Stronghold WIP

2025-08-23 01:15:41 -05:00 · 2025-08-23 01:15:41 -05:00 · a113294ec1
commit a113294ec1
parent b704bad251
6 changed files with 186 additions and 37 deletions
--- a/systems/stronghold/configuration.nix
+++ b/systems/stronghold/configuration.nix
@ -15,7 +15,6 @@
    # Core Tweaks
    ../../nixos/tweaks/zram.nix
    ../../nixos/tweaks/enable_flakes.nix
-    ../../nixos/tweaks/disable_nixos_user.nix
    ../../nixos/tweaks/systemd-resolved_nonsense.nix

    # Dotspace
@ -28,17 +27,31 @@
    # Docker Host Stuff
    ../../nixos/tweaks/disable_firewall.nix
    ../../nixos/features/virtualization/docker.nix
-    ../../nixos/features/virtualization/dockge.nix

-    # UEFI SSH ZFS
-    #../../nixos/tweaks/zfs.nix
-    #../../nixos/features/initrd-ssh.nix
-    #../../nixos/features/virtualization/libvirt-guest-uefi.nix
+    ../../secrets/dotspace.nix

-    #../../nixos/disko/libvirt/uefi-zfs-base.nix
-    #../../nixos/disko/libvirt/zfs-encrypted.nix
+    # Local Config
+    #./gatus.nix
+    #./haproxy.nix
+    ./wireguard.nix
  ];

+  ##############################################################################
+  ##############################################################################
+  ##############################################################################
+  # Services
+
+  services.smartd.enable = lib.mkForce false;
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    dozzle = {
+      image = "amir20/dozzle:latest";
+      ports = [ "10.86.84.3:9999:8080" ];
+      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+    };
+  };
+
  ##############################################################################
  ##############################################################################
  ##############################################################################
@ -46,35 +59,30 @@

  # To generate keys:
  # sudo mkdir -p /root/wireguard && wg genkey | sudo tee /root/wireguard/dotspace.priv | wg pubkey
-  networking.wireguard.enable = true;
-  networking.wireguard.interfaces."wg.dotspace" = {
-    ips = [ "10.13.13.2" ];
-    listenPort = 51820;
-    privateKeyFile = "/root/wireguard/dotspace.priv";
-  };

+  networking.useNetworkd = true;
  systemd.network = {
-    networks = {
-      "90-tinc-dotspace" = {
-        matchConfig.Name = "tinc.dotspace";
-        address = [ "10.86.84.3/32" ];
-        routes = [ { Destination = "10.86.84.0/24"; } ];
-      };
-    };
+    enable = true;
+
+    # TODO: Interfaces
+  };
+
+  ##############################################################################
+  # Tinc
+
+  sops.secrets."dotspace/stronghold/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
+  systemd.network.networks."90-tinc-dotspace" = {
+    matchConfig.Name = "tinc.dotspace";
+    address = [ "10.86.84.2/32" ]; # TODO: 2?
+    routes = [ { Destination = "10.86.84.0/24"; } ];
  };

-  # To Generate Keys:
-  # sudo tinc -b -n dotspace generate-ed25519-keys; cat /etc/tinc/dotspace/hosts/$(hostname) | grep "^Ed"
  services.tinc.networks.dotspace = {
    name = "stronghold";
-    ed25519PrivateKeyFile = "/etc/tinc/dotspace/ed25519_key.priv";
+    ed25519PrivateKeyFile = "/run/secrets/dotspace/stronghold/keys/tinc/ed25519_key.priv";

    chroot = false;
-    settings.ConnectTo = [ "fortress" "citadel" ];
+    settings.ConnectTo = [ "fortress" ];
  };
-
-  ##############################################################################
-  ##############################################################################
-  ##############################################################################
-  # Services
 }