Stronghold WIP

systems/fortress/.sops.yaml

@@ -1,9 +1,3 @@
-# Get new (host) keys with:
-#   nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age'
-#   nix-shell -p ssh-to-age --run 'ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub'
-# Get new (user) keys with:
-#   mkdir -p ~/.config/sops/age && nix-shell -p ssh-to-age --run 'ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt'
-#   nix-shell -p ssh-to-age --run 'ssh-to-age -i ~/.ssh/id_ed25519.pub'
 keys:
   - &system_fortress age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu
   - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz

systems/fortress/configuration.nix

@@ -155,7 +155,7 @@
   sops.secrets."dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
   sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
 
-  systemd.network.networks."90-tinc" = {
+  systemd.network.networks."90-tinc-dotspace" = {
     matchConfig.Name = "tinc.dotspace";
     address = [ "10.86.84.1/32" ];
     routes = [ { Destination = "10.86.84.0/24"; } ];

systems/stronghold/.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+  - &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - pgp:
+          - *yubikey_lauren_primary
+        age:
+          - *system_ll_latitude

systems/stronghold/configuration.nix

@@ -15,7 +15,6 @@
     # Core Tweaks
     ../../nixos/tweaks/zram.nix
     ../../nixos/tweaks/enable_flakes.nix
-    ../../nixos/tweaks/disable_nixos_user.nix
     ../../nixos/tweaks/systemd-resolved_nonsense.nix
 
     # Dotspace
@@ -28,17 +27,31 @@
     # Docker Host Stuff
     ../../nixos/tweaks/disable_firewall.nix
     ../../nixos/features/virtualization/docker.nix
-    ../../nixos/features/virtualization/dockge.nix
 
-    # UEFI SSH ZFS
-    #../../nixos/tweaks/zfs.nix
-    #../../nixos/features/initrd-ssh.nix
-    #../../nixos/features/virtualization/libvirt-guest-uefi.nix
+    ../../secrets/dotspace.nix
 
-    #../../nixos/disko/libvirt/uefi-zfs-base.nix
-    #../../nixos/disko/libvirt/zfs-encrypted.nix
+    # Local Config
+    #./gatus.nix
+    #./haproxy.nix
+    ./wireguard.nix
   ];
 
+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Services
+
+  services.smartd.enable = lib.mkForce false;
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    dozzle = {
+      image = "amir20/dozzle:latest";
+      ports = [ "10.86.84.3:9999:8080" ];
+      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+    };
+  };
+
   ##############################################################################
   ##############################################################################
   ##############################################################################
@@ -46,35 +59,30 @@
 
   # To generate keys:
   # sudo mkdir -p /root/wireguard && wg genkey | sudo tee /root/wireguard/dotspace.priv | wg pubkey
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces."wg.dotspace" = {
-    ips = [ "10.13.13.2" ];
-    listenPort = 51820;
-    privateKeyFile = "/root/wireguard/dotspace.priv";
-  };
 
+  networking.useNetworkd = true;
   systemd.network = {
-    networks = {
-      "90-tinc-dotspace" = {
-        matchConfig.Name = "tinc.dotspace";
-        address = [ "10.86.84.3/32" ];
-        routes = [ { Destination = "10.86.84.0/24"; } ];
-      };
-    };
+    enable = true;
+
+    # TODO: Interfaces
+  };
+
+  ##############################################################################
+  # Tinc
+
+  sops.secrets."dotspace/stronghold/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
+  systemd.network.networks."90-tinc-dotspace" = {
+    matchConfig.Name = "tinc.dotspace";
+    address = [ "10.86.84.2/32" ]; # TODO: 2?
+    routes = [ { Destination = "10.86.84.0/24"; } ];
   };
 
-  # To Generate Keys:
-  # sudo tinc -b -n dotspace generate-ed25519-keys; cat /etc/tinc/dotspace/hosts/$(hostname) | grep "^Ed"
   services.tinc.networks.dotspace = {
     name = "stronghold";
-    ed25519PrivateKeyFile = "/etc/tinc/dotspace/ed25519_key.priv";
+    ed25519PrivateKeyFile = "/run/secrets/dotspace/stronghold/keys/tinc/ed25519_key.priv";
 
     chroot = false;
-    settings.ConnectTo = [ "fortress" "citadel" ];
+    settings.ConnectTo = [ "fortress" ];
   };
-
-  ##############################################################################
-  ##############################################################################
-  ##############################################################################
-  # Services
 }

