service/vpn: init headscale

2025-05-24 01:44:40 +02:00 · 2025-01-20 23:46:00 +01:00 · 2025-01-20 23:46:00 +01:00 · ed03795561
commit ed03795561
parent 7be56eb5c3
2 changed files with 91 additions and 0 deletions
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -41,5 +41,6 @@
    ./sonarr
    ./ssh-server
    ./tandoor-recipes
+    ./vpn
  ];
 }
--- a/modules/services/vpn/default.nix
+++ b/modules/services/vpn/default.nix
@ -0,0 +1,90 @@
+# self-hosted vpn
+{ config, lib, ... }:
+let
+  cfg = config.my.services.vpn;
+  inherit (config.networking) domain;
+in
+{
+  options.my.services.vpn = with lib; {
+    enable = mkEnableOption "Headscale VPN";
+    isMaster = mkEnableOption "Headscale Master";
+    port = mkOption {
+      type = types.port;
+      default = 8099;
+      example = 8080;
+      description = "Internal port";
+    };
+  };
+
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      {
+        services.tailscale.enable = true;
+      }
+
+      (lib.mkIf cfg.isMaster {
+
+        services.headscale = {
+          enable = true;
+          inherit (cfg) port;
+          settings = {
+            dns.base_domain = "buehler.internal";
+            server_url = "https://vpn.${domain}";
+            metrics_listen_addr = "127.0.0.1:8095";
+            log.level = "warn";
+          };
+        };
+
+        services.prometheus = {
+          scrapeConfigs = [
+            {
+              job_name = "headscale";
+              static_configs = [
+                {
+                  targets = [ "localhost:8095" ];
+                  labels = {
+                    instance = config.networking.hostName;
+                  };
+                }
+              ];
+            }
+          ];
+        };
+
+        # Proxy to Headscale
+        my.services = {
+          nginx.virtualHosts = [
+            {
+              subdomain = "vpn";
+              inherit (cfg) port;
+              extraConfig = {
+                locations = {
+                  "/" = {
+                    proxyWebsockets = true;
+                  };
+                };
+              };
+            }
+          ];
+
+          prometheus.rules = {
+            HeadscaleHighErrorRate = {
+              condition = ''rate(headscale_http_requests_total{status=~"5.."}[5m]) > 0.1'';
+              description = "The error rate for Headscale server {{ $labels.instance }} is above 10% in the last 2 minutes.";
+            };
+          };
+        };
+
+        # waiting for a nice web-ui
+        # webapps.apps.vpn = {
+        #   dashboard = {
+        #     name = "VPN";
+        #     category = "infra";
+        #     icon = "shield-halved";
+        #     url = "https://vpn.${domain}";
+        #   };
+        # };
+      })
+    ]
+  );
+}