mlaga97-nix/systems/fortress/configuration.nix

# To recover/repeat this monstrosity:
# - Comment out the digital-ocean-image.nix import
# - Build qcow2 image with `nixos-rebuild build-image --image-variant digital-ocean --flake ".#fortress"`
# - Convert image output from .qcow2.gz to .img.zst
# - Pipe the .img.zst over ssh into dd on the "Recovery ISO" environment of the droplet
# - Resize the partition and reboot
# - ????
# - Profit
{ lib, config, pkgs, inputs, ... }: {
imports = [
# NOTE: This has to be uncommented to rebuild on a live system, but commented for build-image to work.
# NOTE(review): the upstream DigitalOcean image module carries its own defaults
# (cloud-init / metadata-driven setup, presumably) -- confirm they do not fight
# the static systemd-networkd configuration further down this file.
"${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
# Core Features
../../nixos/features/base.nix
../../nixos/features/tui-apps.nix
../../nixos/features/openssh-server.nix
# Core Tweaks
../../nixos/tweaks/zram.nix
../../nixos/tweaks/enable_flakes.nix
../../nixos/tweaks/systemd-resolved_nonsense.nix
# Users
../../users/lauren_lagarde/lauren_lagarde.nix
# Additional Software
# SECURITY: this presumably turns the NixOS firewall off (the file itself is not
# shown here). This host has a public IPv4/IPv6 address (see ens3 below), so
# every listener bound to 0.0.0.0 / :: is internet-reachable; the only thing
# keeping the containers below private is that their ports are bound to the
# tinc address. Review every new listener against this, or keep the firewall
# and open ports explicitly instead.
../../nixos/tweaks/disable_firewall.nix
#../../nixos/features/virtualization/dockge.nix
# Docker daemon for the oci-containers below. Anyone docker.nix puts in the
# docker group is root-equivalent on this host -- check who it adds.
../../nixos/features/virtualization/docker.nix
../../secrets/dotspace.nix
# Local Config
./gatus.nix
./coturn.nix
./haproxy.nix
./wireguard.nix
];
##############################################################################
##############################################################################
##############################################################################
# Services
# Something in the imported modules apparently enables smartd (hence the
# mkForce); a droplet has no physical disks to monitor, so force it off.
services.smartd.enable = lib.mkForce false;

# Brute-force protection. NixOS enables the sshd jail by default (verify no
# other jails are configured elsewhere). Both overlay networks are exempt, so
# a compromised tinc or WireGuard peer can hammer sshd without ever being
# banned -- that is a deliberate availability trade-off, not an oversight.
services.fail2ban.enable = true;
services.fail2ban.maxretry = 5;
services.fail2ban.bantime = "1h";
services.fail2ban.ignoreIP = [
  "10.86.84.0/24" # Tinc
  "10.13.13.0/24" # Wireguard
];
virtualisation.oci-containers.backend = "docker";
virtualisation.oci-containers.containers =
  let
    # Every published port is bound to the host's tinc address, so these
    # services are only reachable over the overlay -- not from the public
    # interface or the DigitalOcean private network. That binding is doing the
    # work a firewall would normally do (disable_firewall.nix is imported).
    # NOTE(review): Docker can only bind to this address once tinc.dotspace is
    # up; confirm the container units are ordered after the tinc service or
    # they may fail to start on a cold boot.
    tincAddr = "10.86.84.1";
    # Bind-mount sources live in a user's home directory (marked TODO upstream).
    # Whoever can write there controls the dnsmasq config of a NET_ADMIN
    # container and the web root served by httpd.
    stateDir = "/home/lauren_lagarde/fortress";
  in {
    dozzle = {
      # Unpinned tag: the image changes under you on every pull. Pin a digest
      # if reproducibility or supply-chain review matters here.
      image = "amir20/dozzle:latest";
      ports = [ "${tincAddr}:9999:8080" ];
      # SECURITY: the Docker socket is root-equivalent on the host; a bug in
      # dozzle or anyone reaching port 9999 over tinc gets it. Mounting it :ro
      # would not meaningfully restrict the API -- a socket proxy that exposes
      # only the read endpoints is the usual mitigation.
      volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
    };

    dnsmasq = {
      # No tag at all, so this resolves to :latest -- same pinning caveat.
      image = "jpillora/dnsmasq";
      ports = [
        "${tincAddr}:53:53/udp"      # resolver for tinc peers only
        "${tincAddr}:5380:8080"      # dnsmasq web UI, tinc only
      ];
      volumes = [
        "${stateDir}/dnsmasq.conf:/etc/dnsmasq.conf" # TODO
      ];
      # NET_ADMIN in the container's namespace; combined with the user-writable
      # config above this is the most privileged of the three containers.
      capabilities = { NET_ADMIN = true; };
    };

    httpd = {
      image = "httpd:latest";
      ports = [ "${tincAddr}:8080:80" ];
      volumes = [
        "${stateDir}/httpd/dotspace:/usr/local/apache2/htdocs" # TODO
      ];
    };
  };
##############################################################################
##############################################################################
##############################################################################
# Networking
# Upstream resolvers for systemd-resolved. The IPv4 pair look like
# DigitalOcean's recursive resolvers and the IPv6 pair is Google Public DNS
# (presumably -- verify). Plain-UDP DNS to off-box resolvers is visible to the
# provider network; fine for a public host, but worth knowing if tinc peers are
# ever pointed at this box for resolution via the dnsmasq container.
networking.nameservers = [
"67.207.67.3"
"67.207.67.2"
"2001:4860:4860::8844"
"2001:4860:4860::8888"
];
# Static addressing via systemd-networkd rather than DHCP / the DO image
# module's metadata-driven setup. Interfaces are matched by permanent MAC so
# an ens3/ens4 rename cannot silently swap the public and private configs.
networking.useNetworkd = true;
systemd.network = {
enable = true;
# Public IP
networks."30-ens3" = {
matchConfig.PermanentMACAddress = "c2:6c:55:d5:99:6a";
# Public IPv4, a 10.17.0.0/16 address (DigitalOcean's anchor-IP range,
# presumably -- used for floating IPs) and the public IPv6 address.
address = [
"68.183.54.8/20"
"10.17.0.6/16"
"2604:a880:800:10::d60:9001/64"
];
routes = [
{ Gateway = "68.183.48.1"; }
# Explicit on-link host route to the v6 gateway, then a default v6 route via
# it. GatewayOnLink tells the kernel not to verify the gateway is on an
# attached prefix before installing the route.
{
Destination = "2604:a880:800:10::1";
Scope = "link";
Metric = 100;
}
{
Gateway = "2604:a880:800:10::1";
GatewayOnLink = true;
Metric = 100;
}
];
};
# Private IP
# DigitalOcean private/VPC network. NOTE(review): with the firewall disabled
# this interface is as exposed to other hosts on that network as ens3 is to
# the internet -- confirm nothing listens here that should not.
networks."30-ens4" = {
matchConfig.PermanentMACAddress = "5a:b1:f4:39:a2:87";
address = [ "10.132.86.139/16" ];
};
};
##############################################################################
# Tinc
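# Tinc private keys, decrypted by sops-nix at activation.
# NOTE(review): the RSA key is decrypted but never handed to tinc
# (rsaPrivateKeyFile is not set below), so it only matters if a tinc 1.0 peer
# ever needs it -- either wire it in or drop the secret so it is not sitting
# on disk for nothing.
sops.secrets = {
  "dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
  "dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
};

# This node's overlay address; the /24 is the whole tinc mesh (the same range
# the containers above bind to and that fail2ban ignores).
systemd.network.networks."90-tinc" = {
  matchConfig.Name = "tinc.dotspace";
  address = [ "10.86.84.1/32" ];
  routes = [ { Destination = "10.86.84.0/24"; } ];
};

services.tinc.networks.dotspace = {
  name = "fortress";
  # Reference the secret's own path option instead of spelling /run/secrets/...
  # out by hand: the resulting string is the same today, but it cannot drift if
  # the secret is renamed or sops-nix's symlink directory changes. sops-nix
  # defaults to root:root 0400; NixOS's tinc unit copies the key into place as
  # root before tincd drops privileges (presumably -- verify against the module
  # version in use).
  ed25519PrivateKeyFile = config.sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv".path;
  # Unchrooted: tincd keeps a view of the whole filesystem. Keep this false
  # only if something (e.g. a script hook) actually needs it.
  chroot = false;
  # With ConnectTo commented out this node does not initiate connections;
  # peers have to connect to it (presumably configured in secrets/dotspace.nix).
  #settings.ConnectTo = [ "stronghold" ];
};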
}