Preliminary fortress stuff

systems/fortress/.sops.yaml

@@ -0,0 +1,18 @@
+# Get new (host) keys with:
+#   nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age'
+#   nix-shell -p ssh-to-age --run 'ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub'
+# Get new (user) keys with:
+#   mkdir -p ~/.config/sops/age && nix-shell -p ssh-to-age --run 'ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt'
+#   nix-shell -p ssh-to-age --run 'ssh-to-age -i ~/.ssh/id_ed25519.pub'
+keys:
+  - &system_fortress age1v3nya8n8fys8une6cp0t4agrqh4zjk7dk3lel5403xjkf6k87qdqhgjrk8
+  - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+  - &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - pgp:
+          - *yubikey_lauren_primary
+        age:
+          - *system_fortress
+          - *system_ll_latitude

systems/fortress/compose.yml

@@ -0,0 +1,34 @@
+services:
+  secrets:
+    image: nixos/nix:latest
+    command: nix-shell -p ssh-to-age -p sops --command "mkdir -p /root/.config/sops/age && ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /root/.config/sops/age/keys.txt && sops --decrypt /app/secrets.yaml"
+    volumes:
+      - .:/app
+      - /etc/ssh/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # External Services
+  
+  #httpd:
+  #haproxy:
+
+  #coturn:
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Internal Services
+  
+  #dnsmasq:
+  #tinc:
+  #wireguard:
+
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Local Services
+
+  #dockge:
+  #uptime-kuma:

systems/fortress/secrets.yaml

@@ -0,0 +1,49 @@
+dotspace:
+    fortress:
+        tinc_key: ENC[AES256_GCM,data:TYiAAgb7hiAzeeqlLQmj7b/50Yht/EXPUz5WgOs4aWPdCmYmZ/Qy90cUOFP4JDGuwj6BqqcPQ2xMZn3UzHOMlhhFMPiAGrD9ClzhRcti8Y8N2hyElgpTOcFwUiHyB92R4y3SCHLEhCbz0QpqDVKlsHIZyNC+hQihTmGlN53Uq4wThVdriJv9JsSABvwXHyjh+uGmYzKM7lZU4no2xn4CKuh4pa5Rq8GvDlAjJQNg8qcCucTz9VjH8rPZRJoi9GFFrl6a71ollg==,iv:50iiuhG+QVWM27rYP8zjCGX/Zp3TnjG7hUk6x2Gz99A=,tag:3NeS6Rlj9y9lAqDuaKMItA==,type:str]
+        wireguard_key: ENC[AES256_GCM,data:91oquuoknEoMQ5NEwcFwwb/DXkpz0ImSgWpU3CPOrRTQ0VjI7FHluPhKsPA=,iv:STBb0c2lhno+Wylx7L82tBBEdPtCGa8BkmBxrYp8K0w=,tag:nj9gCA9jrqqN6HBmpcY8wQ==,type:str]
+sops:
+    age:
+        - recipient: age1v3nya8n8fys8une6cp0t4agrqh4zjk7dk3lel5403xjkf6k87qdqhgjrk8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEa0k0NC91YnhlRnl0NWYx
+            UUNXSjM1UWFNektJQm55RTB3bzlkZmYvSm5nCjNMUitYdVdBNnNOUVFpYXNQb0Nk
+            eWlSM0hQT0RhSStPRGV3VFVZU1hBdWcKLS0tIFNUWlVVK0UwNnJVZVppRHJuSEoy
+            N0RqWEwyTkRESS8xVmJ0eThRa3dOZkEKiqjDn6WedlB+mmodYeMK49Rbm90CMB7c
+            AQstw4G7v4y6jnhLklHYQUsIKjMj2qysB4qLl63q7PjJf+THsY4UUA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bGVxNUxSK1lxRzFjKzRP
+            a2dBQWdtRlR4N2N1dFcwU0UyU1RNUXRLREdRCmxEODhJaHQ1WjdyYkZyZDd1UjJs
+            a3RCMkFIejJybDJOdWtKRi9nbVZGODgKLS0tIFp1YWdENUtQemR3VmFsRHZKdVlG
+            TE1xT1JWd0dSaVN2TDErNktucWE2K0EKwjd572SoW6SZZzQ9Nxr7Z7Mc1F2h+FSJ
+            FS4iqRRb6Py8l4DrQ76YSwze5Uxl1jXK8WaEP0V7en55B8Yn2D04Fw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-31T03:47:30Z"
+    mac: ENC[AES256_GCM,data:GGQz5aa52oYfnBPTjxbLGaJGOUIxotvwRQQ1NzNMJnmtmEeZosDlLAhk08sG5f9u0Q4gYlxxB+XVPq23dbleGXXla/YkOR+z044ppriKpzTa0bSzKyXgSgFn4qtWC148r5iqGaeYPXjHdZARgUVHmQR8qTdAey6nk6k5Oz2I6yc=,iv:1m1ripzQV39VxNAED/xgwOTnu6+wgSmf7iul40Y2tsA=,tag:7eRFgOxR6CkHIg1/8i66oA==,type:str]
+    pgp:
+        - created_at: "2025-07-31T03:49:46Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9BR1U1EkAnnARAAsvw3aKlrTM5+Z/DqWzDPpgpAhO3qO7eFFuZzwTnoKxzv
+            9Dg+9qwkG1QI5R3UVv7J5a9hCqjfnskZnHSC7lwo/xkA9cCifCTohCtUe+4s8+Gd
+            HgcWrx287oqnuMBOPjZ6WXIYXKLUZPgQ4RciggbyoOStrqwDO2s6RYMVpWAvEBTz
+            18eydqdD57KL6YUmq6sc9wGKFlhIRvpxay6RltohRRPq1+bReiAuEP69G4fThELo
+            ND08l3Q78lQx5cvKStTFbPCOHu2da991gzfRmLpyPjKtGZ5pIfEULui13oUc6iAX
+            23BSn3iHXuEuqYKCbM19D7xRoCvlDpf7gY6M77ZzqEjG/u3gey1JAW0YzDu4brXj
+            3JTKe72ASc/38D9P9NWhCYDk1uOY0aWO5Eg6j5QZ5fF4eGH836HV4ouU7g74Eige
+            gWTMi3TKmWrbvnRnRMNb6ixR7EbHOKRawrajACtzG55R4TVZDXJU0pv5Fas9TBXa
+            wruWH9a1M0prD//ueTss2b2NOMqkyl3O19sVvotW5xgkiXBpjDsj2bCR/uhmLTkp
+            QKlXa11P4ZiDMNkMbU/1USwMNfYH+pGuVS9CbeIvycnUSDDMV90eRZu99GyIc0+3
+            BHvE6mThfKRkpz/B3hiZuacYK/nINxZ5So1XRR8jO730wwuQ2KPkgroJYd4flLPS
+            XgEpnBwMa+c0y9KBDfoGgoB+urG0bDolLL1DqhvBq93jaNT9dF+VSHHMHAcOvVVd
+            oHagTK56+RWUyg/MFThWeIcNUXKdukwlFdQN3Pko7agawxV4zi6u1dYi9fxFq3g=
+            =N1Pk
+            -----END PGP MESSAGE-----
+          fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2