Skip to content

deploy headscale and tailscale for laptop to access homelab #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sunziping2016 merged 1 commit into from
Jun 22, 2026
Merged

deploy headscale and tailscale for laptop to access homelab #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .cursorignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
.decrypted~*
.env
.env.*
4 changes: 4 additions & 0 deletions flake/hosts.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ let
services.coredns
services.fail2ban
services.sing-box
services.tailscale
system.disko
system.systemd-boot
];
Expand All @@ -76,6 +77,7 @@ let
hosts.laptop
system.disko
services.sing-box
services.tailscale
system.systemd-boot
];

Expand All @@ -84,9 +86,11 @@ let
networking.wireguard
services.blog
services.coredns
services.headscale
services.nginx
services.rke2-hasee.gateway
services.sing-box
services.tailscale
system.disko
system.systemd-boot
];
Expand Down
3 changes: 0 additions & 3 deletions nixos/hosts/desktop/network.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@
DHCP = "yes";
dhcpV4Config.RoutesToDNS = false;
linkConfig.MTUBytes = 9000;
networkConfig.UseDomains = true;
};
systemd.network.networks."40-svc" = {
matchConfig.Name = "svc";
Expand All @@ -40,7 +39,6 @@
"10.112.35.1"
"10.112.35.2"
];
domains = [ "nodes.szp.io" ];
networkConfig.IPv6AcceptRA = false;
};
systemd.network.networks."40-wlan0" = {
Expand All @@ -51,7 +49,6 @@
RouteMetric = 1025;
};
ipv6AcceptRAConfig.RouteMetric = 1025;
networkConfig.UseDomains = true;
};
networking.hosts."10.112.8.1" = [
"router.nodes.szp.io"
Expand Down
7 changes: 4 additions & 3 deletions nixos/hosts/router/network.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,8 +114,6 @@
"10.112.35.2"
];
EmitRouter = true;
EmitDomain = true;
Domain = "nodes.szp.io";
PoolOffset = 100;
PoolSize = 100;
};
Expand Down Expand Up @@ -148,6 +146,8 @@
networking.firewall.interfaces.svc.allowedTCPPorts = [ 53 ];
networking.firewall.interfaces.vm.allowedUDPPorts = [ 53 ];
networking.firewall.interfaces.vm.allowedTCPPorts = [ 53 ];
networking.firewall.interfaces.tailscale0.allowedUDPPorts = [ 53 ];
networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 53 ];

services.fail2ban.ignoreIP = [
"10.112.8.5" # desktop
Expand Down Expand Up @@ -225,7 +225,8 @@
# allow traffic from VM and wireguard to service
networking.firewall.extraForwardRules = ''
iifname "lan" ip daddr {10.112.10.0/24, 10.112.12.0/24} accept
iifname {"vm", "wg0"} ip daddr 10.112.10.0/24 accept
iifname {"vm", "wg0", "tailscale0"} ip daddr 10.112.10.0/24 accept
iifname "tailscale0" ip saddr 100.112.36.128/25 ip daddr 10.112.0.0/19 accept
'';

networking.nftables.tables.mss-clamping = {
Expand Down
105 changes: 51 additions & 54 deletions nixos/services/coredns/default.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,45 +23,48 @@ let
in
{
config = lib.mkMerge [
{
services.coredns.enable = true;
services.coredns.config = ''
(snip) {
errors
loadbalance
log
minimal
}
o.szp.io {
import snip
rewrite name suffix .o.szp.io .szp.io answer auto
forward . /run/systemd/resolve/resolv.conf
}
o.szp15.com {
import snip
rewrite name suffix .o.szp15.com .szp15.com answer auto
forward . /run/systemd/resolve/resolv.conf
}
'';
}
(lib.mkIf (name == primary) {
services.coredns = {
enable = true;
config = ''
(snip) {
errors
loadbalance
log
minimal
root /etc/coredns/zones
transfer {
to ${lib.concatStringsSep " " secondaryAddresses}
}
}
szp15.com {
import snip
file szp15.com.zone {
reload 30s
}
services.coredns.config = ''
(authoritative) {
root /etc/coredns/zones
transfer {
to ${lib.concatStringsSep " " secondaryAddresses}
}
szp.io {
import snip
file szp.io.zone {
reload 30s
}
}
szp15.com {
import authoritative
file szp15.com.zone {
reload 30s
}
o.szp.io {
import snip
rewrite name suffix .o.szp.io .szp.io answer auto
forward . /run/systemd/resolve/resolv.conf
}
szp.io {
import authoritative
file szp.io.zone {
reload 30s
}
o.szp15.com {
import snip
rewrite name suffix .o.szp15.com .szp15.com answer auto
forward . /run/systemd/resolve/resolv.conf
}
'';
};

}
'';
environment.etc."coredns/zones/szp15.com.zone".source = ./szp15.com.zone;
environment.etc."coredns/zones/szp.io.zone".source = ./szp.io.zone;

