diff --git a/.sops.yaml b/.sops.yaml index 6759356e..55ce6cd5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,7 +4,7 @@ keys: - &system_hetznix01 age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu - &system_hetznix02 age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm - &system_kiosk_gene_desk age1an6t5f0rr6h55rzsv5ejycxju72rp46jka840fwvupwfk65jegrq7hmkl9 - - &system_nixnas1 age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl + - &system_beancoin1 age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 @@ -27,10 +27,10 @@ creation_rules: key_groups: - age: - *system_kiosk_gene_desk - - path_regex: nixnas1/secrets.yaml$ + - path_regex: beancoin1/secrets.yaml$ key_groups: - age: - - *system_nixnas1 + - *system_beancoin1 - path_regex: nixnuc/secrets.yaml$ key_groups: - age: @@ -58,7 +58,7 @@ creation_rules: - *system_hetznix01 - *system_hetznix02 - *system_kiosk_gene_desk - - *system_nixnas1 + - *system_beancoin1 - *system_nixnuc - *system_rainbow_planet - *user_airpuppet diff --git a/flake.lock b/flake.lock index 632d293c..660e4bde 100644 --- a/flake.lock +++ b/flake.lock @@ -112,6 +112,32 @@ "type": "github" } }, + "extra-container": { + "inputs": { + "flake-utils": [ + "nix-bitcoin", + "flake-utils" + ], + "nixpkgs": [ + "nix-bitcoin", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734005403, + "narHash": "sha256-vgh3TqfkFdnPxREBedw4MQehIDc3N8YyxBOB45n+AvU=", + "owner": "erikarvstedt", + "repo": "extra-container", + "rev": "f4de6c329b306a9d3a9798a30e060c166f781baa", + "type": "github" + }, + "original": { + "owner": "erikarvstedt", + "ref": "0.13", + "repo": "extra-container", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ 
@@ -233,6 +259,24 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flox": { "inputs": { "crane": "crane", @@ -317,6 +361,32 @@ "type": "github" } }, + "nix-bitcoin": { + "inputs": { + "extra-container": "extra-container", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-unstable": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1737481937, + "narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=", + "owner": "fort-nix", + "repo": "nix-bitcoin", + "rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287", + "type": "github" + }, + "original": { + "owner": "fort-nix", + "ref": "nixos-24.11", + "repo": "nix-bitcoin", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -543,7 +613,7 @@ "nixpkgs-1_9": [ "nixpkgs-unstable" ], - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1735874994, @@ -645,6 +715,7 @@ "flox": "flox", "genebean-omp-themes": "genebean-omp-themes", "home-manager": "home-manager", + "nix-bitcoin": "nix-bitcoin", "nix-darwin": "nix-darwin", "nix-flatpak": "nix-flatpak", "nix-homebrew": "nix-homebrew", @@ -787,9 +858,24 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1709126324, 
diff --git a/flake.nix b/flake.nix
index b1cc3f4c..3d51c106 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,12 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+ nix-bitcoin = {
+ url = "github:fort-nix/nix-bitcoin/nixos-24.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.nixpkgs-unstable.follows = "nixpkgs-unstable";
+ };
+
 # Controls system level software and settings including fonts on macOS
 nix-darwin = {
 url = "github:lnl7/nix-darwin/nix-darwin-24.11";
@@ -125,6 +131,9 @@
 # NixOS hosts
 nixosConfigurations = {
+ beancoin1 = localLib.mkNixBitcoinHost {
+ hostname = "beancoin1";
+ };
 bigboy = localLib.mkNixosHost {
 hostname = "bigboy";
 additionalModules = [
diff --git a/lib/default.nix b/lib/default.nix
index 37766972..2e8f28c9 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,7 +1,9 @@
 { inputs, ... }: let
 mkDarwinHost = import ./mkDarwinHost.nix { inherit inputs; };
 mkNixosHost = import ./mkNixosHost.nix { inherit inputs; };
+ mkNixBitcoinHost = import ./mkNixBitcoinHost.nix { inherit inputs; };
 in {
 inherit (mkDarwinHost) mkDarwinHost;
 inherit (mkNixosHost) mkNixosHost;
+ inherit (mkNixBitcoinHost) mkNixBitcoinHost;
 }
diff --git a/lib/mkNixBitcoinHost.nix b/lib/mkNixBitcoinHost.nix
new file mode 100644
index 00000000..d3f8d43e
--- /dev/null
+++ b/lib/mkNixBitcoinHost.nix
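Review bot: The new `nix-bitcoin` input block carries no comment describing what it provides, while the neighbouring `nix-darwin` input in the same hunk is annotated; add a line above it such as `# Bitcoin/Lightning node modules (bitcoind, electrs, lnd, mempool) used by the beancoin1 host`. The `nixos-24.11` ref presumably has to move together with the nixpkgs release channel when that is bumped, so a second comment line to that effect would help whoever does the next upgrade. The enclosing `inputs` attribute set begins and ends outside the hunk.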
@@ -0,0 +1,36 @@
+{ inputs, ... }: {
+ mkNixBitcoinHost = {
+ system ? "x86_64-linux",
+ hostname,
+ username ? "gene",
+ additionalModules ? [],
+ additionalSpecialArgs ? {}
+ }: inputs.nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit inputs hostname username; } // additionalSpecialArgs;
+ modules = [
+ ./nixpkgs-settings.nix
+
+ inputs.disko.nixosModules.disko
+ inputs.nix-bitcoin.nixosModules.default
+ inputs.sops-nix.nixosModules.sops # system wide secrets management
+
+ ../modules/hosts/nixos # system-wide stuff
+ ../modules/hosts/nixos/${hostname} # host specific stuff
+
+ inputs.home-manager.nixosModules.home-manager {
+ home-manager = {
+ extraSpecialArgs = { inherit inputs hostname username; };
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users.${username}.imports = [
+ ../modules/hosts/common
+ ../modules/hosts/common/linux/home.nix
+ ../modules/hosts/nixos/${hostname}/home-${username}.nix
+ ];
+ };
+ }
+
+ ] ++ additionalModules;
+ };
+}
diff --git a/modules/hosts/nixos/beancoin1/default.nix b/modules/hosts/nixos/beancoin1/default.nix
new file mode 100644
index 00000000..d43b9a4c
--- /dev/null
+++ b/modules/hosts/nixos/beancoin1/default.nix
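Review bot: `mkNixBitcoinHost` appears to be a second copy of a full host builder whose only nix-bitcoin-specific line is `inputs.nix-bitcoin.nixosModules.default` in `modules`; since `mkNixosHost` already accepts `additionalModules` (the `bigboy` entry in flake.nix passes one), `beancoin1 = localLib.mkNixosHost { hostname = "beancoin1"; additionalModules = [ inputs.nix-bitcoin.nixosModules.default ]; };` would avoid a parallel module list that has to be kept in sync by hand. I cannot see `mkNixosHost.nix` here, so if the two builders differ in more than that one module, a header comment naming the difference would make the duplication deliberate rather than accidental. The `username ? "gene"` default also deserves a comment, because it silently selects `home-gene.nix` under the host directory for every host built with this function.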
@@ -0,0 +1,225 @@
+{ inputs, config, pkgs, username, ... }: {
+ imports = [
+ ./disk-config.nix
+ ./hardware-configuration.nix
+ ../../common/linux/restic.nix
+
+ # Optional:
+ # Import the secure-node preset, an opinionated config to enhance security
+ # and privacy.
+ #
+ #(inputs.nix-bitcoin + "/modules/presets/secure-node.nix")
+ ];
+
+ system.stateVersion = "24.11";
+
+ # The nix-bitcoin release version that your config is compatible with.
+ # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
+ # an error and provide instructions for migrating your config to the new release.
+ nix-bitcoin.configVersion = "0.0.85";
+
+ # Use the GRUB 2 boot loader.
+ boot = {
+ loader.grub = {
+ enable = true;
+ zfsSupport = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ mirroredBoots = [
+ {
+ devices = ["/dev/disk/by-uuid/02A5-6FCC"];
+ path = "/boot";
+ }
+ {
+ devices = ["/dev/disk/by-uuid/02F1-B12D"];
+ path = "/boot-fallback";
+ }
+ ];
+ };
+ supportedFilesystems = ["zfs"];
+ zfs = {
+ extraPools = [ "storage" ];
+ forceImportRoot = false;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ net-snmp
+ ];
+
+ networking = {
+ # Open ports in the firewall.
+ firewall.allowedTCPPorts = [
+ 22 # ssh
+ config.services.bitcoind.port
+ config.services.bitcoind.rpc.port
+ config.services.electrs.port
+ config.services.mempool.frontend.port
+ ];
+
+ hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
+ hostName = "beancoin1";
+
+ networkmanager.enable = false;
+ useNetworkd = true;
+ };
+
+ nix-bitcoin = {
+ # Automatically generate all secrets required by services.
+ # The secrets are stored in /etc/nix-bitcoin-secrets
+ generateSecrets = true;
+
+ nodeinfo.enable = true;
+ onionAddresses.access.${username} = [
+ "bitcoind"
+ "lnd"
+ ];
+
+ # When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable
+ # interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user
+ operator = {
+ enable = true;
+ name = "${username}";
+ };
+
+ # Set this to accounce the onion service address to peers.
+ # The onion service allows accepting incoming connections via Tor.
+ onionServices = {
+ bitcoind.public = true;
+ lnd.public = true;
+ };
+ };
+
+ programs.mtr.enable = true;
+
+ services = {
+ # Set this to enable nix-bitcoin's own backup service. By default, it
+ # uses duplicity to incrementally back up all important files in /var/lib to
+ # /var/lib/localBackups once a day.
+ backups.enable = true;
+ bitcoind = {
+ enable = true;
+ address = "0.0.0.0";
+ dataDir = "/storage/bitcoin";
+ # discover = true;
+ # getPublicAddressCmd = "";
+ i2p = true;
+ listen = true;
+ rpc = {
+ address = "0.0.0.0";
+ allowip = [
+ "192.168.20.0/24"
+ "192.168.25.0/24"
+ ];
+ };
+ tor = {
+ # If you're using the `secure-node.nix` template, set this to allow non-Tor connections to bitcoind
+ enforce = false;
+ # Also set this if bitcoind should not use Tor for outgoing peer connections
+ proxy = false;
+ };
+ extraConfig = ''
+ bind=::
+ '';
+ };
+ electrs = {
+ address = "0.0.0.0"; # Listen to connections on all interfaces
+ tor.enforce = false; # Set this if you're using the `secure-node.nix` template
+ };
+ lightning-loop.enable = true;
+ lldpd.enable = true;
+ lnd ={
+ enable = true;
+ lndconnect = {
+ enable = true;
+ onion = true;
+ };
+ };
+ mempool = {
+ enable = true;
+ electrumServer = "electrs";
+ frontend = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 80;
+ };
+ };
+ resolved.enable = true;
+ restic.backups.daily.paths = [
+ # "/storage/foo"
+ ];
+ tailscale = {
+ enable = true;
+ extraUpFlags = [
+ "--operator"
+ "${username}"
+ "--ssh"
+ ];
+ useRoutingFeatures = "both";
+ };
+ zfs.autoScrub.enable = true;
+ };
+
+ sops = {
+ age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config = {
+ owner = "${username}";
+ path = "${config.users.users.${username}.home}/.gitconfig-local";
+ };
+ local_private_env = {
+ owner = "${username}";
+ path = "${config.users.users.${username}.home}/.private-env";
+ };
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+ netdevs = {
+ "10-bond0" = {
+ netdevConfig = {
+ Kind = "bond";
+ Name = "bond0";
+ };
+ bondConfig = {
+ Mode = "802.3ad";
+ TransmitHashPolicy = "layer2+3";
+ };
+ };
+ };
+ networks = {
+ "30-eno1" = {
+ matchConfig.Name = "eno1";
+ networkConfig.Bond = "bond0";
+ };
+ "30-enp3s0" = {
+ matchConfig.Name = "enp3s0";
+ networkConfig.Bond = "bond0";
+ };
+ "40-bond0" = {
+ matchConfig.Name = "bond0";
+ linkConfig = {
+ RequiredForOnline = "carrier";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ };
+ };
+ };
+ };
+
+ users.users.${username} = {
+ isNormalUser = true;
+ description = "Gene Liverman";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+ ];
+ };
+}
diff --git a/modules/hosts/nixos/nixnas1/disk-config.nix b/modules/hosts/nixos/beancoin1/disk-config.nix
similarity index 100%
rename from modules/hosts/nixos/nixnas1/disk-config.nix
rename to modules/hosts/nixos/beancoin1/disk-config.nix
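Review bot: `networking.firewall.allowedTCPPorts` opens the bitcoind RPC port, the electrs port and the mempool frontend (port 80) on every interface — including the Tailscale interface enabled further down — while the only access control on RPC is bitcoind's own `rpc.allowip` (two 192.168 subnets) and electrs and mempool are served in plaintext with no filtering at all. If those three are meant for the LAN, scoping them to the uplink keeps the host firewall as a second layer: `firewall.allowedTCPPorts = [ 22 config.services.bitcoind.port ];` plus `firewall.interfaces.bond0.allowedTCPPorts = [ config.services.bitcoind.rpc.port config.services.electrs.port config.services.mempool.frontend.port ];`. `system.stateVersion` moves from `"24.05"` in the deleted nixnas1 config to `"24.11"` even though the disk layout, hardware configuration and `hostId` are carried over unchanged; if this is the same installation rather than a reinstall, the value should stay at `"24.05"`, since it records the release the system was first installed with. Two comment typos on the new side: `accounce` should read `announce`, and `display an` / `an error` repeats `an`.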
diff --git a/modules/hosts/nixos/nixnas1/hardware-configuration.nix b/modules/hosts/nixos/beancoin1/hardware-configuration.nix
similarity index 100%
rename from modules/hosts/nixos/nixnas1/hardware-configuration.nix
rename to modules/hosts/nixos/beancoin1/hardware-configuration.nix
diff --git a/modules/hosts/nixos/nixnas1/home-gene.nix b/modules/hosts/nixos/beancoin1/home-gene.nix
similarity index 100%
rename from modules/hosts/nixos/nixnas1/home-gene.nix
rename to modules/hosts/nixos/beancoin1/home-gene.nix
diff --git a/modules/hosts/nixos/nixnas1/secrets.yaml b/modules/hosts/nixos/beancoin1/secrets.yaml
similarity index 100%
rename from modules/hosts/nixos/nixnas1/secrets.yaml
rename to modules/hosts/nixos/beancoin1/secrets.yaml
diff --git a/modules/hosts/nixos/nixnas1/default.nix b/modules/hosts/nixos/nixnas1/default.nix
deleted file mode 100644
index 7146c5c7..00000000
--- a/modules/hosts/nixos/nixnas1/default.nix
+++ /dev/null
@@ -1,125 +0,0 @@
-{ config, pkgs, username, ... }: {
- imports = [
- ./disk-config.nix
- ./hardware-configuration.nix
- ../../../system/common/linux/restic.nix
- ];
-
- system.stateVersion = "24.05";
-
- # Use the GRUB 2 boot loader.
- boot = {
- loader.grub = {
- enable = true;
- zfsSupport = true;
- efiSupport = true;
- efiInstallAsRemovable = true;
- device = "nodev";
- mirroredBoots = [
- {
- devices = ["/dev/disk/by-uuid/02A5-6FCC"];
- path = "/boot";
- }
- {
- devices = ["/dev/disk/by-uuid/02F1-B12D"];
- path = "/boot-fallback";
- }
- ];
- };
- supportedFilesystems = ["zfs"];
- zfs = {
- extraPools = [ "storage" ];
- forceImportRoot = false;
- };
- };
-
- environment.systemPackages = with pkgs; [
- net-snmp
- ];
-
- networking = {
- # Open ports in the firewall.
- firewall.allowedTCPPorts = [
- 22 # ssh
- ];
-
- hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
- hostName = "nixnas1";
-
- networkmanager.enable = false;
- useNetworkd = true;
- };
-
- programs.mtr.enable = true;
- services = {
- fwupd.enable = true;
- lldpd.enable = true;
- resolved.enable = true;
- restic.backups.daily.paths = [
- # "/storage/foo"
- ];
- zfs.autoScrub.enable = true;
- };
-
- sops = {
- age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
- defaultSopsFile = ./secrets.yaml;
- secrets = {
- local_git_config = {
- owner = "${username}";
- path = "${config.users.users.${username}.home}/.gitconfig-local";
- };
- local_private_env = {
- owner = "${username}";
- path = "${config.users.users.${username}.home}/.private-env";
- };
- };
- };
-
- systemd.network = {
- enable = true;
- netdevs = {
- "10-bond0" = {
- netdevConfig = {
- Kind = "bond";
- Name = "bond0";
- };
- bondConfig = {
- Mode = "802.3ad";
- TransmitHashPolicy = "layer2+3";
- };
- };
- };
- networks = {
- "30-eno1" = {
- matchConfig.Name = "eno1";
- networkConfig.Bond = "bond0";
- };
- "30-enp3s0" = {
- matchConfig.Name = "enp3s0";
- networkConfig.Bond = "bond0";
- };
- "40-bond0" = {
- matchConfig.Name = "bond0";
- linkConfig = {
- RequiredForOnline = "carrier";
- };
- networkConfig = {
- DHCP = "yes";
- # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
- IPv6AcceptRA = true;
- };
- };
- };
- };
-
- users.users.${username} = {
- isNormalUser = true;
- description = "Gene Liverman";
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
- ];
- };
-}