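# NixOS host configuration: bitcoin/lightning node with a WireGuard uplink,
# Caddy reverse proxy (currently disabled), node_exporter and an lnd unit.
# Host-specific values (host_name, host_fqdn, lanturnAddress, key material,
# fish config files, ...) come from ./variables.nix and ./secrets.nix.
{ config, pkgs, lib, unstablePkgs, ... }:
let
  importedVars = import ./variables.nix { inherit config pkgs lib unstablePkgs; };

  # Key files granted SSH access to both root and the admin user (pleb).
  authorizedKeyFiles = [
    # /etc/nixos/ssh/authorized_keys
    ./ssh/authorized_keys
  ];

  # Build an activation script that installs `configFile` as
  # <home>/.config/fish/config.fish, owned by `user`:`user`, with private
  # permissions. The same steps were previously duplicated for lnd and root.
  # `deps = [ "users" ]` ensures the user/group exist before install(1) runs.
  mkFishConfigScript = user: home: configFile: {
    deps = [ "users" ];
    text = ''
      # Ensure .config and .config/fish exist with correct owner/perms
      ${pkgs.coreutils}/bin/install -d -o ${user} -g ${user} -m 0700 "${home}/.config"
      ${pkgs.coreutils}/bin/install -d -o ${user} -g ${user} -m 0700 "${home}/.config/fish"
      # Install the config.fish file
      ${pkgs.coreutils}/bin/install -o ${user} -g ${user} -m 0600 "${configFile}" "${home}/.config/fish/config.fish"
    '';
  };
in
with importedVars; {
  imports = [ ./hardware-configuration.nix ];

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };

  networking = {
    hostName = "${host_name}";

    firewall = {
      # enable = false; # secure-node.nix enforces a firewall
      # NOTE(review): allowedTCPPorts opens these on every interface, including
      # the WireGuard one; if the bitcoind RPC / electrs ports are meant for
      # LAN clients only, scope them via networking.firewall.interfaces.<name>.
      allowedTCPPorts = [
        22
        80
        443
        config.services.bitcoind.rpc.port
        config.services.electrs.port
        9101 # lnd/prometheus
        9735 # lnd/p2p
        10009 # lnd/rpc
        10010 # lnd/rest
      ];
      allowedTCPPortRanges = [
        { from = 4400; to = 4499; }
        { from = 28332; to = 28334; }
      ];
    };

    interfaces = {
      eno1.ipv4.addresses = [{ address = "192.168.0.44"; prefixLength = 24; }];
    };
    defaultGateway = {
      address = "192.168.0.1";
      interface = "eno1";
    };
    nameservers = [ "1.1.1.1" "8.8.8.8" ];

    wireguard.interfaces =
      let secrets = import ./secrets.nix;
      in {
        lanturn = {
          ips = [ "10.19.21.44/24" ];
          # NOTE(review): `privateKey` is embedded in the evaluated config and so
          # ends up in the world-readable Nix store; `privateKeyFile` pointing at a
          # root-only file outside the store avoids that. Confirm how secrets.nix
          # supplies the key before switching.
          privateKey = "${secrets.wireguardPrivatekey}";
          peers = [{
            publicKey = "${wireguardPublicKey}";
            endpoint = "${lanturnAddress}:61420";
            allowedIPs = [ "0.0.0.0/0" ]; # full tunnel; LAN exceptions are added below
          }];
        };
      };

    # Adding routes this way is janky and probably means it's time to switch to
    # systemd-networking for wireguard. Routes bypass the tunnel for the peer
    # endpoint and the local LAN; `|| true` keeps a pre-existing route from
    # failing the whole command list.
    localCommands =
      let gw = config.networking.defaultGateway;
      in ''
        ip route add ${lanturnAddress}/32 dev ${gw.interface} via ${gw.address} || true
        ip route add 192.168.0.0/23 dev ${gw.interface} via ${gw.address} || true
        ip route add 192.168.254.0/24 dev ${gw.interface} via ${gw.address} || true
        ip route add 10.19.21.11/32 dev ${gw.interface} via ${gw.address} || true # timburr
        ip route add 10.19.21.34/32 dev ${gw.interface} via ${gw.address} || true # weavile
      '';
  };

  time.timeZone = "America/Los_Angeles";
  i18n.defaultLocale = "en_US.UTF-8";

  console = {
    font = "Lat2-Terminus16";
    # keyMap = "us";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  users = {
    groups = {
      bitcoind = {};
      lnd = {};
    };
    users = {
      root = {
        openssh.authorizedKeys.keyFiles = authorizedKeyFiles;
        shell = pkgs.fish; # Set root's shell to fish
      };
      # Admin user; no password is set here, so access is key-based via SSH.
      pleb = {
        openssh.authorizedKeys.keyFiles = authorizedKeyFiles;
        isNormalUser = true;
        extraGroups = [ "wheel" ];
      };
      lnd = {
        isSystemUser = true;
        group = "lnd";
        home = "/var/lib/lnd";
        createHome = true;
        description = "System account for lnd";
        shell = pkgs.fish;
        openssh.authorizedKeys.keys = []; # fix ssh-agent warnings due to missing .ssh directory
        packages = [ unstablePkgs.lnd ];
        # packages = with packagesForTesting; [
        #   albyhub
        #   lnd
        # ];
      };
    };
  };

  environment = {
    variables = {
      EDITOR = "vim";
      VISUAL = "vim";
    };
    systemPackages = with pkgs; [
      cryptsetup
      curl
      difftastic
      dig
      dnsutils
      doas
      file
      fzf
      git
      htop
      iftop
      iperf
      jq
      net-snmp # snmpwalk
      netcat
      nettools
      parted
      pass
      psmisc
      rsync
      tcpdump
      tmux
      tree
      unzip
      vim
      wget
      whois
      wireguard-tools
      zip
    ];
    # pheonix <unit>: restart a systemd unit and follow its journal.
    shellInit = ''
      pheonix() {
        systemctl restart "$1"
        journalctl -fu "$1"
      }
    '';
  };

  programs = {
    fish.enable = true;
    vim = {
      enable = true;
      defaultEditor = true;
    };
    bash = {
      shellAliases = {
        ll = "ls -lAF --classify --group-directories-first";
        l = "ls -lF --classify --group-directories-first";
      };
      # https://nixos.wiki/wiki/Fish
      interactiveShellInit = interactiveShellInit;
    };
    mtr.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };

  # sudo is replaced by doas; only pleb may escalate, with credential caching.
  security = {
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        { users = [ "pleb" ]; persist = true; }
      ];
    };
  };

  services = {
    journald.extraConfig = "MaxRetentionSec=30day";

    prometheus.exporters.node = {
      enable = true;
      port = 8030;
      # openFirewall = true;
      enabledCollectors = [
        "cpu.info"
        "interrupts"
        "netstat"
        "vmstat"
        "systemd"
        "tcpstat"
        "processes"
      ];
    };

    openssh.enable = true;

    caddy = {
      enable = false;
      # package = caddyWithPlugins;
      logFormat = "output discard";
      extraConfig =
        let
          # Shared TLS block: DNS-01 via Namecheap, credentials from the environment.
          tlsConfig = ''
            tls {
              dns namecheap {
                api_key {env.NAMECHEAP_API_KEY}
                user {env.NAMECHEAP_API_USER}
                api_endpoint https://api.namecheap.com/xml.response
              }
            }
          '';
        in ''
          ${host_fqdn} { # mempool
            ${tlsConfig}
            reverse_proxy http://127.0.0.1:${toString config.services.mempool.frontend.port}
          }
          ${host_fqdn}:4430 { # node_exporter
            ${tlsConfig}
            reverse_proxy http://127.0.0.1:8030
          }
          ${host_fqdn}:4431 { # albyhub
            ${tlsConfig}
            reverse_proxy http://127.0.0.1:8031
          }
          ${host_fqdn}:4432 { # lnd/prometheus
            ${tlsConfig}
            reverse_proxy http://127.0.0.1:9101
          }
          :9999 {
            respond "success"
          }
        '';
    };
  };

  systemd = {
    # services.caddy = { # TODO: replace caddy with an override/overlay so we don't need this
    #   serviceConfig = {
    #     EnvironmentFile = "/var/src/secrets/namecheap";
    #     ExecStart = [
    #       "" # This empty string clears the existing ExecStart commands
    #       "/opt/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile"
    #     ];
    #     ExecReload = [
    #       "" # This empty string clears the existing ExecReload commands
    #       "/opt/bin/caddy reload --config /etc/caddy/caddy_config --adapter caddyfile --force"
    #     ];
    #   };
    # };

    # lnd runs as its own unprivileged user with config and data on /mnt/<host_name>.
    services.lnd = {
      description = "lightning network daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): a Condition only skips the unit if the mount is absent at
      # start; it does not order lnd after the mount unit. If the data volume is
      # mounted late at boot, lnd may be silently skipped — confirm ordering.
      unitConfig.ConditionPathIsMountPoint = "/mnt/${host_name}";
      serviceConfig = {
        Type = "notify";
        User = "lnd";
        Group = "lnd";
        ExecStart = "${unstablePkgs.lnd}/bin/lnd --configfile=/mnt/${host_name}/lnd/lnd.conf";
        Restart = "on-failure";
        RestartSec = "1m";
      };
    };

    # services.albyhub = {
    #   description = "lightning network daemon";
    #   after = [ "network.target" ];
    #   wantedBy = [ "multi-user.target" ];
    #   unitConfig.ConditionPathIsMountPoint = "/mnt/${vars.host_name}";
    #   serviceConfig = {
    #     User = "lnd"; # albyhub uses the lnd admin macaroon
    #     Group = "lnd";
    #     ExecStart = "${packagesForTesting.albyhub}/bin/http";
    #     # Restart = "on-failure";
    #     # RestartSec = "1m";
    #     EnvironmentFile = "/mnt/${vars.host_name}/albyhub/.env";
    #     WorkingDirectory = "/mnt/${vars.host_name}/albyhub";
    #   };
    # };
  }; # systemd

  # Install per-user fish configs at activation time (see mkFishConfigScript).
  system.activationScripts.lndFishConfig = mkFishConfigScript "lnd" "/var/lib/lnd" lndFishConfigFile;
  system.activationScripts.rootFishConfig = mkFishConfigScript "root" "/root" rootFishConfigFile;

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  system.stateVersion = "25.05";
}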