Expand All @@ -71,26 +74,20 @@ in
];
})
(lib.mkIf (name != primary) {
services.coredns = {
enable = true;
config = ''
(snip) {
errors
loadbalance
log
minimal
secondary {
transfer from ${primaryAddress}
}
}
szp15.com {
import snip
}
szp.io {
import snip
services.coredns.config = ''
(authoritative) {
import snip
secondary {
transfer from ${primaryAddress}
}
'';
};
}
szp15.com {
import authoritative
}
szp.io {
import authoritative
}
'';
})
{
networking.netns.coredns = {
Expand Down
33 changes: 17 additions & 16 deletions nixos/services/coredns/szp15.com.zone
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,20 @@
$ORIGIN szp15.com.
$TTL 600
@ IN SOA ns1.szp.io. me.szp.io. (
2026060902 ; serial Tue, 09 Jun 2026 00:28:00 UTC
3H ; refresh
40M ; retry
1W ; expire
30M ; minimum
)
IN NS ns1.szp.io.
IN A 47.96.145.133
IN AAAA 2408:4005:3c4:a40:d5b6:55ed:95b4:4eed
@ IN SOA ns1.szp.io. me.szp.io. (
2026062001 ; serial Sat, 20 Jun 2026 00:14:00 UTC
3H ; refresh
40M ; retry
1W ; expire
30M ; minimum
)
IN NS ns1.szp.io.
IN A 47.96.145.133
IN AAAA 2408:4005:3c4:a40:d5b6:55ed:95b4:4eed

hgh0 IN CNAME @
s3 IN CNAME ingress.k8s.szp.io.
*.s3 IN CNAME ingress.k8s.szp.io.
whoami IN CNAME ingress.k8s.szp.io.
vault IN CNAME ingress.k8s.szp.io.
argocd IN CNAME ingress.k8s.szp.io.
hgh0 IN CNAME hgh0.o
tailnet IN CNAME tailnet.o
s3 IN CNAME ingress.k8s.szp.io.
*.s3 IN CNAME ingress.k8s.szp.io.
whoami IN CNAME ingress.k8s.szp.io.
vault IN CNAME ingress.k8s.szp.io.
argocd IN CNAME ingress.k8s.szp.io.
71 changes: 71 additions & 0 deletions nixos/services/headscale.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
{ pkgs, ... }:
let
domain = "tailnet.szp15.com";
port = 40010;
metricsPort = 40011;
jsonFormat = pkgs.formats.json { };
in
{
# To setup headscale, run the following commands:
#
# headscale users create ziping-sun --email ziping-sun@szp.io --display-name "Ziping Sun"
#
services.headscale = {
enable = true;
settings = {
server_url = "https://${domain}";
listen_addr = "[::1]:${toString port}";
metrics_listen_addr = "[::1]:${toString metricsPort}";
trusted_proxies = [ "::1/128" ];
prefixes = {
v4 = "100.112.36.0/24";
v6 = "fd7a:115c:a1e0:7024::/64";
};

# DERP
derp.server = {
enabled = true;
stun_listen_addr = "0.0.0.0:3478";
};

disable_check_updates = true;

# POLICY
# https://github.com/juanfont/headscale/blob/v0.25.1/hscontrol/policy/acls_types.go
policy = {
mode = "file";
path = jsonFormat.generate "policy.json" {
};
};

# DNS
dns = {
magic_dns = false;
override_local_dns = false;
nameservers.split = {
"szp.io" = [ "10.112.35.1" ];
"szp15.com" = [ "10.112.35.1" ];
};
};
taildrop.enabled = false;
};
};

preservation.preserveAt.default.directories = [
{
directory = "/var/lib/headscale";
mode = "0700";
user = "headscale";
group = "headscale";
}
];

services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
}
33 changes: 33 additions & 0 deletions nixos/services/tailscale.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
{ pkgs, ... }:
let
pkg = pkgs.tailscale.overrideAttrs (oldAttrs: {
patches = (oldAttrs.patches or [ ]) ++ [
# Read CGNAT CIDR range from TS_CGNAT_RANGE environment variable if set
(pkgs.fetchpatch {
url = "https://github.com/sunziping2016/tailscale/commit/a3027f992d10b7be3148b04fbe685198445f1b6d.patch";
hash = "sha256-RmfFLlucyKJzQwZxG2WwRG5ER3uIoj1qVVCYBH9g2bQ=";
})
];
});
in
{
services.tailscale = {
enable = true;
package = pkg;
openFirewall = true;
extraDaemonFlags = [ "--no-logs-no-support" ];
};

preservation.preserveAt.default.directories = [
{
directory = "/var/lib/tailscale";
mode = "0700";
}
];

# Limit tailscale to a smaller CIDR
# For Aliyun DNS, and reduce the risk of conflicting with ISP's PPPoE IP
systemd.services.tailscaled.environment = {
TS_CGNAT_RANGE = "100.112.36.0/24";
};
}
7 changes: 7 additions & 0 deletions terraform/aliyun/network.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,10 @@ module "hgh_vpc" {
resource "alicloud_vpc_ipv6_gateway" "hgh" {
vpc_id = module.hgh_vpc.vpc_id
}

resource "alicloud_route_entry" "hgh_svc" {
route_table_id = module.hgh_vpc.route_table_id
destination_cidrblock = "10.112.32.0/24"
nexthop_type = "Instance"
nexthop_id = alicloud_instance.hgh0.id
}
Loading