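# To recover/repeat this monstrosity:
# - Comment out the digital-ocean-image.nix import
# - Build qcow2 image with `nixos-rebuild build-image --image-variant digital-ocean --flake ".#fortress"`
# - Convert image output from .qcow2.gz to .img.zst
# - Pipe the .img.zst over ssh into dd on the "Recovery ISO" environment of the droplet
# - Resize the partition and reboot
# - ????
# - Profit
#
# NixOS module for the "fortress" DigitalOcean droplet. It carries a public
# address on ens3, a tinc overlay (tinc.dotspace, 10.86.84.1) and a wireguard
# setup from ./wireguard.nix, and runs a few docker containers that are bound
# to the tinc-side address only.
#
# Security notes (review):
# - ../../nixos/tweaks/disable_firewall.nix is imported, so by its name the
#   host firewall is presumably off; the only thing limiting exposure of the
#   containers below is the 10.86.84.1 bind address on each port mapping.
# - dozzle mounts /var/run/docker.sock; access to that socket is equivalent to
#   root on the host, so anything reachable on 10.86.84.1:9999 inherits that.
# - Container images are referenced by floating tag (":latest" or untagged),
#   which is not reproducible across rebuilds; pinning by digest is an option.
{ lib, config, pkgs, inputs, ... }:

{
  imports = [
    # NOTE: This has to be uncommented to rebuild on a live system, but commented for build-image to work.
    "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"

    # Core Features
    ../../nixos/features/base.nix
    ../../nixos/features/tui-apps.nix
    ../../nixos/features/openssh-server.nix

    # Core Tweaks
    ../../nixos/tweaks/zram.nix
    ../../nixos/tweaks/enable_flakes.nix
    ../../nixos/tweaks/systemd-resolved_nonsense.nix

    # Users
    ../../users/lauren_lagarde/lauren_lagarde.nix

    # Additional Software
    ../../nixos/tweaks/disable_firewall.nix
    #../../nixos/features/virtualization/dockge.nix
    ../../nixos/features/virtualization/docker.nix
    ../../secrets/dotspace.nix

    # Local Config
    ./gatus.nix
    ./coturn.nix
    ./haproxy.nix
    ./wireguard.nix
  ];

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Services

  # mkForce so this wins over whatever an imported feature sets; presumably a
  # virtual disk has nothing for smartd to monitor.
  services.smartd.enable = lib.mkForce false;

  # fail2ban guards the public address; the overlay subnets are trusted and
  # never banned.
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    ignoreIP = [
      "10.86.84.0/24" # Tinc
      "10.13.13.0/24" # Wireguard
    ];
    bantime = "1h";
  };

  virtualisation.oci-containers.backend = "docker";
  virtualisation.oci-containers.containers = {
    # Docker log viewer. Host-side port is bound to the tinc address only.
    dozzle = {
      image = "amir20/dozzle:latest";
      ports = [ "10.86.84.1:9999:8080" ];
      # Read/write docker socket: root-equivalent on the host (see header).
      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
    };

    # DNS for the overlay; 53/udp and the web UI (5380) on the tinc address.
    dnsmasq = {
      image = "jpillora/dnsmasq";
      ports = [
        "10.86.84.1:53:53/udp"
        "10.86.84.1:5380:8080"
      ];
      volumes = [
        "/home/lauren_lagarde/fortress/dnsmasq.conf:/etc/dnsmasq.conf" # TODO
      ];
      # NOTE(review): NET_ADMIN is broader than plain DNS needs; confirm the
      # dnsmasq.conf above actually requires it (e.g. DHCP) before keeping it.
      capabilities = { NET_ADMIN = true; };
    };

    # Static file host on the tinc address; document root comes from the
    # user's home directory.
    httpd = {
      image = "httpd:latest";
      ports = [ "10.86.84.1:8080:80" ];
      volumes = [
        "/home/lauren_lagarde/fortress/httpd/dotspace:/usr/local/apache2/htdocs" # TODO
      ];
    };
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Networking

  # Presumably the provider's resolvers plus Google's IPv6 resolvers.
  networking.nameservers = [
    "67.207.67.3"
    "67.207.67.2"
    "2001:4860:4860::8844"
    "2001:4860:4860::8888"
  ];
  networking.useNetworkd = true;

  systemd.network = {
    enable = true;

    # Public IP. Interfaces are matched by permanent MAC rather than name so a
    # rename of ens3/ens4 does not silently drop the addressing.
    networks."30-ens3" = {
      matchConfig.PermanentMACAddress = "c2:6c:55:d5:99:6a";
      address = [
        "68.183.54.8/20"
        "10.17.0.6/16"
        "2604:a880:800:10::d60:9001/64"
      ];
      routes = [
        { Gateway = "68.183.48.1"; }
        # The v6 gateway is not inside the /64, so it needs an explicit
        # on-link route before the default route via it can be installed.
        { Destination = "2604:a880:800:10::1"; Scope = "link"; Metric = 100; }
        { Gateway = "2604:a880:800:10::1"; GatewayOnLink = true; Metric = 100; }
      ];
    };

    # Private IP
    networks."30-ens4" = {
      matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
      address = [ "10.132.86.139/16" ];
    };
  };

  ##############################################################################
  # Tinc

  # Both keys are decrypted from ./secrets.yaml. Only the ed25519 key is wired
  # into tinc in this file; the RSA key may be consumed elsewhere or be unused
  # here — NOTE(review): confirm before removing.
  sops.secrets."dotspace/fortress/keys/tinc/rsa_key.priv" = {
    sopsFile = ./secrets.yaml;
  };
  sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv" = {
    sopsFile = ./secrets.yaml;
  };

  # Overlay address and the route for the rest of the tinc subnet.
  systemd.network.networks."90-tinc" = {
    matchConfig.Name = "tinc.dotspace";
    address = [ "10.86.84.1/32" ];
    routes = [
      { Destination = "10.86.84.0/24"; }
    ];
  };

  services.tinc.networks.dotspace = {
    name = "fortress";
    # Resolve the key path from the sops declaration above instead of
    # duplicating the "/run/secrets/<name>" literal, so a renamed secret
    # cannot leave tinc pointing at a stale path (the default path is the
    # same "/run/secrets/..." location the literal used to spell out).
    ed25519PrivateKeyFile =
      config.sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv".path;
    # tinc runs without its chroot here. NOTE(review): this is an intentional
    # reduction in confinement; confirm it is still required.
    chroot = false;
    #settings.ConnectTo = [ "stronghold" ];
  };
}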