nix/squirtle.satstack.dev/configuration.nix

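{ config, pkgs, lib, unstablePkgs, ... }:
let
  # Host-specific values (host_name, host_fqdn, lanturnAddress, wireguardPublicKey,
  # interactiveShellInit, lndFishConfigFile, rootFishConfigFile, ...) live in
  # ./variables.nix and are brought into scope by `with importedVars` below.
  importedVars = import ./variables.nix { inherit config pkgs lib unstablePkgs; };

  # Activation script that installs a fish config for `user` into `home`.
  #   user: account (and group of the same name) that will own the files
  #   home: that account's home directory
  #   src:  the config.fish to install (copied with mode 0600)
  # Depends on "users" so the account and group exist before install(1) runs.
  fishConfigActivation = user: home: src: {
    deps = [ "users" ];
    text = ''
      # Ensure .config and .config/fish exist with correct owner/perms
      ${pkgs.coreutils}/bin/install -d -o ${user} -g ${user} -m 0700 "${home}/.config"
      ${pkgs.coreutils}/bin/install -d -o ${user} -g ${user} -m 0700 "${home}/.config/fish"
      # Install (overwrite) the config.fish file
      ${pkgs.coreutils}/bin/install -o ${user} -g ${user} -m 0600 "${src}" "${home}/.config/fish/config.fish"
    '';
  };
in
with importedVars;
{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  networking = {
    hostName = "${host_name}";

    firewall = {
      # enable = false; # secure-node.nix enforces a firewall
      # NOTE(review): allowedTCPPorts applies to every interface (LAN eno1 and the
      # wireguard tunnel alike). If the bitcoind RPC, electrs and lnd rpc/rest ports
      # only need to be reachable from one side, they can be scoped with
      # networking.firewall.interfaces.<name>.allowedTCPPorts — confirm which
      # peers use each port before tightening.
      allowedTCPPorts = [
        22
        80
        443
        config.services.bitcoind.rpc.port
        config.services.electrs.port
        9101  # lnd/prometheus
        9735  # lnd/p2p
        10009 # lnd/rpc
        10010 # lnd/rest
      ];
      allowedTCPPortRanges = [
        { from = 4400; to = 4499; }
        { from = 28332; to = 28334; }
      ];
    };

    # Static LAN addressing on eno1.
    interfaces.eno1.ipv4.addresses = [{
      address = "192.168.0.44";
      prefixLength = 24;
    }];
    defaultGateway = {
      address = "192.168.0.1";
      interface = "eno1";
    };
    nameservers = [ "1.1.1.1" "8.8.8.8" ];

    wireguard.interfaces = let
      secrets = import ./secrets.nix;
    in {
      lanturn = {
        ips = [ "10.19.21.44/24" ];
        # NOTE(review): a `privateKey` string is evaluated into the Nix store, which
        # is world-readable on this host. `privateKeyFile` pointing at a root-owned
        # 0600 file outside the store avoids that; it needs the file provisioned
        # first, so the value is left as-is here.
        privateKey = "${secrets.wireguardPrivatekey}";
        peers = [{
          publicKey = "${wireguardPublicKey}";
          endpoint = "${lanturnAddress}:61420";
          # Full tunnel: everything not pinned to the LAN gateway by
          # localCommands below is sent through lanturn.
          allowedIPs = [
            "0.0.0.0/0"
          ];
        }];
      };
    };

    # Adding routes this way is janky and probably means it's time to switch to
    # systemd-networking for wireguard. These keep the tunnel endpoint and the
    # local networks reachable via the LAN gateway despite allowedIPs = 0.0.0.0/0;
    # `|| true` makes each add best-effort (e.g. when the route already exists).
    localCommands = let
      gw = config.networking.defaultGateway;
      viaGateway = dst: "ip route add ${dst} dev ${gw.interface} via ${gw.address} || true";
    in ''
      ${viaGateway "${lanturnAddress}/32"}
      ${viaGateway "192.168.0.0/23"}
      ${viaGateway "192.168.254.0/24"}
      ${viaGateway "10.19.21.11/32"} # timburr
      ${viaGateway "10.19.21.34/32"} # weavile
    '';
  };

  time.timeZone = "America/Los_Angeles";
  i18n.defaultLocale = "en_US.UTF-8";

  console = {
    font = "Lat2-Terminus16";
    # keyMap = "us";
    useXkbConfig = true; # use xkbOptions in tty.
  };

  users = {
    groups = {
      bitcoind = {};
      lnd = {};
    };
    users = {
      # root and pleb are both keyed from the same authorized_keys file in this repo.
      root = {
        openssh.authorizedKeys.keyFiles = [
          # /etc/nixos/ssh/authorized_keys
          ./ssh/authorized_keys
        ];
        shell = pkgs.fish; # Set root's shell to fish
      };
      # Interactive admin account; the doas rule under `security` grants it root.
      pleb = {
        openssh.authorizedKeys.keyFiles = [
          # /etc/nixos/ssh/authorized_keys
          ./ssh/authorized_keys
        ];
        isNormalUser = true;
        extraGroups = [ "wheel" ];
      };
      # Service account that runs lnd (see systemd.services.lnd). It gets a real
      # shell and a fish config so it can be used interactively, but no SSH keys.
      lnd = {
        isSystemUser = true;
        group = "lnd";
        home = "/var/lib/lnd";
        createHome = true;
        description = "System account for lnd";
        shell = pkgs.fish;
        openssh.authorizedKeys.keys = []; # fix ssh-agent warnings due to missing .ssh directory
        packages = [
          unstablePkgs.lnd
        ];
        # packages = with packagesForTesting; [
        #   albyhub
        #   lnd
        # ];
      };
    };
  };

  environment = {
    variables = { EDITOR = "vim"; VISUAL = "vim"; };
    systemPackages = with pkgs; [
      cryptsetup
      curl
      difftastic
      dig
      dnsutils
      doas
      file
      fzf
      git
      htop
      iftop
      iperf
      jq
      net-snmp # snmpwalk
      netcat
      nettools
      parted
      pass
      psmisc
      rsync
      tcpdump
      tmux
      tree
      unzip
      vim
      wget
      whois
      wireguard-tools
      zip
    ];
    # pheonix <unit>: restart a systemd unit and follow its journal.
    shellInit = ''
      pheonix() {
        systemctl restart "$1"
        journalctl -fu "$1"
      }
    '';
  };

  programs = {
    fish.enable = true;
    vim = {
      enable = true;
      defaultEditor = true;
    };
    bash = {
      shellAliases = {
        ll = "ls -lAF --classify --group-directories-first";
        l = "ls -lF --classify --group-directories-first";
      };
      # https://nixos.wiki/wiki/Fish
      # Value is defined in variables.nix.
      interactiveShellInit = interactiveShellInit;
    };
    mtr.enable = true;
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
  };

  # doas replaces sudo; only pleb may escalate, with sudo-style credential caching.
  security = {
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        {
          users = [ "pleb" ];
          persist = true;
        }
      ];
    };
  };

  services = {
    journald.extraConfig = "MaxRetentionSec=30day";

    prometheus.exporters.node = {
      enable = true;
      port = 8030;
      # openFirewall = true;
      enabledCollectors = [
        "cpu.info"
        "interrupts"
        "netstat"
        "vmstat"
        "systemd"
        "tcpstat"
        "processes"
      ];
    };

    # NOTE(review): every account here authenticates by key (root/pleb via
    # keyFiles, lnd with no keys), so `settings.PasswordAuthentication = false;`
    # would remove an unused login path — confirm no password logins are relied on
    # before adding it.
    openssh.enable = true;

    # Currently disabled. The Namecheap DNS credentials are read from the
    # environment, which the commented-out systemd override below was meant to
    # supply via EnvironmentFile.
    caddy = {
      enable = false;
      # package = caddyWithPlugins;
      logFormat = "output discard";
      extraConfig = let
        tlsConfig = ''
          tls {
            dns namecheap {
              api_key {env.NAMECHEAP_API_KEY}
              user {env.NAMECHEAP_API_USER}
              api_endpoint https://api.namecheap.com/xml.response
            }
          }
        '';
      in ''
        ${host_fqdn} { # mempool
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:${toString config.services.mempool.frontend.port}
        }
        ${host_fqdn}:4430 { # node_exporter
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8030
        }
        ${host_fqdn}:4431 { # albyhub
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:8031
        }
        ${host_fqdn}:4432 { # lnd/prometheus
          ${tlsConfig}
          reverse_proxy http://127.0.0.1:9101
        }
        :9999 {
          respond "success"
        }
      '';
    };
  };

  systemd = {
    # services.caddy = { # TODO: replace caddy with an override/overlay so we don't need this
    #   serviceConfig = {
    #     EnvironmentFile = "/var/src/secrets/namecheap";
    #     ExecStart = [
    #       "" # This empty string clears the existing ExecStart commands
    #       "/opt/bin/caddy run --config /etc/caddy/caddy_config --adapter caddyfile"
    #     ];
    #     ExecReload = [
    #       "" # This empty string clears the existing ExecReload commands
    #       "/opt/bin/caddy reload --config /etc/caddy/caddy_config --adapter caddyfile --force"
    #     ];
    #   };
    # };

    # lnd runs as its own unprivileged user and only starts once its data
    # mount (/mnt/<host_name>) is present; config lives on that mount.
    services.lnd = {
      description = "lightning network daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      unitConfig.ConditionPathIsMountPoint = "/mnt/${host_name}";
      serviceConfig = {
        Type = "notify";
        User = "lnd";
        Group = "lnd";
        ExecStart = "${unstablePkgs.lnd}/bin/lnd --configfile=/mnt/${host_name}/lnd/lnd.conf";
        Restart = "on-failure";
        RestartSec = "1m";
      };
    };

    # services.albyhub = {
    #   description = "lightning network daemon";
    #   after = [ "network.target" ];
    #   wantedBy = [ "multi-user.target" ];
    #   unitConfig.ConditionPathIsMountPoint = "/mnt/${vars.host_name}";
    #   serviceConfig = {
    #     User = "lnd"; # albyhub uses the lnd admin macaroon
    #     Group = "lnd";
    #     ExecStart = "${packagesForTesting.albyhub}/bin/http";
    #     # Restart = "on-failure";
    #     # RestartSec = "1m";
    #     EnvironmentFile = "/mnt/${vars.host_name}/albyhub/.env";
    #     WorkingDirectory = "/mnt/${vars.host_name}/albyhub";
    #   };
    # };
  }; # systemd

  # Per-user fish configs, installed with private permissions on activation.
  system.activationScripts = {
    lndFishConfig = fishConfigActivation "lnd" "/var/lib/lnd" lndFishConfigFile;
    rootFishConfig = fishConfigActivation "root" "/root" rootFishConfigFile;
  };

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = "25.05";
}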