systems/stronghold/secrets.yaml

@@ -0,0 +1,81 @@
+dotspace:
+    stronghold:
+        keys:
+            wireguard:
+                private.key: ENC[AES256_GCM,data:8Ay1/jxFay9NuJyyab3bq0RH9S+nBLEtUW82SN8wNWYVdV+wdKhVHQdmOks=,iv:A0hnQJL1mc6MNhite33L1zk4QZFPwPfB9GtXEIT+CXM=,tag:oaHrFPAdTgig9pCqEpVPBg==,type:str]
+                lauren-phone.psk: ENC[AES256_GCM,data:fZCG7LobFo1vI84jn8gdLoLEXwFHsF3z6hHa5pOqkxHYyOf/ljWpcgYMXNE=,iv:9W4Y8Z9voYEC8SrHWhtkBY0jflfcqTfIYi2HS4VIEV0=,tag:+3vTGZgIppAV+INBdPA90A==,type:str]
+            tinc:
+                ed25519_key.pub: ENC[AES256_GCM,data:a2GF7wUoQmIzhBSrOHEcs8oTm81QzsZayorlAiPPt3piOl1gmi4iac1qvK9lV/6wK3Oq4NRrvoIWKtZyvGw=,iv:RcAjzpZIpjmtqQYK+c4W90NyJJgnngR2quLWI7R2fXU=,tag:ABwOJXqJ33GTUQ5hBAI0oA==,type:str]
+                ed25519_key.priv: ENC[AES256_GCM,data:EDAKMQFfq5vAsDZUtU2aqUuio71r3EUx7Gn+hBptKEFQWYRhSazSj5MD7IImgbqbbyfA3dWrnt2UT/JO/X6sp73qsOw2sk9mJ9RmW5OrutHRYe3z5DFyku+JyFEKLxHnuelogIS0ebvUxz6vJhj28jpSTjUExqAndGHx2wJcu6Tj+peB3bXSOUjlY6K8sCNYJGJDGdoHMhSA0q5q3TDdSmhex3P6izA++A8vmWqNOvZFyNGBwYrxHb77eibcuqY9ybE6tUPdMA==,iv:vmm5yjzueV8BDEGNRlXZZlykfacMxqigdUHUV+5GL24=,tag:rzmdFrYFm9i6q52iSKf2Tg==,type:str]
+sops:
+    age:
+        - recipient: age1up8uth9hwtd9gup3v32l8dypdarj77s2lysm8js8w8mwa80rk4ds76ke6d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NU5aN0w1czVkc2VoaW5m
+            VUp4VmVKbVFpb0JUeTlEcjNBQjVLMW52Vm1zCng3ZktjczVIZlBUZ2E0d2JkckZR
+            bzUyQnNEeTRpdExTYm56dmFJYkZPQ28KLS0tIElicWxZbzNUNlRkRDgzSlJWU2Ew
+            WWJIN1d6ckdjbWh4U1Z1SGlQNWpjR2sKz2/MwI8rq5Wf7wBVcV0BMMuYAQNpMrAc
+            Ns/Md9FKDjxEsRo5NrJS0bNWedLuWhedzgyvaZ3aCGLJju5BfqSp0g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbDNRaVBrdFJCRktpZmRm
+            V2JFMnJZYkZnQTlLU0RUMWo4eHJqY1IxVFNNCldRK1BwSUpnbzhCWXY0NmtQaFNF
+            NUNGSFQ4aVJ2V05lMTJLUittUzdSaGcKLS0tIFM5d0JzN3d3VDY3a09EU2xDdGlk
+            RTd5MDB0c090OURSMms5VS9KczBUWkUKUxj8bT1gx+y4BJNogGENhS0eL6aOxvFj
+            31mxJkEhLzjB3W/miDgVIR/MbrH+WD5jQ5mdHb8g/hRw5KOBMr758w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age14j6ns297c49wx5d8jddctfmek0kvn8rvw3y03nw3pankc03dlpuqhvvy7c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGN3N4Y29lNFVhOTI0bUxj
+            eXJxamVtakNGS01EMWtWbnp1UHRPbUhHeDJZClMzZWJSNXhhRjhYQmFKTkZjY3VD
+            UDk1SDRIbmNXZGt2SExuM29ZYzN5aUEKLS0tIGxzME9PMnVBeU9acEpLNTdxUDZk
+            QlF0Y0RyV2pRYlNQU0EyRHlwQm5kMDgKdQ/c0vekhFGnjMq1uwBHwpIMOInWgxpC
+            vbONLm8pEwVYn77lfJDD6IgAILyUFy9fvSBmTGW4QP6agW1rYLqoew==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kmt2khucyvscmwvrjnt0v90zggttuap9utx7rw54g9amhtrkzdlq94fe4j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMDR1bTU5U0VYNUhEbFI2
+            QlZjdkxvZkRZczFjZTRyWjVOUjh3SVFVdEJ3CjhQT1k2M09LSU9WdlpVR3RXczl1
+            TDlKMU90a0NPT0pWUFZFbE1ieGdBRGMKLS0tIHBUTWgrNTNwS2g2ZVdmR3dYdG05
+            R0dCeStsTXlBc2xSQ2lma2EwVGJ1aVkKvF2UTTn19Lvd7nzTAsLUTh+PvurCSZpR
+            jHcCC/53HThnsBHClaKzKSnY1OyJsrptQjSGAsM/8MJMhUdij5+pqA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZXd1dnBVTmRoVkhxNXlT
+            M3Nsb2tWVHlyNnh2UElRRlZqeXJsWU44ZkhZCmZIdjZHY3ZRa3VqRVY3R29DRWF2
+            K3QxZmZlNTBzTlgrZGxZekcyU3J3QXMKLS0tIEdrdTdBaFlXbHlaTGc3Q0ExN1Z3
+            Mmo0UnZiNDhvLzVNRVVjZ2VDWENxeXcKk7iiXOU59DOZC3pP2l7KqlCrPR7ARiVO
+            Uz6VONBvL+IKj8zoIqzozjrh7Q0WMtUIyChhhgEG+vDSC9beWEZvpg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-06T23:31:48Z"
+    mac: ENC[AES256_GCM,data:rSF7ScSmJKZgmEi4avv0Dt1qhjlCFwBFMH5TCevvm2nWFwivtLWLzygaIJOM70J80XDV+9QuFgdALbUUS5yxL5RWj3QYYlsXA35RwFZa1Juh7NNqew26sQSV3K/06T7FmfBsNutXCMkFszqlphaSgnNNNtB+BG/ZzRGBqxzoHT0=,iv:WQrmpK3kx/e/gm7EHbiAjEjdmsA+BsojGiI7A+RNU8U=,tag:s8zCc+DeDq45p1NkrTf1ZQ==,type:str]
+    pgp:
+        - created_at: "2025-08-06T23:11:55Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA9BR1U1EkAnnAQ//a2tDEcDDtpnhcMH7TcFX3klc7spWbU+06WpZcdYh44TH
+            fYUQ1EwuVnI0wISiJRysW1uS+7nRxQGLoMheYprCVuGDRXTqz2HObXREyCejf1Wy
+            EYDn2Y1dNChnOFIWfMzhWSZMzKQt9eCtfVdE/IBIFOPRZK8bDhp88hobClkVQ/oM
+            p7Yfe7nGzN/wTzDVSWRo/pnbAVOGDGlMSr87zTPj7Uq0H8ZphlpgdFrnWzLxf2yu
+            tllXLeSdzJ0LFEENp0uPSaLv3psj/WVSzFRA8rrHXPBJtsxp4yDylDHU0yvVOVyx
+            AWs2B/K+BttNMhmBBQVYY02vzvLH/xd9ZLFfezvIPL3dxR0v7wH/aJYPGHL6iifB
+            WG5aZkWsDGW1v4TPKQ1T/RtGAwx5CVYQnAE8ai9oQxbfxDHUvklkqGFMnOecW3ef
+            E9ff7OB9cp1GcXhlywt01i+GtPvOqYmTKG0lM04zvqO/x/4ktALonesgHTbvF6ub
+            +1csR8v5xWcAlS3mahkhXLnHp43OMwA/kwLRM0yc9dUrIv8nzLUVHR6oJ1nG13yX
+            PL2ajz0/htih2t5l087pvGNNugAxeN7gGOl8Igv4HbAr2IphrVG9FfzDxMqPXoB2
+            LLEHTlmhknceJUr2rOI6PJjOC7M9D5gs0uMAVuY4//mahi0erLe4gBMknG+b9B3S
+            XgEBQhHgCiFEuqXB+SLbujwNUNuPtQG43e6n73PZ9ept5NOyXLHyZ3QkHSgNA5GX
+            KbYzFip4Khh0dNBOfwYP/z+o2xAfoMC0MvDAZjjdTDuu7w9HD6zV/mg99/9wLcs=
+            =eDvZ
+            -----END PGP MESSAGE-----
+          fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

