Major refactor of fortress config

2025-08-03 18:10:24 -05:00 · 2025-08-03 18:10:24 -05:00 · 72d51d403a
commit 72d51d403a
parent 74929a0aa6
5 changed files with 239 additions and 226 deletions
--- a/systems/fortress/configuration.nix
+++ b/systems/fortress/configuration.nix
@ -30,6 +30,12 @@
    ../../nixos/features/virtualization/docker.nix

    ../../secrets/dotspace.nix
+
+    # Local Config
+    ./gatus.nix
+    ./coturn.nix
+    ./haproxy.nix
+    ./wireguard.nix
  ];

  ##############################################################################
@ -39,196 +45,33 @@

  services.smartd.enable = lib.mkForce false;

-  users.users.haproxy = {
-    uid = 99;
-    group = "haproxy";
-  };
-  users.groups.haproxy.gid = 99;
-
-  sops.secrets = {
-    "dotspace/coturn/cert.pem" = {
-      owner = config.systemd.services.coturn.serviceConfig.User;
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    dozzle = {
+      image = "amir20/dozzle:latest";
+      ports = [ "10.86.84.1:9999:8080" ];
+      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
    };
-    "dotspace/coturn/pkey.pem" = {
-      owner = config.systemd.services.coturn.serviceConfig.User;
+    dnsmasq = {
+      image = "jpillora/dnsmasq";
+      ports = [
+        "10.86.84.1:53:53/udp"
+        "10.86.84.1:5380:8080"
+      ];
+      volumes = [
+        "/home/lauren_lagarde/dnsmasq.conf:/etc/dnsmasq.conf" # TODO
+      ];
+      capabilities = { NET_ADMIN = true; };
    };
-    "dotspace/coturn/static_auth_secret" = {
-      owner = config.systemd.services.coturn.serviceConfig.User;
-    };
-
-    "dotspace/pki/lagarde.dev.pem" = {
-      mode = "0660";
-      owner = "haproxy";
-      group = "haproxy";
-    };
-    "dotspace/pki/mlaga97.space.pem" = {
-      mode = "0660";
-      owner = "haproxy";
-      group = "haproxy";
-    };
-    "dotspace/pki/bauble.boutique.pem" = {
-      mode = "0660";
-      owner = "haproxy";
-      group = "haproxy";
-    };
-
-    "dotspace/gatus.env" = {
-      mode = "0664";
-    };
-
-    "dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
-    "dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
-
-    "dotspace/fortress/keys/wireguard/private.key" = {
-      mode = "0640";
-      group = "systemd-network";
-      sopsFile = ./secrets.yaml;
-    };
-    "dotspace/fortress/keys/wireguard/lauren-phone.psk" = {
-      mode = "0640";
-      group = "systemd-network";
-      sopsFile = ./secrets.yaml;
-    };
-    "dotspace/fortress/keys/wireguard/ashley-phone.psk" = {
-      mode = "0640";
-      group = "systemd-network";
-      sopsFile = ./secrets.yaml;
-    };
-    "dotspace/fortress/keys/wireguard/lauren-laptop.psk" = {
-      mode = "0640";
-      group = "systemd-network";
-      sopsFile = ./secrets.yaml;
-    };
-  };
-
-  services.gatus = {
-    enable = true;
-    environmentFile = "/run/secrets/dotspace/gatus.env";
-    settings = {
-      web.port = 18255;
-
-      alerting.discord.webhook-url = "\${GATUS_DISCORD_WEBHOOK}";
-
-      maintenance = {
-        start = "04:50";
-        duration = "30m";
-        timezone = "America/Chicago";
-      };
-
-      endpoints = [
-        {
-          name = "Synapse";
-          group = "Core Services";
-          url = "https://matrix.mlaga97.space/_synapse/admin/v1/server_version";
-          interval = "30s";
-          conditions = [
-            "[STATUS] == 200"
-            "has([BODY].server_version) == true"
-            "[CERTIFICATE_EXPIRATION] > 48h"
-          ];
-          alerts = [{
-            type = "discord";
-            send-on-resolved = true;
-            description = "\${LAUREN_DISCORD_USERNAME}";
-          }];
-        }
-        {
-          name = "Home Assistant";
-          group = "Core Services";
-          url = "https://homeassistant.mlaga97.space/api/webhook/-k9lg4u3J3_QLO6avhXNG4KZa";
-          interval = "30s";
-          conditions = [
-            "[STATUS] == 200"
-            "[CERTIFICATE_EXPIRATION] > 48h"
-          ];
-          alerts = [{
-            type = "discord";
-            send-on-resolved = true;
-            description = "\${LAUREN_DISCORD_USERNAME}";
-          }];
-        }
-        {
-          name = "Git";
-          group = "Core Services";
-          url = "https://git.mlaga97.space/api/healthz";
-          interval = "30s";
-          conditions = [
-            "[STATUS] == 200"
-            "[BODY].status == pass"
-            "[CERTIFICATE_EXPIRATION] > 48h"
-          ];
-          alerts = [{
-            type = "discord";
-            send-on-resolved = true;
-            description = "\${LAUREN_DISCORD_USERNAME}";
-          }];
-        }
+    httpd = {
+      image = "httpd:latest";
+      ports = [ "10.86.84.1:8080:80" ];
+      volumes = [
+        "/home/lauren_lagarde/httpd/dotspace:/usr/local/apache2/htdocs" # TODO
      ];
    };
  };

