# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

# Host configuration for the headscale coordination server of the "clicks"
# tailnet. Besides headscale itself it enrols the host as a tailscale client,
# sets up the impermanent storage layout and wires in the sops-managed secrets.
{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
let
  # Registered names of this host's sops files; the clicks.secrets entries
  # further down declare them under these same names.
  headscaleSecret = lib.clicks.secrets.name ./headscale.sops.json;
  tailscaleSecret = lib.clicks.secrets.name ./tailscale.sops.json;

  # Decrypted on-disk paths of the individual keys. These are only forced when
  # the option that references them is evaluated, so reading config here is
  # safe with respect to module-system recursion.
  headscalePaths = config.clicks.secrets."${headscaleSecret}".paths;
  tailscalePaths = config.clicks.secrets."${tailscaleSecret}".paths;

  # "The internet" for ACL purposes, spelled out as IPv4 CIDRs because the
  # deployed headscale release has no autogroup:internet yet. By inspection the
  # ranges left uncovered are 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16,
  # 172.16.0.0/12 and 192.168.0.0/16. Note that 0.0.0.0/8 and 127.0.0.0/8 are
  # still covered (via 0.0.0.0/5 and 112.0.0.0/4) -- confirm that is intended.
  # IPv6 is referenced through the ipv6-internet host alias rather than a
  # literal, because the colons in an IPv6 literal clashed with the ":port"
  # suffix of dst entries.
  # Should be replaceable with autogroup:internet in the next release.
  internet = [
    "0.0.0.0/5"
    "8.0.0.0/7"
    "11.0.0.0/8"
    "12.0.0.0/6"
    "16.0.0.0/4"
    "32.0.0.0/3"
    "64.0.0.0/3"
    "96.0.0.0/6"
    "100.0.0.0/10"
    "100.128.0.0/9"
    "101.0.0.0/8"
    "102.0.0.0/7"
    "104.0.0.0/5"
    "112.0.0.0/4"
    "128.0.0.0/3"
    "160.0.0.0/5"
    "168.0.0.0/8"
    "169.0.0.0/9"
    "169.128.0.0/10"
    "169.192.0.0/11"
    "169.224.0.0/12"
    "169.240.0.0/13"
    "169.248.0.0/14"
    "169.252.0.0/15"
    "169.255.0.0/16"
    "170.0.0.0/7"
    "172.0.0.0/12"
    "172.32.0.0/11"
    "172.64.0.0/10"
    "172.128.0.0/9"
    "173.0.0.0/8"
    "174.0.0.0/7"
    "176.0.0.0/4"
    "192.0.0.0/9"
    "192.128.0.0/11"
    "192.160.0.0/13"
    "192.169.0.0/16"
    "192.170.0.0/15"
    "192.172.0.0/14"
    "192.176.0.0/12"
    "192.192.0.0/10"
    "193.0.0.0/8"
    "194.0.0.0/7"
    "196.0.0.0/6"
    "200.0.0.0/5"
    "208.0.0.0/4"
    "224.0.0.0/3"
    "ipv6-internet"
  ];
in
{
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd = {
      availableKernelModules = [
        "nvme"
        "xhci_pci"
        "ahci"
        "usbhid"
        "uas"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };

  time.timeZone = "Etc/UTC";

  environment.systemPackages = [ pkgs.neovim ];

  networking.useDHCP = true;
  swapDevices = [ ];
  system.stateVersion = "24.05";

  fileSystems = {
    # The @nix subvolume of the same btrfs volume that impermanence uses as
    # its root device (identical by-uuid below).
    "/nix" = {
      device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
      fsType = "btrfs";
      options = [ "subvol=@nix" ];
    };

    # EFI system partition. 0022 masks leave its contents world-readable;
    # systemd-boot keeps its random seed on this partition and bootctl warns
    # about a world-accessible ESP for that reason, so 0077 masks are worth
    # considering if that warning shows up on this host.
    "/boot" = {
      device = "/dev/disk/by-uuid/880D-BBAB";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };

  clicks = {
    nix.enable = true;

    security = {
      doas.enable = true;

      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        url = "clicks.domains";

        # Node registration goes through the OIDC issuer below; only members
        # of the "/clicks" group are accepted.
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscalePaths.oidc_client_secret;
        };

        # Key material is never inlined; headscale reads it from the decrypted
        # sops paths at runtime.
        database_password_path = headscalePaths.database_password;
        noise_private_key_path = headscalePaths.noise_private_key;
        private_key_path = headscalePaths.private_key;

        acl = {
          groups = {
            "group:users" = [
              "minion"
              "coded"
              "pineafan"
            ];
            "group:areas" = [
              # Some phonetic alphabet names are excluded here to avoid confusing
              # them with given names
              "alpha"
              "bravo"
              "delta"
              "echo"
              "foxtrot"
              "golf"
              "hotel"
              "india"
              "kilo"
              "lima"
              "november"
              "papa"
              "quebec"
              "sierra"
              "tango"
              "uniform"
              "whiskey"
              "xray"
              "yankee"
              "zulu"
            ];
          };

          hosts.ipv6-internet = "2000::/3";

          # Two-tier policy: people (group:users) may reach each other, every
          # area node and the internet list on any port; area nodes may only
          # reach other area nodes. The ":*" suffix means all ports.
          acls = [
            {
              action = "accept";
              src = [ "group:users" ];
              dst = [
                "group:users:*"
                "group:areas:*"
              ] ++ map (host: "${host}:*") internet;
            }
            {
              action = "accept";
              src = [ "group:areas" ];
              dst = [ "group:areas:*" ];
            }
          ];
        };
      };
    };

    # This host is itself a node on the tailnet it coordinates.
    networking.tailscale = {
      enable = true;
      authKeyFile = tailscalePaths.authKey;
    };

    storage = {
      raid.enable = true;
      impermanence = {
        enable = true;
        devices = {
          root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
          persist = "/dev/md/a1d1:persist";
        };
      };
    };

    secrets = {
      # Group "headscale" so the service account can read the decrypted keys;
      # not needed before user creation.
      "${headscaleSecret}" = {
        file = ./headscale.sops.json;
        group = "headscale";
        keys = [
          "oidc_client_secret"
          "database_password"
          "noise_private_key"
          "private_key"
        ];
        neededForUsers = false;
      };

      # No group override here -- presumably left root-only because tailscaled
      # reads the auth key as root; confirm against the clicks.secrets module.
      "${tailscaleSecret}" = {
        file = ./tailscale.sops.json;
        keys = [ "authKey" ];
      };
    };
  };
}
Skyler Greyf08a6192024-06-01 23:55:20 +0000225}