systems/stronghold/wireguard.nix

@@ -0,0 +1,56 @@
+{ ... }: let
+  port = 51280;
+  hostname = "stronghold";
+  subnet_prefix = "10.13.14";
+  public_key = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
+
+  peers = [
+    { name = "lauren-phone"; id = 3; }
+  ];
+in {
+  sops.secrets = {
+    "dotspace/${hostname}/keys/wireguard/private.key" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+
+    # TODO: Parameterize
+    "dotspace/${hostname}/keys/wireguard/lauren-phone.psk" = {
+      mode = "0640";
+      group = "systemd-network";
+      sopsFile = ./secrets.yaml;
+    };
+  };
+
+  systemd.network.networks."90-wg.${hostname}" = {
+    matchConfig.Name = "wg.${hostname}";
+    address = [ "${subnet_prefix}.1/24" ];
+    networkConfig = {
+      IPMasquerade = "ipv4";
+      IPv4Forwarding = true;
+    };
+  };
+
+  systemd.network.netdevs."50-wg.${hostname}" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg.${hostname}";
+      MTUBytes = "1300";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = "/run/secrets/dotspace/${hostname}/keys/wireguard/private.key";
+      ListenPort = port;
+      RouteTable = "main";
+    };
+
+    # TODO: Parameterize
+    wireguardPeers = [
+      {
+        PresharedKeyFile = "/run/secrets/dotspace/${hostname}/keys/wireguard/lauren-phone.psk";
+        PublicKey = public_key;
+        AllowedIPs = [ "${subnet_prefix}.2/32" ];
+      }
+    ];
+  };
+}