nixos-config/modules/headscale/default.nix


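# NixOS module: runs a headscale control server and publishes it through a
# Caddy reverse proxy that terminates TLS on ports 80/443.
{ pkgs, config, lib, ... }:
with lib;
let
  cfg = config.eboskma.headscale;

  # Follow the port configured on the upstream headscale module instead of
  # repeating its default, so the proxy target cannot drift from the listener.
  headscalePort = toString config.services.headscale.port;
in
{
  options.eboskma.headscale = {
    enable = mkEnableOption "headscale";

    # Used both as headscale's `server_url` and, verbatim, as the Caddy site
    # address below.
    serverUrl = mkOption {
      description = "Server URL";
      type = types.str;
    };

    # `null` is the "not set" value, so the type has to admit it: with plain
    # `types.str` the default itself fails the type check as soon as the
    # option is read without an explicit definition.
    baseDomain = mkOption {
      description = "Tailscale MagicDNS base domain";
      type = types.nullOr types.str;
      default = null;
    };
  };

  config = mkIf cfg.enable {
    services.headscale = {
      enable = true;
      settings = {
        # The ACL policy lives in mutable state outside the Nix store; this
        # module neither creates nor versions it.
        # NOTE(review): confirm who can write this file and what headscale
        # does when it is missing; it is the policy that limits node-to-node
        # access.
        acl_policy_path = "/var/lib/headscale/acls.hujson";

        dns_config = {
          # Pushes the resolver list below to clients in place of their local
          # DNS settings, so every tailnet lookup goes to, and is visible to,
          # this single public resolver.
          override_local_dns = true;

          # Leave the setting undefined when no base domain was given rather
          # than handing `null` to headscale.
          base_domain = mkIf (cfg.baseDomain != null) cfg.baseDomain;

          nameservers = [
            "1.1.1.1"
          ];
        };

        server_url = cfg.serverUrl;

        # Address ranges node IPs are allocated from (IPv6 ULA and the
        # 100.64.0.0/10 shared address space).
        ip_prefixes = [
          "fd7a:115c:a1e0::/48"
          "100.64.0.0/10"
        ];
      };
    };

    services.caddy = {
      enable = true;
      email = "erwin@datarift.nl";
      virtualHosts = {
        # NOTE(review): assumes serverUrl is the public https:// URL, so that
        # Caddy serves it over TLS with an automatically issued certificate.
        "${cfg.serverUrl}" = {
          # The hop to headscale is plain HTTP and stays on the loopback
          # interface.
          extraConfig = ''
            reverse_proxy localhost:${headscalePort}
          '';
        };
      };
    };

    # NOTE(review): this accepts the CA terms for NixOS' own security.acme
    # certificates; confirm it is still needed alongside Caddy's built-in
    # ACME client.
    security.acme.acceptTerms = true;

    # Only the proxy ports are opened; headscale's own listener is not added
    # to the firewall here.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    environment.systemPackages = [ pkgs.headscale ];

    # NOTE(review): presumably lets the main user run the `headscale` CLI
    # without sudo. Membership of this group amounts to administrative
    # control of the tailnet (users, nodes, pre-auth keys); confirm that is
    # intended for this account.
    users.users.${config.eboskma.var.mainUser}.extraGroups = [ "headscale" ];
  };
}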