
default.nix (14837B)


      1 extra:
      2 { config, lib, pkgs, ... }:
        # NixOS host module for the "monad" machine (see the synergy screenName
        # and the nginx server_name further down). `extra` is a per-machine
        # record (util helpers, machine addresses, private secrets, the
        # is-minimal flag) applied before the standard module arguments.
        # Lines marked NOTE(review) point at settings a reader should confirm;
        # they describe what this file shows, not what is actually deployed.
      3 let util = extra.util;
      4     nix-serve = extra.machine.nix-serve;
        # Pinned to one commit plus its sha256, so this fetch is reproducible
        # and the script run by disable-c6 below cannot silently change.
      5     zenstates = pkgs.fetchFromGitHub {
      6       owner  = "r4m0n";
      7       repo   = "ZenStates-Linux";
      8       rev    = "0bc27f4740e382f2a2896dc1dabfec1d0ac96818";
      9       sha256 = "1h1h2n50d2cwcyw3zp4lamfvrdjy1gjghffvl3qrp6arfsfa615y";
     10     };
        # Angle-bracket path: resolved through NIX_PATH at evaluation time, so
        # unlike zenstates above this import is not pinned by this file.
     11     jb55pkgs = import <jb55pkgs> { inherit pkgs; };
     12     git-email-contacts = "${jb55pkgs.git-email-contacts}/bin/git-email-contacts";
        # Runs `muchsync charon` under an exclusive flock on
        # /tmp/email-notify.lock (waits up to 100 s, exits 1 if still held).
        # The notify-send line inside is commented out, so no desktop
        # notification is produced. Nothing else in this file references
        # email-notify, so as far as this file shows it is an unused binding.
     13     email-notify = util.writeBash "email-notify-user" ''
     14       export HOME=/home/jb55
     15       export PATH=${lib.makeBinPath (with pkgs; [ eject libnotify muchsync notmuch openssh ])}:$PATH
     16       (
     17         flock -x -w 100 200 || exit 1
     18 
     19         muchsync charon
     20 
     21         #DISPLAY=:0 notify-send --category=email "you got mail"
     22 
     23       ) 200>/tmp/email-notify.lock
     24     '';
     25 
     26 in
     27 {
        # Hardware, rocksmith, msmtp, networking and imap-notifier modules; the
        # bitcoin module is only pulled in on non-minimal machines.
     28   imports = [
     29     ./hardware
     30     (import ./rocksmith.nix)
     31     # ./contracts/commit
     32     # ./contracts/plastiq
     33 
     34     #(import ../../misc/dnsmasq-adblock.nix)
     35     (import ../../misc/msmtp extra)
     36     (import ./networking extra)
     37     (import ../../misc/imap-notifier extra)
     38   ] ++ (if !extra.is-minimal then [ (import ./bitcoin extra) ] else []);
     39 
     40   #hardware.steam-hardware.enable = true;
     41 
     42   #boot.zfs.enableUnstable = true;
        # Works around the DRM-symbol licensing conflict between ZFS and newer
        # kernels; see the option's description for what it patches.
     43   boot.zfs.removeLinuxDRM = true;
     44   #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
     45 
     46   # ai
     47   #services.comfyui.enable = false;
     48   #services.comfyui.rocmSupport = true;
     49   #services.comfyui.dataPath = "/titan/ai/comfyui";
        # NOTE(review): host = "0.0.0.0" binds the ollama API on every
        # interface and nothing in this file adds authentication in front of
        # it. Reachability therefore depends on the firewall (configured
        # outside this file); binding to a specific address would be tighter.
        # ROCm acceleration is forced to the gfx 10.1.0 target via
        # rocmOverrideGfx; the HCC_AMDGPU_TARGET variable is kept as a leftover.
     50   services.ollama = {
     51     enable = true;
     52     host = "0.0.0.0";
     53     acceleration = "rocm";
     54     environmentVariables = {
     55       HCC_AMDGPU_TARGET = "gfx1010"; # used to be necessary, but doesn't seem to anymore
     56     };
     57     rocmOverrideGfx = "10.1.0";
     58   };
