Diffstat (limited to '')
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy.nix (renamed from machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix) | 58 |
1 files changed, 56 insertions, 2 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy.nix
index 5c30175..c444fef 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy.nix
@@ -1,11 +1,65 @@
 {
 inputs,
- config,
- pkgs,
 lib,
+ pkgs,
+ config,
+ modulesPath,
 ...
 }: {
+ age = {
+ secrets = {
+ cloudflare-nginx = {
+ file = ../../../secrets/cloudflare-nginx.age;
+ };
+ wireguard = {
+ file = ../../../secrets/do/wireguard.age;
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/virtualisation/digital-ocean-config.nix")
+ ../../../profiles/disk/basic-vm.nix
+ ../../../profiles/defaults.nix
+ ../../../profiles/server.nix
+ ../../../profiles/cgroups.nix
+ ];
+
+ disko.devices.disk.disk1.device = "/dev/vda";
+
+ networking.hostName = "do-rproxy";
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.50/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # vm-synology
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ allowedIPs = [ "10.100.0.40/32" ];
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.60/32" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ my.modules.hardware.do-droplet.enable = true;
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+ networking.firewall.allowedTCPPorts = [ 80 443 |
