Move common nix code one level up.

common/global/cpufreq.nix

@@ -0,0 +1,3 @@
+{
+  powerManagement.cpuFreqGovernor = "ondemand";
+}

common/global/default.nix

@@ -0,0 +1,25 @@
+{ pkgs, self, ... }:
+{
+  imports = [
+    ./cpufreq.nix
+    ./flakes.nix
+    ./locale.nix
+    ./network.nix
+    ./nix.nix
+    ./packages.nix
+    ./sudo.nix
+    ./tailscale.nix
+  ];
+
+  system.copySystemConfiguration = false; # not supported with flakes
+  # Let 'nixos-version --json' know about the Git revision of the flake
+  system.configurationRevision = pkgs.lib.mkIf (self ? rev) self.rev;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

common/global/flakes.nix

@@ -0,0 +1,3 @@
+{
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+}

common/global/locale.nix

@@ -0,0 +1,3 @@
+{
+  time.timeZone = "Europe/Lisbon";
+}

common/global/network.nix

@@ -0,0 +1,17 @@
+{
+  networking = {
+    useDHCP = true;
+    firewall.enable = false;
+    extraHosts = ''
+      192.168.1.71 c1
+      192.168.1.72 c2
+      192.168.1.73 c3
+    '';
+  };
+
+  environment.persistence."/persist" = {
+    directories = [
+      "/var/db/dhcpcd"
+    ];
+  };
+}

common/global/nix.nix

@@ -0,0 +1,3 @@
+{
+  nix.settings.trusted-users = [ "root" "@wheel" ];
+}

common/global/packages.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    nodejs_20
+    vim
+  ];
+}

common/global/sudo.nix

@@ -0,0 +1,5 @@
+{
+  security.sudo = {
+    wheelNeedsPassword = false;
+  };
+}

common/global/tailscale.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+let
+in
+{
+  imports = [ ./tailscale_lib.nix ];
+
+  services.tailscaleAutoconnect.enable = true;
+
+  services.tailscale.package = pkgs.unstable.tailscale;
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/tailscale"
+  ];
+}

common/global/tailscale_lib.nix

@@ -0,0 +1,103 @@
+# https://guekka.github.io/nixos-server-2/
+{ config, lib, pkgs, ... }:
+with lib; let
+  cfg = config.services.tailscaleAutoconnect; 
+in {
+  options.services.tailscaleAutoconnect = {
+    enable = mkEnableOption "tailscaleAutoconnect";
+
+    authkey = mkOption {
+      type = types.str;
+      description = "The authkey to use for authentication with Tailscale";
+    };
+
+    loginServer = mkOption {
+      type = types.str;
+      default = "";
+      description = "The login server to use for authentication with Tailscale";
+    };
+
+    advertiseExitNode = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to advertise this node as an exit node";
+    };
+
+    exitNode = mkOption {
+      type = types.str;
+      default = "";
+      description = "The exit node to use for this node";
+    };
+
+    exitNodeAllowLanAccess = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to allow LAN access to this node";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.authkey != "";
+        message = "authkey must be set";
+      }
+      {
+        assertion = cfg.exitNodeAllowLanAccess -> cfg.exitNode != "";
+        message = "exitNodeAllowLanAccess must be false if exitNode is not set";
+      }
+      {
+        assertion = cfg.advertiseExitNode -> cfg.exitNode == "";
+        message = "advertiseExitNode must be false if exitNode is set";
+      }
+    ];
+
+    systemd.services.tailscale-autoconnect = {
+      description = "Automatic connection to Tailscale";
+
+      # make sure tailscale is running before trying to connect to tailscale
+      after = ["network-pre.target" "tailscale.service"];
+      wants = ["network-pre.target" "tailscale.service"];
+      wantedBy = ["multi-user.target"];
+
+      serviceConfig.Type = "oneshot";
+
+      script = with pkgs; ''
+        # wait for tailscaled to settle
+        sleep 2
+
+        # check if we are already authenticated to tailscale
+        status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+        # if status is not null, then we are already authenticated
+        echo "tailscale status: $status"
+        if [ "$status" != "NeedsLogin" ]; then
+            exit 0
+        fi
+
+        # otherwise authenticate with tailscale
+        # timeout after 10 seconds to avoid hanging the boot process
+        ${coreutils}/bin/timeout 10 ${tailscale}/bin/tailscale up \
+          ${lib.optionalString (cfg.loginServer != "") "--login-server=${cfg.loginServer}"} \
+          "--authkey=${cfg.authkey}"
+
+        # we have to proceed in two steps because some options are only available
+        # after authentication
+        ${coreutils}/bin/timeout 10 ${tailscale}/bin/tailscale up \
+          ${lib.optionalString (cfg.loginServer != "") "--login-server=${cfg.loginServer}"} \
+          ${lib.optionalString (cfg.advertiseExitNode) "--advertise-exit-node"} \
+          ${lib.optionalString (cfg.exitNode != "") "--exit-node=${cfg.exitNode}"} \
+          ${lib.optionalString (cfg.exitNodeAllowLanAccess) "--exit-node-allow-lan-access"}
+      '';
+    };
+
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      allowedUDPPorts = [ config.services.tailscale.port ];
+    };
+
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = if cfg.advertiseExitNode then "server" else "client";
+    };
+  };
+}