Diffstat (limited to '')
| -rw-r--r-- | chaski/configuration.nix | 1 | ||||
| -rw-r--r-- | chaski/services/headscale.nix | 40 | 
2 files changed, 41 insertions, 0 deletions
|
diff --git a/chaski/configuration.nix b/chaski/configuration.nix
index da8fdaf..6339d32 100644
--- a/chaski/configuration.nix
+++ b/chaski/configuration.nix
@@ -12,6 +12,7 @@
       ./services/chat.nix
       ./services/bahnhof-name.nix
       ./services/conduit.nix
+      ./services/headscale.nix
     ];
   sops.defaultSopsFile = ../secrets/chaski.yaml;
diff --git a/chaski/services/headscale.nix b/chaski/services/headscale.nix
new file mode 100644
index 0000000..8240d93
--- /dev/null
+++ b/chaski/services/headscale.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.headscale = {
+    enable = true;
+    settings = {
+      server_url = "https://headscale.noms.ing";
+      listen_addr = "127.0.0.1:8323";
+
+      # oidc = {
+      #   only_start_if_oidc_is_available = true;
+      #   issuer = "https://idm.cuties.network/oauth2/openid/headscale";
+      #   client_id = "headscale";
+      #   client_secret_path = "/run/secrets/headscale_oidc_secret";
+      #   strip_email_domain = true;
+      # };
+
+      dns_config.magic_dns = true;
+      dns_config.domains = [ "nodes.headscale.noms.ing" ];
+      # dns_config.base_domain = "ts.cuties.network";
+    };
+  };
+
+  users.users.headscale.extraGroups = [ config.users.groups.keys.name ];
+  # sops.secrets.headscale_oidc_secret = {
+  #   owner = config.users.users.headscale.name;
+  #   sopsFile = ./headscale.sops.yaml;
+  # };
+
+  services.nginx.virtualHosts."headscale.noms.ing" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8323";
+      proxyWebsockets = true;
+    };
+  };
+
+  services.tailscale.enable = true;
+}
|
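Review bot: In the new `chaski/services/headscale.nix`, `users.users.headscale.extraGroups = [ config.users.groups.keys.name ];` puts the headscale service account in the `keys` group although the only secret it would read, `sops.secrets.headscale_oidc_secret`, is still commented out along with the `oidc` block. Nothing visible in this file needs that membership yet, so I would comment the line out with the rest of the OIDC setup and re-enable all three together, which keeps the service at least privilege in the meantime. Separately, `listen_addr` binds `127.0.0.1:8323` while nginx proxies to `http://localhost:8323`; if `localhost` also resolves to `::1` on this host, nginx will try an address nothing listens on, so `proxyPass = "http://127.0.0.1:8323";` is the safer match.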
