Merge 72fca31cf3 into 9a20cd567f

modules/hosts/nixos/beancoin1/default.nix

@@ -0,0 +1,225 @@
+{ inputs, config, pkgs, username, ... }: {
+  imports = [
+    ./disk-config.nix
+    ./hardware-configuration.nix
+    ../../common/linux/restic.nix
+
+    # Optional:
+    # Import the secure-node preset, an opinionated config to enhance security
+    # and privacy.
+    #
+    #(inputs.nix-bitcoin + "/modules/presets/secure-node.nix")
+  ];
+
+  system.stateVersion = "24.11";
+
+  # The nix-bitcoin release version that your config is compatible with.
+  # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
+  # an error and provide instructions for migrating your config to the new release.
+  nix-bitcoin.configVersion = "0.0.85";
+
+  # Use the GRUB 2 boot loader.
+  boot = {
+    loader.grub = {
+      enable = true;
+      zfsSupport = true;
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+      mirroredBoots = [
+        {
+          devices = ["/dev/disk/by-uuid/02A5-6FCC"];
+          path = "/boot";
+        }
+        {
+          devices = ["/dev/disk/by-uuid/02F1-B12D"];
+          path = "/boot-fallback";
+        }
+      ];
+    };
+    supportedFilesystems = ["zfs"];
+    zfs = {
+      extraPools = [ "storage" ];
+      forceImportRoot = false;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    net-snmp
+  ];
+
+  networking = {
+    # Open ports in the firewall.
+    firewall.allowedTCPPorts = [
+      22 # ssh
+      config.services.bitcoind.port
+      config.services.bitcoind.rpc.port
+      config.services.electrs.port
+      config.services.mempool.frontend.port
+    ];
+
+    hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
+    hostName = "beancoin1";
+
+    networkmanager.enable = false;
+    useNetworkd = true;
+  };
+
+  nix-bitcoin = {
+    # Automatically generate all secrets required by services.
+    # The secrets are stored in /etc/nix-bitcoin-secrets
+    generateSecrets = true;
+
+    nodeinfo.enable = true;
+    onionAddresses.access.${username} = [
+      "bitcoind"
+      "lnd"
+    ];
+
+    # When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable
+    # interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user
+    operator = {
+      enable = true;
+      name = "${username}";
+    };
+
+    # Set this to accounce the onion service address to peers.
+    # The onion service allows accepting incoming connections via Tor.
+    onionServices = {
+      bitcoind.public = true;
+      lnd.public = true;
+    };
+  };
+
+  programs.mtr.enable = true;
+
+  services = {
+    # Set this to enable nix-bitcoin's own backup service. By default, it
+    # uses duplicity to incrementally back up all important files in /var/lib to
+    # /var/lib/localBackups once a day.
+    backups.enable = true;
+    bitcoind = {
+      enable = true;
+      address = "0.0.0.0";
+      dataDir = "/storage/bitcoin";
+      # discover = true;
+      # getPublicAddressCmd = "";
+      i2p = true;
+      listen = true;
+      rpc = {
+        address = "0.0.0.0";
+        allowip = [
+          "192.168.20.0/24"
+          "192.168.25.0/24"
+        ];
+      };
+      tor = {
+        # If you're using the `secure-node.nix` template, set this to allow non-Tor connections to bitcoind
+        enforce = false;
+        # Also set this if bitcoind should not use Tor for outgoing peer connections
+        proxy = false;
+      };
+      extraConfig = ''
+        bind=::
+      '';
+    };
+    electrs = {
+      address = "0.0.0.0"; # Listen to connections on all interfaces
+      tor.enforce = false; # Set this if you're using the `secure-node.nix` template
+    };
+    lightning-loop.enable = true;
+    lldpd.enable = true;
+    lnd ={
+      enable = true;
+      lndconnect = {
+        enable = true;
+        onion = true;
+      };
+    };
+    mempool = {
+      enable = true;
+      electrumServer = "electrs";
+      frontend = {
+        enable = true;
+        address = "0.0.0.0";
+        port = 80;
+      };
+    };
+    resolved.enable = true;
+    restic.backups.daily.paths = [
+      # "/storage/foo"
+    ];
+    tailscale = {
+      enable = true;
+      extraUpFlags = [
+        "--operator"
+        "${username}"
+        "--ssh"
+      ];
+      useRoutingFeatures = "both";
+    };
+    zfs.autoScrub.enable = true;
+  };
+
+  sops = {
+    age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "${config.users.users.${username}.home}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "${config.users.users.${username}.home}/.private-env";
+      };
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+    netdevs = {
+      "10-bond0" = {
+        netdevConfig = {
+          Kind = "bond";
+          Name = "bond0";
+        };
+        bondConfig = {
+          Mode = "802.3ad";
+          TransmitHashPolicy = "layer2+3";
+        };
+      };
+    };
+    networks = {
+      "30-eno1" = {
+        matchConfig.Name = "eno1";
+        networkConfig.Bond = "bond0";
+      };
+      "30-enp3s0" = {
+        matchConfig.Name = "enp3s0";
+        networkConfig.Bond = "bond0";
+      };
+      "40-bond0" = {
+        matchConfig.Name = "bond0";
+        linkConfig = {
+          RequiredForOnline = "carrier";
+        };
+        networkConfig = {
+          DHCP = "yes";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          IPv6AcceptRA = true;
+        };
+      };
+    };
+  };
+
+  users.users.${username} = {
+    isNormalUser = true;
+    description = "Gene Liverman";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+    ];
+  };
+}