-  # https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f
-  services.coturn = {
-    enable = true;
-
-    # syslog
-    # verbose
-
-    lt-cred-mech = true;
-    use-auth-secret = true;
-
-    static-auth-secret-file = "/run/secrets/dotspace/coturn/static_auth_secret";
-    realm = "turn.mlaga97.space";
-
-    cert = "/run/secrets/dotspace/coturn/cert.pem";
-    pkey = "/run/secrets/dotspace/coturn/pkey.pem";
-
-    no-udp = true;
-
-    listening-ips = [
-      "68.183.54.8"
-      "10.86.84.1"
-    ];
-  };
-
-  virtualisation.oci-containers.containers.haproxy = {
-    image = "haproxy:2.6-alpine";
-    ports = [
-      "80:80"
-      "443:443"
-      "8448:8448"
-      "9980:9980"
-    ];
-    volumes = [
-      "/run/secrets/dotspace/pki:/certs"
-      "/home/lauren_lagarde/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
-    ];
-  };
-
-  virtualisation.oci-containers.containers.dnsmasq = {
-    image = "jpillora/dnsmasq";
-    ports = [
-      "10.86.84.1:53:53/udp"
-      "10.86.84.1:5380:8080"
-    ];
-    volumes = [ "/home/lauren_lagarde/dnsmasq.conf:/etc/dnsmasq.conf" ];
-    capabilities = { NET_ADMIN = true; };
-  };
-
-  virtualisation.oci-containers.containers.httpd = {
-    image = "httpd:latest";
-    ports = [ "10.86.84.1:8080:80" ];
-    volumes = [ "/home/lauren_lagarde/httpd/dotspace:/usr/local/apache2/htdocs" ];
-  };
-
-  virtualisation.oci-containers.containers.dozzle = {
-    image = "amir20/dozzle:latest";
-    ports = [ "10.86.84.1:9999:8080" ];
-    volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
-  };
-
-  virtualisation.oci-containers.backend = "docker";
-
  ##############################################################################
  ##############################################################################
  ##############################################################################
@ -275,51 +118,12 @@
    };
  };

-  ##############################################################################
-  # Wireguard
-
-  systemd.network.networks."90-wg.fortress" = {
-    matchConfig.Name = "wg.fortress";
-    address = [ "10.13.13.1/24" ];
-    networkConfig = {
-      IPMasquerade = "ipv4";
-      IPv4Forwarding = true;
-    };
-  };
-
-  systemd.network.netdevs."50-wg.fortress" = {
-    netdevConfig = {
-      Kind = "wireguard";
-      Name = "wg.fortress";
-      MTUBytes = "1300";
-    };
-    wireguardConfig = {
-      PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/private.key";
-      ListenPort = 51820; # TODO: This should've been 51280
-      RouteTable = "main";
-    };
-    wireguardPeers = [
-      {
-        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-phone.psk";
-        PublicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
-        AllowedIPs = [ "10.13.13.3/32" ];
-      }
-      {
-        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/ashley-phone.psk";
-        PublicKey = "AtmZMqvQgsRVq44kYdjOkC8ACmrw8MbDhyPSvtEbmlc=";
-        AllowedIPs = [ "10.13.13.4/32" ];
-      }
-      {
-        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-laptop.psk";
-        PublicKey = "prhDYwUWhEc5X+zWHrqw79MFFvEN/qAAAZPq7vndhRE=";
-        AllowedIPs = [ "10.13.13.5/32" ];
-      }
-    ];
-  };
-
  ##############################################################################
  # Tinc

