genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-03-28 09:57:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 72fca31cf3 into 9a20cd567f

Browse source
This commit is contained in:
Gene Liverman 2025-02-10 09:12:35 -05:00 committed by GitHub
commit 32492bdd30
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 364 additions and 131 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.sops.yaml
View file

@ -4,7 +4,7 @@ keys:
- &system_hetznix01 age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu - &system_hetznix01 age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu
- &system_hetznix02 age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm - &system_hetznix02 age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
- &system_kiosk_gene_desk age1an6t5f0rr6h55rzsv5ejycxju72rp46jka840fwvupwfk65jegrq7hmkl9 - &system_kiosk_gene_desk age1an6t5f0rr6h55rzsv5ejycxju72rp46jka840fwvupwfk65jegrq7hmkl9
- &system_nixnas1 age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl - &system_beancoin1 age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl
- &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
- &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
- &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
@ -27,10 +27,10 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *system_kiosk_gene_desk - *system_kiosk_gene_desk
- path_regex: nixnas1/secrets.yaml$ - path_regex: beancoin1/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *system_nixnas1 - *system_beancoin1
- path_regex: nixnuc/secrets.yaml$ - path_regex: nixnuc/secrets.yaml$
key_groups: key_groups:
- age: - age:
@ -58,7 +58,7 @@ creation_rules:
- *system_hetznix01 - *system_hetznix01
- *system_hetznix02 - *system_hetznix02
- *system_kiosk_gene_desk - *system_kiosk_gene_desk
- *system_nixnas1 - *system_beancoin1
- *system_nixnuc - *system_nixnuc
- *system_rainbow_planet - *system_rainbow_planet
- *user_airpuppet - *user_airpuppet

90
flake.lock generated
View file

@ -112,6 +112,32 @@
"type": "github" "type": "github"
} }
}, },
"extra-container": {
"inputs": {
"flake-utils": [
"nix-bitcoin",
"flake-utils"
],
"nixpkgs": [
"nix-bitcoin",
"nixpkgs"
]
},
"locked": {
"lastModified": 1734005403,
"narHash": "sha256-vgh3TqfkFdnPxREBedw4MQehIDc3N8YyxBOB45n+AvU=",
"owner": "erikarvstedt",
"repo": "extra-container",
"rev": "f4de6c329b306a9d3a9798a30e060c166f781baa",
"type": "github"
},
"original": {
"owner": "erikarvstedt",
"ref": "0.13",
"repo": "extra-container",
"type": "github"
}
},
"fenix": { "fenix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -233,6 +259,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flox": { "flox": {
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
@ -317,6 +361,32 @@
"type": "github" "type": "github"
} }
}, },
"nix-bitcoin": {
"inputs": {
"extra-container": "extra-container",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-unstable": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1737481937,
"narHash": "sha256-FJ0ATgYWavH3ZeA0ofTEMS+22HqYN2Lqu3G6IsqbKIg=",
"owner": "fort-nix",
"repo": "nix-bitcoin",
"rev": "dc4d14e07324e43b8773e3eb5eb2a10c6b469287",
"type": "github"
},
"original": {
"owner": "fort-nix",
"ref": "nixos-24.11",
"repo": "nix-bitcoin",
"type": "github"
}
},
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -543,7 +613,7 @@
"nixpkgs-1_9": [ "nixpkgs-1_9": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"systems": "systems_2" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1735874994, "lastModified": 1735874994,
@ -645,6 +715,7 @@
"flox": "flox", "flox": "flox",
"genebean-omp-themes": "genebean-omp-themes", "genebean-omp-themes": "genebean-omp-themes",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-bitcoin": "nix-bitcoin",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-flatpak": "nix-flatpak", "nix-flatpak": "nix-flatpak",
"nix-homebrew": "nix-homebrew", "nix-homebrew": "nix-homebrew",
@ -787,9 +858,24 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1709126324, "lastModified": 1709126324,

9
flake.nix
View file

@ -34,6 +34,12 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-bitcoin = {
url = "github:fort-nix/nix-bitcoin/nixos-24.11";
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs-unstable.follows = "nixpkgs-unstable";
};
# Controls system level software and settings including fonts on macOS # Controls system level software and settings including fonts on macOS
nix-darwin = { nix-darwin = {
url = "github:lnl7/nix-darwin/nix-darwin-24.11"; url = "github:lnl7/nix-darwin/nix-darwin-24.11";
@ -125,6 +131,9 @@
# NixOS hosts # NixOS hosts
nixosConfigurations = { nixosConfigurations = {
beancoin1 = localLib.mkNixBitcoinHost {
hostname = "beancoin1";
};
bigboy = localLib.mkNixosHost { bigboy = localLib.mkNixosHost {
hostname = "bigboy"; hostname = "bigboy";
additionalModules = [ additionalModules = [