modules/hosts/nixos/nixnas1/default.nix

@@ -1,125 +0,0 @@
-{ config, pkgs, username, ... }: {
-  imports = [
-    ./disk-config.nix
-    ./hardware-configuration.nix
-    ../../../system/common/linux/restic.nix
-  ];
-
-  system.stateVersion = "24.05";
-
-  # Use the GRUB 2 boot loader.
-  boot = {
-    loader.grub = {
-      enable = true;
-      zfsSupport = true;
-      efiSupport = true;
-      efiInstallAsRemovable = true;
-      device = "nodev";
-      mirroredBoots = [
-        {
-          devices = ["/dev/disk/by-uuid/02A5-6FCC"];
-          path = "/boot";
-        }
-        {
-          devices = ["/dev/disk/by-uuid/02F1-B12D"];
-          path = "/boot-fallback";
-        }
-      ];
-    };
-    supportedFilesystems = ["zfs"];
-    zfs = {
-      extraPools = [ "storage" ];
-      forceImportRoot = false;
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    net-snmp
-  ];
-
-  networking = {
-    # Open ports in the firewall.
-    firewall.allowedTCPPorts = [
-      22 # ssh
-    ];
-
-    hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
-    hostName = "nixnas1";
-
-    networkmanager.enable = false;
-    useNetworkd = true;
-  };
-
-  programs.mtr.enable = true;
-  services = {
-    fwupd.enable = true;
-    lldpd.enable = true;
-    resolved.enable = true;
-    restic.backups.daily.paths = [
-      # "/storage/foo"
-    ];
-    zfs.autoScrub.enable = true;
-  };
-
-  sops = {
-    age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
-    defaultSopsFile = ./secrets.yaml;
-    secrets = {
-      local_git_config = {
-        owner = "${username}";
-        path = "${config.users.users.${username}.home}/.gitconfig-local";
-      };
-      local_private_env = {
-        owner = "${username}";
-        path = "${config.users.users.${username}.home}/.private-env";
-      };
-    };
-  };
-
-  systemd.network = {
-    enable = true;
-    netdevs = {
-      "10-bond0" = {
-        netdevConfig = {
-          Kind = "bond";
-          Name = "bond0";
-        };
-        bondConfig = {
-          Mode = "802.3ad";
-          TransmitHashPolicy = "layer2+3";
-        };
-      };
-    };
-    networks = {
-      "30-eno1" = {
-        matchConfig.Name = "eno1";
-        networkConfig.Bond = "bond0";
-      };
-      "30-enp3s0" = {
-        matchConfig.Name = "enp3s0";
-        networkConfig.Bond = "bond0";
-      };
-      "40-bond0" = {
-        matchConfig.Name = "bond0";
-        linkConfig = {
-          RequiredForOnline = "carrier";
-        };
-        networkConfig = {
-          DHCP = "yes";
-          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
-          IPv6AcceptRA = true;
-        };
-      };
-    };
-  };
-
-  users.users.${username} = {
-    isNormalUser = true;
-    description = "Gene Liverman";
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
-    ];
-  };
-}