Blame - systems/x86_64-linux/teal/default.nix - Infra/NixFiles

blob: d09bb7f88b56a4fa367f86b85d282563bc316b04 [file] [log] [blame]

Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	1	# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
				2	# SPDX-FileCopyrightText: 2024 Clicks Codes
				3	#
				4	# SPDX-License-Identifier: GPL-3.0-only
				5
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	6	{
				7	pkgs,
				8	modulesPath,
				9	lib,
				10	config,
				11	...
				12	}:
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	13	{
				14	boot.loader.systemd-boot.enable = true;
				15	boot.loader.efi.canTouchEfiVariables = true;
				16
				17	time.timeZone = "Etc/UTC";
				18
				19	environment.systemPackages = with pkgs; [ neovim ];
				20
				21	clicks = {
				22	nix.enable = true;
				23
Skyler Grey	05e11c1	2024-06-15 00:02:15 +0000	[diff] [blame]	24	backups.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYH3yYKcrsDz8U45HF6201BN1nBDQIr4qsGeKh94K6T root@vermilion";
				25
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	26	security = {
				27	doas.enable = true;
				28
				29	acme = {
				30	enable = true;
Skyler Grey	d7e1acd	2024-06-22 14:42:11 +0000	[diff] [blame]	31	defaults = {
				32	email = "minion@clicks.codes";
				33	dnsProvider = "cloudflare";
				34	environmentFile = config.clicks.secrets."${lib.clicks.secrets.name ./acme.sops.env.bin}".path;
				35	};
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	36	};
				37	};
				38
Skyler Grey	3299e4f	2024-07-04 00:33:43 +0000	[diff] [blame]	39	sites."docs.auxolotl.org".enable = true;
				40
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	41	services = {
				42	ssh.enable = true;
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	43	headscale = {
				44	enable = true;
Skyler Grey	bed35f1	2024-07-04 00:46:44 +0000	[diff] [blame]	45	domain = "clicks.domains";
Skyler Grey	14375fe	2024-06-22 14:43:44 +0000	[diff] [blame]	46	addr = lib.clicks.constants.hosts.generic;
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	47	oidc = {
				48	enable = true;
				49	issuer = "https://login.clicks.codes/realms/master";
				50	allowed_groups = [ "/clicks" ];
				51	client_secret_path =
				52	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
				53	};
				54	database_password_path =
				55	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
				56	noise_private_key_path =
				57	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
				58	private_key_path =
				59	config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	60	acl =
				61	let
				62	internet = [
				63	"0.0.0.0/5"
				64	"8.0.0.0/7"
				65	"11.0.0.0/8"
				66	"12.0.0.0/6"
				67	"16.0.0.0/4"
				68	"32.0.0.0/3"
				69	"64.0.0.0/3"
				70	"96.0.0.0/6"
				71	"100.0.0.0/10"
				72	"100.128.0.0/9"
				73	"101.0.0.0/8"
				74	"102.0.0.0/7"
				75	"104.0.0.0/5"
				76	"112.0.0.0/4"
				77	"128.0.0.0/3"
				78	"160.0.0.0/5"
				79	"168.0.0.0/8"
				80	"169.0.0.0/9"
				81	"169.128.0.0/10"
				82	"169.192.0.0/11"
				83	"169.224.0.0/12"
				84	"169.240.0.0/13"
				85	"169.248.0.0/14"
				86	"169.252.0.0/15"
				87	"169.255.0.0/16"
				88	"170.0.0.0/7"
				89	"172.0.0.0/12"
				90	"172.32.0.0/11"
				91	"172.64.0.0/10"
				92	"172.128.0.0/9"
				93	"173.0.0.0/8"
				94	"174.0.0.0/7"
				95	"176.0.0.0/4"
				96	"192.0.0.0/9"
				97	"192.128.0.0/11"
				98	"192.160.0.0/13"
				99	"192.169.0.0/16"
				100	"192.170.0.0/15"
				101	"192.172.0.0/14"
				102	"192.176.0.0/12"
				103	"192.192.0.0/10"
				104	"193.0.0.0/8"
				105	"194.0.0.0/7"
				106	"196.0.0.0/6"
				107	"200.0.0.0/5"
				108	"208.0.0.0/4"
				109	"224.0.0.0/3"
				110	"ipv6-internet"
				111	# A nasty hack used because ipv6 colons were messing with dst
				112	# ports
				113	]; # Should be replaceable with autogroup:internet in next release
				114	in
				115	{
				116	groups."group:users" = [
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	117	"coded"
Skyler Grey	efc6252	2024-06-15 00:23:06 +0000	[diff] [blame]	118	"maddie"
				119	"minion"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	120	"pineafan"
Skyler Grey	efc6252	2024-06-15 00:23:06 +0000	[diff] [blame]	121	"zanderp25"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	122	];
				123	groups."group:areas" = [
				124	# Some phonetic alphabet names are excluded here to avoid confusing
				125	# them with given names
				126	"alpha"
				127	"bravo"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	128	"echo"
				129	"foxtrot"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	130	"hotel"
				131	"india"
				132	"kilo"
