nixos-configs/nixos/server.nix


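{
  lib,
  config,
  self,
  ...
}: let
  cfg = config.pim.tailscale;
in {
  options.pim.tailscale = {
    # Register this host as a tailnet exit node (`tailscale up --advertise-exit-node`).
    advertiseExitNode = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Advertise this server as a Tailscale exit node.";
    };

    # Subnets pushed into the tailnet via `--advertise-routes`. The default keeps the
    # previous coupling (the 192.168.30.0/24 LAN is advertised exactly when
    # advertiseExitNode is set); override it to advertise routes independently of the
    # exit-node role, or set it to [] to advertise none.
    advertiseRoutes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = lib.optional cfg.advertiseExitNode "192.168.30.0/24";
      defaultText = lib.literalExpression ''lib.optional config.pim.tailscale.advertiseExitNode "192.168.30.0/24"'';
      description = "CIDR subnets advertised to the tailnet; an empty list disables subnet routing.";
    };
  };

  # Everything below applies only to hosts carrying the "server" deployment tag.
  config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
    networking = {
      domain = "dmz";
      # Addressing is handled by systemd-networkd below, not by the legacy DHCP option.
      useDHCP = false;
      nftables.enable = lib.mkDefault true;
      firewall = {
        enable = lib.mkDefault true;
        # NOTE(review): this exposes the node exporter (unauthenticated host metrics:
        # kernel version, mounts, process counts, ...) on every interface, including
        # the DMZ-facing NIC. If Prometheus only scrapes over the tailnet, scope it with
        # firewall.interfaces.<tailscale interfaceName>.allowedTCPPorts instead.
        allowedTCPPorts = [config.services.prometheus.exporters.node.port];
      };
    };

    systemd.network = {
      enable = true;
      networks."30-main-nic" = {
        # Any wired NIC (en*) gets its address via DHCP.
        matchConfig.Name = "en*";
        networkConfig.DHCP = "yes";
      };
    };

    boot.loader = {
      systemd-boot.enable = true;
      # Required for systemd-boot to register itself in the firmware boot entries.
      efi.canTouchEfiVariables = true;
    };

    services = {
      openssh = {
        enable = true;
        # Hardening for a DMZ host whose port 22 is reachable as soon as sshd is on:
        # the upstream NixOS sshd defaults leave password and keyboard-interactive
        # authentication enabled, so key-only access is enforced here. mkDefault keeps
        # it overridable per host; confirm operator keys are deployed before relying on it.
        settings = {
          PasswordAuthentication = lib.mkDefault false;
          KbdInteractiveAuthentication = lib.mkDefault false;
        };
      };

      prometheus.exporters.node.enable = true;

      tailscale = {
        # Pre-auth key decrypted by sops at activation; see the sops.secrets entry below.
        authKeyFile = config.sops.secrets."tailscale/authKey".path;
        # "server" turns on what an exit node / subnet router needs (presumably the
        # kernel forwarding sysctls) without the client-side reverse-path relaxations.
        useRoutingFeatures = "server";
        openFirewall = true;
        extraUpFlags =
          [
            # Keep the host's own resolver; MagicDNS is not pushed onto servers.
            "--accept-dns=false"
            "--hostname=${config.networking.hostName}"
          ]
          ++ lib.optional cfg.advertiseExitNode "--advertise-exit-node"
          # tailscale expects a single comma-separated list for --advertise-routes.
          ++ lib.optional (cfg.advertiseRoutes != [])
            "--advertise-routes=${lib.concatStringsSep "," cfg.advertiseRoutes}";
      };
    };

    # Shared server secrets; only the tailscale auth key is consumed by this module.
    sops.secrets."tailscale/authKey" = {
      sopsFile = "${self}/secrets/servers.yaml";
    };
  };
}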