+  sops.secrets."dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
+  sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
  systemd.network.networks."90-tinc" = {
    matchConfig.Name = "tinc.dotspace";
    address = [ "10.86.84.1/32" ];
--- a/systems/fortress/coturn.nix
+++ b/systems/fortress/coturn.nix
@ -0,0 +1,37 @@
+{ config, ... }: {
+  sops.secrets = {
+    "dotspace/coturn/cert.pem" = {
+      owner = config.systemd.services.coturn.serviceConfig.User;
+    };
+    "dotspace/coturn/pkey.pem" = {
+      owner = config.systemd.services.coturn.serviceConfig.User;
+    };
+    "dotspace/coturn/static_auth_secret" = {
+      owner = config.systemd.services.coturn.serviceConfig.User;
+    };
+  };
+
+  # https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f
+  services.coturn = {
+    enable = true;
+
+    # syslog
+    # verbose
+
+    lt-cred-mech = true;
+    use-auth-secret = true;
+
+    static-auth-secret-file = "/run/secrets/dotspace/coturn/static_auth_secret";
+    realm = "turn.mlaga97.space";
+
+    cert = "/run/secrets/dotspace/coturn/cert.pem";
+    pkey = "/run/secrets/dotspace/coturn/pkey.pem";
+
+    no-udp = true;
+
+    listening-ips = [
+      "68.183.54.8"
+      "10.86.84.1"
+    ];
+  };
+}
--- a/systems/fortress/gatus.nix
+++ b/systems/fortress/gatus.nix
@ -0,0 +1,69 @@
+{ ... }: {
+  sops.secrets."dotspace/gatus.env".mode = "0664";
+
+  services.gatus = {
+    enable = true;
+    environmentFile = "/run/secrets/dotspace/gatus.env";
+    settings = {
+      web.port = 18255;
+
+      alerting.discord.webhook-url = "\${GATUS_DISCORD_WEBHOOK}";
+
+      maintenance = {
+        start = "04:50";
+        duration = "30m";
+        timezone = "America/Chicago";
+      };
+
+      endpoints = [
+        {
+          name = "Synapse";
+          group = "Core Services";
+          url = "https://matrix.mlaga97.space/_synapse/admin/v1/server_version";
+          interval = "30s";
+          conditions = [
+            "[STATUS] == 200"
+            "has([BODY].server_version) == true"
+            "[CERTIFICATE_EXPIRATION] > 48h"
+          ];
+          alerts = [{
+            type = "discord";
+            send-on-resolved = true;
+            description = "\${LAUREN_DISCORD_USERNAME}";
+          }];
+        }
+        {
+          name = "Home Assistant";
+          group = "Core Services";
+          url = "https://homeassistant.mlaga97.space/api/webhook/-k9lg4u3J3_QLO6avhXNG4KZa";
+          interval = "30s";
+          conditions = [
+            "[STATUS] == 200"
+            "[CERTIFICATE_EXPIRATION] > 48h"
+          ];
+          alerts = [{
+            type = "discord";
+            send-on-resolved = true;
+            description = "\${LAUREN_DISCORD_USERNAME}";
+          }];
+        }
+        {
+          name = "Git";
+          group = "Core Services";
+          url = "https://git.mlaga97.space/api/healthz";
+          interval = "30s";
+          conditions = [
+            "[STATUS] == 200"
+            "[BODY].status == pass"
+            "[CERTIFICATE_EXPIRATION] > 48h"
+          ];
+          alerts = [{
+            type = "discord";
+            send-on-resolved = true;
+            description = "\${LAUREN_DISCORD_USERNAME}";
+          }];
+        }
+      ];
+    };
+  };
+}
--- a/systems/fortress/haproxy.nix
+++ b/systems/fortress/haproxy.nix
@ -0,0 +1,40 @@
+{ ... }: {
+  users.groups.haproxy.gid = 99;
+
+  users.users.haproxy = {
+    uid = 99;
+    group = "haproxy";
+  };
+
+  sops.secrets = {
+    "dotspace/pki/lagarde.dev.pem" = {
+      mode = "0660";
+      owner = "haproxy";
+      group = "haproxy";
+    };
+    "dotspace/pki/mlaga97.space.pem" = {
+      mode = "0660";
+      owner = "haproxy";
+      group = "haproxy";
+    };
+    "dotspace/pki/bauble.boutique.pem" = {
+      mode = "0660";
+      owner = "haproxy";
+      group = "haproxy";
+    };
+  };
+
+  virtualisation.oci-containers.containers.haproxy = {
+    image = "haproxy:2.6-alpine";
+    ports = [
+      "80:80"
+      "443:443"
+      "8448:8448"
+      "9980:9980"
+    ];
+    volumes = [
+      "/run/secrets/dotspace/pki:/certs"
+      "/home/lauren_lagarde/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg" # TODO
+    ];
+  };
+}
--- a/systems/fortress/wireguard.nix
+++ b/systems/fortress/wireguard.nix
@ -0,0 +1,63 @@
+{ ... }: {
+  sops.secrets = {
+    "dotspace/fortress/keys/wireguard/private.key" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+    "dotspace/fortress/keys/wireguard/lauren-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+    "dotspace/fortress/keys/wireguard/ashley-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+    "dotspace/fortress/keys/wireguard/lauren-laptop.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+  };
+
+  systemd.network.networks."90-wg.fortress" = {
+    matchConfig.Name = "wg.fortress";
+    address = [ "10.13.13.1/24" ];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
+    };
+  };
+
+  systemd.network.netdevs."50-wg.fortress" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg.fortress";
+      MTUBytes = "1300";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/private.key";
+      ListenPort = 51820; # TODO: This should've been 51280
+      RouteTable = "main";
+    };
+    wireguardPeers = [
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-phone.psk";
+        PublicKey = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
+        AllowedIPs = [ "10.13.13.3/32" ];
+      }
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/ashley-phone.psk";
+        PublicKey = "AtmZMqvQgsRVq44kYdjOkC8ACmrw8MbDhyPSvtEbmlc=";
+        AllowedIPs = [ "10.13.13.4/32" ];
+      }
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/fortress/keys/wireguard/lauren-laptop.psk";
+        PublicKey = "prhDYwUWhEc5X+zWHrqw79MFFvEN/qAAAZPq7vndhRE=";
+        AllowedIPs = [ "10.13.13.5/32" ];
+      }
+    ];
+  };
+}