martials/nixos-configuration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[pi4] Headscale config with Postgres

Browse Source
This commit is contained in:
Martin Berg Alstad
2025-06-23 17:42:15 +00:00
parent a545b4a45c
commit c29acb0902
5 changed files with 82 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/pi4/default.nix
View File

@ -7,10 +7,12 @@
./caddy.nix ./caddy.nix
./forgejo.nix ./forgejo.nix
./hardware.nix ./hardware.nix
./headscale.nix
./mailserver.nix ./mailserver.nix
./nextcloud.nix ./nextcloud.nix
./nginx.nix ./nginx.nix
./podman.nix ./podman.nix
./postgres.nix
./security ./security
]; ];
} }

67
hosts/pi4/headscale.nix Normal file
View File

@ -0,0 +1,67 @@
{
pkgs,
config,
common,
...
}:
let
cfg = config.services.headscale;
domain = "beta.vpn.${common.domain}";
dnsDomain = "secure.${common.domain}";
in
{
networking.firewall = {
trustedInterfaces = [ config.services.tailscale.interfaceName ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
services = {
headscale = {
enable = true;
address = "0.0.0.0";
port = 8083;
settings = {
database = {
postgres = {
host = "/run/postgresql";
name = "headscale";
port = config.services.postgresql.settings.port;
user = cfg.user;
};
type = "postgres";
};
dns = {
base_domain = dnsDomain;
magic_dns = true;
};
logtail.enabled = false;
server_url = "https://${domain}";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
postgresql =
let
psql = cfg.settings.database.postgres;
in
{
ensureDatabases = [ psql.name ];
ensureUsers = [
{
name = psql.user;
ensureDBOwnership = true;
}
];
};
};
}

1
hosts/pi4/nextcloud.nix
View File

@ -63,7 +63,6 @@ in
}; };
postgresql = { postgresql = {
enable = true;
ensureDatabases = [ dbname ]; ensureDatabases = [ dbname ];
ensureUsers = [ ensureUsers = [
{ {

11
hosts/pi4/postgres.nix Normal file
View File

@ -0,0 +1,11 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
}

4
shared/secrets/secrets.yaml
View File

@ -36,7 +36,7 @@ sops:
SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA== YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-02T17:06:40Z" lastmodified: "2025-06-23T17:39:10Z"
mac: ENC[AES256_GCM,data:gwYDPAicJCWdCwW5hikEUkByf0KtSBGNOzfqyTdtsMvTi2HCOiKL2JgBnqjDF82o2XfbHalzzYTstxfWla62lLzF/xPWWoWOtAVB7w2YcEkptr66qU4q3iQi7t878B/+VVHva35TEho8b2JL2vgJNpBp3l06XeWMYCpupc5P7pM=,iv:ZaTpfjfcMeeExySTfI2wMSmFBFi6aoH83yYiucZXRQM=,tag:XwAvMtrX1bUumEaRf3T7Cg==,type:str] mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2