{ config, pkgs, ... }:

# Headplane (web admin UI for headscale) as a NixOS module, wired to the
# host's headscale domain, authelia (OIDC), nginx and an agenix env file.
let
  # Public hostname shared with headscale; headplane is served under /admin.
  svc_domain = config.mine.shared.settings.headscale.domain;

  sources = import ./../../../../shared/sources;
  flake-compat = sources.flake-compat;

  # NOTE(review): not referenced anywhere in this module. let-bindings are
  # evaluated lazily, so this tarball is never fetched; remove it or use it.
  newpkgs = (import (builtins.fetchTarball {
    # NOTE(review): no `sha256` given, so the archive is fetched without
    # content verification. Add `sha256 = "<hash-placeholder>"` so the
    # fetch is reproducible and checked against a known digest.
    url = "https://github.com/NixOS/nixpkgs/archive/c2a03962b8e24e669fb37b7df10e7c79531ff1a4.tar.gz";
  }) {});

  # Upstream headplane at a fixed commit, with nix/package.nix patched so
  # the pnpmDeps fixed-output hash is replaced (see the inline patch).
  headplanesrc = let
    # Separate nixpkgs pin, used only for applyPatches / writeText here.
    tmppkgs = (import (builtins.fetchTarball {
      # NOTE(review): also fetched without a `sha256`; same remark as above.
      url = "https://github.com/NixOS/nixpkgs/archive/ab7b6889ae9d484eed2876868209e33eb262511d.tar.gz";
    }) {});

    src = builtins.fetchTarball {
      # NOTE(review): no `sha256` — this archive is what ends up running as
      # the admin UI, so a content hash matters most on this fetch.
      url = "https://github.com/tale/headplane/archive/2f316176c8c37ad63946d7075c727478f81303b2.tar.gz";
    };
  in tmppkgs.applyPatches {
    src = src;
    name = "headplane-patched";
    patches = [
      # Replaces the pnpmDeps hash in upstream nix/package.nix.
      # `''` strips only the common leading indent, so the diff's context
      # lines must keep their own leading space for `patch` to apply —
      # verify against the committed file if the patch stops applying.
      (tmppkgs.writeText "headplane-package-pnpm-hash.patch" ''
        diff --git a/nix/package.nix b/nix/package.nix
        index bb430d7..11349c4 100644
        --- a/nix/package.nix
        +++ b/nix/package.nix
        @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: {

        pnpmDeps = pnpm_10.fetchDeps {
        inherit (finalAttrs) pname version src;
        - hash = "sha256-OOWgYaGwa5PtWhFEEkRCojCDmkPIR6tJ5cfFMOLND3I=";
        + hash = "sha256-xjjkqbgjYaAGYAmlTFE+Lq3Hp6myZKaW3br0YTDNhQA=";
        };
      '')
    ];
  };

  # Evaluate the patched checkout's flake outputs through flake-compat.
  headplane = import flake-compat { src = headplanesrc; };
in {
  imports = [
    headplane.defaultNix.nixosModules.headplane
  ];

  services.headplane = {
    enable = true;
    # No headplane agent on this host.
    agent.enable = false;

    settings = {
      server = {
        # Loopback only; nginx below is the public entry point.
        host = "127.0.0.1";
        port = 53874;
        # NOTE(review): placeholder value. If the EnvironmentFile does not
        # override it, sessions would be signed with this well-known string;
        # confirm the override is present in the secret.
        cookie_secret = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; # replaced in env
        cookie_secure = true;
      };

      headscale = {
        url = "https://${svc_domain}";
        # Relaxes headplane's validation of the headscale config —
        # presumably needed for compatibility; confirm it is still required.
        config_strict = false;
      };

      oidc = {
        issuer = "https://${config.mine.shared.settings.authelia.domain}";
        client_id = "headplane";
        # Real value is supplied by the EnvironmentFile (systemd section).
        client_secret = "<from_env>";
        redirect_uri = "https://${svc_domain}/admin/oidc/callback";

        # headscale API key for authenticating users
        # (real value also comes from the EnvironmentFile)
        headscale_api_key = "<from_env>";

        # default to state directory
        user_storage_file = "/var/lib/headplane/users.json";

        # set to the default authelia auth method
        token_endpoint_auth_method = "client_secret_basic";

        # disable authenticating with headscale api key
        # (OIDC becomes the only login path)
        disable_api_key_login = true;
      };
    };
  };

  # headplane module does not allow setting package,
  # so we have to add headplane to pkgs
  nixpkgs.overlays = [
    (self: super: {
      # NOTE(review): hard-codes x86_64-linux; presumably this host's
      # system — would need pkgs.system if the module is reused elsewhere.
      headplane = headplane.defaultNix.packages.x86_64-linux.headplane;
    })
  ];

  systemd.services.headplane.serviceConfig = {
    # setup state directory
    StateDirectory = "headplane";

    # load configs from env file
    # (holds the cookie secret, OIDC client secret and headscale API key)
    EnvironmentFile = [ config.age.secrets.headplane-env.path ];
  };

  # setup for oidc
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "headplane";
    client_name = "Headplane";
    # pbkdf2-sha512 digest of the client secret, not the plaintext; the
    # plaintext lives only in the headplane env file.
    client_secret = "$pbkdf2-sha512$310000$h7Te42JTu4Xsqz/8CGan7Q$qDd183LHmEsgNvVAI8Xf.1DpRMeS8DqNmDpkkjkxgRR/lZYQgAkXYzL2MyvLqNFFSVKAdMTsD/Jxk72g9fxnew";
    # No consent prompt for this first-party client.
    consent_mode = "implicit";
    # Must match settings.oidc.redirect_uri above.
    redirect_uris = [ "https://${svc_domain}/admin/oidc/callback" ];
    scopes = [
      "openid"
      "profile"
      "email"
    ];
  }];

  # nginx
  services.nginx.virtualHosts."${svc_domain}".locations."/admin" = {
    proxyPass = "http://127.0.0.1:${builtins.toString config.services.headplane.settings.server.port}";
    # Presumably so /admin takes precedence over other locations on the
    # shared headscale vhost.
    priority = 5;
  };

  # persistence
  environment.persistence.root.directories = [
    "/var/lib/headplane"
  ];
}