# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only
{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
let
  # Only *paths* to decrypted secret files reach the service options below; the
  # values themselves stay in the encrypted `*.sops.json` bundles registered
  # under `clicks.secrets` at the bottom of this module (the naming suggests a
  # sops-backed module — confirm in the secrets module). Nothing sensitive is
  # inlined into this file, and therefore nothing lands in the Nix store.
  headscaleSecretPaths =
    config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths;
  tailscaleSecretPaths =
    config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths;

  # One btrfs device carries both the impermanence root and the `@nix` subvolume.
  rootDevice = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";

  # Tailnet principals referenced by the headscale ACL below. Some phonetic
  # alphabet names are excluded from the areas list to avoid confusing them
  # with given names.
  tailnetUsers = [
    "minion"
    "coded"
    "pineafan"
  ];
  tailnetAreas = [
    "alpha"
    "bravo"
    "delta"
    "echo"
    "foxtrot"
    "golf"
    "hotel"
    "india"
    "kilo"
    "lima"
    "november"
    "papa"
    "quebec"
    "sierra"
    "tango"
    "uniform"
    "whiskey"
    "xray"
    "yankee"
    "zulu"
  ];
in
{
  # --- Boot / hardware -------------------------------------------------------
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd = {
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "ahci"
        "usbhid"
        "uas"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };

  fileSystems = {
    "/nix" = {
      device = rootDevice;
      fsType = "btrfs";
      options = [ "subvol=@nix" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/880D-BBAB";
      fsType = "vfat";
      # NOTE(review): 0022 leaves every file on the ESP world-readable.
      # systemd-boot's bootctl warns when its random-seed file is world
      # accessible, and 0077 would be tighter. Kept unchanged here — confirm
      # nothing unprivileged needs to read /boot before tightening it.
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };
  swapDevices = [ ];

  # --- Base system -----------------------------------------------------------
  time.timeZone = "Etc/UTC";
  networking.useDHCP = true;
  environment.systemPackages = [ pkgs.neovim ];
  system.stateVersion = "24.05";

  # --- Site modules (clicks.*) -----------------------------------------------
  clicks = {
    nix.enable = true;

    security = {
      doas.enable = true;
      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        url = "clicks.domains";

        # Logins are delegated to the external OIDC issuer and limited to
        # members of its "/clicks" group; the client secret comes from a file,
        # never from this expression.
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscaleSecretPaths.oidc_client_secret;
        };

        database_password_path = headscaleSecretPaths.database_password;
        noise_private_key_path = headscaleSecretPaths.noise_private_key;
        private_key_path = headscaleSecretPaths.private_key;

        # Policy: user nodes may reach every user and area node on any port;
        # area nodes may only reach other area nodes. Anything not matched by
        # a rule is presumably denied (headscale's ACL default — confirm for
        # the deployed version).
        acl = {
          groups = {
            "group:users" = tailnetUsers;
            "group:areas" = tailnetAreas;
          };
          acls = [
            {
              action = "accept";
              src = [ "group:users" ];
              dst = [ "group:users:*" "group:areas:*" ];
            }
            {
              action = "accept";
              src = [ "group:areas" ];
              dst = [ "group:areas:*" ];
            }
          ];
        };
      };
    };

    networking.tailscale = {
      enable = true;
      authKeyFile = tailscaleSecretPaths.authKey;
    };

    storage = {
      raid.enable = true;
      impermanence = {
        enable = true;
        devices = {
          root = rootDevice;
          persist = "/dev/md/a1d1:persist";
        };
      };
    };

    # Encrypted secret bundles consumed above. `group = "headscale"` presumably
    # lets the headscale service account read its own keys; the tailscale
    # bundle keeps the module's defaults for ownership (verify they are
    # root-only). `neededForUsers = false` keeps the headscale bundle out of
    # the early user-creation stage.
    secrets = {
      "${lib.clicks.secrets.name ./headscale.sops.json}" = {
        file = ./headscale.sops.json;
        group = "headscale";
        keys = [
          "oidc_client_secret"
          "database_password"
          "noise_private_key"
          "private_key"
        ];
        neededForUsers = false;
      };
      "${lib.clicks.secrets.name ./tailscale.sops.json}" = {
        file = ./tailscale.sops.json;
        keys = [ "authKey" ];
      };
    };
  };
}