From 91594658363e3dd62c992c9403a1dc8338cf1372 Mon Sep 17 00:00:00 2001
From: Evan Reichard
Date: Tue, 16 Sep 2025 16:30:56 -0400
Subject: [PATCH] add headscale specific node
---
 modules/nixos/services/headscale/default.nix | 46 +++++++++++++++++++
 .../default.nix | 4 ++
 2 files changed, 50 insertions(+)
 create mode 100644 modules/nixos/services/headscale/default.nix
 rename systems/aarch64-linux/{lin-o1-node1 => lin-o1-headscale}/default.nix (93%)
diff --git a/modules/nixos/services/headscale/default.nix b/modules/nixos/services/headscale/default.nix
new file mode 100644
index 0000000..a4ff22e
--- /dev/null
+++ b/modules/nixos/services/headscale/default.nix
@@ -0,0 +1,46 @@
+{ config, lib, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.${namespace}.services.headscale;
+ inherit (lib.${namespace}) mkBoolOpt;
+in
+{
+ options.${namespace}.services.headscale = {
+ enable = mkEnableOption "enable headscale service";
+ openFirewall = mkBoolOpt false "Open firewall";
+ };
+
+ options.services.headscale.settings.dns.nameservers.split = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+ default = { };
+ description = ''
+ Split DNS configuration mapping domains to specific nameservers.
+ Each key is a domain suffix, and the value is a list of nameservers
+ to use for that domain.
+ '';
+ example = {
+ "internal.company.com" = [ "10.0.0.1" "10.0.0.2" ];
+ "dev.local" = [ "192.168.1.1" ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ settings = {
+ server_url = "https://headscale.reichard.io";
+ dns = {
+ base_domain = "reichard.dev";
+ nameservers.split = {
+ "va.reichard.io" = [ "10.0.20.20" ];
+ };
+ };
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ 8080 ];
+ };
+ };
+}
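Review bot: The listener under `config.services.headscale` is bound with `address = "0.0.0.0"` while `server_url` advertises `https://…`, and nothing in this module configures TLS, so once `openFirewall` is on (the lin-o1-headscale hunk sets `openFirewall = true`) the control-plane port is reachable in plaintext on every interface unless something outside this patch terminates TLS in front of it. If a reverse proxy on the same host fronts the service, `address = "127.0.0.1";` with the firewall left closed is the tighter setting; if the proxy is another machine, the rule should be scoped to that source or interface rather than a global `allowedTCPPorts`. The firewall rule also hard-codes 8080, which presumably mirrors the service's default port; `allowedTCPPorts = [ config.services.headscale.port ];` keeps the two from drifting apart. A one-line comment above `address` naming what is expected to terminate TLS would make that assumption reviewable.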
diff --git a/systems/aarch64-linux/lin-o1-node1/default.nix b/systems/aarch64-linux/lin-o1-headscale/default.nix
similarity index 93%
rename from systems/aarch64-linux/lin-o1-node1/default.nix
rename to systems/aarch64-linux/lin-o1-headscale/default.nix
index af0a400..6fc0552 100755
--- a/systems/aarch64-linux/lin-o1-node1/default.nix
+++ b/systems/aarch64-linux/lin-o1-headscale/default.nix
@@ -32,6 +32,10 @@ in
 services = {
 openssh = enabled;
+ headscale = {
+ enable = true;
+ openFirewall = true;
+ };
 tailscale = {
 enable = true;
 enableRouting = true;