From 72fca31cf32f330702b9be6e23b04f6a46b6aa4c Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Wed, 29 Jan 2025 13:26:10 -0500
Subject: [PATCH] Repurpose nixnas1 as beancoin1

This includes configuring Nix Bitcoin within my existing flake. The intent is to run Bitcoin Core, LND, Electrs, Mempool, and Alby Hub here instead of via Umbrel. Note, Fulcrum was tried but kept crashing and losing state... which is not okay with me.
---
.sops.yaml | 8 +-
flake.lock | 90 ++++++-
flake.nix | 9 +
lib/default.nix | 2 +
lib/mkNixBitcoinHost.nix | 36 +++
modules/hosts/nixos/beancoin1/default.nix | 225 ++++++++++++++++++
.../{nixnas1 => beancoin1}/disk-config.nix | 0
.../hardware-configuration.nix | 0
.../{nixnas1 => beancoin1}/home-gene.nix | 0
.../nixos/{nixnas1 => beancoin1}/secrets.yaml | 0
modules/hosts/nixos/nixnas1/default.nix | 125 ----------
11 files changed, 364 insertions(+), 131 deletions(-)
create mode 100644 lib/mkNixBitcoinHost.nix
create mode 100644 modules/hosts/nixos/beancoin1/default.nix
rename modules/hosts/nixos/{nixnas1 => beancoin1}/disk-config.nix (100%)
rename modules/hosts/nixos/{nixnas1 => beancoin1}/hardware-configuration.nix (100%)
rename modules/hosts/nixos/{nixnas1 => beancoin1}/home-gene.nix (100%)
rename modules/hosts/nixos/{nixnas1 => beancoin1}/secrets.yaml (100%)
delete mode 100644 modules/hosts/nixos/nixnas1/default.nix

diff --git a/.sops.yaml b/.sops.yaml
index 6759356e..55ce6cd5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,7 +4,7 @@ keys: - &system_hetznix01 age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu - &system_hetznix02 age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm - &system_kiosk_gene_desk age1an6t5f0rr6h55rzsv5ejycxju72rp46jka840fwvupwfk65jegrq7hmkl9 - - &system_nixnas1 age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl + - &system_beancoin1 age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 @@ -27,10 +27,10 @@ creation_rules: key_groups: - age: - *system_kiosk_gene_desk - - path_regex: nixnas1/secrets.yaml$ + - path_regex: beancoin1/secrets.yaml$ key_groups: - age: - - *system_nixnas1 + - *system_beancoin1 - path_regex: nixnuc/secrets.yaml$ key_groups: - age: @@ -58,7 +58,7 @@ creation_rules: - *system_hetznix01 - *system_hetznix02 - *system_kiosk_gene_desk - - *system_nixnas1 + - *system_beancoin1 - *system_nixnuc - *system_rainbow_planet - *user_airpuppet diff --git a/flake.lock b/flake.lock index 632d293c..660e4bde 100644 --- a/flake.lock +++ b/flake.lock @@ -112,6 +112,32 @@ "type": "github" } }, + "extra-container": { + "inputs": { + "flake-utils": [ + "nix-bitcoin", + "flake-utils" + ], + "nixpkgs": [ + "nix-bitcoin", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734005403, + "narHash": "sha256-vgh3TqfkFdnPxREBedw4MQehIDc3N8YyxBOB45n+AvU=", + "owner": "erikarvstedt", + "repo": "extra-container", + "rev": "f4de6c329b306a9d3a9798a30e060c166f781baa", + "type": "github" + }, + "original": { + "owner": "erikarvstedt", + "ref": "0.13", + "repo": "extra-container", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ 
@@ -233,6 +259,24 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flox": { "inputs": { "crane": "crane", @@ -317,6 +361,32 @@ "type": "github" } }, + "nix-bitcoin": { + "inputs": { + "extra-container": "extra-container", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-unstable": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1737481937, + "narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=", + "owner": "fort-nix", + "repo": "nix-bitcoin", + "rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287", + "type": "github" + }, + "original": { + "owner": "fort-nix", + "ref": "nixos-24.11", + "repo": "nix-bitcoin", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -543,7 +613,7 @@ "nixpkgs-1_9": [ "nixpkgs-unstable" ], - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1735874994, @@ -645,6 +715,7 @@ "flox": "flox", "genebean-omp-themes": "genebean-omp-themes", "home-manager": "home-manager", + "nix-bitcoin": "nix-bitcoin", "nix-darwin": "nix-darwin", "nix-flatpak": "nix-flatpak", "nix-homebrew": "nix-homebrew", @@ -787,9 +858,24 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1709126324, 
diff --git a/flake.nix b/flake.nix
index b1cc3f4c..3d51c106 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,12 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };

+ nix-bitcoin = {
+ url = "github:fort-nix/nix-bitcoin/nixos-24.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.nixpkgs-unstable.follows = "nixpkgs-unstable";
+ };
+
 # Controls system level software and settings including fonts on macOS
 nix-darwin = {
 url = "github:lnl7/nix-darwin/nix-darwin-24.11";
@@ -125,6 +131,9 @@
 # NixOS hosts
 nixosConfigurations = {
+ beancoin1 = localLib.mkNixBitcoinHost {
+ hostname = "beancoin1";
+ };
 bigboy = localLib.mkNixosHost {
 hostname = "bigboy";
 additionalModules = [
diff --git a/lib/default.nix b/lib/default.nix
index 37766972..2e8f28c9 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,7 +1,9 @@
 { inputs, ... }: let
 mkDarwinHost = import ./mkDarwinHost.nix { inherit inputs; };
 mkNixosHost = import ./mkNixosHost.nix { inherit inputs; };
+ mkNixBitcoinHost = import ./mkNixBitcoinHost.nix { inherit inputs; };
 in {
 inherit (mkDarwinHost) mkDarwinHost;
 inherit (mkNixosHost) mkNixosHost;
+ inherit (mkNixBitcoinHost) mkNixBitcoinHost;
 }
diff --git a/lib/mkNixBitcoinHost.nix b/lib/mkNixBitcoinHost.nix
new file mode 100644
index 00000000..d3f8d43e
--- /dev/null
+++ b/lib/mkNixBitcoinHost.nix
@@ -0,0 +1,36 @@
+{ inputs, ... }: {
+ mkNixBitcoinHost = {
+ system ? "x86_64-linux",
+ hostname,
+ username ? "gene",
+ additionalModules ? [],
+ additionalSpecialArgs ? {}
+ }: inputs.nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit inputs hostname username; } // additionalSpecialArgs;
+ modules = [
+ ./nixpkgs-settings.nix
+
+ inputs.disko.nixosModules.disko
+ inputs.nix-bitcoin.nixosModules.default
+ inputs.sops-nix.nixosModules.sops # system wide secrets management
+
+ ../modules/hosts/nixos # system-wide stuff
+ ../modules/hosts/nixos/${hostname} # host specific stuff
+
+ inputs.home-manager.nixosModules.home-manager {
+ home-manager = {
+ extraSpecialArgs = { inherit inputs hostname username; };
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ users.${username}.imports = [
+ ../modules/hosts/common
+ ../modules/hosts/common/linux/home.nix
+ ../modules/hosts/nixos/${hostname}/home-${username}.nix
+ ];
+ };
+ }
+
+ ] ++ additionalModules;
+ };
+}
diff --git a/modules/hosts/nixos/beancoin1/default.nix b/modules/hosts/nixos/beancoin1/default.nix
new file mode 100644
index 00000000..d43b9a4c
--- /dev/null
+++ b/modules/hosts/nixos/beancoin1/default.nix
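Review bot: `mkNixBitcoinHost` reads as a copy of `mkNixosHost` with `inputs.nix-bitcoin.nixosModules.default` inserted into the module list; mkNixosHost.nix is not in this patch, so I cannot confirm that this is the only difference, but if it is, the new file and the `lib/default.nix` export duplicate a module list that will now drift in two places. `mkNixosHost` already accepts `additionalModules` (the `bigboy` entry in the flake.nix hunk uses it), so the same host could be declared as `beancoin1 = localLib.mkNixosHost { hostname = "beancoin1"; additionalModules = [ inputs.nix-bitcoin.nixosModules.default ]; };` and the lib/default.nix and mkNixBitcoinHost.nix hunks dropped. If a dedicated builder is still wanted, give it a header comment that states the difference, e.g. `# Same as mkNixosHost plus the nix-bitcoin module; keep the two module lists in sync.`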
@@ -0,0 +1,225 @@
+{ inputs, config, pkgs, username, ... }: {
+ imports = [
+ ./disk-config.nix
+ ./hardware-configuration.nix
+ ../../common/linux/restic.nix
+
+ # Optional:
+ # Import the secure-node preset, an opinionated config to enhance security
+ # and privacy.
+ #
+ #(inputs.nix-bitcoin + "/modules/presets/secure-node.nix")
+ ];
+
+ system.stateVersion = "24.11";
+
+ # The nix-bitcoin release version that your config is compatible with.
+ # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
+ # an error and provide instructions for migrating your config to the new release.
+ nix-bitcoin.configVersion = "0.0.85";
+
+ # Use the GRUB 2 boot loader.
+ boot = {
+ loader.grub = {
+ enable = true;
+ zfsSupport = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ mirroredBoots = [
+ {
+ devices = ["/dev/disk/by-uuid/02A5-6FCC"];
+ path = "/boot";
+ }
+ {
+ devices = ["/dev/disk/by-uuid/02F1-B12D"];
+ path = "/boot-fallback";
+ }
+ ];
+ };
+ supportedFilesystems = ["zfs"];
+ zfs = {
+ extraPools = [ "storage" ];
+ forceImportRoot = false;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ net-snmp
+ ];
+
+ networking = {
+ # Open ports in the firewall.
+ firewall.allowedTCPPorts = [
+ 22 # ssh
+ config.services.bitcoind.port
+ config.services.bitcoind.rpc.port
+ config.services.electrs.port
+ config.services.mempool.frontend.port
+ ];
+
+ hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
+ hostName = "beancoin1";
+
+ networkmanager.enable = false;
+ useNetworkd = true;
+ };
+
+ nix-bitcoin = {
+ # Automatically generate all secrets required by services.
+ # The secrets are stored in /etc/nix-bitcoin-secrets
+ generateSecrets = true;
+
+ nodeinfo.enable = true;
+ onionAddresses.access.${username} = [
+ "bitcoind"
+ "lnd"
+ ];
+
+ # When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable
+ # interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user
+ operator = {
+ enable = true;
+ name = "${username}";
+ };
+
+ # Set this to accounce the onion service address to peers.
+ # The onion service allows accepting incoming connections via Tor.
+ onionServices = {
+ bitcoind.public = true;
+ lnd.public = true;
+ };
+ };
+
+ programs.mtr.enable = true;
+
+ services = {
+ # Set this to enable nix-bitcoin's own backup service. By default, it
+ # uses duplicity to incrementally back up all important files in /var/lib to
+ # /var/lib/localBackups once a day.
+ backups.enable = true;
+ bitcoind = {
+ enable = true;
+ address = "0.0.0.0";
+ dataDir = "/storage/bitcoin";
+ # discover = true;
+ # getPublicAddressCmd = "";
+ i2p = true;
+ listen = true;
+ rpc = {
+ address = "0.0.0.0";
+ allowip = [
+ "192.168.20.0/24"
+ "192.168.25.0/24"
+ ];
+ };
+ tor = {
+ # If you're using the `secure-node.nix` template, set this to allow non-Tor connections to bitcoind
+ enforce = false;
+ # Also set this if bitcoind should not use Tor for outgoing peer connections
+ proxy = false;
+ };
+ extraConfig = ''
+ bind=::
+ '';
+ };
+ electrs = {
+ address = "0.0.0.0"; # Listen to connections on all interfaces
+ tor.enforce = false; # Set this if you're using the `secure-node.nix` template
+ };
+ lightning-loop.enable = true;
+ lldpd.enable = true;
+ lnd ={
+ enable = true;
+ lndconnect = {
+ enable = true;
+ onion = true;
+ };
+ };
+ mempool = {
+ enable = true;
+ electrumServer = "electrs";
+ frontend = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 80;
+ };
+ };
+ resolved.enable = true;
+ restic.backups.daily.paths = [
+ # "/storage/foo"
+ ];
+ tailscale = {
+ enable = true;
+ extraUpFlags = [
+ "--operator"
+ "${username}"
+ "--ssh"
+ ];
+ useRoutingFeatures = "both";
+ };
+ zfs.autoScrub.enable = true;
+ };
+
+ sops = {
+ age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ local_git_config = {
+ owner = "${username}";
+ path = "${config.users.users.${username}.home}/.gitconfig-local";
+ };
+ local_private_env = {
+ owner = "${username}";
+ path = "${config.users.users.${username}.home}/.private-env";
+ };
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+ netdevs = {
+ "10-bond0" = {
+ netdevConfig = {
+ Kind = "bond";
+ Name = "bond0";
+ };
+ bondConfig = {
+ Mode = "802.3ad";
+ TransmitHashPolicy = "layer2+3";
+ };
+ };
+ };
+ networks = {
+ "30-eno1" = {
+ matchConfig.Name = "eno1";
+ networkConfig.Bond = "bond0";
+ };
+ "30-enp3s0" = {
+ matchConfig.Name = "enp3s0";
+ networkConfig.Bond = "bond0";
+ };
+ "40-bond0" = {
+ matchConfig.Name = "bond0";
+ linkConfig = {
+ RequiredForOnline = "carrier";
+ };
+ networkConfig = {
+ DHCP = "yes";
+ # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+ IPv6AcceptRA = true;
+ };
+ };
+ };
+ };
+
+ users.users.${username} = {
+ isNormalUser = true;
+ description = "Gene Liverman";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+ ];
+ };
+}
diff --git a/modules/hosts/nixos/nixnas1/disk-config.nix b/modules/hosts/nixos/beancoin1/disk-config.nix
similarity index 100%
rename from modules/hosts/nixos/nixnas1/disk-config.nix
rename to modules/hosts/nixos/beancoin1/disk-config.nix
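Review bot: `firewall.allowedTCPPorts` opens `config.services.bitcoind.rpc.port` on every interface while the RPC listener is bound to `address = "0.0.0.0"`, so the only thing keeping non-LAN sources off the authenticated RPC interface is `rpc.allowip` inside bitcoind itself and the firewall adds no defence in depth. bond0 gets its address from DHCP, so whether that port is reachable from outside the two listed /24s depends on routing I cannot see; if LAN-only is the intent, drop the RPC entry from `allowedTCPPorts` and, assuming the default iptables-based firewall, allow it per subnet with `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport ${toString config.services.bitcoind.rpc.port} -s 192.168.20.0/24 -j nixos-fw-accept";` plus the same line for `192.168.25.0/24`. The electrs port and the Mempool frontend on port 80 are opened the same way and carry no authentication at all, which is presumably deliberate given the commented-out secure-node preset but is worth a comment saying so. Separately, `restic.backups.daily.paths` holds only a commented placeholder, so the nix-bitcoin backups that the comment above `backups.enable` says land in `/var/lib/localBackups` never leave this host; adding that directory to the restic paths gives the LND state an off-box copy. The comment `# Set this to accounce the onion service address to peers.` should read `announce`.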
diff --git a/modules/hosts/nixos/nixnas1/hardware-configuration.nix b/modules/hosts/nixos/beancoin1/hardware-configuration.nix
similarity index 100%
rename from modules/hosts/nixos/nixnas1/hardware-configuration.nix
rename to modules/hosts/nixos/beancoin1/hardware-configuration.nix
diff --git a/modules/hosts/nixos/nixnas1/home-gene.nix b/modules/hosts/nixos/beancoin1/home-gene.nix
similarity index 100%
rename from modules/hosts/nixos/nixnas1/home-gene.nix
rename to modules/hosts/nixos/beancoin1/home-gene.nix
diff --git a/modules/hosts/nixos/nixnas1/secrets.yaml b/modules/hosts/nixos/beancoin1/secrets.yaml
similarity index 100%
rename from modules/hosts/nixos/nixnas1/secrets.yaml
rename to modules/hosts/nixos/beancoin1/secrets.yaml
diff --git a/modules/hosts/nixos/nixnas1/default.nix b/modules/hosts/nixos/nixnas1/default.nix
deleted file mode 100644
index 7146c5c7..00000000
--- a/modules/hosts/nixos/nixnas1/default.nix
+++ /dev/null
@@ -1,125 +0,0 @@ -{ config, pkgs, username, ... }: { - imports = [ - ./disk-config.nix - ./hardware-configuration.nix - ../../../system/common/linux/restic.nix - ]; - - system.stateVersion = "24.05"; - - # Use the GRUB 2 boot loader. - boot = { - loader.grub = { - enable = true; - zfsSupport = true; - efiSupport = true; - efiInstallAsRemovable = true; - device = "nodev"; - mirroredBoots = [ - { - devices = ["/dev/disk/by-uuid/02A5-6FCC"]; - path = "/boot"; - } - { - devices = ["/dev/disk/by-uuid/02F1-B12D"]; - path = "/boot-fallback"; - } - ]; - }; - supportedFilesystems = ["zfs"]; - zfs = { - extraPools = [ "storage" ]; - forceImportRoot = false; - }; - }; - - environment.systemPackages = with pkgs; [ - net-snmp - ]; - - networking = { - # Open ports in the firewall. - firewall.allowedTCPPorts = [ - 22 # ssh - ]; - - hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4 - hostName = "nixnas1"; - - networkmanager.enable = false; - useNetworkd = true; - }; - - programs.mtr.enable = true; - services = { - fwupd.enable = true; - lldpd.enable = true; - resolved.enable = true; - restic.backups.daily.paths = [ - # "/storage/foo" - ]; - zfs.autoScrub.enable = true; - }; - - sops = { - age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt"; - defaultSopsFile = ./secrets.yaml; - secrets = { - local_git_config = { - owner = "${username}"; - path = "${config.users.users.${username}.home}/.gitconfig-local"; - }; - local_private_env = { - owner = "${username}"; - path = "${config.users.users.${username}.home}/.private-env"; - }; - }; - }; - - systemd.network = { - enable = true; - netdevs = { - "10-bond0" = { - netdevConfig = { - Kind = "bond"; - Name = "bond0"; - }; - bondConfig = { - Mode = "802.3ad"; - TransmitHashPolicy = "layer2+3"; - }; - }; - }; - networks = { - "30-eno1" = { - matchConfig.Name = "eno1"; - networkConfig.Bond = "bond0"; - }; - "30-enp3s0" = { - matchConfig.Name = "enp3s0"; - networkConfig.Bond = "bond0"; - }; - 
"40-bond0" = { - matchConfig.Name = "bond0"; - linkConfig = { - RequiredForOnline = "carrier"; - }; - networkConfig = { - DHCP = "yes"; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - }; - }; - }; - }; - - users.users.${username} = { - isNormalUser = true; - description = "Gene Liverman"; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com" - ]; - }; -}