# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
# SPDX-FileCopyrightText: 2024 Clicks Codes
#
# SPDX-License-Identifier: GPL-3.0-only

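{
  pkgs,
  modulesPath,
  lib,
  config,
  ...
}:
# Host configuration: boot/storage, headscale coordination server with OIDC
# login and a hand-written ACL, a tailscale client, and the sops secrets
# both services read from.
{
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  time.timeZone = "Etc/UTC";

  environment.systemPackages = with pkgs; [ neovim ];

  clicks = {
    nix.enable = true;

    # ed25519 SSH *public* key accepted by the backups module (safe to commit).
    backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion";

    security = {
      doas.enable = true;

      acme = {
        enable = true;
        email = "minion@clicks.codes";
      };
    };

    services = {
      ssh.enable = true;
      headscale = {
        enable = true;
        url = "clicks.domains";
        oidc = {
          enable = true;
          issuer = "https://login.clicks.codes/realms/master";
          # Only members of this realm group may register nodes.
          allowed_groups = [ "/clicks" ];
          client_secret_path =
            config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
        };
        # Each *_path below must name a key listed under
        # clicks.secrets."<headscale.sops.json>".keys at the bottom of this file.
        database_password_path =
          config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
        noise_private_key_path =
          config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
        private_key_path =
          config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
        acl =
          let
            # Hand-enumerated "public" IPv4 space. The ranges are chosen so that
            # 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16,
            # 172.16.0.0/12 and 192.168.0.0/16 fall in the gaps and are therefore
            # NOT granted to group:users by the ACL below.
            # NOTE(review): 0.0.0.0/5 still covers 0.0.0.0/8 and 224.0.0.0/3
            # covers multicast (224/4) and reserved (240/4); confirm whether that
            # is intended before this list is swapped for autogroup:internet.
            internet = [
              "0.0.0.0/5"
              "8.0.0.0/7"
              "11.0.0.0/8"
              "12.0.0.0/6"
              "16.0.0.0/4"
              "32.0.0.0/3"
              "64.0.0.0/3"
              "96.0.0.0/6"
              "100.0.0.0/10"
              "100.128.0.0/9"
              "101.0.0.0/8"
              "102.0.0.0/7"
              "104.0.0.0/5"
              # 112.0.0.0/4 would also cover 127.0.0.0/8 (loopback); enumerate
              # 112-126 explicitly so loopback is not treated as public space.
              "112.0.0.0/5"
              "120.0.0.0/6"
              "124.0.0.0/7"
              "126.0.0.0/8"
              "128.0.0.0/3"
              "160.0.0.0/5"
              "168.0.0.0/8"
              "169.0.0.0/9"
              "169.128.0.0/10"
              "169.192.0.0/11"
              "169.224.0.0/12"
              "169.240.0.0/13"
              "169.248.0.0/14"
              "169.252.0.0/15"
              "169.255.0.0/16"
              "170.0.0.0/7"
              "172.0.0.0/12"
              "172.32.0.0/11"
              "172.64.0.0/10"
              "172.128.0.0/9"
              "173.0.0.0/8"
              "174.0.0.0/7"
              "176.0.0.0/4"
              "192.0.0.0/9"
              "192.128.0.0/11"
              "192.160.0.0/13"
              "192.169.0.0/16"
              "192.170.0.0/15"
              "192.172.0.0/14"
              "192.176.0.0/12"
              "192.192.0.0/10"
              "193.0.0.0/8"
              "194.0.0.0/7"
              "196.0.0.0/6"
              "200.0.0.0/5"
              "208.0.0.0/4"
              "224.0.0.0/3"
              # Named host (defined in `hosts` below) rather than a literal,
              # because IPv6 colons were being misparsed as the ":port" separator
              # in dst entries.
              "ipv6-internet"
            ]; # Should be replaceable with autogroup:internet in next release
          in
          {
            groups."group:users" = [
              "coded"
              "maddie"
              "minion"
              "pineafan"
              "zanderp25"
            ];
            groups."group:areas" = [
              # Some phonetic alphabet names are excluded here to avoid confusing
              # them with given names
              "alpha"
              "bravo"
              "delta"
              "echo"
              "foxtrot"
              "golf"
              "hotel"
              "india"
              "kilo"
              "lima"
              "november"
              "papa"
              "quebec"
              "sierra"
              "tango"
              "uniform"
              "whiskey"
              "xray"
              "yankee"
              "zulu"
            ];
            hosts.ipv6-internet = "2000::/3";

            acls = [
              # Users may reach each other, every area node, and the public
              # internet list above, on any port.
              {
                action = "accept";
                src = [ "group:users" ];
                dst = [
                  "group:users:*"
                  "group:areas:*"
                ] ++ (lib.forEach internet (host: "${host}:*"));
              }
              # Area nodes may only talk to other area nodes.
              {
                action = "accept";
                src = [ "group:areas" ];
                dst = [ "group:areas:*" ];
              }
            ];
          };
      };
    };

    networking.tailscale = {
      enable = true;
      authKeyFile =
        config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths.authKey;
    };

    storage = {
      raid.enable = true;
      impermanence = {
        enable = true;
        devices = {
          root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
          persist = "/dev/md/a1d1:persist";
        };
      };
    };
  };

  boot.initrd.availableKernelModules = [
    "nvme"
    "xhci_pci"
    "ahci"
    "usbhid"
    "uas"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  # Same device as impermanence.devices.root above; only the @nix subvolume is
  # mounted here.
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
    fsType = "btrfs";
    options = [ "subvol=@nix" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/880D-BBAB";
    fsType = "vfat";
    # Keep the ESP (which holds the bootloader) non-world-writable.
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };

  swapDevices = [ ];

  networking.useDHCP = true;

  system.stateVersion = "24.05";

  # Secrets consumed by services.headscale above; `keys` must stay in sync with
  # the `.paths.<key>` references there.
  clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
    file = ./headscale.sops.json;
    group = "headscale";
    keys = [
      "oidc_client_secret"
      "database_password"
      "noise_private_key"
      "private_key"
    ];
    neededForUsers = false;
  };

  # Pre-auth key consumed by networking.tailscale.authKeyFile above.
  clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = {
    file = ./tailscale.sops.json;
    keys = [ "authKey" ];
  };
}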