Migrate from WG to TS/HS

nix/application/containers.nix

@@ -1,5 +1,13 @@
 { config, lib, pkgs, ... }:
 {
+  environment.etc."containers/containers.conf".text = lib.mkForce ''
+    [engine]
+    init_path = "${pkgs.catatonit}/bin/catatonit"
+
+    [network]
+    network_backend = "cni"
+    cni_plugin_dirs = ["${pkgs.cni-plugins}/bin"]
+  '';
   virtualisation.oci-containers = {
     containers = {
 

nix/application/headscale.nix

@@ -0,0 +1,23 @@
+{ pkgs, config, ...}: {
+  services.headscale = {
+    enable = true;
+    address = "0.0.0.0";
+    port = 35893;
+    settings = { 
+      dns.base_domain = "vpn.matri.cx";
+      logtail.enabled = false; 
+      noise.private_key_path = "/var/lib/headscale/noise_private.key";
+      server_url = "https://vpn.matri.cx:443";
+    };
+  };
+  services.tailscale = {
+    enable = true;
+    extraSetFlags = [
+      "--advertise-exit-node"
+    ];
+    extraUpFlags = [
+      "--advertise-tags=tag:home-server"
+    ];
+    useRoutingFeatures = "both";
+  };
+}

nix/application/nginx.nix

@@ -71,11 +71,19 @@
         "jame.su" = static { dir = "/var/www/jame.su"; };
         "matri.cx" = static { dir = "/var/www/matri.cx"; };
         "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
+        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
         "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
         "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
         "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
         "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
-        "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
+        "vpn.matri.cx" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.headscale.port}";
+            proxyWebsockets = true;
+          };
+        };
       };
   };
 }