Migrate Warwick server to this repo

2024-11-30 22:48:30 +01:00 · 2024-11-30 22:48:30 +01:00 · 842d2afbc0
commit 842d2afbc0
parent a90c75931b
12 changed files with 1702 additions and 4 deletions
--- a/nixos/server.nix
+++ b/nixos/server.nix
@ -1,9 +1,55 @@
 {
  lib,
  config,
+  self,
  ...
 }: {
+  options.pim.tailscale.advertiseExitNode = lib.mkOption {
+    type = lib.types.bool;
+    default = false;
+  };
+
  config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
-    services.openssh.enable = true;
+    networking = {
+      firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
+      domain = "dmz";
+      useDHCP = false;
+      nftables.enable = lib.mkDefault true;
+      firewall.enable = lib.mkDefault true;
+    };
+
+    systemd.network = {
+      enable = true;
+
+      networks = {
+        "30-main-nic" = {
+          matchConfig.Name = "en*";
+          networkConfig.DHCP = "yes";
+        };
+      };
+    };
+
+    services = {
+      openssh.enable = true;
+      prometheus.exporters.node.enable = true;
+
+      tailscale = {
+        authKeyFile = config.sops.secrets."tailscale/authKey".path;
+        useRoutingFeatures = "server";
+        openFirewall = true;
+
+        extraUpFlags =
+          [
+            "--accept-dns=false"
+            "--hostname=${config.networking.hostName}"
+          ]
+          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-exit-node"
+          ++ lib.lists.optional config.pim.tailscale.advertiseExitNode "--advertise-routes=192.168.30.0/24";
+      };
+    };
+
+    sops.secrets."tailscale/authKey" = {
+      sopsFile = "${self}/secrets/servers.sops.yaml";
+    };
  };
 }