# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

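{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Each sops file is registered under the name that lib.clicks.secrets.name
  # derives from its path. Bind that name, and the resulting `paths` set, once
  # so the declaration in `clicks.secrets` and the consumers in
  # `clicks.services.headscale` / `networking.tailscale` cannot drift apart.
  headscaleSecret = lib.clicks.secrets.name ./headscale.sops.json;
  tailscaleSecret = lib.clicks.secrets.name ./tailscale.sops.json;
  headscalePaths = config.clicks.secrets.${headscaleSecret}.paths;
  tailscalePaths = config.clicks.secrets.${tailscaleSecret}.paths;
in
{
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  time.timeZone = "Etc/UTC";

  environment.systemPackages = with pkgs; [ neovim ];

  clicks = {
    nix.enable = true;

    security = {
      doas.enable = true;

      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        # NOTE(review): given without a scheme; confirm the clicks headscale
        # module prepends https:// before this becomes server_url.
        url = "clicks.domains";

        # Node registration is delegated to the OIDC issuer; allowed_groups
        # restricts it to members of the "/clicks" group.
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscalePaths.oidc_client_secret;
        };

        # Key material and the database password are never inlined here;
        # headscale is pointed at the sops-managed files instead.
        database_password_path = headscalePaths.database_password;
        noise_private_key_path = headscalePaths.noise_private_key;
        private_key_path = headscalePaths.private_key;

        acl = {
          groups = {
            "group:users" = [
              "minion"
              "coded"
              "pineafan"
            ];
            "group:areas" = [
              "alpha"
              "bravo"
              "charlie"
            ];
          };

          acls = [
            # Human users may reach every node on every port.
            {
              action = "accept";
              src = [ "group:users" ];
              dst = [ "*:*" ];
            }
            # Area nodes may only talk to other area nodes, not to user devices.
            {
              action = "accept";
              src = [ "group:areas" ];
              dst = [ "group:areas:*" ];
            }
          ];
        };
      };
    };

    storage = {
      raid.enable = true;
      impermanence = {
        enable = true;
        devices = {
          root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
          persist = "/dev/md/a1d1:persist";
        };
      };
    };

    # Declarations for the sops files consumed above. The headscale secrets are
    # assigned to the `headscale` group; the tailscale auth key does not
    # override the group.
    secrets = {
      ${headscaleSecret} = {
        file = ./headscale.sops.json;
        group = "headscale";
        keys = [
          "oidc_client_secret"
          "database_password"
          "noise_private_key"
          "private_key"
        ];
        neededForUsers = false;
      };

      ${tailscaleSecret} = {
        file = ./tailscale.sops.json;
        keys = [ "authKey" ];
      };
    };
  };

  # This host also joins the tailnet as a client; the pre-authentication key is
  # read from the sops-managed file rather than embedded in the store.
  networking.tailscale = {
    enable = true;
    authKeyFile = tailscalePaths.authKey;
  };

  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
    "uas"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  # The Nix store lives on the same btrfs device as the impermanence root, in
  # its own subvolume.
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
    fsType = "btrfs";
    options = [ "subvol=@nix" ];
  };

  # systemd-boot keeps its random seed (loader/random-seed) on the ESP. With the
  # previous fmask/dmask=0022 every local user could read it, which bootctl
  # reports as a security hole; 0077 makes the ESP readable by root only.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/880D-BBAB";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };

  swapDevices = [ ];

  networking.useDHCP = true;

  system.stateVersion = "24.05";
}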
Skyler Greyf08a6192024-06-01 23:55:20 +0000147}