infra/systems/x86_64-linux/axol/default.nix
Skyler Grey 6cc4c3fc67
feat(axol, baxter): Enable tailscale (#14)
Previously, we set up headscale

We need to enable tailscale on baxter, as we intend to use tailscale to
connect builders to its buildbot instance

As the headscale server doesn't automatically put the server running it
into the tailscale network, we also need to set up the tailscale daemon
on axol

Reviewed-on: #14
Co-authored-by: Skyler Grey <sky@a.starrysky.fyi>
Co-committed-by: Skyler Grey <sky@a.starrysky.fyi>
2024-08-09 20:28:14 +00:00


# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
# axol
# 137.184.177.239
# NixOS module for the host "axol": public web endpoints, the headscale
# coordination server, and a tailscale client enrolled against that server.
{
  pkgs,
  lib,
  modulesPath,
  config,
  ...
}: {
  # Platform profile for DigitalOcean guests, taken from the NixOS module tree.
  imports = [(modulesPath + "/virtualisation/digital-ocean-config.nix")];

  boot.loader.grub.enable = true;

  # Do not reconfigure the machine from droplet user-data.
  # NOTE(review): presumably so that this repository stays the only source of
  # configuration for the host; confirm against the deployment docs.
  virtualisation.digitalOcean.rebuildFromUserData = false;

  # Only HTTP and HTTPS are opened in this file. Ports opened by other enabled
  # modules (SSH, for example) are not visible here, so audit the evaluated
  # firewall config rather than this list when reviewing exposure.
  networking.firewall.allowedTCPPorts = [80 443];

  environment.systemPackages = [pkgs.neovim];

  # Project-level feature switches; what each one configures is defined in the
  # auxolotl modules, not in this file.
  auxolotl = {
    nix.enable = true;
    users.infra.enable = true;

    security.doas.enable = true;
    security.acme = {
      enable = true;
      email = "jake.hamilton@hey.com";
    };

    services = {
      ssh.enable = true;
      chat.enable = true;
      website.enable = true;
    };
  };

  clicks = {
    # Self-hosted coordination server for the tailnet. The database password is
    # passed as a path to the decrypted secret, not as a literal value.
    services.headscale = {
      enable = true;
      domain = "vpn.auxolotl.org";
      database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;
    };

    # headscale does not enrol the machine it runs on, so axol also runs the
    # tailscale daemon and points it at the headscale domain above.
    networking.tailscale = {
      enable = true;
      server = "vpn.auxolotl.org";
      # The auth key is a credential that admits a node to the tailnet; it is
      # referenced by path so the key itself is not written into this config.
      authKeyFile = config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
    };
  };

  age = {
    # Public half of the host's SSH key, which secrets are rekeyed for.
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX";

    secrets = {
      "clicks.services.headscale.database_password_path" = {
        # Generated alphanumeric secret rather than a hand-chosen password.
        # NOTE(review): no rekeyFile is set for this secret; presumably a
        # default location applies. Confirm where the encrypted file lives.
        generator.script = "alnum";
        # Group-readable so members of the headscale group can read the
        # password; nothing is granted to other users.
        group = "headscale";
        mode = "0440";
        # Clicks option: the secret's name is derived from a hash of its
        # contents, which helps services restart automatically on rotation.
        unstableName = true;
      };

      "clicks.networking.tailscale.authKeyFile" = {
        # Encrypted auth key committed next to this file. No owner, group or
        # mode is set, so the secrets module's defaults apply.
        rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
        unstableName = true;
      };
    };
  };

  # Release whose stateful defaults this host was installed with. This is a
  # compatibility marker, not the running NixOS version; do not bump it as
  # part of a routine upgrade.
  system.stateVersion = "23.11";
}