# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

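# NixOS host configuration: systemd-boot UEFI machine running a headscale
# control server (with OIDC login and a hand-written ACL), joined to its own
# tailnet, with ACME via Cloudflare DNS-01 and an impermanent root.
#
# All secret material is sops-encrypted and goes through the project's
# `clicks.secrets` module; only the paths it hands back are referenced here.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  # Names under which `clicks.secrets` knows each encrypted file in this
  # directory.  Binding them once keeps the declarations (bottom of the
  # `clicks` set) and their consumers (headscale, tailscale, acme) in step.
  headscaleSecretName = lib.clicks.secrets.name ./headscale.sops.json;
  tailscaleSecretName = lib.clicks.secrets.name ./tailscale.sops.json;
  acmeSecretName = lib.clicks.secrets.name ./acme.sops.env.bin;

  headscaleSecret = config.clicks.secrets.${headscaleSecretName};
  tailscaleSecret = config.clicks.secrets.${tailscaleSecretName};
  acmeSecret = config.clicks.secrets.${acmeSecretName};

  # The btrfs volume that backs both the impermanence root and the /nix
  # subvolume; it is referenced twice below, so it is named once.
  rootDevice = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
in
{
  # UEFI boot via systemd-boot; the bootloader installer may write EFI
  # boot-entry variables.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # UTC keeps log timestamps directly comparable with other hosts.
  time.timeZone = "Etc/UTC";

  environment.systemPackages = with pkgs; [ neovim ];

  clicks = {
    nix.enable = true;

    # Public half of the key used by the backup tooling (presumably for the
    # host "vermilion", going by the key comment).  Only the public key belongs
    # in the repository; the matching private key must never be committed.
    backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion";

    security = {
      # doas rather than sudo for privilege escalation.
      doas.enable = true;

      acme = {
        enable = true;
        defaults = {
          email = "minion@clicks.codes";
          # DNS-01 challenges through Cloudflare.  The API credentials are a
          # sops-managed env file; only the decrypted path is referenced here,
          # so the token never lands in the Nix store.
          dnsProvider = "cloudflare";
          environmentFile = acmeSecret.path;
        };
      };
    };

    services = {
      ssh.enable = true;

      headscale = {
        enable = true;
        # NOTE(review): no scheme given.  headscale's own server_url expects a
        # full URL, so confirm the clicks module prepends https:// here.
        url = "clicks.domains";

        oidc = {
          enable = true;
          # NOTE(review): the path shape suggests Keycloak's *master* realm.
          # Keycloak's guidance is to keep master for administering realms and
          # to log applications into a dedicated realm; confirm this is
          # intentional rather than a default that stuck.
          issuer = "https://login.clicks.codes/realms/master";
          # Only identities carrying this OIDC group may register a node at
          # all; the ACL below then decides what a registered node can reach.
          allowed_groups = [ "/clicks" ];
          client_secret_path = headscaleSecret.paths.oidc_client_secret;
        };

        # Long-lived key material.  These files are owned by the "headscale"
        # group (see the secret declaration below) so the daemon can read them
        # without running as root.
        database_password_path = headscaleSecret.paths.database_password;
        noise_private_key_path = headscaleSecret.paths.noise_private_key;
        private_key_path = headscaleSecret.paths.private_key;

        acl =
          let
            # Hand-enumerated "public internet": every IPv4 prefix EXCEPT
            #   10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16   (RFC 1918)
            #   100.64.0.0/10                               (CGNAT; also the
            #                                                tailnet's own range)
            #   169.254.0.0/16                              (link-local)
            # The 100.64.0.0/10 hole is the important one: had it been covered,
            # the "internet" rule below would have granted users every node on
            # the tailnet rather than just the outside world.
            # Coverage is deliberately loose elsewhere: 0.0.0.0/8, 127.0.0.0/8
            # (inside 112.0.0.0/4) and the multicast/reserved space 224.0.0.0/3
            # are all included.  That is harmless for routed traffic but wider
            # than a strict "public internet" definition.
            # TODO: replace with autogroup:internet once the deployed headscale
            # release supports it.
            internet = [
              "0.0.0.0/5"
              "8.0.0.0/7"
              "11.0.0.0/8"
              "12.0.0.0/6"
              "16.0.0.0/4"
              "32.0.0.0/3"
              "64.0.0.0/3"
              "96.0.0.0/6"
              "100.0.0.0/10"
              "100.128.0.0/9"
              "101.0.0.0/8"
              "102.0.0.0/7"
              "104.0.0.0/5"
              "112.0.0.0/4"
              "128.0.0.0/3"
              "160.0.0.0/5"
              "168.0.0.0/8"
              "169.0.0.0/9"
              "169.128.0.0/10"
              "169.192.0.0/11"
              "169.224.0.0/12"
              "169.240.0.0/13"
              "169.248.0.0/14"
              "169.252.0.0/15"
              "169.255.0.0/16"
              "170.0.0.0/7"
              "172.0.0.0/12"
              "172.32.0.0/11"
              "172.64.0.0/10"
              "172.128.0.0/9"
              "173.0.0.0/8"
              "174.0.0.0/7"
              "176.0.0.0/4"
              "192.0.0.0/9"
              "192.128.0.0/11"
              "192.160.0.0/13"
              "192.169.0.0/16"
              "192.170.0.0/15"
              "192.172.0.0/14"
              "192.176.0.0/12"
              "192.192.0.0/10"
              "193.0.0.0/8"
              "194.0.0.0/7"
              "196.0.0.0/6"
              "200.0.0.0/5"
              "208.0.0.0/4"
              "224.0.0.0/3"
              # IPv6 goes in by host alias (see hosts.ipv6-internet) because a
              # literal "2000::/3:*" is ambiguous: the colon that separates the
              # destination port collides with IPv6 notation.
              "ipv6-internet"
            ];
          in
          {
            # Human users.  These must match the headscale user names that the
            # OIDC login creates; a mismatch does not fail evaluation, it just
            # leaves that person with no grants.
            groups."group:users" = [
              "coded"
              "maddie"
              "minion"
              "pineafan"
              "zanderp25"
            ];
            # Non-human "areas", named from the phonetic alphabet.  Letters that
            # are also plausible given names (charlie, delta, golf, juliet, mike,
            # oscar, romeo, victor) are skipped so they cannot be confused with
            # users above.
            groups."group:areas" = [
              "alpha"
              "bravo"
              "echo"
              "foxtrot"
              "hotel"
              "india"
              "kilo"
              "lima"
              "november"
              "papa"
              "sierra"
              "tango"
              "uniform"
              "whiskey"
              "xray"
              "yankee"
              "zulu"
            ];
            hosts.ipv6-internet = "2000::/3";

            # The ACL is allow-list only: anything not matched below is denied.
            # In particular areas cannot reach users or the internet, and there
            # is no rule at all with a source outside the tailnet.
            acls = [
              {
                # Flat trust among users: every user's devices can reach every
                # other user's devices and every area, on all ports, plus the
                # public ranges above (i.e. via whatever exit nodes / subnet
                # routers are advertised).
                action = "accept";
                src = [ "group:users" ];
                dst = [
                  "group:users:*"
                  "group:areas:*"
                ] ++ (lib.forEach internet (host: "${host}:*"));
              }
              {
                # Areas may only talk to each other.
                action = "accept";
                src = [ "group:areas" ];
                dst = [ "group:areas:*" ];
              }
            ];
          };
      };
    };

    networking.tailscale = {
      enable = true;
      # Pre-auth key that joins this host to the headscale tailnet it serves.
      authKeyFile = tailscaleSecret.paths.authKey;
    };

    storage = {
      raid.enable = true;
      # Root is wiped on boot; only the md "persist" volume survives.
      impermanence = {
        enable = true;
        devices = {
          root = rootDevice;
          persist = "/dev/md/a1d1:persist";
        };
      };
    };

    # sops-encrypted inputs for the services configured above.  `keys` lists
    # the JSON members the module decrypts and exposes under `.paths`.
    secrets = {
      ${headscaleSecretName} = {
        file = ./headscale.sops.json;
        # Readable by the headscale service group, not just root.
        group = "headscale";
        keys = [
          "oidc_client_secret"
          "database_password"
          "noise_private_key"
          "private_key"
        ];
        # Not needed before users are created (presumably the same meaning as
        # sops-nix's option of that name; TODO confirm in the clicks module).
        neededForUsers = false;
      };
      ${tailscaleSecretName} = {
        file = ./tailscale.sops.json;
        # No group set: tailscaled runs as root, so default (root-only)
        # ownership is sufficient here.
        keys = [ "authKey" ];
      };
      # Env-file style secret, consumed whole by ACME rather than by key.
      ${acmeSecretName}.file = ./acme.sops.env.bin;
    };
  };

  # Hardware section (looks like nixos-generate-config output; AMD host).
  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
    "uas"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  fileSystems."/nix" = {
    device = rootDevice;
    fsType = "btrfs";
    options = [ "subvol=@nix" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/880D-BBAB";
    fsType = "vfat";
    # NOTE(review): 0022 leaves the ESP world-readable.  systemd-boot keeps
    # its random-seed file there and recent bootctl warns when that mount is
    # world-accessible; 0077 is the tighter choice unless something
    # unprivileged genuinely needs to read /boot.
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };

  swapDevices = [ ];

  networking.useDHCP = true;

  system.stateVersion = "24.05";
}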