let
  # TSIG key definitions meant for BIND's `include dnskeys;` line (see
  # services.bind.extraConfig, which is currently commented out). The file is
  # empty, so no key is defined yet — see the bind zone's allow-update ACL.
  dnskeys = pkgs.writeText "dnskeys.conf" ''
  '';
- headscaledemocom = pkgs.writeText "headscale.demo.com"
- ''
- $ORIGIN headscale.demo.com.
- $TTL 1d
- ns1 IN A 0.0.0.0
- @ IN SOA ns1.headscale.demo.com. admin.headscale.demo.com. (
- 2024011402 ; Serial
- 1h ; Refresh
- 15m ; Retry
- 1w ; Expire
- 3h ; Negative Cache TTL
- )
- @ IN NS ns1.headscale.demo.com.
- '';
  # Credentials for lego's "pdns" DNS-01 provider; consumed through
  # security.acme.certs.*.credentialsFile as an EnvironmentFile.
  # SECURITY(review): pkgs.writeText puts this file in /nix/store, which is
  # world-readable, so every local user can read the PowerDNS API key (the
  # acme module's own docs warn against store paths here — verify). The key
  # has also been published on a public paste and must be rotated. Keep the
  # file outside the store (agenix/sops-nix, or a root-owned 0600 file) and
  # point credentialsFile at that path instead.
  pdnsconf = pkgs.writeText "certs.secret"
  ''
  PDNS_API_KEY="ce3d5b4c6bc08a0057244149e1d8716c6008916b66a5cc8f4ee875a56bf51a4b"
  PDNS_API_URL="http://localhost:8081"
  '';
- enable_bind = false;
- #domain = "myheadscale.demo.com";
- #in
- this = {
- domain = "myheadscale.demo.com";
- #dns = import (builtins.fetchTarball "https://github.com/kirelagin/dns.nix/archive/master.zip");
- };
- in
- {
- #security.pki.certificateFiles = ["/home/spiderunderurbed/crt/headscale.crt"];
- security.pki.certificates = [ ''
- #CERT GOES HERE
- '' ];
- networking = {
- nameservers = ["8.8.8.8"];
- };
- #}
- security.acme = {
- server = "https://localhost:14000";
- preliminarySelfsigned = true;
- acceptTerms = true;
- email = "SpiderUnderUrBed@proton.me";
- certs."demo.com" = {
- dnsProvider = "pdns";
- dnsResolver = "localhost:53"; # This should be pdns.
- dnsPropagationCheck = true;
- credentialsFile = pdnsconf;
- # webroot = "/var/lib/acme/challenges-de";
- group = "nginx";
- email = "SpiderUnderUrBed@proton.me";
- };
- certs."headscale.demo.com" = {
- dnsProvider = "pdns";
- dnsResolver = "localhost:53"; # This should be pdns.
- dnsPropagationCheck = true;
- credentialsFile = pdnsconf;
- # webroot = "/var/lib/acme/challenges-de";
- group = "nginx";
- email = "SpiderUnderUrBed@proton.me";
- };
- };
- services.tailscale.enable = true;
- networking.firewall = {
- checkReversePath = "loose";
- trustedInterfaces = [ "tailscale0" ];
- allowedUDPPorts = [ config.services.tailscale.port ];
- };
- services = {
- headscale = {
- # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
- enable = true;
- address = "0.0.0.0";
- port = 8080;
- serverUrl = "https://${this.domain}";
- dns = { baseDomain = "demo.com"; };
- settings = { logtail.enabled = false; server_url = "https://${this.domain}"; };
- };
- # nginx.enable = true;
- nginx = {
- enable = true;
- virtualHosts.${this.domain} = {
- ## enable = true;
- forceSSL = true;
- # enableACME = true;
- useACMEHost = "demo.com";
- locations."/" = {
- proxyPass =
- "http://localhost:${toString config.services.headscale.port}";
- proxyWebsockets = true;
- };
- };
- };
- powerdns = {
- # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
- enable = true;
- # Enable PowerDNS
- # authoritative = true;
- # zones = {
- # };
- };
- powerdns-admin.config = {
- enable = true;
- BIND_ADDRESS = "0.0.0.0";
- PORT = 8000;
- };
- bind = {
- # allowQuery = [ "127.0.0.1" ]; # Allow queries from localhost
- # allowTransfer = [ "127.0.0.1" ]; # Allow zone transfers from localhost
- #listenOn = [ "127.0.0.1" ]; # Listen on localhost
- forwarders = [ "8.8.8.8" "127.0.0.1" ]; # Use Google's public DNS as a forwarder (optional)
- forward = "first";
- listenOn =
- [
- "127.0.0.1"
- ];
- ipv4Only = true;
- # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
- enable = enable_bind;
- # extraConfig = ''
- # include dnskeys;
- # '';
- zones = [
- {
- name = "headscale.demo.com";
- allowQuery = ["127.0.0.1"];
- file = headscaledemocom;
- master = true;
- extraConfig = "allow-update { key pdns.headscale.demo.com.; };";
- }
- ];
- };
- # services.powerdns = {
- # enable = true;
- # }
- };
- environment.systemPackages = with pkgs; [
- pkgs.librewolf pkgs.yakuake config.services.headscale.package pkgs.nginx
- ];
- #environment.systemPackages = [ pkgs.librewolf ];
- virtualisation.docker.enable = true;
- virtualisation.oci-containers = {
- backend = "docker";
- containers = {
- coweire = {};
- pebble = {
- image = "letsencrypt/pebble";
- ports = ["14000:14000"]; # Expose the Pebble challenge test server port
- # Additional configurations for Pebble
- environment = {
- PEBBLE_VA_NOSLEEP = "1"; # Optional: Disable sleeping in the VA (Validity Authority)
- PEBBLE_WFE_NONCEREJECT = "true"; # Optional: Allow nonces to be reused
- };
- };
- # headscale = {};
- # coweire.image = "cowrie:latest"
- };
- };