2
lib/default.nix
View file

@ -1,7 +1,9 @@
{ inputs, ... }: let { inputs, ... }: let
mkDarwinHost = import ./mkDarwinHost.nix { inherit inputs; }; mkDarwinHost = import ./mkDarwinHost.nix { inherit inputs; };
mkNixosHost = import ./mkNixosHost.nix { inherit inputs; }; mkNixosHost = import ./mkNixosHost.nix { inherit inputs; };
mkNixBitcoinHost = import ./mkNixBitcoinHost.nix { inherit inputs; };
in { in {
inherit (mkDarwinHost) mkDarwinHost; inherit (mkDarwinHost) mkDarwinHost;
inherit (mkNixosHost) mkNixosHost; inherit (mkNixosHost) mkNixosHost;
inherit (mkNixBitcoinHost) mkNixBitcoinHost;
} }

36
lib/mkNixBitcoinHost.nix Normal file
View file

@ -0,0 +1,36 @@
{ inputs, ... }: {
mkNixBitcoinHost = {
system ? "x86_64-linux",
hostname,
username ? "gene",
additionalModules ? [],
additionalSpecialArgs ? {}
}: inputs.nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs hostname username; } // additionalSpecialArgs;
modules = [
./nixpkgs-settings.nix
inputs.disko.nixosModules.disko
inputs.nix-bitcoin.nixosModules.default
inputs.sops-nix.nixosModules.sops # system wide secrets management
../modules/hosts/nixos # system-wide stuff
../modules/hosts/nixos/${hostname} # host specific stuff
inputs.home-manager.nixosModules.home-manager {
home-manager = {
extraSpecialArgs = { inherit inputs hostname username; };
useGlobalPkgs = true;
useUserPackages = true;
users.${username}.imports = [
../modules/hosts/common
../modules/hosts/common/linux/home.nix
../modules/hosts/nixos/${hostname}/home-${username}.nix
];
};
}
] ++ additionalModules;
};
}

225
modules/hosts/nixos/beancoin1/default.nix Normal file
View file

@ -0,0 +1,225 @@
{ inputs, config, pkgs, username, ... }: {
imports = [
./disk-config.nix
./hardware-configuration.nix
../../common/linux/restic.nix
# Optional:
# Import the secure-node preset, an opinionated config to enhance security
# and privacy.
#
#(inputs.nix-bitcoin + "/modules/presets/secure-node.nix")
];
system.stateVersion = "24.11";
# The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide instructions for migrating your config to the new release.
nix-bitcoin.configVersion = "0.0.85";
# Use the GRUB 2 boot loader.
boot = {
loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
mirroredBoots = [
{
devices = ["/dev/disk/by-uuid/02A5-6FCC"];
path = "/boot";
}
{
devices = ["/dev/disk/by-uuid/02F1-B12D"];
path = "/boot-fallback";
}
];
};
supportedFilesystems = ["zfs"];
zfs = {
extraPools = [ "storage" ];
forceImportRoot = false;
};
};
environment.systemPackages = with pkgs; [
net-snmp
];
networking = {
# Open ports in the firewall.
firewall.allowedTCPPorts = [
22 # ssh
config.services.bitcoind.port
config.services.bitcoind.rpc.port
config.services.electrs.port
config.services.mempool.frontend.port
];
hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
hostName = "beancoin1";
networkmanager.enable = false;
useNetworkd = true;
};
nix-bitcoin = {
# Automatically generate all secrets required by services.
# The secrets are stored in /etc/nix-bitcoin-secrets
generateSecrets = true;
nodeinfo.enable = true;
onionAddresses.access.${username} = [
"bitcoind"
"lnd"
];
# When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable
# interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user
operator = {
enable = true;
name = "${username}";
};
# Set this to accounce the onion service address to peers.
# The onion service allows accepting incoming connections via Tor.
onionServices = {
bitcoind.public = true;
lnd.public = true;
};
};
programs.mtr.enable = true;
services = {
# Set this to enable nix-bitcoin's own backup service. By default, it
# uses duplicity to incrementally back up all important files in /var/lib to
# /var/lib/localBackups once a day.
backups.enable = true;
bitcoind = {
enable = true;
address = "0.0.0.0";
dataDir = "/storage/bitcoin";
# discover = true;
# getPublicAddressCmd = "";
i2p = true;
listen = true;
rpc = {
address = "0.0.0.0";
allowip = [
"192.168.20.0/24"
"192.168.25.0/24"
];
};
tor = {
# If you're using the `secure-node.nix` template, set this to allow non-Tor connections to bitcoind
enforce = false;
# Also set this if bitcoind should not use Tor for outgoing peer connections
proxy = false;
};
extraConfig = ''
bind=::
'';
};
electrs = {
address = "0.0.0.0"; # Listen to connections on all interfaces
tor.enforce = false; # Set this if you're using the `secure-node.nix` template
};
lightning-loop.enable = true;
lldpd.enable = true;
lnd ={
enable = true;
lndconnect = {
enable = true;
onion = true;
};
};
mempool = {
enable = true;
electrumServer = "electrs";
frontend = {
enable = true;
address = "0.0.0.0";
port = 80;
};
};
resolved.enable = true;
restic.backups.daily.paths = [
# "/storage/foo"
];
tailscale = {
enable = true;
extraUpFlags = [
"--operator"
"${username}"
"--ssh"
];
useRoutingFeatures = "both";
};
zfs.autoScrub.enable = true;
};
sops = {
age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "${config.users.users.${username}.home}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "${config.users.users.${username}.home}/.private-env";
};
};
};
systemd.network = {
enable = true;
netdevs = {
"10-bond0" = {
netdevConfig = {
Kind = "bond";
Name = "bond0";
};
bondConfig = {
Mode = "802.3ad";
TransmitHashPolicy = "layer2+3";
};
};
};
networks = {
"30-eno1" = {
matchConfig.Name = "eno1";
networkConfig.Bond = "bond0";
};
"30-enp3s0" = {
matchConfig.Name = "enp3s0";
networkConfig.Bond = "bond0";
};
"40-bond0" = {
matchConfig.Name = "bond0";
linkConfig = {
RequiredForOnline = "carrier";
};
networkConfig = {
DHCP = "yes";
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
};
};
};
};
users.users.${username} = {
isNormalUser = true;
description = "Gene Liverman";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
];
};
}

