| # SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors |
| # SPDX-FileCopyrightText: 2024 Clicks Codes |
| # |
| # SPDX-License-Identifier: GPL-3.0-only |
| |
| { |
| pkgs, |
| modulesPath, |
| lib, |
| config, |
| ... |
| }: |
| { |
| boot.loader.systemd-boot.enable = true; |
| boot.loader.efi.canTouchEfiVariables = true; |
| |
| time.timeZone = "Etc/UTC"; |
| |
| environment.systemPackages = with pkgs; [ neovim ]; |
| |
| clicks = { |
| nix.enable = true; |
| |
| security = { |
| doas.enable = true; |
| |
| acme = { |
| enable = true; |
| email = "minion@clicks.codes"; |
| }; |
| }; |
| |
| services = { |
| ssh.enable = true; |
| headscale = { |
| enable = true; |
| url = "clicks.domains"; |
| oidc = { |
| enable = true; |
| issuer = "https://login.clicks.codes/realms/master"; |
| allowed_groups = [ "/clicks" ]; |
| client_secret_path = |
| config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret; |
| }; |
| database_password_path = |
| config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password; |
| noise_private_key_path = |
| config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key; |
| private_key_path = |
| config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key; |
| acl = { |
| groups."group:users" = [ |
| "minion" |
| "coded" |
| "pineafan" |
| ]; |
| groups."group:areas" = [ |
| "alpha" |
| "bravo" |
| "charlie" |
| ]; |
| |
| acls = [ |
| { |
| action = "accept"; |
| src = [ "group:users" ]; |
| dst = [ "*:*" ]; |
| } |
| { |
| action = "accept"; |
| src = [ "group:areas" ]; |
| dst = [ "group:areas:*" ]; |
| } |
| ]; |
| }; |
| }; |
| }; |
| |
| networking.tailscale = { |
| enable = true; |
| authKeyFile = |
| config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths.authKey; |
| }; |
| |
| storage = { |
| raid.enable = true; |
| impermanence = { |
| enable = true; |
| devices = { |
| root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c"; |
| persist = "/dev/md/a1d1:persist"; |
| }; |
| }; |
| }; |
| }; |
| |
| boot.initrd.availableKernelModules = [ |
| "nvme" |
| "xhci_pci" |
| "ahci" |
| "usbhid" |
| "uas" |
| "usb_storage" |
| "sd_mod" |
| ]; |
| boot.initrd.kernelModules = [ ]; |
| boot.kernelModules = [ "kvm-amd" ]; |
| boot.extraModulePackages = [ ]; |
| |
| fileSystems."/nix" = { |
| device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c"; |
| fsType = "btrfs"; |
| options = [ "subvol=@nix" ]; |
| }; |
| |
| fileSystems."/boot" = { |
| device = "/dev/disk/by-uuid/880D-BBAB"; |
| fsType = "vfat"; |
| options = [ |
| "fmask=0022" |
| "dmask=0022" |
| ]; |
| }; |
| |
| swapDevices = [ ]; |
| |
| networking.useDHCP = true; |
| |
| system.stateVersion = "24.05"; |
| |
| clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = { |
| file = ./headscale.sops.json; |
| group = "headscale"; |
| keys = [ |
| "oidc_client_secret" |
| "database_password" |
| "noise_private_key" |
| "private_key" |
| ]; |
| neededForUsers = false; |
| }; |
| |
| clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = { |
| file = ./tailscale.sops.json; |
| keys = [ "authKey" ]; |
| }; |
| } |