nixos-configs/nixos/server.nix

{
  lib,
  config,
  self,
  pkgs,
  ...
}: {
  options.pim.tailscale.advertiseExitNode = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
    environment.systemPackages = [pkgs.unar];

    networking = {
      firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
      domain = "dmz";
      useDHCP = false;
      nftables.enable = lib.mkDefault true;
      firewall.enable = lib.mkDefault true;
    };

    systemd.network = {
      enable = true;

      networks = {
        "30-main-nic" = {
          matchConfig.Name = "en*";
          networkConfig.DHCP = "yes";
        };
      };
    };

    boot = {
      # Increase this from 128.
      # It seems containerization solutions use this a lot.
      # Then, if exhausted, deployment of sops keys fail.
      kernel.sysctl."fs.inotify.max_user_instances" = 256;

      loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
    };

    services = {
      openssh.enable = true;
      prometheus.exporters.node.enable = true;

      tailscale = {
        authKeyFile = config.sops.secrets."tailscale/authKey".path;
        useRoutingFeatures = "server";
        openFirewall = true;

        extraUpFlags =
          [
            "--accept-dns=false"
            "--hostname=${config.networking.hostName}"
          ]
          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"
          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-routes=192.168.30.0/24";
      };
    };

    sops.secrets."tailscale/authKey" = {
      sopsFile = "${self}/secrets/servers.yaml";
    };
  };
}
Update to NixOS 24.11 2024-11-30 13:14:46 +01:00			`{`
			`lib,`
			`config,`
Migrate Warwick server to this repo 2024-11-30 22:48:30 +01:00			`self,`
Install unar on servers 2025-01-24 10:58:09 +01:00			`pkgs,`
Update to NixOS 24.11 2024-11-30 13:14:46 +01:00			`...`
			`}: {`
Migrate Warwick server to this repo 2024-11-30 22:48:30 +01:00			`options.pim.tailscale.advertiseExitNode = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`};`

Update to NixOS 24.11 2024-11-30 13:14:46 +01:00			`config = lib.mkIf (builtins.elem "server" config.deployment.tags) {`
Install unar on servers 2025-01-24 10:58:09 +01:00			`environment.systemPackages = [pkgs.unar];`

Migrate Warwick server to this repo 2024-11-30 22:48:30 +01:00			`networking = {`
			`firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];`
			`domain = "dmz";`
			`useDHCP = false;`
			`nftables.enable = lib.mkDefault true;`
			`firewall.enable = lib.mkDefault true;`
			`};`

			`systemd.network = {`
			`enable = true;`

			`networks = {`
			`"30-main-nic" = {`
			`matchConfig.Name = "en*";`
			`networkConfig.DHCP = "yes";`
			`};`
			`};`
			`};`

Increase inotify limit for servers 2024-12-04 22:57:37 +01:00			`boot = {`
			`# Increase this from 128.`
			`# It seems containerization solutions use this a lot.`
			`# Then, if exhausted, deployment of sops keys fail.`
			`kernel.sysctl."fs.inotify.max_user_instances" = 256;`

			`loader = {`
			`systemd-boot.enable = true;`
			`efi.canTouchEfiVariables = true;`
			`};`
Migrate Atlas to this repo 2024-12-01 14:33:24 +01:00			`};`

Migrate Warwick server to this repo 2024-11-30 22:48:30 +01:00			`services = {`
			`openssh.enable = true;`
			`prometheus.exporters.node.enable = true;`

			`tailscale = {`
			`authKeyFile = config.sops.secrets."tailscale/authKey".path;`
			`useRoutingFeatures = "server";`
			`openFirewall = true;`

			`extraUpFlags =`
			`[`
			`"--accept-dns=false"`
			`"--hostname=${config.networking.hostName}"`
			`]`
			`++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"`
			`++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-routes=192.168.30.0/24";`
			`};`
			`};`

			`sops.secrets."tailscale/authKey" = {`
Migrate Atlas to this repo 2024-12-01 14:33:24 +01:00			`sopsFile = "${self}/secrets/servers.yaml";`
Migrate Warwick server to this repo 2024-11-30 22:48:30 +01:00			`};`
Update to NixOS 24.11 2024-11-30 13:14:46 +01:00			`};`
			`}`