more things added

flake.nix

@@ -20,7 +20,7 @@
     in
     {
       nixosConfigurations = {
-        gateway = kclib.mkHost "gateway" "x86_64-linux";
+        tailscale-proxy = kclib.mkHost "tailscale-proxy" "x86_64-linux";
         entrypoint = kclib.mkHost "entrypoint" "x86_64-linux";
       };
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;

hosts/base.nix

@@ -2,8 +2,7 @@
   ...
 }:
 {
-  boot.loader.systemd-boot.enable = true;
+  nixpkgs.config.allowUnfree = true;
-  boot.loader.efi.canTouchEfiVariables = true;
 
   kropcloud = {
     admin = {
@@ -13,6 +12,11 @@
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUnlAjPnMwJYgZb7YuholdTxifOEFnAyXVqI+xFlHw6 krop@lenar"
       ];
     };
+    services = {
+      ssh = {
+        enable = true;
+      };
+    };
   };
 
   system.stateVersion = "24.11";

hosts/gateway.nix

@@ -1 +0,0 @@
-{ }: { }

hosts/tailscale-proxy.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  kropcloud = {
+    services = {
+      tailscale = {
+        enable = true;
+        asRouter.enable = true;
+      };
+    };
+  };
+}

lib.nix

@@ -3,17 +3,25 @@
   inputs,
 }:
 {
-  mkHost = name: arch: {
+  mkHost =
-    nixpkgs.lib.nixosSystem = {
+    name: arch:
+    nixpkgs.lib.nixosSystem {
       system = arch;
       modules = [
         ./hosts/base.nix
         ./hosts/${name}.nix
         ./nixosModules
+        (
+          { ... }:
+          {
+            config = {
+              networking.hostName = name;
+            };
+          }
+        )
       ];
       specialArgs = {
         inherit inputs;
       };
     };
-  };
 }

nixosModules/default.nix

@@ -1,6 +1,8 @@
-{ }:
+{ ... }:
 {
   imports = [
+    ./services
+    ./networking
     ./users
     ./locale
   ];

nixosModules/networking/default.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.kropcloud.networking;
+in
+{
+  options.kropcloud.networking = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      description = "Whence to configure networking";
+      default = true;
+      example = false;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking = {
+      nftables.enable = true;
+      firewall = {
+        checkReversePath = "loose";
+      };
+    };
+  };
+}

nixosModules/services/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./ssh
+    ./tailscale
+  ];
+}

nixosModules/services/ssh/default.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.kropcloud.services.ssh;
+in
+{
+  options.kropcloud.services.ssh = {
+    enable = lib.mkEnableOption "Whence to enable sshd service.";
+  };
+  config = lib.mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "no";
+        PasswordAuthentication = false;
+      };
+    };
+  };
+}

nixosModules/services/tailscale/default.nix

@@ -0,0 +1,30 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.kropcloud.services.tailscale;
+in
+{
+  options.kropcloud.services.tailscale = {
+    enable = lib.mkEnableOption "Whence to enable tailscale service.";
+    asRouter = {
+      enable = lib.mkEnableOption "Whence to configure tailscale as router.";
+      subnet = lib.mkOption {
+        type = lib.types.str;
+        default = "192.168.1.0/24";
+        example = "192.168.1.0/24";
+        description = "The subnet to expose";
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = lib.mkIf cfg.asRouter.enable "server";
+      extraSetFlags = lib.mkIf cfg.asRouter.enable [ "--advertise-routes=${cfg.asRouter.subnet}" ];
+    };
+  };
+}