infra/systems/x86_64-linux/axol/default.nix

# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only

# axol
# 137.184.177.239
{
  pkgs,
  lib,
  modulesPath,
  config,
  ...
}: {
  imports = [
    (modulesPath + "/virtualisation/digital-ocean-config.nix")
  ];

  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX";

  boot.loader.grub.enable = true;

  virtualisation.digitalOcean.rebuildFromUserData = false;

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  environment.systemPackages = with pkgs; [
    neovim
  ];

  auxolotl = {
    nix.enable = true;

    users.infra.enable = true;

    security = {
      doas.enable = true;

      acme = {
        enable = true;
        email = "jake.hamilton@hey.com";
      };
    };

    services = {
      ssh.enable = true;
      chat.enable = true;
      website.enable = true;
    };
  };

  clicks.services.headscale = {
    enable = true;
    domain = "vpn.auxolotl.org";
    database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;
  };

  clicks.networking.tailscale = {
    enable = true;
    server = "vpn.auxolotl.org";
    authKeyFile = config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
  };

  age.secrets."clicks.services.headscale.database_password_path" = {
    generator.script = "alnum";
    group = "headscale";
    mode = "0440"; # Needed to allow headscale group to read
    unstableName = true; # Clicks option to base the name on a hash of the contents ... helps with autorestarting services
  };

  age.secrets."clicks.networking.tailscale.authKeyFile" = {
    rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
    unstableName = true;
  };

  system.stateVersion = "23.11";
}
feat(license): Switch to REUSE https://reuse.software is a way of specifying licenses in a simple way that easily allows us to specify multiple licenses in a project and check that we are correctly specifying our licenses We plan to add an MIT-licensed file to the project in a future commit, which prompted us to look at REUSE to make this simpler 2024-05-28 23:23:10 +00:00			`# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors`
			`#`
			`# SPDX-License-Identifier: GPL-3.0-only`

feat: full axol deployment 2024-05-07 03:36:54 +00:00			`# axol`
			`# 137.184.177.239`
chore: initial commit 2024-05-04 21:20:45 +00:00			`{`
			`pkgs,`
feat(axol): Add headscale module (#13) Headscale is an open server for tailscale. Clicks, another group I work on nix stuff with, has a module which makes it extremely easy to set up a headscale server. I've spent a while over the past week making it safe to import, and it's finally ready for Auxolotl to have! We want to use headscale for internal communication between servers, so it's OK to avoid setting up OIDC ... similarly, the only people who are on the headscale should be relatively-well trusted. The expectation is that to start with, this will be people who want to run buildbot workers Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/13 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-08 22:37:17 +00:00			`lib,`
chore: initial commit 2024-05-04 21:20:45 +00:00			`modulesPath,`
feat(axol): Add headscale module (#13) Headscale is an open server for tailscale. Clicks, another group I work on nix stuff with, has a module which makes it extremely easy to set up a headscale server. I've spent a while over the past week making it safe to import, and it's finally ready for Auxolotl to have! We want to use headscale for internal communication between servers, so it's OK to avoid setting up OIDC ... similarly, the only people who are on the headscale should be relatively-well trusted. The expectation is that to start with, this will be people who want to run buildbot workers Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/13 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-08 22:37:17 +00:00			`config,`
chore: initial commit 2024-05-04 21:20:45 +00:00			`...`
			`}: {`
			`imports = [`
			`(modulesPath + "/virtualisation/digital-ocean-config.nix")`
			`];`

feat(axol): Add headscale module (#13) Headscale is an open server for tailscale. Clicks, another group I work on nix stuff with, has a module which makes it extremely easy to set up a headscale server. I've spent a while over the past week making it safe to import, and it's finally ready for Auxolotl to have! We want to use headscale for internal communication between servers, so it's OK to avoid setting up OIDC ... similarly, the only people who are on the headscale should be relatively-well trusted. The expectation is that to start with, this will be people who want to run buildbot workers Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/13 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-08 22:37:17 +00:00			`age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX";`

chore: initial commit 2024-05-04 21:20:45 +00:00			`boot.loader.grub.enable = true;`

			`virtualisation.digitalOcean.rebuildFromUserData = false;`

			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`

			`environment.systemPackages = with pkgs; [`
			`neovim`
			`];`

			`auxolotl = {`
			`nix.enable = true;`

			`users.infra.enable = true;`

			`security = {`
feat: full axol deployment 2024-05-07 03:36:54 +00:00			`doas.enable = true;`

chore: initial commit 2024-05-04 21:20:45 +00:00			`acme = {`
			`enable = true;`
			`email = "jake.hamilton@hey.com";`
			`};`
			`};`

			`services = {`
feat: add baxter 2024-05-21 20:38:54 +00:00			`ssh.enable = true;`
feat: full axol deployment 2024-05-07 03:36:54 +00:00			`chat.enable = true;`
chore: initial commit 2024-05-04 21:20:45 +00:00			`website.enable = true;`
			`};`
			`};`

feat(axol): Add headscale module (#13) Headscale is an open server for tailscale. Clicks, another group I work on nix stuff with, has a module which makes it extremely easy to set up a headscale server. I've spent a while over the past week making it safe to import, and it's finally ready for Auxolotl to have! We want to use headscale for internal communication between servers, so it's OK to avoid setting up OIDC ... similarly, the only people who are on the headscale should be relatively-well trusted. The expectation is that to start with, this will be people who want to run buildbot workers Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/13 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-08 22:37:17 +00:00			`clicks.services.headscale = {`
			`enable = true;`
			`domain = "vpn.auxolotl.org";`
			`database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;`
			`};`

feat(axol, baxter): Enable tailscale (#14) Previously, we set up headscale We need to enable tailscale on baxter, as we intend to use tailscale to connect builders to its buildbot instance As the headscale server doesn't automatically put the server running it into the tailscale network, we also need to set up the tailscale daemon on axol Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/14 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-09 20:28:14 +00:00			`clicks.networking.tailscale = {`
			`enable = true;`
			`server = "vpn.auxolotl.org";`
			`authKeyFile = config.age.secrets."clicks.networking.tailscale.authKeyFile".path;`
			`};`

feat(axol): Add headscale module (#13) Headscale is an open server for tailscale. Clicks, another group I work on nix stuff with, has a module which makes it extremely easy to set up a headscale server. I've spent a while over the past week making it safe to import, and it's finally ready for Auxolotl to have! We want to use headscale for internal communication between servers, so it's OK to avoid setting up OIDC ... similarly, the only people who are on the headscale should be relatively-well trusted. The expectation is that to start with, this will be people who want to run buildbot workers Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/13 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-08 22:37:17 +00:00			`age.secrets."clicks.services.headscale.database_password_path" = {`
			`generator.script = "alnum";`
			`group = "headscale";`
			`mode = "0440"; # Needed to allow headscale group to read`
			`unstableName = true; # Clicks option to base the name on a hash of the contents ... helps with autorestarting services`
			`};`

feat(axol, baxter): Enable tailscale (#14) Previously, we set up headscale We need to enable tailscale on baxter, as we intend to use tailscale to connect builders to its buildbot instance As the headscale server doesn't automatically put the server running it into the tailscale network, we also need to set up the tailscale daemon on axol Reviewed-on: https://git.auxolotl.org/auxolotl/infra/pulls/14 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi> 2024-08-09 20:28:14 +00:00			`age.secrets."clicks.networking.tailscale.authKeyFile" = {`
			`rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;`
			`unstableName = true;`
			`};`

chore: initial commit 2024-05-04 21:20:45 +00:00			`system.stateVersion = "23.11";`
			`}`