     59 
        # NOTE(review): n8n's listen address, port and authentication are not
        # set here, so module/application defaults apply — confirm where the
        # workflow editor is reachable from before relying on it.
     60   services.n8n.enable = true;
     61 
     62   services.ofono.enable = false;
     63   services.ofono.plugins = with pkgs; [ ofono-phonesim ];
     64 
        # Port is overridden to 8090; the bind address is left unset here.
     65   services.open-webui.enable = true;
     66   services.open-webui.port = 8090;
     67 
        # Prometheus and grafana are both off; the grafana datasource is kept
        # so it is provisioned again if they are re-enabled.
     68   services.prometheus.enable = false;
     69   # services.prometheus.dataDir = "/zbig/data/prometheus";
     70   services.grafana.enable = false;
     71   services.grafana.port = 3005;
     72   services.grafana.provision.datasources = [
     73     { name = "bitcoin";
     74       type = "prometheus";
     75       access = "direct";
     76       isDefault = true;
     77     }
     78   ];
     79 
     80   # services.guix.enable = true;
        # Both branches are false, so this is just `false` — the is-minimal
        # test is a toggle left in place. Same pattern at bitlbee, redis and
        # mongodb below. 10.100.0.2 is also the only host the lightning RPC
        # tunnel further down accepts.
     81   services.synergy.client.enable = if extra.is-minimal then false else false;
     82   services.synergy.client.autoStart = true;
     83   services.synergy.client.serverAddress = "10.100.0.2";
     84   services.synergy.client.screenName = "monad";
     85 
        # Disabled (see the note on the synergy line). bitlbee.plugins is set
        # separately further down, split from this libpurple_plugins list.
     86   services.bitlbee.enable = if extra.is-minimal then false else false;
     87   services.bitlbee.libpurple_plugins = with pkgs; [
     88     pidgin-skypeweb
     89     purple-facebook
     90     purple-hangouts
     91     telegram-purple
     92     purple-matrix
     93   ];
     94 
     95   # services.thelounge.enable = true;
     96   # services.thelounge.theme = "thelounge-theme-mininapse";
     97   # services.thelounge.port = 9002;
     98 
        # Disabled; kept as a ready-made config (local listener on 127.0.0.1:43,
        # which the commented dnsmasq.servers lines below would forward to).
        # The minisign_key values are the public keys used to verify the
        # resolver/relay lists, not secrets.
     99   services.dnscrypt-proxy2.enable = false;
    100   services.dnscrypt-proxy2.settings = {
    101 
    102     listen_addresses = [ "127.0.0.1:43" ];
    103     server_names = ["cs-ca2" "ev-to"];
    104     fallback_resolver = "1.1.1.1:53";
    105     sources = {
    106       public-resolvers = {
    107         urls = ["https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md"
    108                 "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md"
    109                ];
    110         cache_file = "public-resolvers.md";
    111         minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    112         refresh_delay = 71;
    113       };
    114 
    115       relays = {
    116         urls = ["https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md"];
    117         cache_file = "relays.md";
    118         minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    119         refresh_delay = 71;
    120       };
    121     };
    122     anonymized_dns.routes = [
    123       { server_name="cs-ca2"; via=["anon-ev-va"]; }
    124       { server_name="ev-to"; via=["anon-cs-ca2"]; }
    125     ];
    126   };
