From 12c25bcde8d2bbbe94ae1e38d972a914c201aed8 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 13 May 2026 08:42:46 +0200
Subject: [PATCH] refactor(attic): move headscale from mx to attic

Headscale is moving off the mx mailserver onto the attic cache host. The new public URL is https://headscale.hoyer.world.

- Switch from useACMEHost = "hoyer.xyz" (mx wildcard DNS-01) to enableACME = true, since attic only has HTTP-01 configured.
- Move headscale port to 8081 to avoid clashing with atticd on 8080.
- Drop the 192.168.178.254 LAN nameserver from dns.nameservers.global, which isn't reachable from the Hetzner instance.

Operational steps still required on attic:
- Provision /var/lib/headscale/client_secret
- Migrate the headscale state DB from mx
- Point headscale.hoyer.world DNS at attic
- Update the Nextcloud OIDC client's redirect URI
---
 systems/x86_64-linux/attic/default.nix | 1 +
 systems/x86_64-linux/{mx => attic}/headscale.nix | 7 +++----
 systems/x86_64-linux/mx/default.nix | 1 -
 3 files changed, 4 insertions(+), 5 deletions(-)
 rename systems/x86_64-linux/{mx => attic}/headscale.nix (90%)

diff --git a/systems/x86_64-linux/attic/default.nix b/systems/x86_64-linux/attic/default.nix
index b6ecf43..56a8aca 100644
--- a/systems/x86_64-linux/attic/default.nix
+++ b/systems/x86_64-linux/attic/default.nix
@@ -6,6 +6,7 @@
 imports = [
 ./hardware-configuration.nix
 ./atticd.nix
+ ./headscale.nix
 ];
 
 metacfg = {
diff --git a/systems/x86_64-linux/mx/headscale.nix b/systems/x86_64-linux/attic/headscale.nix
similarity index 90%
rename from systems/x86_64-linux/mx/headscale.nix
rename to systems/x86_64-linux/attic/headscale.nix
index ffadd1b..f8b9d5e 100644
--- a/systems/x86_64-linux/mx/headscale.nix
+++ b/systems/x86_64-linux/attic/headscale.nix
@@ -1,19 +1,18 @@
 { config, ... }:
 let
- domain = "headscale.hoyer.xyz";
+ domain = "headscale.hoyer.world";
 in
 {
 services = {
 headscale = {
 enable = true;
 address = "0.0.0.0";
- port = 8080;
+ port = 8081;
 settings = {
 server_url = "https://${domain}";
 dns = {
 base_domain = "hoyer.tail";
 nameservers.global = [
- "192.168.178.254"
 "1.1.1.1"
 "1.0.0.1"
 "2606:4700:4700::1111
@@ -30,8 +29,8 @@ in
 };
 
 nginx.virtualHosts.${domain} = {
- useACMEHost = "hoyer.xyz";
 forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:${toString config.services.headscale.port}";
 proxyWebsockets = true;
diff --git a/systems/x86_64-linux/mx/default.nix b/systems/x86_64-linux/mx/default.nix
index ec2fd89..4b0c4a5 100644
--- a/systems/x86_64-linux/mx/default.nix
+++ b/systems/x86_64-linux/mx/default.nix
@@ -13,7 +13,6 @@
 ./disk-check.nix
 ./forgejo.nix
 ./hardware-configuration.nix
- ./headscale.nix
 ./kicker.nix
 ./mailserver.nix
 ./network.nix
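Review bot: `address = "0.0.0.0";`, kept as context next to the new `port = 8081;`, binds headscale on every interface of what the commit description calls a Hetzner instance, while the nginx vhost in the second hunk only ever proxies to `localhost` — that leaves a second, TLS-less listener on 8081 exposed unless the host firewall keeps the port closed. Since only the local reverse proxy needs to reach it, change it to `address = "127.0.0.1";` (or add a comment stating why the wide bind is required). The `nameservers.global` list now holds only public resolvers, which is intentional per the description, but a comment such as `# public resolvers only: the LAN DNS at 192.168.178.254 is unreachable from attic` beside the list would spare the next reader a git blame. The `services` attribute set continues past the hunk.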
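Review bot: `enableACME = true;` together with `forceSSL = true;` makes this vhost depend on an HTTP-01 challenge for `${domain}`, which can only succeed once the record for headscale.hoyer.world resolves to attic — a step the commit description still lists as pending, so on the first deploy the ACME unit for this domain will fail and nginx serves its placeholder certificate until DNS is switched. Deploy order therefore matters; a comment on the `enableACME` line, `# HTTP-01: DNS for ${domain} must point at this host before the first deploy`, would record that. The hunk also assumes `security.acme.acceptTerms` and a default contact email are set elsewhere in attic's configuration, which is not visible here. The `proxyPass` target `localhost` is unchanged, but with headscale bound to an IPv4 wildcard it is worth verifying after the move that nginx does not first try `::1`.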