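# NixOS host configuration for "hosting-01": headscale behind an nginx
# TLS-terminating proxy, with the headplane web UI served under /admin on the
# same virtual host.
{ inputs, config, pkgs, lib, ... }:
let
  format = pkgs.formats.yaml { };

  # Copy of the headscale settings handed to headplane. Every path-like and
  # secret-bearing option is pointed at /dev/null in this copy; the generated
  # file ends up in the Nix store (world-readable), so presumably this lets
  # headplane's strict config parsing succeed without the store copy
  # referencing real key/secret locations — TODO confirm against headplane's
  # config_strict documentation.
  settings = lib.recursiveUpdate config.services.headscale.settings {
    acme_email = "/dev/null";
    tls_cert_path = "/dev/null";
    tls_key_path = "/dev/null";
    policy.path = "/dev/null";
    oidc.client_secret_path = "/dev/null";
  };

  headscaleConfig = format.generate "headscale.yml" settings;
in
{
  imports = [
    ./disk-config.nix
    { _module.args.disks = [ "/dev/sda" ]; }
    inputs.headplane.nixosModules.headplane
    ../common/servers
    ./auth
  ];

  time.timeZone = "Europe/Berlin";
  networking.hostName = "hosting-01";
  networking.nameservers = [ "8.8.8.8" ];

  # Only the proxy is reachable from outside; headscale (8080) and headplane
  # (8081) are not in this list and so stay host-internal.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
  };

  nixpkgs.overlays = [ inputs.headplane.overlays.default ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  services.headscale = {
    enable = true;
    # Bound on all IPv4 interfaces; the firewall block above is what keeps
    # this port internal, so keep the two in step if either changes.
    address = "0.0.0.0";
    port = 8080;
    settings = {
      server_url = "https://headscale.escapeangle.com";
      dns = {
        base_domain = "tailnet.escapeangle.com";
      };
    };
  };

  services.headplane = {
    enable = true;
    agent.enable = false;
    settings = {
      server = {
        host = "127.0.0.1";
        port = 8081;
        # Placeholder only — per the author's note the real value is supplied
        # through the environment at runtime. This literal lives in the Nix
        # store, so it must not be the secret actually in use.
        cookie_secret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; # replaced in env
        cookie_secure = true;
      };
      headscale = {
        url = "https://headscale.escapeangle.com";
        config_path = "${headscaleConfig}";
        config_strict = true;
      };
      integration.proc.enabled = true;
    };
  };

  services.nginx.virtualHosts."headscale.escapeangle.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Explicit IPv4 loopback instead of "localhost": headscale listens on an
      # IPv4 address, and a name that also resolves to ::1 would have nginx
      # alternate between both addresses. Also matches the /admin location.
      proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
      proxyWebsockets = true;
    };
    locations."/admin" = {
      proxyPass = "http://127.0.0.1:${toString config.services.headplane.settings.server.port}";
      proxyWebsockets = true;
    };
  };

  security.acme.defaults.email = "landervandenbulcke@gmail.com";
  security.acme.acceptTerms = true;

  system.stateVersion = "25.05";
}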