fix: headscale

jz8132543 · Aug 29, 2024 · 751892d · 751892d
1 parent 6dfa5f7
commit 751892d
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 83 deletions.
diff --git a/lib/data/data.json b/lib/data/data.json
@@ -96,10 +96,6 @@
       "on": "dfw0",
       "proxy": false
     },
-    "hs": {
-      "on": "dfw0",
-      "proxy": false
-    },
     "ldap": {
       "on": "dfw0",
       "proxy": false
@@ -128,6 +124,10 @@
       "on": "dfw0",
       "proxy": false
     },
+    "ts": {
+      "on": "dfw0",
+      "proxy": false
+    },
     "vault": {
       "on": "dfw0",
       "proxy": true

diff --git a/nixos/hosts/arx8/hardware-configuration.nix b/nixos/hosts/arx8/hardware-configuration.nix
@@ -96,4 +96,5 @@ in {
   };
   # home-manager.users.tippy.wayland.dpi = 144;
   utils.disk = "/dev/nvme0n1";
+  nix.gc.automatic = lib.mkForce false;
 }
diff --git a/nixos/modules/services/headscale.nix b/nixos/modules/services/headscale.nix
@@ -1,10 +1,14 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
   services = {
     headscale = {
       enable = true;
       port = config.ports.headscale;
       settings = {
-        server_url = "https://hs.dora.im";
+        server_url = "https://ts.dora.im";
         metrics_listen_addr = "localhost:${toString config.ports.headscale_metrics}";
         grpc_listen_addr = "localhost:${toString config.ports.headscale_grpc}";
         grpc_allow_insecure = true;
@@ -14,7 +18,7 @@
         };
         dns = {
           override_local_dns = true;
-          base_domain = "t.dora.im";
+          base_domain = "mag";
           magic_dns = true;
           domains = config.environment.domains;
           nameservers.global = [
@@ -53,24 +57,24 @@
           paths = ["/run/credentials/headscale.service/map.yaml"];
           urls = [];
         };
-        policy.path = "/run/credentials/headscale.service/acl.yaml";
+        policy.path = "/run/credentials/headscale.service/acl.json";
       };
     };
   };
   services.traefik.dynamicConfigOptions.http = {
     routers = {
       headscale = {
-        rule = "Host(`headscale.dora.im`) && PathPrefix(`/`)";
+        rule = "Host(`ts.dora.im`) && PathPrefix(`/`)";
         entryPoints = ["https"];
         service = "headscale";
       };
-      headscale_metrics = {
-        rule = "Host(`headscale.dora.im`) && PathPrefix(`/metrics`)";
-        entryPoints = ["https"];
-        service = "headscale_metrics";
-      };
+      # headscale_metrics = {
+      #   rule = "Host(`ts.dora.im`) && PathPrefix(`/metrics`)";
+      #   entryPoints = ["https"];
+      #   service = "headscale_metrics";
+      # };
       headscale_grpc = {
-        rule = "Host(`headscale.dora.im`) && PathPrefix(`/headscale`)";
+        rule = "Host(`ts.dora.im`) && PathPrefix(`/headscale.`)";
         entryPoints = ["https"];
         service = "headscale_grpc";
       };
@@ -79,11 +83,12 @@
       headscale.loadBalancer = {
         passHostHeader = true;
         servers = [{url = "http://localhost:${toString config.services.headscale.port}";}];
