# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
let
  # Decrypted-secret locations. Each sops file is registered under
  # `clicks.secrets` (see the bottom of this module) and the `.paths.<key>`
  # attributes resolve to the on-disk path of one decrypted key, so no secret
  # material is ever written into the Nix store by this file.
  headscaleSecrets =
    config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths;
  tailscaleSecrets =
    config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths;

  # Prefixes that stand in for "the public internet" in the headscale ACL.
  # The list is contiguous over IPv4 except for exactly these gaps, which are
  # the ranges it is meant to keep out: 10.0.0.0/8, 100.64.0.0/10,
  # 169.254.0.0/16, 172.16.0.0/12 and 192.168.0.0/16.
  # NOTE(review): 112.0.0.0/4 also spans 127.0.0.0/8 (loopback) and
  # 224.0.0.0/3 spans multicast and reserved space; confirm those are meant
  # to be reachable before treating this list as a full special-range
  # exclusion.
  # Should be replaceable with autogroup:internet in next release.
  internet = [
    "0.0.0.0/5"
    "8.0.0.0/7"
    "11.0.0.0/8"
    "12.0.0.0/6"
    "16.0.0.0/4"
    "32.0.0.0/3"
    "64.0.0.0/3"
    "96.0.0.0/6"
    "100.0.0.0/10"
    "100.128.0.0/9"
    "101.0.0.0/8"
    "102.0.0.0/7"
    "104.0.0.0/5"
    "112.0.0.0/4"
    "128.0.0.0/3"
    "160.0.0.0/5"
    "168.0.0.0/8"
    "169.0.0.0/9"
    "169.128.0.0/10"
    "169.192.0.0/11"
    "169.224.0.0/12"
    "169.240.0.0/13"
    "169.248.0.0/14"
    "169.252.0.0/15"
    "169.255.0.0/16"
    "170.0.0.0/7"
    "172.0.0.0/12"
    "172.32.0.0/11"
    "172.64.0.0/10"
    "172.128.0.0/9"
    "173.0.0.0/8"
    "174.0.0.0/7"
    "176.0.0.0/4"
    "192.0.0.0/9"
    "192.128.0.0/11"
    "192.160.0.0/13"
    "192.169.0.0/16"
    "192.170.0.0/15"
    "192.172.0.0/14"
    "192.176.0.0/12"
    "192.192.0.0/10"
    "193.0.0.0/8"
    "194.0.0.0/7"
    "196.0.0.0/6"
    "200.0.0.0/5"
    "208.0.0.0/4"
    "224.0.0.0/3"
    # IPv6 goes through a named host (defined in `acl.hosts` below) rather
    # than a literal: the colons of an IPv6 literal were being misread as the
    # ":<port>" suffix that the dst entries append.
    "ipv6-internet"
  ];

  # Every dst entry gets the ":*" (any port) suffix.
  anyPort = map (host: "${host}:*");
in
{
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd = {
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "ahci"
        "usbhid"
        "uas"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };

  time.timeZone = "Etc/UTC";

  environment.systemPackages = [ pkgs.neovim ];

  networking = {
    useDHCP = true;
    tailscale = {
      enable = true;
      # Pre-auth key comes from the decrypted sops file, never from the store.
      authKeyFile = tailscaleSecrets.authKey;
    };
  };

  fileSystems = {
    "/nix" = {
      device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
      fsType = "btrfs";
      options = [ "subvol=@nix" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/880D-BBAB";
      fsType = "vfat";
      # Mask group/other write bits on the ESP so its contents are not
      # world-writable.
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };

  swapDevices = [ ];

  system.stateVersion = "24.05";

  clicks = {
    nix.enable = true;

    # OpenSSH-format public key (the "root@vermilion" part is its comment).
    # This is public material; how the backups module consumes it is defined
    # elsewhere.
    backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion";

    security = {
      doas.enable = true;
      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        url = "clicks.domains";

        # Logins are delegated to the Keycloak master realm; only members of
        # the "/clicks" group are admitted.
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscaleSecrets.oidc_client_secret;
        };

        database_password_path = headscaleSecrets.database_password;
        noise_private_key_path = headscaleSecrets.noise_private_key;
        private_key_path = headscaleSecrets.private_key;

        acl = {
          groups = {
            "group:users" = [
              "minion"
              "coded"
              "pineafan"
            ];
            # Some phonetic alphabet names are excluded here to avoid
            # confusing them with given names.
            "group:areas" = [
              "alpha"
              "bravo"
              "delta"
              "echo"
              "foxtrot"
              "golf"
              "hotel"
              "india"
              "kilo"
              "lima"
              "november"
              "papa"
              "quebec"
              "sierra"
              "tango"
              "uniform"
              "whiskey"
              "xray"
              "yankee"
              "zulu"
            ];
          };

          # Global-unicast IPv6, referenced by name from `internet` above.
          hosts.ipv6-internet = "2000::/3";

          acls = [
            # Users may reach every user and area node on any port, plus the
            # `internet` prefixes (i.e. exit-node traffic).
            {
              action = "accept";
              src = [ "group:users" ];
              dst = anyPort ([ "group:users" "group:areas" ] ++ internet);
            }
            # Area nodes may only talk to other area nodes.
            {
              action = "accept";
              src = [ "group:areas" ];
              dst = anyPort [ "group:areas" ];
            }
          ];
        };
      };
    };

    storage = {
      raid.enable = true;
      impermanence = {
        enable = true;
        devices = {
          root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
          persist = "/dev/md/a1d1:persist";
        };
      };
    };

    # sops-encrypted secret files and the keys extracted from each; the
    # decrypted paths are consumed through `headscaleSecrets` and
    # `tailscaleSecrets` above.
    secrets = {
      "${lib.clicks.secrets.name ./headscale.sops.json}" = {
        file = ./headscale.sops.json;
        # Decrypted files are group-readable by the headscale service group.
        group = "headscale";
        keys = [
          "oidc_client_secret"
          "database_password"
          "noise_private_key"
          "private_key"
        ];
        neededForUsers = false;
      };

      "${lib.clicks.secrets.name ./tailscale.sops.json}" = {
        file = ./tailscale.sops.json;
        keys = [ "authKey" ];
      };
    };
  };
}