feat(headscale): use only headscale as derp server

hosts/raptus/headscale.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  options,
   ...
 }:
 let
@@ -79,8 +80,31 @@ mkIf config.services.headscale.enable {
               "fritz"
             ];
         };
+
+        derp = {
+          # Reference: https://github.com/juanfont/headscale/issues/1326#issuecomment-1505487881
+          server = {
+            enabled = true;
+            stun_listen_addr = "0.0.0.0:3478";
+
+            # Region code and name are displayed in the Tailscale UI to identify a DERP region
+            region_code = "headscale";
+            region_name = "Headscale Embedded DERP";
+            region_id = 999;
+          };
+
+          urls = [ ];
+          paths = [ ];
+
+          auto_update_enabled = false;
+          update_frequency = "6h";
         };
       };
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      3478 # DERP
+    ];
 
     nginx.virtualHosts."hs.ccnlc.eu" = {
       forceSSL = true;
@@ -127,8 +151,7 @@ mkIf config.services.headscale.enable {
             "tag:client"
             "tag:server"
           ];
-          proto = "rsync"; # optional
-          dst = [ "tag:backup" ];
+          dst = [ "tag:backup:${toString options.modules.services.rsync-daemon.port.default}" ];
         }
       ];
 
@@ -151,6 +174,7 @@ mkIf config.services.headscale.enable {
           tags = map (name: "tag:${name}") [
             "server"
             "client"
+            "backup"
           ];
         in
         lib.genAttrs tags (_: users);