| # SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors |
| # SPDX-FileCopyrightText: 2024 Clicks Codes |
| # |
| # SPDX-License-Identifier: GPL-3.0-only |
| |
| { |
|   pkgs, |
|   modulesPath, |
|   lib, |
|   config, |
|   ... |
| }: |
| let |
|   # Runtime paths of the sops-decrypted secrets declared under |
|   # `clicks.secrets` further down. Only the on-disk paths are handed to the |
|   # services; the ciphertext files live next to this module. |
|   headscaleSecret = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths; |
|   tailscaleSecret = config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths; |
| |
|   # One btrfs device backs both the impermanence root and the @nix subvolume. |
|   rootDisk = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c"; |
| |
|   # Public IPv4 space, i.e. the expansion of tailscale's `autogroup:internet`. |
|   # The gaps are exactly the ranges a tailnet must never treat as "internet": |
|   # 10/8, 172.16/12 and 192.168/16 (RFC 1918), 100.64/10 (CGNAT, the |
|   # tailnet's own addresses) and 169.254/16 (link-local). Note that 127/8 |
|   # (inside 112.0.0.0/4) and 224/3 (multicast) are deliberately NOT carved |
|   # out, matching the upstream definition. |
|   # TODO: replace with autogroup:internet once the headscale release in use |
|   # supports it. |
|   publicIPv4 = [ |
|     "0.0.0.0/5" |
|     "8.0.0.0/7" |
|     "11.0.0.0/8" |
|     "12.0.0.0/6" |
|     "16.0.0.0/4" |
|     "32.0.0.0/3" |
|     "64.0.0.0/3" |
|     "96.0.0.0/6" |
|     "100.0.0.0/10" |
|     "100.128.0.0/9" |
|     "101.0.0.0/8" |
|     "102.0.0.0/7" |
|     "104.0.0.0/5" |
|     "112.0.0.0/4" |
|     "128.0.0.0/3" |
|     "160.0.0.0/5" |
|     "168.0.0.0/8" |
|     "169.0.0.0/9" |
|     "169.128.0.0/10" |
|     "169.192.0.0/11" |
|     "169.224.0.0/12" |
|     "169.240.0.0/13" |
|     "169.248.0.0/14" |
|     "169.252.0.0/15" |
|     "169.255.0.0/16" |
|     "170.0.0.0/7" |
|     "172.0.0.0/12" |
|     "172.32.0.0/11" |
|     "172.64.0.0/10" |
|     "172.128.0.0/9" |
|     "173.0.0.0/8" |
|     "174.0.0.0/7" |
|     "176.0.0.0/4" |
|     "192.0.0.0/9" |
|     "192.128.0.0/11" |
|     "192.160.0.0/13" |
|     "192.169.0.0/16" |
|     "192.170.0.0/15" |
|     "192.172.0.0/14" |
|     "192.176.0.0/12" |
|     "192.192.0.0/10" |
|     "193.0.0.0/8" |
|     "194.0.0.0/7" |
|     "196.0.0.0/6" |
|     "200.0.0.0/5" |
|     "208.0.0.0/4" |
|     "224.0.0.0/3" |
|   ]; |
| |
|   # IPv6 global unicast (2000::/3) is referenced through a named host alias |
|   # (see `acl.hosts` below) because the colons in "2000::/3:*" collide with |
|   # the host:port syntax of ACL destinations. |
|   publicRanges = publicIPv4 ++ [ "ipv6-internet" ]; |
| in |
| { |
|   ##### Boot, kernel and storage ##### |
| |
|   boot = { |
|     loader = { |
|       systemd-boot.enable = true; |
|       efi.canTouchEfiVariables = true; |
|     }; |
|     initrd = { |
|       availableKernelModules = [ |
|         "nvme" |
|         "xhci_pci" |
|         "ahci" |
|         "usbhid" |
|         "uas" |
|         "usb_storage" |
|         "sd_mod" |
|       ]; |
|       kernelModules = [ ]; |
|     }; |
|     kernelModules = [ "kvm-amd" ]; |
|     extraModulePackages = [ ]; |
|   }; |
| |
|   fileSystems = { |
|     "/nix" = { |
|       device = rootDisk; |
|       fsType = "btrfs"; |
|       options = [ "subvol=@nix" ]; |
|     }; |
|     "/boot" = { |
|       device = "/dev/disk/by-uuid/880D-BBAB"; |
|       fsType = "vfat"; |
|       # 0022 leaves the ESP world-readable. Acceptable while nothing secret |
|       # (e.g. boot.initrd.secrets) is placed there; tighten to 0077 if that |
|       # ever changes. |
|       options = [ |
|         "fmask=0022" |
|         "dmask=0022" |
|       ]; |
|     }; |
|   }; |
| |
|   swapDevices = [ ]; |
| |
|   ##### Base system ##### |
| |
|   time.timeZone = "Etc/UTC"; |
|   networking.useDHCP = true; |
|   environment.systemPackages = [ pkgs.neovim ]; |
| |
|   # Pins stateful defaults to the release this host was installed with; |
|   # do not bump on an existing install without reading the release notes. |
|   system.stateVersion = "24.05"; |
| |
|   ##### Project (clicks) modules ##### |
| |
|   clicks = { |
|     nix.enable = true; |
| |
|     # Public half of the backup target's key (root@vermilion); safe to commit. |
|     backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion"; |
| |
|     security = { |
|       doas.enable = true; |
|       acme = { |
