let dnskeys = pkgs.writeText "dnskeys.conf" '''';headscaledemocom = pkgs.w

1. let dnskeys = pkgs.writeText "dnskeys.conf"
2. ''
3. '';
4. headscaledemocom = pkgs.writeText "headscale.demo.com"
5. ''
6. $ORIGIN headscale.demo.com.
7. $TTL 1d
8. ns1 IN A 0.0.0.0
9.  
10. @ IN SOA ns1.headscale.demo.com. admin.headscale.demo.com. (
11. 2024011402 ; Serial
12. 1h ; Refresh
13. 15m ; Retry
14. 1w ; Expire
15. 3h ; Negative Cache TTL
16. )
17.  
18. @ IN NS ns1.headscale.demo.com.
19. '';
20. pdnsconf = pkgs.writeText "certs.secret"
21. ''
22. PDNS_API_KEY="ce3d5b4c6bc08a0057244149e1d8716c6008916b66a5cc8f4ee875a56bf51a4b"
23. PDNS_API_URL="http://localhost:8081"
24. '';
25. enable_bind = false;
26. #domain = "myheadscale.demo.com";
27. #in
28. this = {
29. domain = "myheadscale.demo.com";
30. #dns = import (builtins.fetchTarball "https://github.com/kirelagin/dns.nix/archive/master.zip");
31. };
32. in
33. {
34.  
35. #security.pki.certificateFiles = ["/home/spiderunderurbed/crt/headscale.crt"];
36. security.pki.certificates = [ ''
37. #CERT GOES HERE
38. '' ];
39. networking = {
40. nameservers = ["8.8.8.8"];
41. };
42.  
43. #}
44. security.acme = {
45. server = "https://localhost:14000";
46. preliminarySelfsigned = true;
47. acceptTerms = true;
48. email = "SpiderUnderUrBed@proton.me";
49. certs."demo.com" = {
50. dnsProvider = "pdns";
51. dnsResolver = "localhost:53"; # This should be pdns.
52. dnsPropagationCheck = true;
53. credentialsFile = pdnsconf;
54. # webroot = "/var/lib/acme/challenges-de";
55. group = "nginx";
56. email = "SpiderUnderUrBed@proton.me";
57. };
58. certs."headscale.demo.com" = {
59. dnsProvider = "pdns";
60. dnsResolver = "localhost:53"; # This should be pdns.
61. dnsPropagationCheck = true;
62. credentialsFile = pdnsconf;
63. # webroot = "/var/lib/acme/challenges-de";
64. group = "nginx";
65. email = "SpiderUnderUrBed@proton.me";
66. };
67. };
68.  
69. services.tailscale.enable = true;
70. networking.firewall = {
71. checkReversePath = "loose";
72. trustedInterfaces = [ "tailscale0" ];
73. allowedUDPPorts = [ config.services.tailscale.port ];
74. };
75.  
76. services = {
77. headscale = {
78. # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
79. enable = true;
80. address = "0.0.0.0";
81. port = 8080;
82. serverUrl = "https://${this.domain}";
83. dns = { baseDomain = "demo.com"; };
84. settings = { logtail.enabled = false; server_url = "https://${this.domain}"; };
85. };
86.  
87. # nginx.enable = true;
88. nginx = {
89. enable = true;
90. virtualHosts.${this.domain} = {
91. ## enable = true;
92. forceSSL = true;
93. # enableACME = true;
94. useACMEHost = "demo.com";
95. locations."/" = {
96. proxyPass =
97. "http://localhost:${toString config.services.headscale.port}";
98. proxyWebsockets = true;
99. };
100. };
101. };
102. powerdns = {
103. # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
104. enable = true;
105. # Enable PowerDNS
106. # authoritative = true;
107. # zones = {
108.  
109. # };
110. };
111. powerdns-admin.config = {
112. enable = true;
113. BIND_ADDRESS = "0.0.0.0";
114. PORT = 8000;
115. };
116. bind = {
117. # allowQuery = [ "127.0.0.1" ]; # Allow queries from localhost
118. # allowTransfer = [ "127.0.0.1" ]; # Allow zone transfers from localhost
119. #listenOn = [ "127.0.0.1" ]; # Listen on localhost
120. forwarders = [ "8.8.8.8" "127.0.0.1" ]; # Use Google's public DNS as a forwarder (optional)
121. forward = "first";
122. listenOn =
123. [
124. "127.0.0.1"
125. ];
126. ipv4Only = true;
127. # serviceConfig.BindReadOnlyPaths = [ "/etc/ssl/certs" ];
128. enable = enable_bind;
129. # extraConfig = ''
130. # include dnskeys;
131. # '';
132. zones = [
133. {
134. name = "headscale.demo.com";
135. allowQuery = ["127.0.0.1"];
136. file = headscaledemocom;
137. master = true;
138. extraConfig = "allow-update { key pdns.headscale.demo.com.; };";
139. }
140. ];
141. };
142.  
143. # services.powerdns = {
144. # enable = true;
145.  
146. # }
147. };
148.  
149. environment.systemPackages = with pkgs; [
150. pkgs.librewolf pkgs.yakuake config.services.headscale.package pkgs.nginx
151. ];
152. #environment.systemPackages = [ pkgs.librewolf ];
153.  
154. virtualisation.docker.enable = true;
155.  
156. virtualisation.oci-containers = {
157. backend = "docker";
158. containers = {
159. coweire = {};
160. pebble = {
161. image = "letsencrypt/pebble";
162. ports = ["14000:14000"]; # Expose the Pebble challenge test server port
163.  
164. # Additional configurations for Pebble
165. environment = {
166. PEBBLE_VA_NOSLEEP = "1"; # Optional: Disable sleeping in the VA (Validity Authority)
167. PEBBLE_WFE_NONCEREJECT = "true"; # Optional: Allow nonces to be reused
168. };
169.  
170. };
171. # headscale = {};
172. # coweire.image = "cowrie:latest"
173. };
174. };
175.