feat: headscale acl, chore: upgrade pi coding agent

2026-06-19 21:42:18 -04:00
parent edc68d4660
commit cfe0975055
4 changed files with 49 additions and 8 deletions


@@ -1,13 +1,14 @@
{ config, lib, namespace, ... }: { config, lib, namespace, ... }:
let let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption types;
cfg = config.${namespace}.services.headscale; cfg = config.${namespace}.services.headscale;
inherit (lib.${namespace}) mkBoolOpt; inherit (lib.${namespace}) mkBoolOpt mkOpt;
in in
{ {
options.${namespace}.services.headscale = { options.${namespace}.services.headscale = {
enable = mkEnableOption "enable headscale service"; enable = mkEnableOption "enable headscale service";
openFirewall = mkBoolOpt false "Open firewall"; openFirewall = mkBoolOpt false "Open firewall";
policy = mkOpt (types.nullOr types.path) null "Path to a HuJSON ACL policy file (file mode).";
}; };
options.services.headscale.settings.dns.nameservers.split = lib.mkOption { options.services.headscale.settings.dns.nameservers.split = lib.mkOption {
@@ -30,6 +31,10 @@ in
address = "0.0.0.0"; address = "0.0.0.0";
settings = { settings = {
server_url = "https://headscale.reichard.io"; server_url = "https://headscale.reichard.io";
policy = mkIf (cfg.policy != null) {
mode = "file";
path = toString cfg.policy;
};
dns = { dns = {
base_domain = "reichard.dev"; base_domain = "reichard.dev";
nameservers = { nameservers = {
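Review bot: The new `policy = mkIf (cfg.policy != null) { mode = "file"; path = toString cfg.policy; }` block turns a Nix path into a store path, which means the ACL file is copied into the world-readable /nix/store, and neither the code nor the option description on the earlier hunk says so; add a comment such as `# toString copies the policy file into the (world-readable) Nix store, so keep secrets out of the ACL.` and mention the same in the `mkOpt` description. Whether the NixOS headscale unit restarts when that store path changes is not visible in this hunk; if it does not, an ACL edit would only take effect after a manual restart, which is worth confirming and documenting next to the option.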


@@ -18,16 +18,16 @@
buildNpmPackage rec { buildNpmPackage rec {
pname = "pi-coding-agent"; pname = "pi-coding-agent";
version = "0.79.6"; version = "0.79.8";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "earendil-works"; owner = "earendil-works";
repo = "pi-mono"; repo = "pi-mono";
rev = "v${version}"; rev = "v${version}";
hash = "sha256-ZJv4YCqt10DnuS3oCwwJ9Byix0u4CDFuiVaQd01Ryhs="; hash = "sha256-eH1+vHrKBu1GcUXnTdvRtNuLuf0EdReAnFit8UqiXB4=";
}; };
npmDepsHash = "sha256-7QMIlG96nSd8J4M63PhCikUYh/84Hn1eaCuDBMBR3/A="; npmDepsHash = "sha256-xrTpu4TkRmlflg7pMaw/QVsN+poQ41slVA5PET+NDoI=";
nativeBuildInputs = [ pkg-config makeWrapper ]; nativeBuildInputs = [ pkg-config makeWrapper ];


@@ -0,0 +1,35 @@
{
"tagOwners": {
"tag:mobile": ["evan@"],
},
"hosts": {
"lan-route": "10.0.0.0/16",
},
"acls": [
// 10.0.0.0/16
{
"action": "accept",
"src": ["tag:mobile"],
"dst": ["lan-route:*"],
},
// Main Net
{
"action": "accept",
"src": ["*"],
"dst": [
"100.64.0.0/10:*",
"fd7a:115c:a1e0::/48:*",
],
},
// Exit Nodes
{
"action": "accept",
"src": ["*"],
"dst": ["autogroup:internet:*"],
},
],
}
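Review bot: The `Main Net` rule with `"src": ["*"]` and `"dst": ["100.64.0.0/10:*", "fd7a:115c:a1e0::/48:*"]` lets every node reach every other node on every port, since those prefixes are the tailnet's own address ranges, and the `Exit Nodes` rule likewise lets every node use any exit node; only the `lan-route` subnet (`10.0.0.0/16`) is actually scoped to `tag:mobile`. If a fully open tailnet is the intent, the comments should say so rather than just naming the range, e.g. `// Main Net: any node may reach any other node on any port (intentionally open)`; if not, narrow `src` to tags or groups. The `tag:mobile` → `lan-route:*` rule also only has effect once some node advertises and is approved for that route, which this file cannot express, so a one-line comment naming the expected router node would help the next reader.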


@@ -1,5 +1,4 @@
{ namespace { namespace
, config
, pkgs , pkgs
, lib , lib
, modulesPath , modulesPath
@@ -7,8 +6,6 @@
}: }:
let let
inherit (lib.${namespace}) enabled; inherit (lib.${namespace}) enabled;
cfg = config.${namespace}.user;
in in
{ {
imports = [ imports = [
@@ -23,6 +20,9 @@ in
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
}; };
# Legacy Partion Name
fileSystems."/boot".device = lib.mkForce "/dev/disk/by-partlabel/disk-main-ESP";
reichard = { reichard = {
nix = enabled; nix = enabled;
@@ -39,6 +39,7 @@ in
headscale = { headscale = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
policy = ./acl.hujson;
}; };
tailscale = { tailscale = {
enable = true; enable = true;
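Review bot: The added `fileSystems."/boot".device = lib.mkForce "/dev/disk/by-partlabel/disk-main-ESP";` line, together with dropping the `config` argument and the `cfg = config.${namespace}.user;` binding in the first two hunks, is unrelated to the headscale ACL and pi-coding-agent upgrade named in the commit title and is not explained anywhere. The comment above it also has a typo, `# Legacy Partion Name`; spell it `# Legacy partition name` and extend it to say which generated device path is being forced and why this host still uses the old label, since a `mkForce` with no rationale is the kind of line a later cleanup removes. The `policy = ./acl.hujson;` addition is fine as written; the relative path resolves against this file's directory.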