				133	"lima"
				134	"november"
				135	"papa"
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	136	"sierra"
				137	"tango"
				138	"uniform"
				139	"whiskey"
				140	"xray"
				141	"yankee"
				142	"zulu"
				143	];
				144	hosts.ipv6-internet = "2000::/3";
Skyler Grey	2154d22	2024-06-10 17:17:51 +0000	[diff] [blame]	145
Skyler Grey	0e05b52	2024-06-11 22:48:00 +0000	[diff] [blame]	146	acls = [
				147	{
				148	action = "accept";
				149	src = [ "group:users" ];
				150	dst = [
				151	"group:users:*"
				152	"group:areas:*"
				153	] ++ (lib.forEach internet (host: "${host}:*"));
				154	}
				155	{
				156	action = "accept";
				157	src = [ "group:areas" ];
				158	dst = [ "group:areas:*" ];
				159	}
				160	];
				161	};
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	162	};
Skyler Grey	0a0912a	2024-07-04 00:13:40 +0000	[diff] [blame]	163	fava = {
				164	enable = true;
				165	tailscaleAuth = true;
				166	accounts = {
Skyler Grey	5e8bba2	2024-07-12 14:31:49 +0000	[diff] [blame]	167	"clicks" = lib.home-manager.hm.dag.entryAnywhere {
				168	name = "Clicks Codes";
				169	beancountExtraOptions.operating_currency = "GBP";
				170	};
				171	"coded" = lib.home-manager.hm.dag.entryBetween [ "testing" ] [ "clicks" ] {
				172	name = "Samuel Shuert";
				173	beancountExtraOptions.operating_currency = "USD";
				174	};
				175	"minion" = lib.home-manager.hm.dag.entryBetween [ "testing" ] [ "clicks" ] {
				176	name = "Skyler Grey";
				177	beancountExtraOptions.operating_currency = "GBP";
				178	};
				179	"testing" = lib.home-manager.hm.dag.entryAfter [ "clicks" ] {
				180	name = "Test Data - May Be Wiped At Any Time";
				181	};
Skyler Grey	0a0912a	2024-07-04 00:13:40 +0000	[diff] [blame]	182	};
				183	domain = "fava.clicks.codes";
				184	};
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	185	};
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	186
Skyler Grey	8ef3481	2024-06-09 19:42:15 +0000	[diff] [blame]	187	networking.tailscale = {
				188	enable = true;
				189	authKeyFile =
				190	config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths.authKey;
				191	};
				192
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	193	storage = {
Skyler Grey	f4d05f0	2024-06-06 21:25:39 +0000	[diff] [blame]	194	raid.enable = true;
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	195	impermanence = {
				196	enable = true;
Skyler Grey	d337740	2024-06-06 22:01:26 +0000	[diff] [blame]	197	devices = {
				198	root = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
				199	persist = "/dev/md/a1d1:persist";
				200	};
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	201	};
				202	};
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	203	};
				204
				205	boot.initrd.availableKernelModules = [
				206	"nvme"
				207	"xhci_pci"
				208	"ahci"
				209	"usbhid"
				210	"uas"
				211	"usb_storage"
				212	"sd_mod"
				213	];
				214	boot.initrd.kernelModules = [ ];
				215	boot.kernelModules = [ "kvm-amd" ];
				216	boot.extraModulePackages = [ ];
				217
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	218	fileSystems."/nix" = {
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	219	device = "/dev/disk/by-uuid/ab5c2f52-a737-4b29-a505-e3d0b9d0714c";
				220	fsType = "btrfs";
Skyler Grey	40ae7a0	2024-06-06 21:22:25 +0000	[diff] [blame]	221	options = [ "subvol=@nix" ];
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	222	};
				223
				224	fileSystems."/boot" = {
				225	device = "/dev/disk/by-uuid/880D-BBAB";
				226	fsType = "vfat";
				227	options = [
				228	"fmask=0022"
				229	"dmask=0022"
				230	];
				231	};
				232
				233	swapDevices = [ ];
				234
				235	networking.useDHCP = true;
				236
				237	system.stateVersion = "24.05";
Skyler Grey	61f0f85	2024-06-09 00:02:53 +0000	[diff] [blame]	238
				239	clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
				240	file = ./headscale.sops.json;
				241	group = "headscale";
				242	keys = [
				243	"oidc_client_secret"
				244	"database_password"
				245	"noise_private_key"
				246	"private_key"
				247	];
				248	neededForUsers = false;
				249	};
Skyler Grey	8ef3481	2024-06-09 19:42:15 +0000	[diff] [blame]	250
				251	clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = {
				252	file = ./tailscale.sops.json;
				253	keys = [ "authKey" ];
				254	};
Skyler Grey	d7e1acd	2024-06-22 14:42:11 +0000	[diff] [blame]	255
				256	clicks.secrets."${lib.clicks.secrets.name ./acme.sops.env.bin}".file = ./acme.sops.env.bin;
Skyler Grey	f08a619	2024-06-01 23:55:20 +0000	[diff] [blame]	257	}