @@ sops:
        SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
        YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-06-02T17:06:40Z"
-  mac: ENC[AES256_GCM,data:gwYDPAicJCWdCwW5hikEUkByf0KtSBGNOzfqyTdtsMvTi2HCOiKL2JgBnqjDF82o2XfbHalzzYTstxfWla62lLzF/xPWWoWOtAVB7w2YcEkptr66qU4q3iQi7t878B/+VVHva35TEho8b2JL2vgJNpBp3l06XeWMYCpupc5P7pM=,iv:ZaTpfjfcMeeExySTfI2wMSmFBFi6aoH83yYiucZXRQM=,tag:XwAvMtrX1bUumEaRf3T7Cg==,type:str]
+  lastmodified: "2025-06-23T17:39:10Z"
+  mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
  unencrypted_suffix: _unencrypted
  version: 3.10.2