auxolotl/infra
21
2
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
infra/systems/x86_64-linux/axol/default.nix
Skyler Grey 740e35fb48
All checks were successful
buildbot/nix-eval Build done.
Details
feat(axol): Add headscale module (#13) 
Headscale is an open server for tailscale. Clicks, another group I work
on nix stuff with, has a module which makes it extremely easy to set up
a headscale server. I've spent a while over the past week making it safe
to import, and it's finally ready for Auxolotl to have!

We want to use headscale for internal communication between servers, so
it's OK to avoid setting up OIDC ... similarly, the only people who are
on the headscale should be relatively-well trusted. The expectation is
that to start with, this will be people who want to run buildbot workers

Reviewed-on: #13
Co-authored-by: Skyler Grey <sky@a.starrysky.fyi>
Co-committed-by: Skyler Grey <sky@a.starrysky.fyi>
2024-08-08 22:37:17 +00:00

69 lines
1.4 KiB
Nix
Raw Blame History

# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
# axol
# 137.184.177.239
{
pkgs,
lib,
modulesPath,
config,
...
}: {
imports = [
(modulesPath + "/virtualisation/digital-ocean-config.nix")
];
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX";
boot.loader.grub.enable = true;
virtualisation.digitalOcean.rebuildFromUserData = false;
networking.firewall.allowedTCPPorts = [
80
443
];
environment.systemPackages = with pkgs; [
neovim
];
auxolotl = {
nix.enable = true;
users.infra.enable = true;
security = {
doas.enable = true;
acme = {
enable = true;
email = "jake.hamilton@hey.com";
};
};
services = {
ssh.enable = true;
chat.enable = true;
website.enable = true;
};
};
clicks.services.headscale = {
enable = true;
domain = "vpn.auxolotl.org";
database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;
};
age.secrets."clicks.services.headscale.database_password_path" = {
generator.script = "alnum";
group = "headscale";
mode = "0440"; # Needed to allow headscale group to read
unstableName = true; # Clicks option to base the name on a hash of the contents ... helps with autorestarting services
};
system.stateVersion = "23.11";
}
Reference in a new issue View git blame Copy permalink