From 62201776f3ad66b554c3ad5a7dc4b373f5843e47 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Fri, 21 Nov 2025 16:15:51 +0100
Subject: [PATCH] chore(nix): add Headscale service to MX configuration

- Included `headscale.nix` in the MX system configuration for VPN management.
- Added Nginx and ACME configuration to route traffic securely to Headscale.
- Ensures Headscale is enabled with required settings and packaged in the system.
---
 systems/x86_64-linux/mx/default.nix | 1 +
 systems/x86_64-linux/mx/headscale.nix | 32 +++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 systems/x86_64-linux/mx/headscale.nix

diff --git a/systems/x86_64-linux/mx/default.nix b/systems/x86_64-linux/mx/default.nix
index 4201096..08b81d1 100644
--- a/systems/x86_64-linux/mx/default.nix
+++ b/systems/x86_64-linux/mx/default.nix
@@ -7,6 +7,7 @@
 ./coturn.nix
 ./forgejo.nix
 ./hardware-configuration.nix
+ ./headscale.nix
 ./kicker.nix
 ./mailserver.nix
 ./network.nix
diff --git a/systems/x86_64-linux/mx/headscale.nix b/systems/x86_64-linux/mx/headscale.nix
new file mode 100644
index 0000000..86f2d56
--- /dev/null
+++ b/systems/x86_64-linux/mx/headscale.nix
@@ -0,0 +1,32 @@
+{ config }:
+let
+ domain = "headscale.hoyer.xyz";
+in
+{
+ services = {
+ headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 8080;
+ server_url = "https://${domain}";
+ dns = {
+ baseDomain = "hoyer.tail";
+ };
+ settings = {
+ logtail.enabled = false;
+ };
+ };
+
+ nginx.virtualHosts.${domain} = {
+ useACMEHost = "hoyer.xyz";
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ environment.systemPackages = [ config.services.headscale.package ];
+}
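Review bot: In the new headscale.nix, `address = "0.0.0.0";` makes Headscale listen in plain HTTP on port 8080 on every interface, although the only client visible in this patch is the nginx vhost that proxies to `http://localhost:${toString config.services.headscale.port}`. Unless the host firewall (not shown here) blocks 8080, the control server is reachable without TLS and `forceSSL` on the vhost is bypassed; binding to loopback with `address = "127.0.0.1";` removes that exposure. Separately, the vhost sets both `useACMEHost = "hoyer.xyz";` and `enableACME = true;`, which the NixOS nginx module treats as mutually exclusive as far as I know, so I would drop `enableACME = true;` and confirm that the `hoyer.xyz` certificate actually covers `headscale.hoyer.xyz`.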