# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

# Host configuration: a headscale coordination server whose key material
# is delivered through sops-encrypted secret files declared at the bottom
# of this module (`clicks.secrets`).
{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
let
  # Decrypted-file locations for the two secret bundles used below. Binding
  # them once keeps each consumer to a single attribute lookup; evaluation is
  # lazy, so nothing is forced here that the original inline form would not.
  headscaleSecrets = config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths;
  tailscaleSecrets = config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths;
in
{
  # UEFI boot via systemd-boot; canTouchEfiVariables lets the bootloader
  # installer write EFI variables (boot entries) on activation.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  time.timeZone = "Etc/UTC";

  environment.systemPackages = [ pkgs.neovim ];

  clicks = {
    nix.enable = true;

    security = {
      doas.enable = true;

      # ACME account contact used for certificate issuance.
      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        # NOTE(review): given without a scheme; confirm the module expects a
        # bare hostname here rather than a full URL.
        url = "clicks.domains";

        # Logins are delegated to the Keycloak realm below; only members of
        # the "/clicks" group are admitted. The client secret never appears
        # in the store — it is read from the decrypted sops file at runtime.
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscaleSecrets.oidc_client_secret;
        };

        # Long-lived server key material, all sourced from the same bundle.
        database_password_path = headscaleSecrets.database_password;
        noise_private_key_path = headscaleSecrets.noise_private_key;
        private_key_path = headscaleSecrets.private_key;

        acl = {
          # Human operators' nodes.
          groups."group:users" = [
            "minion"
            "coded"
            "pineafan"
          ];

          # Infrastructure "areas".
          groups."group:areas" = [
            # Some phonetic alphabet names are excluded here to avoid confusing
            # them with given names
            "alpha"
            "bravo"
            "delta"
            "echo"
            "foxtrot"
            "golf"
            "hotel"
            "india"
            "kilo"
            "lima"
            "november"
            "papa"
            "quebec"
            "sierra"
            "tango"
            "uniform"
            "whiskey"
            "xray"
            "yankee"
            "zulu"
          ];

          # Policy summary: users reach every port (":*") on every user and
          # area node; area nodes reach only other area nodes. Nothing may
          # initiate connections from an area to a user node.
          acls = [
            {
              action = "accept";
              src = [ "group:users" ];
              dst = [
                "group:users:*"
                "group:areas:*"
              ];
            }
            {
              action = "accept";
              src = [ "group:areas" ];
              dst = [ "group:areas:*" ];
            }
          ];
        };
      };
    };

    # This host also joins the tailnet as a client; the pre-auth key comes
    # from its own sops bundle rather than being embedded in the config.
    networking.tailscale = {
      enable = true;
      authKeyFile = tailscaleSecrets.authKey;
    };

    storage = {
      raid.enable = true;

      # Root is wiped on boot; only the md-backed persist device survives.
      impermanence = {
        enable = true;
        devices = {
          root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
          persist = "/dev/md/a1d1:persist";
        };
      };
    };
  };

  # Hardware section (generated-config style).
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
    "uas"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  # /nix lives on a btrfs subvolume of the same device used as the
  # impermanence root above.
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
    fsType = "btrfs";
    options = [ "subvol=@nix" ];
  };

  # NOTE(review): 0022 masks leave the ESP world-readable, so anything the
  # bootloader stores there (e.g. its random seed) is readable by any local
  # user; 0077 is the more restrictive choice if nothing needs the access —
  # confirm before changing.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/880D-BBAB";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };

  swapDevices = [ ];

  networking.useDHCP = true;

  system.stateVersion = "24.05";

  # Secret bundles. Each entry names the encrypted file and the keys that
  # are decrypted out of it; consumers above reference them via `.paths`.

  # Headscale material is made readable by the "headscale" group so the
  # service (presumably running under that group) can open the files.
  clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
    file = ./headscale.sops.json;
    group = "headscale";
    keys = [
      "oidc_client_secret"
      "database_password"
      "noise_private_key"
      "private_key"
    ];
    # Not needed before user/group creation at boot.
    neededForUsers = false;
  };

  # No `group` is set here, so ownership falls back to the module default —
  # TODO confirm that is what the tailscale client expects.
  clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = {
    file = ./tailscale.sops.json;
    keys = [ "authKey" ];
  };
}
Skyler Greyf08a6192024-06-01 23:55:20 +0000166}