feat: apply permanent headscale configuration with OIDC and IP overrides

2026-01-28 20:37:00 -07:00 · 2026-01-28 20:37:00 -07:00 · e9509ca91e
commit e9509ca91e
parent 7c1bdb2c54
1 changed files with 54 additions and 34 deletions
--- a/headscale.nix
+++ b/headscale.nix
@ -22,46 +22,66 @@ in
    address = "0.0.0.0";
    port = 8085;
    settings = {
-        dns = {
-          override_local_dns = true;
-          base_domain = "hs.${domain}";
-          magic_dns = true;
-          domains = [ "hs.${domain}" ];
-          nameservers = {
+      server_url = "https://headscale.${domain}";
+      metrics_listen_addr = "127.0.0.1:8095";
+      disable_check_updates = true;
+      logtail = {
+        enabled = false;
+      };
+      
+      ip_prefixes = [
+        "10.200.0.0/16"
+        "fd7a:115c:a1e0::/48"
+      ];
+
+      prefixes = {
+        allocation = "sequential";
+        v4 = "10.200.0.0/16";
+        v6 = "fd7a:115c:a1e0::/48";
+      };
+
+      derp = {
+        server = {
+          enable = true;
+          region_id = 999;
+          stun_listen_addr = "0.0.0.0:${toString derpPort}";
+          private_key_path = "/var/lib/headscale/derp_server_private.key";
+        };
+        urls = [
+          "https://controlplane.tailscale.com/derpmap/default"
+        ];
+      };
+
+      # Restored 'dns' key for compatibility, merging desired settings
+      dns = {
+        magic_dns = true;
+        base_domain = "hs.${domain}";
+        override_local_dns = true;
+        domains = [ "hs.${domain}" ];
+        nameservers = {
            global = [
                "1.1.1.1"
                "9.9.9.9"
            ];
-          };
-        };
-        server_url = "https://headscale.${domain}";
-        metrics_listen_addr = "127.0.0.1:8095";
-        logtail = {
-          enabled = false;
-        };
-        log = {
-          level = "info";
-        };
-        node_update_check_interval = "10s";
-        derp.server = {
-          enable = true;
-          region_id = 999;
-          stun_listen_addr = "0.0.0.0:${toString derpPort}";
-        };
-        ip_prefixes = [
-          "100.64.0.0/10"
-          "fd7a:115c:a1e0::/48"
-        ];
-        grpc_listen_addr = "127.0.0.1:50443";  # Required for Headplane communication
-        api_key_path = "/etc/headscale/apikey";
-        policy.mode = "database";
-        oidc = {
-          issuer = "https://auth.kennys.mom/realms/headscale";
-          client_id = "headplane";
-          client_secret_path = "/var/lib/headscale/oidc_client_secret";
-          strip_email_domain = true;
        };
      };
+
+      oidc = {
+        issuer = "https://auth.kennys.mom/realms/headscale";
+        client_id = "headplane";
+        client_secret_path = "/var/lib/headscale/oidc_client_secret";
+        scope = [ "openid" "profile" "email" ];
+        strip_email_domain = true;
+      };
+
+      log.level = "info";
+      node_update_check_interval = "10s";
+      
+      # Critical settings for Headplane integration
+      grpc_listen_addr = "127.0.0.1:50443";
+      api_key_path = "/etc/headscale/apikey";
+      policy.mode = "database";
+    };
  };
  # Put strict config as file for headplane
  environment.etc."headscale-strict.yml".source = headscaleConfigFile;