0
modules/hosts/nixos/nixnas1/disk-config.nix → modules/hosts/nixos/beancoin1/disk-config.nix
View file

0
modules/hosts/nixos/nixnas1/hardware-configuration.nix → modules/hosts/nixos/beancoin1/hardware-configuration.nix
View file

0
modules/hosts/nixos/nixnas1/home-gene.nix → modules/hosts/nixos/beancoin1/home-gene.nix
View file

0
modules/hosts/nixos/nixnas1/secrets.yaml → modules/hosts/nixos/beancoin1/secrets.yaml
View file

125
modules/hosts/nixos/nixnas1/default.nix
View file

@ -1,125 +0,0 @@
{ config, pkgs, username, ... }: {
imports = [
./disk-config.nix
./hardware-configuration.nix
../../../system/common/linux/restic.nix
];
system.stateVersion = "24.05";
# Use the GRUB 2 boot loader.
boot = {
loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
mirroredBoots = [
{
devices = ["/dev/disk/by-uuid/02A5-6FCC"];
path = "/boot";
}
{
devices = ["/dev/disk/by-uuid/02F1-B12D"];
path = "/boot-fallback";
}
];
};
supportedFilesystems = ["zfs"];
zfs = {
extraPools = [ "storage" ];
forceImportRoot = false;
};
};
environment.systemPackages = with pkgs; [
net-snmp
];
networking = {
# Open ports in the firewall.
firewall.allowedTCPPorts = [
22 # ssh
];
hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
hostName = "nixnas1";
networkmanager.enable = false;
useNetworkd = true;
};
programs.mtr.enable = true;
services = {
fwupd.enable = true;
lldpd.enable = true;
resolved.enable = true;
restic.backups.daily.paths = [
# "/storage/foo"
];
zfs.autoScrub.enable = true;
};
sops = {
age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
defaultSopsFile = ./secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "${config.users.users.${username}.home}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "${config.users.users.${username}.home}/.private-env";
};
};
};
systemd.network = {
enable = true;
netdevs = {
"10-bond0" = {
netdevConfig = {
Kind = "bond";
Name = "bond0";
};
bondConfig = {
Mode = "802.3ad";
TransmitHashPolicy = "layer2+3";
};
};
};
networks = {
"30-eno1" = {
matchConfig.Name = "eno1";
networkConfig.Bond = "bond0";
};
"30-enp3s0" = {
matchConfig.Name = "enp3s0";
networkConfig.Bond = "bond0";
};
"40-bond0" = {
matchConfig.Name = "bond0";
linkConfig = {
RequiredForOnline = "carrier";
};
networkConfig = {
DHCP = "yes";
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
};
};
};
};
users.users.${username} = {
isNormalUser = true;
description = "Gene Liverman";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
];
};
}