feat: headscale acl, chore: upgrade pi coding agent

2026-06-19 21:42:18 -04:00
parent edc68d4660
commit cfe0975055
4 changed files with 49 additions and 8 deletions
--- a/modules/nixos/services/headscale/default.nix
+++ b/modules/nixos/services/headscale/default.nix
@@ -1,13 +1,14 @@
 { config, lib, namespace, ... }:
 let
-  inherit (lib) mkIf mkEnableOption;
+  inherit (lib) mkIf mkEnableOption types;
  cfg = config.${namespace}.services.headscale;
-  inherit (lib.${namespace}) mkBoolOpt;
+  inherit (lib.${namespace}) mkBoolOpt mkOpt;
 in
 {
  options.${namespace}.services.headscale = {
    enable = mkEnableOption "enable headscale service";
    openFirewall = mkBoolOpt false "Open firewall";
+    policy = mkOpt (types.nullOr types.path) null "Path to a HuJSON ACL policy file (file mode).";
  };

  options.services.headscale.settings.dns.nameservers.split = lib.mkOption {
@@ -30,6 +31,10 @@ in
      address = "0.0.0.0";
      settings = {
        server_url = "https://headscale.reichard.io";
+        policy = mkIf (cfg.policy != null) {
+          mode = "file";
+          path = toString cfg.policy;
+        };
        dns = {
          base_domain = "reichard.dev";
          nameservers = {
--- a/packages/pi-coding-agent/default.nix
+++ b/packages/pi-coding-agent/default.nix
@@ -18,16 +18,16 @@

 buildNpmPackage rec {
  pname = "pi-coding-agent";
-  version = "0.79.6";
+  version = "0.79.8";

  src = fetchFromGitHub {
    owner = "earendil-works";
    repo = "pi-mono";
    rev = "v${version}";
-    hash = "sha256-ZJv4YCqt10DnuS3oCwwJ9Byix0u4CDFuiVaQd01Ryhs=";
+    hash = "sha256-eH1+vHrKBu1GcUXnTdvRtNuLuf0EdReAnFit8UqiXB4=";
  };

-  npmDepsHash = "sha256-7QMIlG96nSd8J4M63PhCikUYh/84Hn1eaCuDBMBR3/A=";
+  npmDepsHash = "sha256-xrTpu4TkRmlflg7pMaw/QVsN+poQ41slVA5PET+NDoI=";

  nativeBuildInputs = [ pkg-config makeWrapper ];

--- a/systems/aarch64-linux/lin-o1-headscale/acl.hujson
+++ b/systems/aarch64-linux/lin-o1-headscale/acl.hujson
@@ -0,0 +1,35 @@
+{
+  "tagOwners": {
+    "tag:mobile": ["evan@"],
+  },
+
+  "hosts": {
+    "lan-route": "10.0.0.0/16",
+  },
+
+  "acls": [
+    // 10.0.0.0/16
+    {
+      "action": "accept",
+      "src": ["tag:mobile"],
+      "dst": ["lan-route:*"],
+    },
+
+    // Main Net
+    {
+      "action": "accept",
+      "src": ["*"],
+      "dst": [
+        "100.64.0.0/10:*",
+        "fd7a:115c:a1e0::/48:*",
+      ],
+    },
+
+    // Exit Nodes
+    {
+      "action": "accept",
+      "src": ["*"],
+      "dst": ["autogroup:internet:*"],
+    },
+  ],
+}
--- a/systems/aarch64-linux/lin-o1-headscale/default.nix
+++ b/systems/aarch64-linux/lin-o1-headscale/default.nix
@@ -1,5 +1,4 @@
 { namespace
-, config
 , pkgs
 , lib
 , modulesPath
@@ -7,8 +6,6 @@
 }:
 let
  inherit (lib.${namespace}) enabled;
-
-  cfg = config.${namespace}.user;
 in
 {
  imports = [
@@ -23,6 +20,9 @@ in
    efiInstallAsRemovable = true;
  };

+  # Legacy Partion Name
+  fileSystems."/boot".device = lib.mkForce "/dev/disk/by-partlabel/disk-main-ESP";
+
  reichard = {
    nix = enabled;

@@ -39,6 +39,7 @@ in
      headscale = {
        enable = true;
        openFirewall = true;
+        policy = ./acl.hujson;
      };
      tailscale = {
        enable = true;