diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index a40eee6..3ef13b6 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -7,10 +7,12 @@
 ./caddy.nix
 ./forgejo.nix
 ./hardware.nix
+ ./headscale.nix
 ./mailserver.nix
 ./nextcloud.nix
 ./nginx.nix
 ./podman.nix
+ ./postgres.nix
 ./security
 ];
 }
diff --git a/hosts/pi4/headscale.nix b/hosts/pi4/headscale.nix
new file mode 100644
index 0000000..6546b47
--- /dev/null
+++ b/hosts/pi4/headscale.nix
@@ -0,0 +1,67 @@
+{
+ pkgs,
+ config,
+ common,
+ ...
+}:
+let
+ cfg = config.services.headscale;
+
+ domain = "beta.vpn.${common.domain}";
+ dnsDomain = "secure.${common.domain}";
+in
+{
+ networking.firewall = {
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+
+ services = {
+ headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 8083;
+ settings = {
+ database = {
+ postgres = {
+ host = "/run/postgresql";
+ name = "headscale";
+ port = config.services.postgresql.settings.port;
+ user = cfg.user;
+ };
+ type = "postgres";
+ };
+ dns = {
+ base_domain = dnsDomain;
+ magic_dns = true;
+ };
+ logtail.enabled = false;
+ server_url = "https://${domain}";
+ };
+ };
+
+ nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ postgresql =
+ let
+ psql = cfg.settings.database.postgres;
+ in
+ {
+ ensureDatabases = [ psql.name ];
+ ensureUsers = [
+ {
+ name = psql.user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ };
+
+}
diff --git a/hosts/pi4/nextcloud.nix b/hosts/pi4/nextcloud.nix
index 5d143a0..eb1f2be 100644
--- a/hosts/pi4/nextcloud.nix
+++ b/hosts/pi4/nextcloud.nix
@@ -63,7 +63,6 @@ in
 };
 
 postgresql = {
- enable = true;
 ensureDatabases = [ dbname ];
 ensureUsers = [
 {
diff --git a/hosts/pi4/postgres.nix b/hosts/pi4/postgres.nix
new file mode 100644
index 0000000..1709af6
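Review bot: `address = "0.0.0.0";` in the headscale block binds the coordination server on every interface, although its only intended client is the nginx vhost in the same file, which proxies to `http://localhost:8083`; since the firewall block above it also marks the tailscale interface as trusted, any tailnet peer can presumably reach port 8083 over plain HTTP and bypass the TLS vhost entirely. Binding to loopback is the least-privilege setting that still satisfies the proxy: `address = "127.0.0.1";`. The file also reads `config.services.tailscale.interfaceName` and `.port` without enabling `services.tailscale` here; if the client is enabled in another module, say so with a comment such as `# tailscale client itself is enabled in hardware/security module` so the opened UDP port is not orphaned if that module is dropped. Whether 8083 stays off the public interfaces depends on the NixOS firewall remaining enabled elsewhere in this host, which this hunk does not show.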
--- /dev/null
+++ b/hosts/pi4/postgres.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ '';
+ };
+}
diff --git a/shared/secrets/secrets.yaml b/shared/secrets/secrets.yaml
index bbfefc3..15b0d85 100644
--- a/shared/secrets/secrets.yaml
+++ b/shared/secrets/secrets.yaml
@@ -36,7 +36,7 @@ sops:
 SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
 YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-02T17:06:40Z"
- mac: ENC[AES256_GCM,data:gwYDPAicJCWdCwW5hikEUkByf0KtSBGNOzfqyTdtsMvTi2HCOiKL2JgBnqjDF82o2XfbHalzzYTstxfWla62lLzF/xPWWoWOtAVB7w2YcEkptr66qU4q3iQi7t878B/+VVHva35TEho8b2JL2vgJNpBp3l06XeWMYCpupc5P7pM=,iv:ZaTpfjfcMeeExySTfI2wMSmFBFi6aoH83yYiucZXRQM=,tag:XwAvMtrX1bUumEaRf3T7Cg==,type:str]
+ lastmodified: "2025-06-23T17:39:10Z"
+ mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
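Review bot: `local all all trust` inside the `mkOverride 10` block disables authentication for every role on the unix socket, so any local account on this host — the web server, the mail stack, a workload that can reach `/run/postgresql` — can connect as the `postgres` superuser and read or rewrite the nextcloud and headscale databases. Both consumers in this commit connect over the socket as their own system user (headscale sets `host = "/run/postgresql"` with `user = cfg.user` and gets the role via `ensureUsers`/`ensureDBOwnership`), which is exactly the case peer authentication covers, so the line should be `local all all peer`. If I recall the NixOS module correctly, peer on the socket is already its default, so the override can probably be dropped entirely; if it is kept, add a comment stating which client cannot use peer auth and why. Be aware that a priority-10 override also replaces whatever loopback TCP lines the module would have generated, so a client connecting via 127.0.0.1 would be rejected for lack of a matching rule.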