self-hosting/profiles/relay1.nix

{
  modulesPath,
  ...
}:
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ../environment.nix
    ../modules/openssh.nix
  ];

  networking.useDHCP = true;
  nixpkgs.hostPlatform = "x86_64-linux";

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  time.timeZone = "Europe/Amsterdam";

  boot.tmp.cleanOnBoot = true;
  networking.firewall.allowPing = true;
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  networking.usePredictableInterfaceNames = false;
  custom.services.openssh.enable = true;
  services.openssh.openFirewall = true;

  services.nscd.enableNsncd = true;
  zramSwap.enable = true;

  security.acme = {
    acceptTerms = true;
    defaults.email = "letsencrypt.account@banditlair.com";
    certs."ws.banditlair.com" = {
      listenHTTP = "0.0.0.0:80";
      reloadServices = [ "wstunnel-server-relay.service" ];
    };
  };

  services.wstunnel = {
    enable = true;
    servers.relay = {
      listen = {
        host = "0.0.0.0";
        port = 443;
        enableHTTPS = true;
      };
      useACMEHost = "ws.banditlair.com";
      settings = {
        log-lvl = "INFO";
        restrict-to = [
          {
            host = "127.0.0.1";
            port = 51820;
          }
        ];
      };
    };
  };

  systemd.services.wstunnel-server-relay = {
    after = [ "acme-ws.banditlair.com.service" ];
    wants = [ "acme-ws.banditlair.com.service" ];
  };

  networking.wireguard.enable = true;
  networking.wireguard.interfaces.wg-relay = {
    ips = [ "10.250.250.1/30" ];
    listenPort = 51820;
    privateKeyFile = "/var/lib/wireguard/wg-relay.key";
    generatePrivateKeyFile = true;
    peers = [
      {
        publicKey = "EX3QEJYNzs3sA3FUEIc9YGAhEup20qOCzUe+nMRrljQ=";
        allowedIPs = [
          "10.250.250.2/32"
          "10.33.0.0/16"
          "10.46.0.0/16"
          "10.133.0.0/16"
          "10.134.0.0/16"
          "10.161.0.0/16"
          "10.200.0.0/16"
        ];
      }
    ];
  };

  services.tailscale = {
    enable = true;
    useRoutingFeatures = "server";
    extraSetFlags = [
      "--advertise-routes=10.250.250.2/32,10.33.0.0/16,10.46.0.0/16,10.133.0.0/16,10.134.0.0/16,10.161.0.0/16,10.200.0.0/16"
    ];
  };

  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  networking.nat = {
    enable = true;
    internalInterfaces = [ "tailscale0" ];
    externalInterface = "wg-relay";
  };

  disko.devices = {
    disk.disk1 = {
      device = "/dev/sda";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "500M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "lvm_pv";
              vg = "pool";
            };
          };
        };
      };
    };
    lvm_vg = {
      pool = {
        type = "lvm_vg";
        lvs = {
          root = {
            size = "100%FREE";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
              mountOptions = [
                "defaults"
              ];
            };
          };
        };
      };
    };
  };
}
Setup relay server 2026-03-24 13:18:01 +01:00			`{`
			`modulesPath,`
			`...`
			`}:`
			`{`
			`imports = [`
			`(modulesPath + "/installer/scan/not-detected.nix")`
			`(modulesPath + "/profiles/qemu-guest.nix")`
			`../environment.nix`
			`../modules/openssh.nix`
			`];`

			`networking.useDHCP = true;`
			`nixpkgs.hostPlatform = "x86_64-linux";`

			`boot.loader.grub = {`
			`efiSupport = true;`
			`efiInstallAsRemovable = true;`
			`};`

			`time.timeZone = "Europe/Amsterdam";`

			`boot.tmp.cleanOnBoot = true;`
			`networking.firewall.allowPing = true;`
relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
Setup relay server 2026-03-24 13:18:01 +01:00			`networking.usePredictableInterfaceNames = false;`
			`custom.services.openssh.enable = true;`
			`services.openssh.openFirewall = true;`

