Skyler Grey
6cc4c3fc67
Previously, we set up headscale. We need to enable tailscale on baxter, as we intend to use tailscale to connect builders to its buildbot instance. As the headscale server doesn't automatically put the server running it into the tailscale network, we also need to set up the tailscale daemon on axol. Reviewed-on: #14 Co-authored-by: Skyler Grey <sky@a.starrysky.fyi> Co-committed-by: Skyler Grey <sky@a.starrysky.fyi>
80 lines
1.8 KiB
Nix
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
|
|
#
|
|
# SPDX-License-Identifier: GPL-3.0-only
|
|
|
|
# axol
|
|
# 137.184.177.239
|
|
{
|
|
pkgs,
|
|
lib,
|
|
modulesPath,
|
|
config,
|
|
...
|
|
}: {
|
|
imports = [
|
|
(modulesPath + "/virtualisation/digital-ocean-config.nix")
|
|
];
|
|
|
|
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX";
|
|
|
|
boot.loader.grub.enable = true;
|
|
|
|
virtualisation.digitalOcean.rebuildFromUserData = false;
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
neovim
|
|
];
|
|
|
|
auxolotl = {
|
|
nix.enable = true;
|
|
|
|
users.infra.enable = true;
|
|
|
|
security = {
|
|
doas.enable = true;
|
|
|
|
acme = {
|
|
enable = true;
|
|
email = "jake.hamilton@hey.com";
|
|
};
|
|
};
|
|
|
|
services = {
|
|
ssh.enable = true;
|
|
chat.enable = true;
|
|
website.enable = true;
|
|
};
|
|
};
|
|
|
|
clicks.services.headscale = {
|
|
enable = true;
|
|
domain = "vpn.auxolotl.org";
|
|
database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path;
|
|
};
|
|
|
|
clicks.networking.tailscale = {
|
|
enable = true;
|
|
server = "vpn.auxolotl.org";
|
|
authKeyFile = config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
|
|
};
|
|
|
|
age.secrets."clicks.services.headscale.database_password_path" = {
|
|
generator.script = "alnum";
|
|
group = "headscale";
|
|
mode = "0440"; # Needed to allow headscale group to read
|
|
unstableName = true; # Clicks option to base the name on a hash of the contents ... helps with autorestarting services
|
|
};
|
|
|
|
age.secrets."clicks.networking.tailscale.authKeyFile" = {
|
|
rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
|
|
unstableName = true;
|
|
};
|
|
|
|
system.stateVersion = "23.11";
|
|
}
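Review bot: The new `age.secrets."clicks.networking.tailscale.authKeyFile"` block records nothing about the properties of the key it holds, yet those properties decide both whether this host can re-join and how much a leak of the `.age` file's plaintext is worth: a single-use pre-auth key will fail the next time the daemon has to re-register, while a reusable key with no expiry is a standing credential for joining the `vpn.auxolotl.org` network that nothing here ever rotates. Since `unstableName = true` makes the secret path change whenever the contents change (per the comment on the headscale secret above), rotation will restart the consuming unit, so the key type and expiry should be written down next to `rekeyFile`, e.g. `# Pre-auth key for vpn.auxolotl.org; TODO(review): record whether it is reusable/ephemeral and when it expires, and note the rotation procedure`. It would also help to state in that comment that the key is presumably issued by the headscale instance on this same host, since the daemon is pointed at the domain this host serves. The enabling of tailscale on baxter mentioned in the commit message is not in this file, so that side could not be checked here.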
|