# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only
{
pkgs,
modulesPath,
lib,
config,
...
}:
{
# Public key this host's secrets are rekeyed to (agenix-rekey). Only the
# public half is committed; the matching private key stays on the host.
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPkKdPSPxsLdx3GUjjyibRLjLl3XfaXmfrrvemDFkjI3";
# UEFI boot via systemd-boot; the installer is allowed to write EFI variables.
boot.loader = {
  systemd-boot.enable = true;
  efi.canTouchEfiVariables = true;
};
time.timeZone = "Etc/UTC";
# The only package installed system-wide in this file.
environment.systemPackages = [ pkgs.neovim ];
# Host settings for the site-local `clicks.*` module set. The options are
# declared elsewhere in the repository; this file only assigns values.
clicks = {
nix.enable = true;
# Public half of the backups key. Only the public key is kept here.
backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion";
security = {
doas.enable = true;
# ACME with the DNS-01 challenge against Cloudflare. The DNS API credentials
# are read from an agenix-managed environment file (declared in age.secrets at
# the end of this file), so nothing secret is committed.
acme = {
enable = true;
defaults = {
email = "minion@clicks.codes";
dnsProvider = "cloudflare";
environmentFile = config.age.secrets."clicks.security.acme.defaults.environmentFile".path;
};
};
};
sites."docs.auxolotl.org".enable = true;
sites."a.starrysky.blog".enable = true;
# sites."blog.thecoded.prof".enable = true;
services = {
ssh.enable = true;
# Tailscale control server. The OIDC client secret and the noise private key
# are agenix secrets made group-readable by "headscale" (see age.secrets at the
# end of this file) rather than being inlined here.
headscale = {
enable = true;
domain = "clicks.domains";
server_url = "vpn.clicks.codes";
addr = lib.clicks.constants.hosts.generic;
# Node registration is delegated to the OIDC issuer below; allowed_groups
# limits it to identities in the provider's /clicks group.
oidc = {
enable = true;
issuer = "https://login.clicks.codes/realms/master";
allowed_groups = [ "/clicks" ];
client_secret_path =
config.age.secrets."clicks.services.headscale.oidc.client_secret_path".path;
};
noise_private_key_path =
config.age.secrets."clicks.services.headscale.noise_private_key_path".path;
# Tailnet policy. Vocabulary used below:
#   area    - a NATO-alphabet word used as a machine tag, "tag:<area>"
#   users   - members with full access
#   friends - guests who may only reach members and other friends
acl = let
# Every tag that may exist. Only these names get tagOwners entries below, so
# a tag outside this list has no owner and cannot be assigned.
permitted_area_names = [
# Some phonetic alphabet names are excluded here to avoid confusing
# them with given names
"alpha"
"bravo"
"delta"
"echo"
"foxtrot"
"golf"
"hotel"
"india"
"kilo"
"lima"
"november"
"papa"
"quebec"
"sierra"
"tango"
"uniform"
"whiskey"
"xray"
"yankee"
"zulu"
];
# area -> user who owns the machine carrying that tag. Drives the per-owner
# SSH rules and the extra tagOwners entries below. Nothing here checks that
# every key is in permitted_area_names or that every value is in `users`.
assigned_areas = {
"alpha" = "coded";
"bravo" = "minion";
"echo" = "maddie";
"sierra" = "pineafan";
"tango" = "mostlyturquoise";
"zulu" = "zanderp25";
};
# Members. Each name is expected to match a headscale user.
users = [
"coded"
"maddie"
"minion"
"pineafan"
"zanderp25"
"mostlyturquoise"
];
# Guests.
friends = [
"sirdigalot"
];
in
{
# Maintainers may apply any tag (see tagOwners).
groups."group:maintainer" = [
"coded"
"minion"
];
groups."group:users" = users;
groups."group:friends" = friends;
acls = [
# Members reach each other, friends, the internet through exit nodes
# (autogroup:internet) and every tagged machine, on any port.
{
action = "accept";
src = [ "group:users" ];
dst = [
"group:users:*"
"group:friends:*"
"autogroup:internet:*"
] ++ (map (tag: "tag:${tag}:*") permitted_area_names);
}
# Friends reach only members and other friends: no exit-node egress and no
# tagged machines.
{
action = "accept";
src = [ "group:friends" ];
dst = [
"group:users:*"
"group:friends:*"
];
}
# Tagged machines may reach each other on any port.
{
action = "accept";
src = (map (tag: "tag:${tag}") permitted_area_names);
dst = (map (tag: "tag:${tag}:*") permitted_area_names);
}
# NOTE(review): the source is the bare name "zulu", while every other tag
# reference in this policy is written "tag:<area>". Confirm whether the
# tagged machine (tag:zulu) or something else is meant.
{
action = "accept";
src = [ "zulu" ];
dst = [ "zanderp25:3000" ];
}
];
# Tailscale SSH policy. Every rule uses action "check": sessions must
# re-authenticate with the identity provider once checkPeriod has elapsed.
# Three rule sets are concatenated:
#  1. any member -> any tagged machine, 8h window, only the listed
#     terminal/locale variables forwarded. No `users` field is given here -
#     NOTE(review): confirm which remote users headscale permits in that case.
#  2. each area owner -> their own tagged machine, as root or any non-root
#     user, 2h window, any environment variable accepted.
#  3. each member and friend -> machines registered to their own user, with
#     the same settings as 2.
ssh = [
{
action = "check";
src = ["group:users"];
dst = (map (tag: "tag:${tag}") permitted_area_names);
checkPeriod = "8h";
acceptEnv = [
"BAT_THEME"
"COLORTERM"
"JQ_COLORS"
"LANG"
"LS_COLORS"
"LSCOLORS"
"TERM"
];
}
] ++ (lib.attrsets.mapAttrsToList (area: user: {
action = "check";
src = [ user ];
dst = [ "tag:${area}" ];
checkPeriod = "2h";
users = [ "root" "autogroup:nonroot" ];
acceptEnv = [ "*" ];
}) assigned_areas) ++ (map (user: {
action = "check";
src = [ user ];
dst = [ user ];
checkPeriod = "2h";
users = [ "root" "autogroup:nonroot" ];
acceptEnv = [ "*" ];
}) (users ++ friends));
# Who may apply each tag. Every permitted area is owned by the maintainers;
# for areas in assigned_areas the right-hand side of `//` wins, so the entry
# becomes maintainers plus the assigned user.
tagOwners = (lib.pipe permitted_area_names [
(map (area: {
name = "tag:${area}";
value = [ "group:maintainer" ];
}))
lib.listToAttrs
]) // (lib.attrsets.mapAttrs' (area: user: {
name = "tag:${area}";
value = [ "group:maintainer" user ];
}) assigned_areas);
};
};
# Beancount web UI, reachable only through tailscale identity (tailscaleAuth).
# The TrueLayer client secret is delivered as a credential: the generated
# import config below reads it from $CREDENTIALS_DIRECTORY at runtime (this
# looks like systemd LoadCredential - confirm), so the secret never lands in
# the world-readable nix store; only the client id does.
fava = {
enable = true;
extraPythonPackages = [
pkgs.clicks.beancount-autobean
pkgs.clicks.beancount-beancount_share
pkgs.clicks.beancount-smart_importer
];
tailscaleAuth = true;
credentials = {
truelayer_client_secret = config.age.secrets."clicks.services.fava.credentials.truelayer_client_secret".path;
};
# Ledgers, ordered as a home-manager DAG: "clicks" first, "coded" and
# "minion" after it, "testing" last.
accounts = {
"clicks" = lib.home-manager.hm.dag.entryAnywhere {
name = "Clicks Codes";
beancountExtraOptions.operating_currency = "GBP";
};
"coded" = lib.home-manager.hm.dag.entryBetween [ "testing" ] [ "clicks" ] {
name = "Samuel Shuert";
beancountExtraOptions.operating_currency = "USD";
};
"minion" = lib.home-manager.hm.dag.entryBetween [ "testing" ] [ "clicks" ] {
name = "Skyler Grey";
beancountExtraOptions.operating_currency = "GBP";
favaExtraOptions = {
invert-income-liabilities-equity = "true";
auto-reload = "true";
fiscal-year-end = "04-05";
# Importer configuration is rendered to a file in the nix store; fava is
# handed the store path as a string.
import-config = builtins.toString (pkgs.writeText "minion-imports.py" ''
import autobean.truelayer
from smart_importer import apply_hooks, PredictPayees, PredictPostings
import os
import pathlib
with open(pathlib.Path(os.environ["CREDENTIALS_DIRECTORY"]) / pathlib.Path("truelayer_client_secret")) as f:
truelayer_client_secret = f.read().strip()
CONFIG = [
apply_hooks(
autobean.truelayer.Importer(
"fava-228732",
truelayer_client_secret
),
[
PredictPayees(),
PredictPostings(),
]
)
]
'');
# Path under /var/lib/private suggests the service runs with a dynamic
# systemd user - NOTE(review): confirm.
import-dirs = "/var/lib/private/fava/minion/";
};
extraConfig = ''
plugin "fava.plugins.tag_discovered_documents"
plugin "fava.plugins.link_documents"
plugin "beancount.plugins.pedantic"
plugin "beancount.plugins.unrealized" "Unrealized"
plugin "beancount.plugins.implicit_prices"
plugin "beancount_share.share" "{
'mark_name': 'share',
'meta_name': 'shared',
'account_debtors': 'Assets:People',
'account_creditors': 'Liabilities:People',
'open_date': '1970-01-01',
'quantize': '0.01'
}"
'';
};
"testing" = lib.home-manager.hm.dag.entryAfter [ "clicks" ] {
name = "Test Data - May Be Wiped At Any Time";
};
};
domain = "fava.clicks.codes";
};
# SilverBullet, likewise gated by tailscale identity.
silverbullet = {
enable = true;
domain = "silverbullet.clicks.codes";
tailscaleAuth = true;
};
};
# Auth key for joining the tailnet, supplied by agenix rather than inlined.
networking.tailscale = {
enable = true;
authKeyFile =
config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
};
storage = {
raid.enable = true;
# Ephemeral root (impermanence): state survives only on the persist device.
# The root device is the same btrfs volume that carries the @nix subvolume
# mounted at /nix (see fileSystems."/nix").
impermanence = {
enable = true;
devices = {
root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
persist = "/dev/md/a1d1:persist";
};
};
};
};
# Drivers made available in the initrd: NVMe, SATA (ahci), xHCI and USB
# mass storage, plus the SCSI disk layer they sit on.
boot.initrd = {
  availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
    "uas"
    "usb_storage"
    "sd_mod"
  ];
  kernelModules = [ ];
};
# AMD CPU: KVM virtualisation support.
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# /nix is the @nix subvolume of the btrfs volume that also backs the
# impermanence root device (same UUID under clicks.storage.impermanence).
fileSystems."/nix" = {
  fsType = "btrfs";
  options = [ "subvol=@nix" ];
  device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
};
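# EFI system partition used by systemd-boot. Mounted owner-only (0077 rather
# than the older generated default 0022): systemd-boot keeps its random-seed
# file under /boot/loader, and bootctl warns when the mount point backing that
# file is world-accessible. Root, which runs bootctl and nixos-rebuild, is
# unaffected.
fileSystems."/boot" = {
  device = "/dev/disk/by-uuid/880D-BBAB";
  fsType = "vfat";
  options = [
    "fmask=0077"
    "dmask=0077"
  ];
};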
networking.useDHCP = true;
# No swap configured on this host.
swapDevices = [ ];
# Release whose stateful data formats this host was installed with; leave
# unchanged when upgrading nixpkgs.
system.stateVersion = "24.05";
# Encrypted secrets managed by agenix-rekey. Each .age file sits next to this
# file and is rekeyed to age.rekey.hostPubkey; the decrypted paths are what
# the `config.age.secrets.<name>.path` references above resolve to.
age.secrets = {
  "clicks.networking.tailscale.authKeyFile".rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
  "clicks.security.acme.defaults.environmentFile".rekeyFile = ./clicks.security.acme.defaults.environmentFile.age;
  "clicks.services.fava.credentials.truelayer_client_secret".rekeyFile = ./clicks.services.fava.credentials.truelayer_client_secret.age;
  # The headscale service reads these two itself, so they are made readable by
  # the "headscale" group instead of root only.
  "clicks.services.headscale.oidc.client_secret_path" = {
    rekeyFile = ./clicks.services.headscale.oidc.client_secret_path.age;
    group = "headscale";
  };
  "clicks.services.headscale.noise_private_key_path" = {
    rekeyFile = ./clicks.services.headscale.noise_private_key_path.age;
    group = "headscale";
  };
};
}