|         enable = true; |
|         email = "minion@clicks.codes"; |
|       }; |
|     }; |
| |
|     services = { |
|       ssh.enable = true; |
| |
|       # Headscale control server for the tailnet this host also joins. |
|       headscale = { |
|         enable = true; |
|         # NOTE(review): bare hostname without a scheme. Headscale's own |
|         # server_url requires one; presumably the clicks module prefixes |
|         # https:// -- confirm. |
|         url = "clicks.domains"; |
| |
|         oidc = { |
|           enable = true; |
|           # NOTE(review): the /realms/<name> path is Keycloak's; "master" is |
|           # its administrative realm, which Keycloak advises against using |
|           # for application clients. Consider a dedicated realm. |
|           issuer = "https://login.clicks.codes/realms/master"; |
|           # Only members of this IdP group may log in and register nodes. |
|           allowed_groups = [ "/clicks" ]; |
|           client_secret_path = headscaleSecret.oidc_client_secret; |
|         }; |
| |
|         database_password_path = headscaleSecret.database_password; |
|         noise_private_key_path = headscaleSecret.noise_private_key; |
|         private_key_path = headscaleSecret.private_key; |
| |
|         # Headscale ACLs are allow-lists: anything not matched below is |
|         # denied. Users may reach each other, every area device and the |
|         # public internet (only meaningful via an exit node / subnet |
|         # router); area devices may only talk among themselves and cannot |
|         # initiate connections to users. |
|         acl = { |
|           groups = { |
|             "group:users" = [ |
|               "minion" |
|               "coded" |
|               "pineafan" |
|             ]; |
|             # Headscale users for site/area devices, named after the NATO |
|             # alphabet. Letters that double as given names (charlie, juliet, |
|             # mike, oscar, romeo, victor) are left out to avoid confusion. |
|             "group:areas" = [ |
|               "alpha" |
|               "bravo" |
|               "delta" |
|               "echo" |
|               "foxtrot" |
|               "golf" |
|               "hotel" |
|               "india" |
|               "kilo" |
|               "lima" |
|               "november" |
|               "papa" |
|               "quebec" |
|               "sierra" |
|               "tango" |
|               "uniform" |
|               "whiskey" |
|               "xray" |
|               "yankee" |
|               "zulu" |
|             ]; |
|           }; |
| |
|           hosts.ipv6-internet = "2000::/3"; |
| |
|           acls = [ |
|             { |
|               action = "accept"; |
|               src = [ "group:users" ]; |
|               dst = [ |
|                 "group:users:*" |
|                 "group:areas:*" |
|               ] ++ map (range: "${range}:*") publicRanges; |
|             } |
|             { |
|               action = "accept"; |
|               src = [ "group:areas" ]; |
|               dst = [ "group:areas:*" ]; |
|             } |
|           ]; |
|         }; |
|       }; |
|     }; |
| |
|     # This host is itself a node on the tailnet served above. |
|     networking.tailscale = { |
|       enable = true; |
|       # Pre-auth key; only its decrypted runtime path is passed to the module. |
|       authKeyFile = tailscaleSecret.authKey; |
|     }; |
| |
|     storage = { |
|       raid.enable = true; |
|       impermanence = { |
|         enable = true; |
|         devices = { |
|           root = rootDisk; |
|           persist = "/dev/md/a1d1:persist"; |
|         }; |
|       }; |
|     }; |
| |
|     secrets = { |
|       "${lib.clicks.secrets.name ./headscale.sops.json}" = { |
|         file = ./headscale.sops.json; |
|         # Decrypted material is group-owned by headscale so the service can |
|         # read it without running as root. |
|         group = "headscale"; |
|         keys = [ |
|           "oidc_client_secret" |
|           "database_password" |
|           "noise_private_key" |
|           "private_key" |
|         ]; |
|         neededForUsers = false; |
|       }; |
| |
|       "${lib.clicks.secrets.name ./tailscale.sops.json}" = { |
|         file = ./tailscale.sops.json; |
|         # No group given: ownership falls back to the secrets module's default. |
|         keys = [ "authKey" ]; |
|       }; |
|     }; |
|   }; |
| } |