nixos/headscale: remove much-loosened-up server_url check

motiejus · motiejus · commit de0a499a56ee · 2025-01-17T08:03:26.000+02:00
server_url check [has been loosened upstream][1] and backported to NixOS[2]. The new, much looser check, is not practical to be implemented in Nix (you are welcome to give it a try; I've implemented the original one). Since the surface area is much smaller now (and the scenario much less common), I think we can remove this assertion altogether. [1]: juanfont/headscale#2248 [2]: NixOS#358255
diff --git a/nixos/modules/services/networking/headscale.nix b/nixos/modules/services/networking/headscale.nix
@@ -559,16 +559,6 @@ in
 
   config = lib.mkIf cfg.enable {
     assertions = [
-      {
-        # This is stricter than it needs to be but is exactly what upstream does:
-        # https://github.com/kradalby/headscale/blob/adc084f20f843d7963c999764fa83939668d2d2c/hscontrol/types/config.go#L799
-        assertion =
-          with cfg.settings;
-          dns.use_username_in_magic_dns or false
-          || dns.base_domain == ""
-          || !lib.hasInfix dns.base_domain server_url;
-        message = "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.";
-      }
       {
         assertion = with cfg.settings; dns.magic_dns -> dns.base_domain != "";
         message = "dns.base_domain must be set when using MagicDNS";
