🔒 Setting Up Headscale & Tailscale on NixOS: A Zero-Trust Networking Guide for ❄️ NixOS - YouTube (youtube.com)

submitted 1 day ago by [email protected] to c/[email protected]

6 comments fedilink hide all child comments

Cross-posted from: https://programming.dev/post/33674513

Any general suggestions when getting started with headscale?

you are viewing a single comment's thread
view the rest of the comments

[-] [email protected] 1 points 14 hours ago

Shit there is? How do I set up auto discovery?

[-] [email protected] 1 points 13 hours ago* (last edited 13 hours ago)

I can share my traefik setup - note I am doing this on my phone at work, so I might miss something

compose.yaml

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.middlewares=authwares@file"

  GNU nano 7.2                      /config/traefik/dynamic/middlewares.yaml
http:
  middlewares:

    limit:
      buffering:
        memRequestBodyBytes: 5000000000
        memResponseBodyBytes: 5000000000
        maxRequestBodyBytes: 5000000000
        maxResponseBodyBytes: 5000000000

    authwares:
      chain:
        middlewares:
          - default-headers
          - authelia
          - limit

    default-headers:
      headers:
        accessControlAllowHeaders: "content-type,authorization"
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
          - DELETE
        frameDeny: true
        accessControlAllowOriginList: "*"
        accessControlMaxAge: 100
        addVaryHeader: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        referrerPolicy: "strict-origin-when-cross-origin"
        customRequestHeaders:
          X-Forwarded-Proto: https
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          server: ""
          X-Forwarded-Proto: "https,wss"
        hostsProxyHeaders:
          - "X-Forwarded-Host"

    authelia:
      forwardAuth:
        address: http://auth/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"
          - "Remote-Email"
          - "Remote-Name"

  GNU nano 7.2                            /config/traefik/traefik.yaml
global:
  checkNewVersion: false
  sendAnonymousUsage: false

entryPoints:
  web:
    address: :80
    proxyProtocol:
      insecure: false
      trustedIPs:
        - 172.32.0.0/16
        - 192.168.1.0/24
    forwardedHeaders:
      insecure: false
      trustedIPs:
        - 172.32.0.0/16
        - 192.168.1.0/24
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: :443
    proxyProtocol:
      insecure: false
      trustedIPs:
        - 172.32.0.0/16
        - 192.168.1.0/24
    forwardedHeaders:
      insecure: false
      trustedIPs:
        - 172.32.0.0/16
        - 192.168.1.0/24
    http:
      tls:
        options: modern@file
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"

  providers:
  docker:
    exposedByDefault: false
    network: compose_proxied
    allowEmptyServices: true
    endpoint: "http://socket:2375/"
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
  file:
    directory: /config/dynamic
    watch: true

api:
  insecure: false
  dashboard: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: [email protected]
      storage: /certificates/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  level: DEBUG
  filePath: /config/logs/traefik.log
  format: json
accesslog:
  filepath: /config/logs/access.log
  bufferingSize: 100
  format: json

this post was submitted on 10 Jul 2025

67 points (94.7% liked)

Selfhosted

49359 readers

483 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]