From 3893ba3de19711d1f2dc01b2a64a00c62a44b8d8 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Fri, 29 Aug 2025 16:08:14 +0200
Subject: [PATCH] Add headscale
---
 modules/default.nix | 1 +
 modules/headscale.nix | 55 +++++++++++++++++++++++++++++++++++++++++++
 profiles/hel.nix | 1 +
 terraform/dns.tf | 8 +++++++
 4 files changed, 65 insertions(+)
 create mode 100644 modules/headscale.nix
diff --git a/modules/default.nix b/modules/default.nix
index 0f7b98b..c590769 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -24,5 +24,6 @@
 ./foundryvtt.nix
 ./immich.nix
 ./forgejo.nix
+ ./headscale.nix
 ];
 }
diff --git a/modules/headscale.nix b/modules/headscale.nix
new file mode 100644
index 0000000..08e92c4
--- /dev/null
+++ b/modules/headscale.nix
@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.custom.services.headscale;
+ domain = "hs.${config.networking.domain}";
+in
+{
+ options.custom.services.headscale = {
+ enable = mkEnableOption "headscale";
+ };
+
+ config = mkIf cfg.enable {
+
+ services.headscale = {
+ enable = true;
+ port = 28080;
+ settings = {
+ server_url = "https://${domain}";
+ derp = {
+ server = {
+ enabled = true;
+ stun_listen_addr = "0.0.0.0:4478";
+ };
+ # urls = [ ];
+ auto_update_enabled = false;
+ };
+ dns = {
+ base_domain = "ts.net";
+ nameservers = {
+ split = {
+ "foyer.cloud" = "10.33.0.100";
+ "foyer.lu" = "10.33.0.100";
+ "lefoyer.lu" = "10.33.0.100";
+ };
+ };
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ networking = {
+ firewall.allowedUDPPorts = [
+ 4478
+ ];
+ };
+ };
+}
diff --git a/profiles/hel.nix b/profiles/hel.nix
index 04e0bc3..18eadbc 100644
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
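Review bot: The commented-out `# urls = [ ];` in the derp block of modules/headscale.nix leaves `derp.urls` at the module default, which I believe is the upstream Tailscale DERP map, so clients would be offered the public Tailscale relays alongside the embedded one (and with `auto_update_enabled = false` that map is read only at startup). Traffic over DERP remains WireGuard-encrypted, so this is an availability and metadata question rather than a confidentiality one, but the intent should be stated: either activate the line as `urls = [ ];` to rely solely on this relay, or replace the dead comment with one such as `# upstream DERP map kept as fallback relays`. Separately, the top-level `with lib;` is discouraged in nixpkgs-style modules; drop it and write `enable = lib.mkEnableOption "headscale";` and `config = lib.mkIf cfg.enable {`. The three split-DNS entries all point to 10.33.0.100; a one-line comment saying how tailnet clients reach that resolver (presumably via an advertised subnet route) would save the next reader a guess.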
@@ -233,6 +233,7 @@ monitoring-exporters.enable = true;
 immich.enable = true;
 forgejo.enable = true;
+ headscale.enable = true;
 backup-job = {
 enable = true;
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 6674457..d9f06f5 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -229,6 +229,14 @@ resource "hetznerdns_record" "ch_a" {
 ttl = 600
 }
+resource "hetznerdns_record" "hs_a" {
+ zone_id = data.hetznerdns_zone.banditlair_zone.id
+ name = "hs"
+ value = local.hel1_ip
+ type = "A"
+ ttl = 600
+}
+
 # Email
 resource "hetznerdns_record" "mail_mx" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id