nixos-configs/nixos/server.nix

{
  lib,
  config,
  self,
  ...
}: let
  cfg = config.pim.tailscale;
  nodeExporter = config.services.prometheus.exporters.node;
  # This module only takes effect on hosts carrying the "server" deployment tag.
  isServer = builtins.elem "server" config.deployment.tags;
in {
  # Opt-in switch. When true, tailscale is brought up both as an exit node and
  # as a subnet router for 192.168.30.0/24 (see extraUpFlags below); the two
  # roles are not separately controllable.
  options.pim.tailscale.advertiseExitNode = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf isServer {
    networking = {
      domain = "dmz";
      useDHCP = false; # addressing is handled by systemd-networkd below
      nftables.enable = lib.mkDefault true;
      firewall = {
        enable = lib.mkDefault true;
        # NOTE(review): this opens the node exporter port on every interface,
        # including the DHCP-configured "en*" uplink on the dmz network, not only
        # the tailscale link. If scrapes arrive over tailscale, scoping the rule via
        # networking.firewall.interfaces.<tailscale interface>.allowedTCPPorts would
        # keep host metrics off the dmz segment — confirm where Prometheus scrapes from.
        allowedTCPPorts = [nodeExporter.port];
      };
    };

    systemd.network = {
      enable = true;
      # Any wired NIC matching "en*" obtains its configuration via DHCP.
      networks."30-main-nic" = {
        matchConfig.Name = "en*";
        networkConfig.DHCP = "yes";
      };
    };

    boot = {
      # Raised from the default of 128: containerization solutions consume many
      # inotify instances, and once they are exhausted sops key deployment fails.
      kernel.sysctl."fs.inotify.max_user_instances" = 256;
      loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
    };

    services = {
      openssh.enable = true;
      prometheus.exporters.node.enable = true;
      tailscale = {
        # Auth key comes from the sops-encrypted secrets file declared below, so
        # only the encrypted form lives in the repository.
        authKeyFile = config.sops.secrets."tailscale/authKey".path;
        useRoutingFeatures = "server";
        openFirewall = true;
        extraUpFlags =
          [
            # Do not accept DNS configuration pushed from the tailnet.
            "--accept-dns=false"
            "--hostname=${config.networking.hostName}"
          ]
          # Both flags are gated on the single advertiseExitNode switch: enabling it
          # exposes this host as an exit node and as a router for 192.168.30.0/24.
          ++ lib.optionals cfg.advertiseExitNode [
            "--advertise-exit-node"
            "--advertise-routes=192.168.30.0/24"
          ];
      };
    };

    sops.secrets."tailscale/authKey" = {
      sopsFile = "${self}/secrets/servers.yaml";
    };
  };
}