
Untitled

a guest
Jan 14th, 2024
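  let
    # TSIG key material for bind. Currently an empty file; it is only referenced
    # from the commented-out bind.extraConfig further down.
    dnskeys = pkgs.writeText "dnskeys.conf" ''
    '';

    # Zone file for headscale.demo.com, served by bind only when enable_bind is
    # true. The A record for ns1 is a 0.0.0.0 placeholder and has to be replaced
    # with the real nameserver address before this zone is published.
    headscaledemocom = pkgs.writeText "headscale.demo.com" ''
      $ORIGIN headscale.demo.com.
      $TTL 1d
      ns1 IN A 0.0.0.0

      @ IN SOA ns1.headscale.demo.com. admin.headscale.demo.com. (
      2024011402 ; Serial
      1h ; Refresh
      15m ; Retry
      1w ; Expire
      3h ; Negative Cache TTL
      )

      @ IN NS ns1.headscale.demo.com.
    '';

    # Credentials consumed by the ACME "pdns" DNS provider.
    # NOTE(review): pkgs.writeText puts this file in /nix/store, which is
    # world-readable on the host, so PDNS_API_KEY is readable by every local
    # user and travels with any copy of the store. Acceptable for a throwaway
    # lab with a local PowerDNS; for anything else, credentialsFile should
    # point at a file kept outside the store rather than at a store path.
    pdnsconf = pkgs.writeText "certs.secret" ''
      PDNS_API_KEY="ce3d5b4c6bc08a0057244149e1d8716c6008916b66a5cc8f4ee875a56bf51a4b"
      PDNS_API_URL="http://localhost:8081"
    '';

    # bind is wired up below but switched off here.
    enable_bind = false;

    #domain = "myheadscale.demo.com";
    this = {
      domain = "myheadscale.demo.com";
      #dns = import (builtins.fetchTarball "https://github.com/kirelagin/dns.nix/archive/master.zip");
    };

    # Settings shared by both ACME certificates (they were written out twice,
    # identically).
    pdnsCert = {
      dnsProvider = "pdns";
      dnsResolver = "localhost:53"; # This should be pdns.
      dnsPropagationCheck = true;
      credentialsFile = pdnsconf;
      # webroot = "/var/lib/acme/challenges-de";
      group = "nginx";
      email = "SpiderUnderUrBed@proton.me";
    };
  in
  {
    #security.pki.certificateFiles = ["/home/spiderunderurbed/crt/headscale.crt"];
    # Placeholder only: this string is appended to the system CA bundle as-is
    # and is not a PEM certificate yet.
    security.pki.certificates = [ ''
      #CERT GOES HERE
    '' ];

    # `networking = { ... }` and `networking.firewall = { ... }` side by side in
    # one attribute set is a Nix evaluation error ("attribute 'networking'
    # already defined"); written as attribute paths they merge.
    networking.nameservers = ["8.8.8.8"];
    networking.firewall = {
      checkReversePath = "loose";
      trustedInterfaces = [ "tailscale0" ];
      allowedUDPPorts = [ config.services.tailscale.port ];
    };

    security.acme = {
      # Pebble test CA, run as a container further down.
      server = "https://localhost:14000";
      preliminarySelfsigned = true;
      acceptTerms = true;
      email = "SpiderUnderUrBed@proton.me";
      certs."demo.com" = pdnsCert;
      # NOTE(review): nginx below uses useACMEHost = "demo.com" for the vhost
      # ${this.domain}; as written neither cert lists that name (no
      # extraDomainNames), so the served certificate presumably will not match
      # the vhost — confirm.
      certs."headscale.demo.com" = pdnsCert;
    };

    services = {
      # Was a separate `services.tailscale.enable = true;` next to
      # `services = { ... }`, the same duplicate-attribute evaluation error as
      # for networking above.
      tailscale.enable = true;

      headscale = {
        # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
        enable = true;
        # NOTE(review): nginx proxies to localhost only, so "127.0.0.1" would be
        # enough here; on 0.0.0.0 headscale is also reachable directly over
        # tailscale0, which the firewall trusts.
        address = "0.0.0.0";
        port = 8080;
        serverUrl = "https://${this.domain}";
        dns = { baseDomain = "demo.com"; };
        settings = { logtail.enabled = false; server_url = "https://${this.domain}"; };
      };

      # nginx.enable = true;
      nginx = {
        enable = true;
        virtualHosts.${this.domain} = {
          ## enable = true;
          forceSSL = true;
          # enableACME = true;
          useACMEHost = "demo.com";
          locations."/" = {
            proxyPass = "http://localhost:${toString config.services.headscale.port}";
            proxyWebsockets = true;
          };
        };
      };

      powerdns = {
        # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
        enable = true;
        # Enable PowerDNS
        # authoritative = true;
        # zones = {
        # };
      };

      # services.powerdns-admin.config is a string holding the Python
      # configuration file, not an attribute set, so the previous
      # `powerdns-admin.config = { enable = true; ... }` would not type-check;
      # `enable` belongs one level up.
      powerdns-admin = {
        enable = true;
        # NOTE(review): 0.0.0.0 exposes the admin UI on every interface,
        # including the trusted tailscale0; '127.0.0.1' unless remote access
        # is intended. Also check whether the module requires secretKeyFile /
        # saltFile to be set — not visible from this file.
        config = ''
          BIND_ADDRESS = '0.0.0.0'
          PORT = 8000
        '';
      };

      bind = {
        # allowQuery = [ "127.0.0.1" ]; # Allow queries from localhost
        # allowTransfer = [ "127.0.0.1" ]; # Allow zone transfers from localhost
        #listenOn = [ "127.0.0.1" ]; # Listen on localhost
        forwarders = [ "8.8.8.8" "127.0.0.1" ]; # Use Google's public DNS as a forwarder (optional)
        forward = "first";
        listenOn = [ "127.0.0.1" ];
        ipv4Only = true;
        # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
        enable = enable_bind;
        # extraConfig = ''
        # include dnskeys;
        # '';
        zones = [
          {
            name = "headscale.demo.com";
            allowQuery = ["127.0.0.1"];
            file = headscaledemocom;
            master = true;
            # NOTE(review): the TSIG key named here is not defined anywhere in
            # this file (dnskeys is empty and its include is commented out), so
            # turning enable_bind on would presumably fail named's config check
            # until the key is added.
            extraConfig = "allow-update { key pdns.headscale.demo.com.; };";
          }
        ];
      };

      # services.powerdns = {
      # enable = true;
      # }
    };

    environment.systemPackages = with pkgs; [
      librewolf yakuake config.services.headscale.package nginx
    ];
    #environment.systemPackages = [ pkgs.librewolf ];

    virtualisation.docker.enable = true;

    virtualisation.oci-containers = {
      backend = "docker";
      containers = {
        # An oci-container needs at least `image`; the former empty set
        # `coweire = {};` does not evaluate. Kept here, disabled, until the
        # image is decided.
        # coweire = { image = "cowrie:latest"; };
        pebble = {
          image = "letsencrypt/pebble";
          # Bound to loopback: ports published by Docker are generally not
          # filtered by networking.firewall, and only the local ACME client
          # (security.acme.server above) needs to reach Pebble.
          ports = ["127.0.0.1:14000:14000"]; # Expose the Pebble challenge test server port

          # Additional configurations for Pebble
          environment = {
            PEBBLE_VA_NOSLEEP = "1"; # Optional: Disable sleeping in the VA (Validation Authority)
            # NOTE(review): upstream documents PEBBLE_WFE_NONCEREJECT as the
            # percentage of nonces to reject (0 disables), not a boolean —
            # confirm that "true" is accepted.
            PEBBLE_WFE_NONCEREJECT = "true"; # Optional: Allow nonces to be reused
          };
        };
        # headscale = {};
      };
    };
  };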