mlaga97/mlaga97-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
mlaga97-nix/systems/fortress/configuration.nix

197 lines
5.2 KiB
Nix
Raw Blame History

# To recover/repeat this monstrosity:
# - Comment out the digital-ocean-image.nix import
# - Build qcow2 image with `nixos-rebuild build-image --image-variant digital-ocean --flake ".#fortress"`
# - Convert image output from .qcow2.gz to .img.zst
# - Pipe the .img.zst over ssh into dd on the "Recovery ISO" environment of the droplet
# - Resize the partition and reboot
# - ????
# - Profit
{ lib, config, pkgs, inputs, ... }: {
imports = [
# NOTE: This has to be uncommented to rebuild on a live system, but commented for build-image to work.
"${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
# Core Features
../../nixos/features/base.nix
../../nixos/features/tui-apps.nix
../../nixos/features/openssh-server.nix
# Core Tweaks
../../nixos/tweaks/zram.nix
../../nixos/tweaks/enable_flakes.nix
../../nixos/tweaks/systemd-resolved_nonsense.nix
# Users
../../users/lauren_lagarde/lauren_lagarde.nix
# Additional Software
../../nixos/tweaks/disable_firewall.nix
#../../nixos/features/virtualization/dockge.nix
../../nixos/features/virtualization/docker.nix
../../secrets/dotspace.nix
];
##############################################################################
##############################################################################
##############################################################################
# Services
services.smartd.enable = lib.mkForce false;
users.users.haproxy = {
uid = 99;
group = "haproxy";
};
users.groups.haproxy.gid = 99;
sops.secrets = {
"dotspace/coturn/cert.pem" = {
owner = config.systemd.services.coturn.serviceConfig.User;
};
"dotspace/coturn/pkey.pem" = {
owner = config.systemd.services.coturn.serviceConfig.User;
};
"dotspace/coturn/static_auth_secret" = {
owner = config.systemd.services.coturn.serviceConfig.User;
};
"dotspace/pki/lagarde.dev.pem" = {
mode = "0660";
owner = "haproxy";
group = "haproxy";
};
"dotspace/pki/mlaga97.space.pem" = {
mode = "0660";
owner = "haproxy";
group = "haproxy";
};
"dotspace/pki/bauble.boutique.pem" = {
mode = "0660";
owner = "haproxy";
group = "haproxy";
};
"dotspace/fortress/keys/wireguard.priv" = {
sopsFile = ./secrets.yaml;
};
"dotspace/fortress/keys/tinc/rsa_key.priv" = {
sopsFile = ./secrets.yaml;
};
"dotspace/fortress/keys/tinc/ed25519_key.priv" = {
sopsFile = ./secrets.yaml;
};
};
# https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f
services.coturn = {
enable = true;
# syslog
# verbose
lt-cred-mech = true;
use-auth-secret = true;
static-auth-secret-file = "/run/secrets/dotspace/coturn/static_auth_secret";
realm = "turn.mlaga97.space";
cert = "/run/secrets/dotspace/coturn/cert.pem";
pkey = "/run/secrets/dotspace/coturn/pkey.pem";
no-udp = true;
listening-ips = [
"68.183.54.8"
"10.86.84.1"
];
};
virtualisation.oci-containers.backend = "docker";
virtualisation.oci-containers.containers = {
dockge = {
image = "louislam/dockge";
ports = [
"10.86.84.1:5001:5001"
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/opt/stacks/dockge/data:/app/data"
"/root/.docker/:/root/.docker"
"/opt/stacks:/opt/stacks"
];
environment = {
DOCKGE_STACKS_DIR = "/opt/stacks";
};
};
dozzle = {
image = "amir20/dozzle:latest";
ports = [
"10.86.84.1:9999:8080"
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
};
};
##############################################################################
##############################################################################
##############################################################################
# Networking
networking.nameservers = [
"67.207.67.3"
"67.207.67.2"
"2001:4860:4860::8844"
"2001:4860:4860::8888"
];
networking.useNetworkd = true;
systemd.network = {
enable = true;
# Public IP
networks."30-ens3" = {
matchConfig.PermanentMACAddress = "c2:6c:55:d5:99:6a";
address = [
"68.183.54.8/20"
"10.17.0.6/16"
"2604:a880:800:10::d60:9001/64"
];
routes = [
{ Gateway = "68.183.48.1"; }
{
Destination = "2604:a880:800:10::1";
Scope = "link";
Metric = 100;
}
{
Gateway = "2604:a880:800:10::1";
GatewayOnLink = true;
Metric = 100;
}
];
};
# Private IP
networks."30-ens4" = {
matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
address = [ "10.132.86.139/16" ];
};
networks."90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "10.86.84.1/32" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
};
services.tinc.networks.dotspace = {
name = "fortress";
ed25519PrivateKeyFile = "/run/secrets/dotspace/fortress/keys/tinc/ed25519_key.priv";
chroot = false;
#settings.ConnectTo = [ "stronghold" ];
};
}
Reference in a new issue View git blame Copy permalink