🔒 Setting Up Headscale & Tailscale on NixOS: A Zero-Trust Networking Guide for ❄️ NixOS - YouTube
(youtube.com)
from ruffsl@programming.dev to selfhosted@lemmy.world on 10 Jul 2025 13:27
https://programming.dev/post/33674640
Cross-posted from: programming.dev/post/33674513
Any general suggestions when getting started with headscale?
#selfhosted
Looks like they introduce the use of Traefik with NixOS here:
How does Traefik compare to a reverse proxy like Caddy?

In terms of setup, Caddy is a lot simpler in syntax, but you will find more tutorials for Traefik and it has better integration with Docker. You can add labels to a container and Traefik uses that as config, whereas in Caddy, you need to set up both the container and the config file. If you want to drop a service, then it is easier in Traefik for this reason. But with decent Nix code, you can basically replicate this in Caddy. Once you set them up, they’re pretty much the same. I’ve seen some people saying Traefik is faster, but realistically, I don’t think it’s meaningful.
Note that it's also possible to set up service auto discovery with traefik, the only traefik related config I do on new containers is
Shit there is? How do I set up auto discovery?
I can share my traefik setup - note I am doing this on my phone at work, so I might miss something
compose.yaml

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.middlewares=authwares@file"

/config/traefik/dynamic/middlewares.yaml

    http:
      middlewares:
        limit:
          buffering:
            memRequestBodyBytes: 5000000000
            memResponseBodyBytes: 5000000000
            maxRequestBodyBytes: 5000000000
            maxResponseBodyBytes: 5000000000
        authwares:
          chain:
            middlewares:
              - default-headers
              - authelia
              - limit
        default-headers:
          headers:
            accessControlAllowHeaders: "content-type,authorization"
            accessControlAllowMethods:
              - GET
              - OPTIONS
              - PUT
              - POST
              - DELETE
            frameDeny: true
            accessControlAllowOriginList: "*"
            accessControlMaxAge: 100
            addVaryHeader: true
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            stsIncludeSubdomains: true
            stsPreload: true
            stsSeconds: 15552000
            customFrameOptionsValue: SAMEORIGIN
            referrerPolicy: "strict-origin-when-cross-origin"
            customRequestHeaders:
              X-Forwarded-Proto: https
            customResponseHeaders:
              X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
              server: ""
              X-Forwarded-Proto: "https,wss"
            hostsProxyHeaders:
              - "X-Forwarded-Host"
        authelia:
          forwardAuth:
            address: http://auth/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
            trustForwardHeader: true
            authResponseHeaders:
              - "Remote-User"
              - "Remote-Groups"
              - "Remote-Email"
              - "Remote-Name"

/config/traefik/traefik.yaml

    global:
      checkNewVersion: false
      sendAnonymousUsage: false
    entryPoints:
      web:
        address: :80
        proxyProtocol:
          insecure: false
          trustedIPs:
            -

I have been wanting to set this up for a while, but didn’t know what I was doing, so this tutorial helps a lot and I will give it a go, thanks!
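With label-driven discovery as shared in the thread, a container that sets `traefik.enable=true` but never attaches the `authwares@file` chain is routed without the Authelia forward-auth step. The following check is an added example, not code from any of the posters; the function names, service names and sample labels are constructed, and it assumes the Docker provider runs with `exposedByDefault=false`.

```python
import re

REQUIRED = "authwares@file"  # chain name from the labels posted in the thread
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")

def parse_labels(labels):
    """Turn compose-style 'key=value' label strings into a dict."""
    return dict((k.strip(), v.strip()) for k, _, v in (s.partition("=") for s in labels))

def unprotected_routers(labels, required=REQUIRED):
    """Return routers on a Traefik-enabled container that lack `required`.

    Assumption: exposedByDefault=false, so only containers labelled
    traefik.enable=true are routed. An enabled container with no router
    labels still gets an auto-generated router, reported as '<default>'.
    """
    kv = parse_labels(labels)
    if kv.get("traefik.enable", "").lower() != "true":
        return []
    routers = {}
    for key, value in kv.items():
        m = ROUTER_KEY.match(key)
        if not m:
            continue
        chain = routers.setdefault(m.group(1), [])
        if m.group(2) == "middlewares":
            # Router middlewares are a comma-separated list in label form.
            chain.extend(p.strip() for p in value.split(",") if p.strip())
    if not routers:
        return ["<default>"]
    return sorted(name for name, chain in routers.items() if required not in chain)

# Constructed sample: service name -> compose labels (not from the thread).
SAMPLE = {
    "wiki": ["traefik.enable=true",
             "traefik.http.routers.wiki.middlewares=authwares@file"],
    "photos": ["traefik.enable=true",
               "traefik.http.routers.photos.rule=Host(`photos.example.com`)"],
    "metrics": ["traefik.enable=true"],
    "db": ["traefik.enable=false"],
}

def audit(services):
    """Map each service to its routers that skip the required chain."""
    return {name: bad for name, labels in services.items()
            if (bad := unprotected_routers(labels))}

if __name__ == "__main__":
    for name, routers in audit(SAMPLE).items():
        print(f"{name}: routers without {REQUIRED}: {', '.join(routers)}")
```
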