Repurpose nixnas1 as beancoin1

This includes configuring Nix Bitcoin within my existing flake. The
intent is to run Bitcoin Core, LND, Electrs, Mempool, and Alby Hub here
instead of via Umbrel.

Note, Fulcrum was tried but kept crashing and losing state... which is
not okay with me.

modules/hosts/nixos/beancoin1/default.nix

@@ -0,0 +1,225 @@
+{ inputs, config, pkgs, username, ... }: {
+  imports = [
+    ./disk-config.nix
+    ./hardware-configuration.nix
+    ../../common/linux/restic.nix
+
+    # Optional:
+    # Import the secure-node preset, an opinionated config to enhance security
+    # and privacy.
+    #
+    #(inputs.nix-bitcoin + "/modules/presets/secure-node.nix")
+  ];
+
+  system.stateVersion = "24.11";
+
+  # The nix-bitcoin release version that your config is compatible with.
+  # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
+  # an error and provide instructions for migrating your config to the new release.
+  nix-bitcoin.configVersion = "0.0.85";
+
+  # Use the GRUB 2 boot loader.
+  boot = {
+    loader.grub = {
+      enable = true;
+      zfsSupport = true;
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+      mirroredBoots = [
+        {
+          devices = ["/dev/disk/by-uuid/02A5-6FCC"];
+          path = "/boot";
+        }
+        {
+          devices = ["/dev/disk/by-uuid/02F1-B12D"];
+          path = "/boot-fallback";
+        }
+      ];
+    };
+    supportedFilesystems = ["zfs"];
+    zfs = {
+      extraPools = [ "storage" ];
+      forceImportRoot = false;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    net-snmp
+  ];
+
+  networking = {
+    # Open ports in the firewall.
+    firewall.allowedTCPPorts = [
+      22 # ssh
+      config.services.bitcoind.port
+      config.services.bitcoind.rpc.port
+      config.services.electrs.port
+      config.services.mempool.frontend.port
+    ];
+
+    hostId = "da074317"; # head -c4 /dev/urandom | od -A none -t x4
+    hostName = "beancoin1";
+
+    networkmanager.enable = false;
+    useNetworkd = true;
+  };
+
+  nix-bitcoin = {
+    # Automatically generate all secrets required by services.
+    # The secrets are stored in /etc/nix-bitcoin-secrets
+    generateSecrets = true;
+
+    nodeinfo.enable = true;
+    onionAddresses.access.${username} = [
+      "bitcoind"
+      "lnd"
+    ];
+
+    # When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable
+    # interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user
+    operator = {
+      enable = true;
+      name = "${username}";
+    };
+
+    # Set this to accounce the onion service address to peers.
+    # The onion service allows accepting incoming connections via Tor.
+    onionServices = {
+      bitcoind.public = true;
+      lnd.public = true;
+    };
+  };
+
+  programs.mtr.enable = true;
+
+  services = {
+    # Set this to enable nix-bitcoin's own backup service. By default, it
+    # uses duplicity to incrementally back up all important files in /var/lib to
+    # /var/lib/localBackups once a day.
+    backups.enable = true;
+    bitcoind = {
+      enable = true;
+      address = "0.0.0.0";
+      dataDir = "/storage/bitcoin";
+      # discover = true;
+      # getPublicAddressCmd = "";
+      i2p = true;
+      listen = true;
+      rpc = {
+        address = "0.0.0.0";
+        allowip = [
+          "192.168.20.0/24"
+          "192.168.25.0/24"
+        ];
+      };
+      tor = {
+        # If you're using the `secure-node.nix` template, set this to allow non-Tor connections to bitcoind
+        enforce = false;
+        # Also set this if bitcoind should not use Tor for outgoing peer connections
+        proxy = false;
+      };
+      extraConfig = ''
+        bind=::
+      '';
+    };
+    electrs = {
+      address = "0.0.0.0"; # Listen to connections on all interfaces
+      tor.enforce = false; # Set this if you're using the `secure-node.nix` template
+    };
+    lightning-loop.enable = true;
+    lldpd.enable = true;
+    lnd ={
+      enable = true;
+      lndconnect = {
+        enable = true;
+        onion = true;
+      };
+    };
+    mempool = {
+      enable = true;
+      electrumServer = "electrs";
+      frontend = {
+        enable = true;
+        address = "0.0.0.0";
+        port = 80;
+      };
+    };
+    resolved.enable = true;
+    restic.backups.daily.paths = [
+      # "/storage/foo"
+    ];
+    tailscale = {
+      enable = true;
+      extraUpFlags = [
+        "--operator"
+        "${username}"
+        "--ssh"
+      ];
+      useRoutingFeatures = "both";
+    };
+    zfs.autoScrub.enable = true;
+  };
+
+  sops = {
+    age.keyFile = "${config.users.users.${username}.home}/.config/sops/age/keys.txt";
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "${config.users.users.${username}.home}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "${config.users.users.${username}.home}/.private-env";
+      };
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+    netdevs = {
+      "10-bond0" = {
+        netdevConfig = {
+          Kind = "bond";
+          Name = "bond0";
+        };
+        bondConfig = {
+          Mode = "802.3ad";
+          TransmitHashPolicy = "layer2+3";
+        };
+      };
+    };
+    networks = {
+      "30-eno1" = {
+        matchConfig.Name = "eno1";
+        networkConfig.Bond = "bond0";
+      };
+      "30-enp3s0" = {
+        matchConfig.Name = "enp3s0";
+        networkConfig.Bond = "bond0";
+      };
+      "40-bond0" = {
+        matchConfig.Name = "bond0";
+        linkConfig = {
+          RequiredForOnline = "carrier";
+        };
+        networkConfig = {
+          DHCP = "yes";
+          # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+          IPv6AcceptRA = true;
+        };
+      };
+    };
+  };
+
+  users.users.${username} = {
+    isNormalUser = true;
+    description = "Gene Liverman";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+    ];
+  };
+}

