Yoink a bunch of stuff out of compose and into fortress/configuration.nix

systems/fortress/configuration.nix

@@ -28,6 +28,8 @@
     ../../nixos/tweaks/disable_firewall.nix
     #../../nixos/features/virtualization/dockge.nix
     ../../nixos/features/virtualization/docker.nix
+
+    ../../secrets/dotspace.nix
   ];
 
   ##############################################################################
@@ -37,10 +39,38 @@
 
   services.smartd.enable = lib.mkForce false;
 
+  users.users.haproxy = {
+    uid = 99;
+    group = "haproxy";
+  };
+  users.groups.haproxy.gid = 99;
+
   sops.secrets = {
-    "dotspace/pki/lagarde.dev.pem" = {};
-    "dotspace/pki/mlaga97.space.pem" = {};
-    "dotspace/pki/bauble.boutique.pem" = {};
+    "dotspace/coturn/cert.pem" = {
+      owner = config.systemd.services.coturn.serviceConfig.User;
+    };
+    "dotspace/coturn/pkey.pem" = {
+      owner = config.systemd.services.coturn.serviceConfig.User;
+    };
+    "dotspace/coturn/static_auth_secret" = {
+      owner = config.systemd.services.coturn.serviceConfig.User;
+    };
+
+    "dotspace/pki/lagarde.dev.pem" = {
+      mode = "0660";
+      owner = "haproxy";
+      group = "haproxy";
+    };
+    "dotspace/pki/mlaga97.space.pem" = {
+      mode = "0660";
+      owner = "haproxy";
+      group = "haproxy";
+    };
+    "dotspace/pki/bauble.boutique.pem" = {
+      mode = "0660";
+      owner = "haproxy";
+      group = "haproxy";
+    };
 
     "dotspace/fortress/keys/wireguard.priv" = {
       sopsFile = ./secrets.yaml;
@@ -53,6 +83,58 @@
     };
   };
 
+  # https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f
+  services.coturn = {
+    enable = true;
+
+    # syslog
+    # verbose
+
+    lt-cred-mech = true;
+    use-auth-secret = true;
+
+    static-auth-secret-file = "/run/secrets/dotspace/coturn/static_auth_secret";
+    realm = "turn.mlaga97.space";
+
+    cert = "/run/secrets/dotspace/coturn/cert.pem";
+    pkey = "/run/secrets/dotspace/coturn/pkey.pem";
+
+    no-udp = true;
+
+    listening-ips = [
+      "68.183.54.8"
+      "10.86.84.1"
+    ];
+  };
+
+  virtualisation.oci-containers.backend = "docker";
+  virtualisation.oci-containers.containers = {
+    dockge = {
+      image = "louislam/dockge";
+      ports = [
+        "10.86.84.1:5001:5001"
+      ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+        "/opt/stacks/dockge/data:/app/data"
+        "/root/.docker/:/root/.docker"
+        "/opt/stacks:/opt/stacks"
+      ];
+      environment = {
+        DOCKGE_STACKS_DIR = "/opt/stacks";
+      };
+    };
+    dozzle = {
+      image = "amir20/dozzle:latest";
+      ports = [
+        "10.86.84.1:9999:8080"
+      ];
+      volumes = [
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+    };
+  };
+
   ##############################################################################
   ##############################################################################
   ##############################################################################
@@ -97,5 +179,19 @@
       matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
       address = [ "10.132.86.139/16" ];
     };
+
+    networks."90-tinc" = {
+      matchConfig.Name = "tinc.dotspace";
+      address = [ "10.86.84.1/32" ];
+      routes = [ { Destination = "10.86.84.0/24"; } ];
+    };
+  };
+
+  services.tinc.networks.dotspace = {
+    name = "fortress";
+    ed25519PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/tinc/ed25519_key.priv";
+
+    chroot = false;
+    #settings.ConnectTo = [ "stronghold" ];
   };
 }