From 3daa817aada1175171ca6edbfdc123d920b33400 Mon Sep 17 00:00:00 2001
From: Henri Dohmen
Date: Wed, 14 May 2025 23:43:38 +0200
Subject: [PATCH] headscale
---
 flake.nix | 1 +
 mod/network.nix | 77 ++++++++++++++++++++-------------------
 mod/server/all.nix | 8 ++++
 mod/server/networking.nix | 28 ++++++++++++++
 mod/server/security.nix | 9 +++++
 mod/server/services.nix | 35 ++++++++++++++++++
 6 files changed, 120 insertions(+), 38 deletions(-)
 create mode 100644 mod/server/all.nix
 create mode 100644 mod/server/networking.nix
 create mode 100644 mod/server/security.nix
 create mode 100644 mod/server/services.nix
diff --git a/flake.nix b/flake.nix
index 508729b..b2d6090 100644
--- a/flake.nix
+++ b/flake.nix
@@ -59,6 +59,7 @@
 imports = [
 ./host/roam
 mod.shared.all
+ mod.server.all
 ];
 };
 };
diff --git a/mod/network.nix b/mod/network.nix
index 5c8df29..1e3d2a1 100644
--- a/mod/network.nix
+++ b/mod/network.nix
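Review bot: The new `mod.server.all` import lands in the host block whose other import is `./host/roam`, and the server bundle added in this same patch pins a static IPv6 address and default gateway on `ens3` and narrows the firewall to TCP 80/443. That is only right if this block is the VPS; if `roam` is a mobile machine, those interface settings would be applied to it too. A short comment next to the import, e.g. `mod.server.all # headscale + nginx; assumes the VPS' static ens3 uplink`, would make the intent explicit for the next reader. The enclosing host definition starts and ends outside the hunk.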
@@ -1,51 +1,52 @@ { ... }: { - networking.networkmanager.enable = true; - networking.networkmanager.wifi.macAddress = "random"; - hardware.bluetooth.enable = true; services.blueman.enable = true; + systemd.services.NetworkManager-wait-online.enable = false; services.tailscale = { enable = true; useRoutingFeatures = "client"; }; - systemd.services.NetworkManager-wait-online.enable = false; - - networking.networkmanager.ensureProfiles.profiles = { - "tuda-vpn" = { - connection = { - autoconnect = "false"; - id = "tuda-vpn"; - type = "vpn"; - }; - ipv4 = { - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - vpn = { - authtype = "password"; - autoconnect-flags = "0"; - certsigs-flags = "0"; - cookie-flags = "2"; - disable_udp = "no"; - enable_csd_trojan = "no"; - gateway = "vpn.hrz.tu-darmstadt.de"; - gateway-flags = "2"; - gwcert-flags = "2"; - lasthost-flags = "0"; - pem_passphrase_fsid = "no"; - prevent_invalid_cert = "no"; - protocol = "anyconnect"; - resolve-flags = "2"; - service-type = "org.freedesktop.NetworkManager.openconnect"; - stoken_source = "disabled"; - xmlconfig-flags = "0"; - password-flags = 0; + networking = { + enableIPv6 = true; + networkmanager.enable = true; + networkmanager.wifi.macAddress = "random"; + networkmanager.ensureProfiles.profiles = { + "tuda-vpn" = { + connection = { + autoconnect = "false"; + id = "tuda-vpn"; + type = "vpn"; + }; + ipv4 = { + method = "auto"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + vpn = { + authtype = "password"; + autoconnect-flags = "0"; + certsigs-flags = "0"; + cookie-flags = "2"; + disable_udp = "no"; + enable_csd_trojan = "no"; + gateway = "vpn.hrz.tu-darmstadt.de"; + gateway-flags = "2"; + gwcert-flags = "2"; + lasthost-flags = "0"; + pem_passphrase_fsid = "no"; + prevent_invalid_cert = "no"; + protocol = "anyconnect"; + resolve-flags = "2"; + service-type = "org.freedesktop.NetworkManager.openconnect"; + stoken_source = 
"disabled"; + xmlconfig-flags = "0"; + password-flags = 0; + }; }; }; }; diff --git a/mod/server/all.nix b/mod/server/all.nix new file mode 100644 index 0000000..fb02e56 --- /dev/null +++ b/mod/server/all.nix @@ -0,0 +1,8 @@ +{ mod, ... }: +{ + imports = with mod.server; [ + services + networking + security + ]; +} diff --git a/mod/server/networking.nix b/mod/server/networking.nix new file mode 100644 index 0000000..05a80f3 --- /dev/null +++ b/mod/server/networking.nix @@ -0,0 +1,28 @@ +{ ... }: +{ + networking = { + enableIPv6 = true; + + interfaces = { + "ens3".ipv6.addresses = [ + { + address = "2a03:4000:3b:f99::"; + prefixLength = 64; + } + ]; + }; + + defaultGateway6 = { + address = "fe80::1"; + interface = "ens3"; + }; + + firewall = { + enable = true; + allowedTCPPorts = [ + 80 + 443 + ]; + }; + }; +} diff --git a/mod/server/security.nix b/mod/server/security.nix new file mode 100644 index 0000000..9c8200d --- /dev/null +++ b/mod/server/security.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + security = { + acme = { + acceptTerms = true; + defaults.email = "acme@henri-dohmen.de"; + }; + }; +} diff --git a/mod/server/services.nix b/mod/server/services.nix new file mode 100644 index 0000000..9bd0fa0 --- /dev/null +++ b/mod/server/services.nix @@ -0,0 +1,35 @@ +{ config, ... }: +let + headscale-domain = "headscale.hdohmen.de"; +in +{ + services = { + # TODO: maybe just use wireguard... + headscale = { + enable = true; + address = "127.0.0.1"; + port = 8080; + settings = { + server_url = "https://${headscale-domain}"; + prefixes.v4 = "100.10.11.0/24"; + prefixes.v6 = "fd7a:115c:1011::/48"; + dns = { + magic_dns = true; + base_domain = "net.hdohmen.de"; + }; + }; + }; + + nginx = { + enable = true; + virtualHosts.${headscale-domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}"; + proxyWebsockets = true; + }; + }; + }; + }; +}