modules/hosts/nixos/beancoin1/disk-config.nix

@@ -0,0 +1,127 @@
+{ ... }:
+{
+  disko.devices = {
+    disk = {
+      sdc = {
+        device = "/dev/disk/by-id/ata-SATA_SSD_H2101081000455";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              name = "BOOT";
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      }; # end sdc
+      sdd = {
+        device = "/dev/disk/by-id/ata-SATA_SSD_D2109088000361";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot-fallback = {
+              name = "BOOT-FALLBACK";
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot-fallback";
+              };
+            };
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zroot";
+              };
+            };
+          };
+        };
+      }; # end sdd
+      sda = {
+        device = "/dev/disk/by-id/ata-TEAM_T2532TB_TPBF2401240030200343";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zstorage";
+              };
+            };
+          };
+        };
+      }; # end sda
+      sdb = {
+        device = "/dev/disk/by-id/ata-TEAM_T2532TB_TPBF2401240030201870";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            zfs = {
+              size = "100%";
+              content = {
+                type = "zfs";
+                pool = "zstorage";
+              };
+            };
+          };
+        };
+      }; # end sdb
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        mode = "mirror";
+        # mountpoint = "none";
+        postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank";
+        options = {
+          ashift = "12";
+          autotrim = "on";
+          compatibility = "grub2";
+        };
+        rootFsOptions = {
+          mountpoint = "none";
+          atime = "off";
+          acltype = "posixacl";
+          xattr = "sa";
+        };
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/";
+          };
+          "root/home" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/home";
+          };
+          "root/nix" = {
+            type = "zfs_fs";
+            options.mountpoint = "legacy";
+            mountpoint = "/nix";
+          };
+        };
+      }; # end zroot
+    };
+  };
+}

modules/hosts/nixos/beancoin1/hardware-configuration.nix

@@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "zroot/root/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "zroot/root/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    # { device = "/dev/disk/by-uuid/02A5-6FCC";
+    { device = "/dev/disk/by-partlabel/disk-sdc-BOOT";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/boot-fallback" =
+    # { device = "/dev/disk/by-uuid/02F1-B12D";
+    { device = "/dev/disk/by-partlabel/disk-sdd-BOOT-FALLBACK";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

modules/hosts/nixos/beancoin1/home-gene.nix

@@ -0,0 +1,3 @@
+{ ... }: {
+  home.stateVersion = "24.05"; 
+}

modules/hosts/nixos/beancoin1/secrets.yaml

@@ -0,0 +1,22 @@
+local_git_config: ENC[AES256_GCM,data:ToPd/elv3VOuiSQtF/lBvpOwebQLTk986uc/jyYaKx8fepw9VaPPU5E=,iv:clW+JU4HtPo/Kwa95DxLSm71EL+TnBlvmLxUR6GOTEY=,tag:I7cnY580Tb5osur7pfSKTA==,type:str]
+local_private_env: ENC[AES256_GCM,data:xeZv93xCk98UjvAUfjB1eEI9DL9Talpj00oB6zxOYSGnICprIDAzXdV86I5h6H+NgM/q20AsZ8ijpomQiFff,iv:iuhI0sKi0x3Ckw4bNxJAL4T6UzzdkJEMo6VMXl/X3sc=,tag:fHIDWL4Mmn42e2FUoaO/oQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1g4h5a4f5xfle2a6np8te342pphs3mcuan60emz2zp87nrwjzl5yquhr5vl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbTNUaUJDWHliYVJoTStU
+            ZjFlRjExYitrN3BDMWZWUnpTb204aUNRUWxVClZIWlJQeUlrdFhOYXRaQzRFUmNT
+            aTYyKzlZR1JFVkUwQkQyVGV0Mys2NjAKLS0tIEhBNWk5NDFoRnJUVUpnMDl2RlRS
+            bnA3M3dVdWNEVVFVYVF6R2xvQ2s4WTgKl8KsbY8lLraUZmZFlbKS50I+hemSa3lI
+            irdGQWBGL5aaeKFT9bOta9z+1YdMAsXxvAWOM/PZ2hwXTd6CCUpKtg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-27T06:15:28Z"
+    mac: ENC[AES256_GCM,data:d3pkBfhvNpbxKla3Ki0Bcv2KMu0/S818d75e2uwgVXsVMJdiPNIjF1NyleB+6i4LAFnVvYdkVXdIzctWITQrQv/Bq0sQzlZx/EuioYzD9Z7c2SCrf2PWPnorm+1uc23rN8pc9uxCrOqf8P94qxJRieiLOoCQMJDQrAk/bn5NglU=,iv:C6b7z6tg295Peoh1rj+uG4t62AOxJjMf/SQN0DJDdeY=,tag:LneADYRHFVHSqN7PmiE/5w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1