+        # servers = [{url = "http://localhost:${toString config.ports.headscale_metrics}";}];
       };
-      headscale_metrics.loadBalancer = {
-        passHostHeader = true;
-        servers = [{url = "http://${toString config.services.headscale.settings.metrics_listen_addr}/metrics";}];
-      };
+      # headscale_metrics.loadBalancer = {
+      #   passHostHeader = true;
+      #   servers = [{url = "http://${toString config.services.headscale.settings.metrics_listen_addr}/metrics";}];
+      # };
       headscale_grpc.loadBalancer = {
         passHostHeader = true;
         servers = [{url = "https://${toString config.services.headscale.settings.grpc_listen_addr}";}];
@@ -94,13 +99,16 @@
     TimeoutStopSec = "5s";
     LoadCredential = [
       "map.yaml:/etc/headscale/map.yaml"
-      "acl.yaml:/etc/headscale/acl.yaml"
+      "acl.json:/etc/headscale/acl.json"
     ];
   };
-  environment.systemPackages = [config.services.headscale.package];
+  environment.systemPackages = [
+    config.services.headscale.package
+    pkgs.sqlite
+  ];
   services.restic.backups.borgbase.paths = [
     "/etc/headscale/map.yaml"
-    "/etc/headscale/acl.yaml"
+    "/etc/headscale/acl.json"
     "/var/lib/headscale"
   ];
   environment.global-persistence = {

diff --git a/secrets/terraform-outputs.yaml b/secrets/terraform-outputs.yaml
@@ -273,10 +273,6 @@ service_cname_mappings:
         - ENC[AES256_GCM,data:AWHrB//1,iv:72D5RHG1IhgGqy85IPy0dS/DUJ16/i4CTyEpfRnt810=,tag:4C8kwkUSQA79aAFfbEIhzQ==,type:str]
         - "on": ENC[AES256_GCM,data:eGjR3KHe,iv:H8JO6u4fSzqtrhNF4IaO1csliBMtdzIjwneFkLFM3dM=,tag:Bk51zyEoa/C/PAlVIp/uSQ==,type:str]
           proxy: ENC[AES256_GCM,data:ieL9ng==,iv:a/9VobSJzRgB5sIlaO4VmEVnE0ogJftGn6UBsr5UEBc=,tag:h6J0rTNoT+jgfgZFY77vmA==,type:str]
-      hs:
-        - ENC[AES256_GCM,data:7N3NTbuy,iv:U8lXttFRXWTYcytqeEHmT0IlW/bKy0okLDIQMMr9bZY=,tag:gAbFIaKh/p0HqxVyv4MuNg==,type:str]
-        - "on": ENC[AES256_GCM,data:V5ljyPqC,iv:9xmG34vc3KI4dK5NdDYbP+S7SUs8FJek1xaZmG9h7PY=,tag:z0EmeuNFCNE0Z7vKvJHsGA==,type:str]
-          proxy: ENC[AES256_GCM,data:TNR66A==,iv:xrdUCCjuoajNfRob9fFtp1BX26IWPHTZHnC4sFDsBzQ=,tag:KhN2nAUnGbipCu5H6XSZ+w==,type:str]
       ldap:
         - ENC[AES256_GCM,data:rkOHq3uu,iv:cjF2HHZt79p05XlvALIQck/2SMHBQm3gg8nktTY+cDY=,tag:DCrQRNePKB1ggX1Tlh4rlw==,type:str]
         - "on": ENC[AES256_GCM,data:qmf4ReL9,iv:reFLfMC/a+HnF13w9tzZesZXl8zT809GN8RCBYoG03Y=,tag:5NEMOPWGZUdeTND65JXrlA==,type:str]
@@ -305,6 +301,10 @@ service_cname_mappings:
         - ENC[AES256_GCM,data:67l11n3x,iv:Lu/DBh0e/wYSyHdoMLEZTVeCWVGxcIfiILk1itFqgVg=,tag:W+c6JKPds6qHoumxxuu/Iw==,type:str]
         - "on": ENC[AES256_GCM,data:sJ4On2tY,iv:IA26sHlfDBr1LYYw1ZujTLwec9Z5Bioor0aYzi78fHg=,tag:x7a895mQFe+UuFyqy/25XQ==,type:str]
           proxy: ENC[AES256_GCM,data:GFs0jg==,iv:C3wohm0vT/m12Xr2e10+ubHxpB71AghqZiTyt0TR6ks=,tag:8Dx0SXUWlF69FeKzN6DKlw==,type:str]
+      ts:
+        - ENC[AES256_GCM,data:SV1aTzuO,iv:b+7NuEEhoVETHwOqY6BLHIviFgLb5uXRptEzQsv4pwg=,tag:HKybQx1Vmp/3Xv8lvH5t/w==,type:str]
+        - "on": ENC[AES256_GCM,data:fnyzp+SK,iv:w2oL4q+O872KdE74qz/KyH8UermDQ2GJ0TKMh51Mb7M=,tag:cwBdNjqPgpLkdNdR9hno7g==,type:str]
