Blame - systems/x86_64-linux/teal/default.nix - Infra/NixFiles

blob: df5031916bd55905d475c36890db54605e9f9297 [file] [log] [blame]

Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	1	# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
				2	# SPDX-FileCopyrightText: 2024 Clicks Codes
				3	#
				4	# SPDX-License-Identifier: GPL-3.0-only
				5
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	6	{
				7	pkgs,
				8	modulesPath,
				9	lib,
				10	config,
				11	...
				12	}:
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	13	{
				14	boot.loader.systemd-boot.enable = true;
				15	boot.loader.efi.canTouchEfiVariables = true;
				16
				17	time.timeZone = "Etc/UTC";
				18
				19	environment.systemPackages = with pkgs; [ neovim ];
				20
				21	clicks = {
				22	nix.enable = true;
				23
Skyler Grey	05e11c1	2024-06-15 00:02:15 +0000	[diff] [blame]	24	backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion";
				25
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	26	security = {
				27	doas.enable = true;
				28
				29	acme = {
				30	enable = true;
				31	email = "minion@clicks.codes";
				32	};
				33	};
				34
				35	services = {
				36	ssh.enable = true;
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	37	headscale = {
				38	enable = true;
				39	url = "clicks.domains";
				40	oidc = {
				41	enable = true;
				42	issuer = "https://login.clicks.codes/realms/master";
				43	allowed_groups = [ "/clicks" ];
				44	client_secret_path =
				45	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
				46	};
				47	database_password_path =
				48	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
				49	noise_private_key_path =
				50	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
				51	private_key_path =
				52	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	53	acl =
				54	let
				55	internet = [
				56	"0.0.0.0/5"
				57	"8.0.0.0/7"
				58	"11.0.0.0/8"
				59	"12.0.0.0/6"
				60	"16.0.0.0/4"
				61	"32.0.0.0/3"
				62	"64.0.0.0/3"
				63	"96.0.0.0/6"
				64	"100.0.0.0/10"
				65	"100.128.0.0/9"
				66	"101.0.0.0/8"
				67	"102.0.0.0/7"
				68	"104.0.0.0/5"
				69	"112.0.0.0/4"
				70	"128.0.0.0/3"
				71	"160.0.0.0/5"
				72	"168.0.0.0/8"
				73	"169.0.0.0/9"
				74	"169.128.0.0/10"
				75	"169.192.0.0/11"
				76	"169.224.0.0/12"
				77	"169.240.0.0/13"
				78	"169.248.0.0/14"
				79	"169.252.0.0/15"
				80	"169.255.0.0/16"
				81	"170.0.0.0/7"
				82	"172.0.0.0/12"
				83	"172.32.0.0/11"
				84	"172.64.0.0/10"
				85	"172.128.0.0/9"
				86	"173.0.0.0/8"
				87	"174.0.0.0/7"
				88	"176.0.0.0/4"
				89	"192.0.0.0/9"
				90	"192.128.0.0/11"
				91	"192.160.0.0/13"
				92	"192.169.0.0/16"
				93	"192.170.0.0/15"
				94	"192.172.0.0/14"
				95	"192.176.0.0/12"
				96	"192.192.0.0/10"
				97	"193.0.0.0/8"
				98	"194.0.0.0/7"
				99	"196.0.0.0/6"
				100	"200.0.0.0/5"
				101	"208.0.0.0/4"
				102	"224.0.0.0/3"
				103	"ipv6-internet"
				104	# A nasty hack used because ipv6 colons were messing with dst
				105	# ports
				106	]; # Should be replaceable with autogroup:internet in next release
				107	in
				108	{
				109	groups."group:users" = [
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	110	"coded"
Skyler Grey	efc6252	2024-06-15 00:23:06 +0000	[diff] [blame]	111	"maddie"
				112	"minion"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	113	"pineafan"
Skyler Grey	efc6252	2024-06-15 00:23:06 +0000	[diff] [blame]	114	"zanderp25"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	115	];
				116	groups."group:areas" = [
				117	# Some phonetic alphabet names are excluded here to avoid confusing
				118	# them with given names
				119	"alpha"
				120	"bravo"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	121	"echo"
				122	"foxtrot"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	123	"hotel"
				124	"india"
				125	"kilo"
				126	"lima"
				127	"november"
				128	"papa"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	129	"sierra"
				130	"tango"
				131	"uniform"
				132	"whiskey"
				133	"xray"
				134	"yankee"
				135	"zulu"
				136	];
				137	hosts.ipv6-internet = "2000::/3";
Skyler Grey	2154d22	2024-06-10 17:17:51 +0000	[diff] [blame]	138
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	139	acls = [
				140	{
				141	action = "accept";
				142	src = [ "group:users" ];
				143	dst = [
				144	"group:users:*"
				145	"group:areas:*"
				146	] ++ (lib.forEach internet (host: "${host}:*"));
				147	}
				148	{
				149	action = "accept";
				150	src = [ "group:areas" ];
				151	dst = [ "group:areas:*" ];
				152	}
				153	];
				154	};
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	155	};
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	156	};
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	157
Skyler Grey	8ef3481	2024-06-09 19:42:15 +0000	[diff] [blame]	158	networking.tailscale = {
				159	enable = true;
				160	authKeyFile =
				161	config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths.authKey;
				162	};
				163
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	164	storage = {
Skyler Grey	f4d05f0	2024-06-06 21:25:39 +0000	[diff] [blame]	165	raid.enable = true;
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	166	impermanence = {
				167	enable = true;
Skyler Grey	d337740	2024-06-06 22:01:26 +0000	[diff] [blame]	168	devices = {
				169	root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
				170	persist = "/dev/md/a1d1:persist";
				171	};
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	172	};
				173	};
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	174	};
				175
				176	boot.initrd.availableKernelModules = [
				177	"nvme"
				178	"xhci_pci"
				179	"ahci"
				180	"usbhid"
				181	"uas"
				182	"usb_storage"
				183	"sd_mod"
				184	];
				185	boot.initrd.kernelModules = [ ];
				186	boot.kernelModules = [ "kvm-amd" ];
				187	boot.extraModulePackages = [ ];
				188
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	189	fileSystems."/nix" = {
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	190	device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
				191	fsType = "btrfs";
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	192	options = [ "subvol=@nix" ];
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	193	};
				194
				195	fileSystems."/boot" = {
				196	device = "/dev/disk/by-uuid/880D-BBAB";
				197	fsType = "vfat";
				198	options = [
				199	"fmask=0022"
				200	"dmask=0022"
				201	];
				202	};
				203
				204	swapDevices = [ ];
				205
				206	networking.useDHCP = true;
				207
				208	system.stateVersion = "24.05";
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	209
				210	clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
				211	file = ./headscale.sops.json;
				212	group = "headscale";
				213	keys = [
				214	"oidc_client_secret"
				215	"database_password"
				216	"noise_private_key"
				217	"private_key"
				218	];
				219	neededForUsers = false;
				220	};
Skyler Grey	8ef3481	2024-06-09 19:42:15 +0000	[diff] [blame]	221
				222	clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = {
				223	file = ./tailscale.sops.json;
				224	keys = [ "authKey" ];
				225	};
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	226	}