# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only
{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
let
  # Each sops file is addressed through the name lib.clicks.secrets.name derives
  # from its path. Binding those names (and the resolved secret paths) once keeps
  # the clicks.secrets declarations and their consumers pointing at the same entry.
  headscaleSecretName = lib.clicks.secrets.name ./headscale.sops.json;
  tailscaleSecretName = lib.clicks.secrets.name ./tailscale.sops.json;
  headscaleSecretPaths = config.clicks.secrets."${headscaleSecretName}".paths;
  tailscaleSecretPaths = config.clicks.secrets."${tailscaleSecretName}".paths;

  # Public IPv4 space spelled out as CIDR blocks. The gaps between the blocks are
  # exactly 10.0.0.0/8, 100.64.0.0/10 (CGNAT, which Tailscale itself allocates
  # from), 169.254.0.0/16 (link-local), 172.16.0.0/12 and 192.168.0.0/16, so the
  # ACL below never grants users access to RFC 1918 / CGNAT / link-local
  # destinations via this list.
  # NOTE(review): 0.0.0.0/8, loopback (127.0.0.0/8, inside 112.0.0.0/4) and
  # 224.0.0.0/3 (multicast/reserved) are still inside the enumerated blocks;
  # confirm that is acceptable before relying on this as a strict allow-list.
  # The "ipv6-internet" host alias stands in for a literal "2000::/3" because the
  # colons of an IPv6 prefix clashed with the ":port" suffix appended below.
  # TODO: replace the whole list with autogroup:internet once the deployed
  # headscale release supports it.
  publicInternet = [
    "0.0.0.0/5"
    "8.0.0.0/7"
    "11.0.0.0/8"
    "12.0.0.0/6"
    "16.0.0.0/4"
    "32.0.0.0/3"
    "64.0.0.0/3"
    "96.0.0.0/6"
    "100.0.0.0/10"
    "100.128.0.0/9"
    "101.0.0.0/8"
    "102.0.0.0/7"
    "104.0.0.0/5"
    "112.0.0.0/4"
    "128.0.0.0/3"
    "160.0.0.0/5"
    "168.0.0.0/8"
    "169.0.0.0/9"
    "169.128.0.0/10"
    "169.192.0.0/11"
    "169.224.0.0/12"
    "169.240.0.0/13"
    "169.248.0.0/14"
    "169.252.0.0/15"
    "169.255.0.0/16"
    "170.0.0.0/7"
    "172.0.0.0/12"
    "172.32.0.0/11"
    "172.64.0.0/10"
    "172.128.0.0/9"
    "173.0.0.0/8"
    "174.0.0.0/7"
    "176.0.0.0/4"
    "192.0.0.0/9"
    "192.128.0.0/11"
    "192.160.0.0/13"
    "192.169.0.0/16"
    "192.170.0.0/15"
    "192.172.0.0/14"
    "192.176.0.0/12"
    "192.192.0.0/10"
    "193.0.0.0/8"
    "194.0.0.0/7"
    "196.0.0.0/6"
    "200.0.0.0/5"
    "208.0.0.0/4"
    "224.0.0.0/3"
    "ipv6-internet"
  ];
in
{
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    # Hardware-scan section for this host: modules needed to find the disks in
    # the initrd, plus KVM support for the AMD CPU.
    initrd = {
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "ahci"
        "usbhid"
        "uas"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };

  time.timeZone = "Etc/UTC";
  environment.systemPackages = [ pkgs.neovim ];

  clicks = {
    nix.enable = true;

    security = {
      doas.enable = true;
      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        url = "clicks.domains";

        # Node registration is delegated to the Keycloak master realm; only
        # accounts in the /clicks group are accepted (headscale's allowed_groups).
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscaleSecretPaths.oidc_client_secret;
        };

        # Key material and credentials are referenced by path from the headscale
        # sops file rather than inlined here.
        database_password_path = headscaleSecretPaths.database_password;
        noise_private_key_path = headscaleSecretPaths.noise_private_key;
        private_key_path = headscaleSecretPaths.private_key;

        acl = {
          groups = {
            "group:users" = [
              "minion"
              "coded"
              "pineafan"
            ];
            # Phonetic-alphabet names for the area nodes. Letters that read like
            # given names (charlie, juliet, mike, oscar, romeo, victor) are left
            # out so they cannot be mistaken for users.
            "group:areas" = [
              "alpha"
              "bravo"
              "delta"
              "echo"
              "foxtrot"
              "golf"
              "hotel"
              "india"
              "kilo"
              "lima"
              "november"
              "papa"
              "quebec"
              "sierra"
              "tango"
              "uniform"
              "whiskey"
              "xray"
              "yankee"
              "zulu"
            ];
          };

          hosts.ipv6-internet = "2000::/3";

          acls = [
            # Users may reach each other, every area node, and the public
            # internet ranges above, on any port.
            {
              action = "accept";
              src = [ "group:users" ];
              dst = [
                "group:users:*"
                "group:areas:*"
              ] ++ map (range: "${range}:*") publicInternet;
            }
            # Area nodes may only talk to other area nodes; no rule lets them
            # initiate connections to users or to the internet.
            {
              action = "accept";
              src = [ "group:areas" ];
              dst = [ "group:areas:*" ];
            }
          ];
        };
      };
    };

    networking.tailscale = {
      enable = true;
      authKeyFile = tailscaleSecretPaths.authKey;
    };

    storage = {
      raid.enable = true;
      impermanence = {
        enable = true;
        devices = {
          root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
          persist = "/dev/md/a1d1:persist";
        };
      };
    };

    # Secret declarations consumed by the headscale and tailscale blocks above.
    secrets."${headscaleSecretName}" = {
      file = ./headscale.sops.json;
      group = "headscale";
      keys = [
        "oidc_client_secret"
        "database_password"
        "noise_private_key"
        "private_key"
      ];
      neededForUsers = false;
    };
    secrets."${tailscaleSecretName}" = {
      file = ./tailscale.sops.json;
      keys = [ "authKey" ];
    };
  };

  fileSystems = {
    "/nix" = {
      device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
      fsType = "btrfs";
      options = [ "subvol=@nix" ];
    };
    # NOTE(review): fmask/dmask 0022 leave the ESP world-readable. systemd-boot
    # keeps its random-seed file on the ESP and warns when /boot is world
    # accessible; 0077 is the safer choice unless something on this host needs
    # non-root read access to /boot.
    "/boot" = {
      device = "/dev/disk/by-uuid/880D-BBAB";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };

  swapDevices = [ ];
  networking.useDHCP = true;
  system.stateVersion = "24.05";
}