			`services.nscd.enableNsncd = true;`
			`zramSwap.enable = true;`

relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "letsencrypt.account@banditlair.com";`
			`certs."ws.banditlair.com" = {`
			`listenHTTP = "0.0.0.0:80";`
			`reloadServices = [ "wstunnel-server-relay.service" ];`
Setup relay server 2026-03-24 13:18:01 +01:00			`};`
			`};`

relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`services.wstunnel = {`
			`enable = true;`
			`servers.relay = {`
			`listen = {`
			`host = "0.0.0.0";`
			`port = 443;`
			`enableHTTPS = true;`
			`};`
			`useACMEHost = "ws.banditlair.com";`
			`settings = {`
			`log-lvl = "INFO";`
			`restrict-to = [`
			`{`
			`host = "127.0.0.1";`
			`port = 51820;`
			`}`
			`];`
			`};`
			`};`
			`};`
Setup relay server 2026-03-24 13:18:01 +01:00
relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`systemd.services.wstunnel-server-relay = {`
			`after = [ "acme-ws.banditlair.com.service" ];`
			`wants = [ "acme-ws.banditlair.com.service" ];`
			`};`
Setup relay server 2026-03-24 13:18:01 +01:00
relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`networking.wireguard.enable = true;`
			`networking.wireguard.interfaces.wg-relay = {`
			`ips = [ "10.250.250.1/30" ];`
			`listenPort = 51820;`
			`privateKeyFile = "/var/lib/wireguard/wg-relay.key";`
			`generatePrivateKeyFile = true;`
			`peers = [`
			`{`
			`publicKey = "EX3QEJYNzs3sA3FUEIc9YGAhEup20qOCzUe+nMRrljQ=";`
			`allowedIPs = [`
			`"10.250.250.2/32"`
			`"10.33.0.0/16"`
			`"10.46.0.0/16"`
			`"10.133.0.0/16"`
			`"10.134.0.0/16"`
			`"10.161.0.0/16"`
			`"10.200.0.0/16"`
			`];`
			`}`
			`];`
			`};`
Setup relay server 2026-03-24 13:18:01 +01:00
relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`services.tailscale = {`
			`enable = true;`
			`useRoutingFeatures = "server";`
			`extraSetFlags = [`
			`"--advertise-routes=10.250.250.2/32,10.33.0.0/16,10.46.0.0/16,10.133.0.0/16,10.134.0.0/16,10.161.0.0/16,10.200.0.0/16"`
			`];`
			`};`
Setup relay server 2026-03-24 13:18:01 +01:00
relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`boot.kernel.sysctl."net.ipv4.ip_forward" = true;`
Setup relay server 2026-03-24 13:18:01 +01:00
relay1: migrate to wstunnel + WireGuard subnet relay via Headscale Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access. 2026-03-25 14:54:08 +01:00			`networking.nat = {`
			`enable = true;`
			`internalInterfaces = [ "tailscale0" ];`
			`externalInterface = "wg-relay";`
			`};`
Setup relay server 2026-03-24 13:18:01 +01:00
			`disko.devices = {`
			`disk.disk1 = {`
			`device = "/dev/sda";`
			`type = "disk";`
			`content = {`
			`type = "gpt";`
			`partitions = {`
			`boot = {`
			`name = "boot";`
			`size = "1M";`
			`type = "EF02";`
			`};`
			`esp = {`
			`name = "ESP";`
			`size = "500M";`
			`type = "EF00";`
			`content = {`
			`type = "filesystem";`
			`format = "vfat";`
			`mountpoint = "/boot";`
			`};`
			`};`
			`root = {`
			`name = "root";`
			`size = "100%";`
			`content = {`
			`type = "lvm_pv";`
			`vg = "pool";`
			`};`
			`};`
			`};`
			`};`
			`};`
			`lvm_vg = {`
			`pool = {`
			`type = "lvm_vg";`
			`lvs = {`
			`root = {`
			`size = "100%FREE";`
			`content = {`
			`type = "filesystem";`
			`format = "ext4";`
			`mountpoint = "/";`
			`mountOptions = [`
			`"defaults"`
			`];`
			`};`
			`};`
			`};`
			`};`
			`};`
			`};`
			`}`