2026-04-03 14:15:36 +02:00
3 changed files with 38 additions and 12 deletions
--- a/constants.nix
+++ b/constants.nix
@ -3,12 +3,15 @@ rec {
  hosts = {
    sid = {
      ip = "100.64.0.6";
      domain = "sid.tail";
    };
    rx4 = {
      ip = "100.64.0.10";
      domain = "rx4.tail";
    };
    vde = {
      ip = "100.64.0.1";
      domain = "vde.tail";
    };
  };
  services = {
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@ -1,10 +1,9 @@
 {
  inputs,
  constants,
  ...
 }:
 # TODO: use constants.nix
 {
  imports = [
    inputs.synix.nixosModules.headplane
@ -14,20 +13,20 @@
  services.resolved.enable = false;
  networking.resolvconf.enable = false;
-  networking.nameservers = [ "100.64.0.6" ];
+  networking.nameservers = [ constants.hosts.sid.ip ];
  services.coredns = {
    enable = true;
-    config = ''
+    config = with constants; ''
      .:53 {
-        bind 100.64.0.6
+        bind ${hosts.sid.ip}
        hosts {
-          100.64.0.6 sid.tail
+          ${hosts.sid.ip} sid.tail
-          100.64.0.6 netdata.sid.tail
+          ${hosts.sid.ip} netdata.sid.tail
-          100.64.0.10 rx4.tail
+          ${hosts.rx4.ip} rx4.tail
-          100.64.0.10 dav.rx4.tail
+          ${hosts.rx4.ip} dav.rx4.tail
-          100.64.0.10 pw.rx4.tail
+          ${hosts.rx4.ip} pw.rx4.tail
-          100.64.0.1 vde.tail
+          ${hosts.vde.ip} vde.tail
          fallthrough
        }
        forward . 1.1.1.1
@ -62,7 +61,7 @@
        nameservers = {
          global = [ "1.1.1.1" ];
          split = {
-            "tail" = [ "100.64.0.6" ];
+            "tail" = [ constants.hosts.sid.ip ];
          };
        };
      };
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@ -1,5 +1,6 @@
 {
  inputs,
  config,
  constants,
  lib,
  ...
@ -15,10 +16,33 @@ in
    inputs.synix.nixosModules.nginx
  ];
  users.users.nginx.extraGroups = [ "tailscale" ];
  systemd.services.nginx.serviceConfig = {
    SupplementaryGroups = [ "tailscale" ];
    Requires = [ "tailscaled.service" ];
    After = [ "tailscaled.service" ];
  };
  systemd.services."generate-tailscale-certs-${constants.hosts.sid.domain}" = {
    wantedBy = [ "multi-user.target" ];
    before = [ "nginx.service" ];
    after = [ "tailscaled.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${config.services.tailscale.package}/bin/tailscale cert ${constants.hosts.sid.domain}";
      User = "root";
    };
  };
  services.nginx = {
    enable = true;
    openFirewall = true;
    forceSSL = ssl;
    virtualHosts."${constants.hosts.sid.domain}" = {
      sslCertificate = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.crt";
      sslCertificateKey = "/var/lib/tailscale/certs/${constants.hosts.sid.domain}.key";
      forceSSL = true;
    };
    virtualHosts."${constants.services.docs.fqdn}" = mkVirtualHost {
      inherit ssl;
      address = constants.hosts.rx4.ip;