+          proxy: ENC[AES256_GCM,data:4xYWbw==,iv:wwuEmYahbDMGDm40Mt0RicmpbI02CGzjPX1j8Olppgw=,tag:gg3VGubEoVY5i+FCMlDlfA==,type:str]
       vault:
         - ENC[AES256_GCM,data:r2zMmx8f,iv:KFoc9EyxGf5uonJwvOYFZ5FK4z40rexajfR9lNaYToI=,tag:xDxHQtQ+LC3R6rOQdjNIAA==,type:str]
         - "on": ENC[AES256_GCM,data:JTF2mx9V,iv:OWXyYR8oH9h/zG+bz6Jm3Zq8Z/BiSMwBQ9UtbOhNQJw=,tag:eYDFIvoCw5VoY5o9/WuHVA==,type:str]
@@ -316,9 +316,6 @@ service_cname_mappings:
     atuin:
       "on": ENC[AES256_GCM,data:r43j6g==,iv:qK53jppiu/Sd4qzR33MMzMACziB0w3P51Y5mPyljG6Y=,tag:k2fI3WUSe80mF6UXDWS/lg==,type:str]
       proxy: ENC[AES256_GCM,data:g5BKeOs=,iv:tPt3b5VsnAvTKsxhXT5hkseR0sUikjIzo/7bapVvILc=,tag:0ga5NGit4uRO6LNkoM5lRw==,type:bool]
-    hs:
-      "on": ENC[AES256_GCM,data:xSQDyA==,iv:D0BLcAgrPC6SnzSDdEDLHvYxCY3RMo2WCwBEEngLLyE=,tag:XSfnQJW/NBw+7Xsu0t3sYA==,type:str]
-      proxy: ENC[AES256_GCM,data:83uKBhM=,iv:az+3gf0YRv1OnoXoVaicge8Gvm0gxhOaVscOM5QECN8=,tag:Z4flUQal57Tw9J7DyTw4kg==,type:bool]
     ldap:
       "on": ENC[AES256_GCM,data:Mi+WIQ==,iv:p2FwCXCPJsXQpP6of2RO6wH291lHA3XYdajrOKXTJZs=,tag:tUD9zIfFn3PRQfylUKyhsg==,type:str]
       proxy: ENC[AES256_GCM,data:3E3IILc=,iv:INrfLQlYspjs+ufRQ1BxQhSaeXxL1Wl3szbYEqCIJII=,tag:DRFKkfXnfhWTL+gY3ow3zg==,type:bool]
@@ -340,6 +337,9 @@ service_cname_mappings:
     sso:
       "on": ENC[AES256_GCM,data:+K2pUg==,iv:tEjETG3m2sU7YvKSgzQ1sPqYz0ymwqqCfbRO0z2lhwo=,tag:2vrySIt0GRvqJ4JRCYqBNA==,type:str]
       proxy: ENC[AES256_GCM,data:deA0MKY=,iv:diZkFSTnReQ2Ze1u3vSRW+nVSc7NBQh5dwbApmYuWHs=,tag:5awG65N6OI4G8gSaIrwZ8g==,type:bool]
+    ts:
+      "on": ENC[AES256_GCM,data:FAbpSQ==,iv:Yvr9DrJyxq0+PwYbQRG9GLW6RmoWJpGYTA/wCxYZD/k=,tag:oiDaCCN99md6olXNQayL/A==,type:str]
+      proxy: ENC[AES256_GCM,data:kkZmBLQ=,iv:z7IEDm8PSf+pDja/FdQzFNyrbmx0xPdX99Brq43CXsk=,tag:rmpaddkGkQrXvPLxbhKZkg==,type:bool]
     vault:
       "on": ENC[AES256_GCM,data:hkVG+g==,iv:zSCY4DyI/Y1I2CSyfXx9SryDB4kCbAjveEaYhv4pCSQ=,tag:CqbEey7HTHiCId0/QXgkxA==,type:str]
       proxy: ENC[AES256_GCM,data:5eCvSA==,iv:8B2wYQlba+hF23oyASd0TrzDsOQdVsP1NRjhRvV3dDM=,tag:S1fOCrhD8vVLxcjhghBY6g==,type:bool]
@@ -358,8 +358,8 @@ sops:
         Sk1Fd3hqM0pwWFpqY2d4eW1hWUR1bFEKK9ffnx65jbajKVVBp4jjcweT1qldCjWD
         ZJOFlhxryKDdn6oRW+G/9g133IjrQrXiwhqzC/fm0HA6mk/XiIiSxA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-08-28T17:31:43Z"
-  mac: ENC[AES256_GCM,data:7X5/8LLiSaonawrrduk8C6c/KPOz+xrFjcMmpM3BfpKfmWpF4IwSRnqm2M7rsa1Gm2UhbX+t76JB4+EOoxudWGXJ130TVM1UvdQ/NPauW16aW1Uxv6FwAWBYgDcrKEv4y7dQFyUQ8QJG2ZKztm8/TBfh5NxsTjS+2ssUNYU6MJo=,iv:paWOtA/pGxKwbeNYo+UCUk58mMErSqDGxJaf+NHxe68=,tag:uVu4392hKD7XD7lagkI4wQ==,type:str]
+  lastmodified: "2024-08-28T17:58:55Z"
+  mac: ENC[AES256_GCM,data:cKJY8m0+KyF/BH0hY8V4Icwo02ai/KyKMdMcNUJbuFb4suF/50eWsYvV55ATcP0Cp5txtVwGvWbB8J6OtsOHTP4Mp5KgtEA6udr3a/jj0e7g7vAQVm2Lxj/ccdbfGP5DhzE8fZOiKXS8WmDWROrkYiYKldFNW4er21rO9VOZz8I=,iv:JRBnwwxlkCagBqMxHl1Mlm7A1imBTYpcK4Hd0KfMsaM=,tag:FhSjxSL/75qQudlIsSIXjg==,type:str]
   pgp:
     - created_at: "2023-06-12T05:51:36Z"
       enc: |