    127 
        # Local resolver. With dnscrypt-proxy2 off, queries are forwarded to
        # Google DNS in the clear. /var/dnsmasq-hosts and /var/hosts are read
        # at runtime; presumably one of them pulls in /var/distracting-hosts,
        # which the block/unblock services below rewrite — confirm.
        # NOTE(review): rebind-domain-ok is set to an empty string; stop-dns-
        # rebind is not set in this file, so confirm what the empty value is
        # meant to do for the dnsmasq version in use.
    128   services.dnsmasq.enable = true;
    129   services.dnsmasq.resolveLocalQueries = false;
    130   #services.dnsmasq.servers = ["127.0.0.1#43"];
    131   # services.dnsmasq.servers = ["127.0.0.1#43" "1.1.1.1" "8.8.8.8"];
    132   services.dnsmasq.settings.server = ["8.8.8.8" "8.8.4.4" ];
    133   services.dnsmasq.settings.conf-file = "/var/dnsmasq-hosts";
    134   services.dnsmasq.settings.addn-hosts = "/var/hosts";
    135   services.dnsmasq.settings.dns-forward-max = 12000;
    136   services.dnsmasq.settings.min-cache-ttl = 300;
    137   services.dnsmasq.settings.rebind-domain-ok = "";
    138 
    139   services.bitlbee.plugins = with pkgs; [
    140     bitlbee-mastodon
    141   ];
    142 
    143   # shitcoin vendor
    144   services.keybase.enable = false;
    145 
        # System (root) service on a weekday 09:00 timer: installs the prepared
        # block list, then restarts dnsmasq because that is the only way this
        # setup drops cached answers for the newly blocked names.
    146   systemd.services.block-distracting-hosts = {
    147     description = "Block Distracting Hosts";
    148 
    149     path = with pkgs; [ systemd procps ];
    150 
    151     serviceConfig.ExecStart = util.writeBash "block-distracting-hosts" ''
    152       set -e
    153       cp /var/undistracting-hosts /var/distracting-hosts
    154 
    155       # crude way to clear the cache...
    156       systemctl restart dnsmasq
    157     '';
    158 
    159     startAt = "Mon..Fri *-*-* 09:00:00";
    160   };
    161 
        # Disabled. Every 30 minutes it runs git-email-contacts (plus `git gc`)
        # in three checkouts under /home/jb55; the nixpkgs one is fetched first.
        # Hard-codes the uid-1000 ssh-agent socket and an X11 askpass helper.
        # The `2>&1` on the printf only merges printf's own stderr into its
        # stdout, so it has no practical effect.
    162   systemd.user.services.bitcoin-contacts = {
    163     enable = false;
    164     description = "Email bitcoin PR patches that have me as a git-contact";
    165 
    166     wantedBy    = [ "graphical-session.target" ];
    167     after       = [ "graphical-session.target" ];
    168 
    169     path = with pkgs; [ openssh msmtp libnotify netcat gitFull ];
    170 
    171     environment = {
    172 	SSH_AUTH_SOCK = "/run/user/1000/ssh-agent";
    173     };
    174 
    175     serviceConfig.ExecStart = util.writeBash "bitcoin-contacts" ''
    176 	export SSH_ASKPASS="${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"
    177 	while true
    178 	do
    179 		duration="30m"
    180 		cd /home/jb55/dev/github/bitcoin/bitcoin 
    181 		${git-email-contacts}
    182 		git gc
    183 		cd /home/jb55/dev/github/bitcoin-core/gui 
    184 		${git-email-contacts}
    185 		git gc
    186 		cd /home/jb55/etc/nixpkgs-master
    187 		git fetch -p upstream
    188 		${git-email-contacts}
    189 		git gc
    190 		printf "done for now, waiting %s...\n" $duration 2>&1
    191 		sleep $duration
    192 	done
    193     '';
    194   };
    195 
        # Daily 19:30 timer (non-minimal machines only): asks the spotify MPRIS
        # player to stop over the session bus.
    196   systemd.user.services.stop-spotify-bedtime = {
    197     enable      = if extra.is-minimal then false else true;
    198     description = "Stop spotify when Elliott goes to bed";
    199     wantedBy    = [ "graphical-session.target" ];
    200     after       = [ "graphical-session.target" ];
    201     serviceConfig.ExecStart = "${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Stop";
    202 
    203     startAt = "*-*-* 19:30:00";
    204   };
    205 
        # Counterpart of block-distracting-hosts: weekday 17:00, empties the
        # list and restarts dnsmasq.
    206   systemd.services.unblock-distracting-hosts = {
    207     enable = if extra.is-minimal then false else true;
    208 
    209     description = "Unblock Distracting Hosts";
    210 
    211     path = with pkgs; [ systemd ];
    212 
    213     serviceConfig.ExecStart = util.writeBash "unblock-distracting-hosts" ''
    214       set -e
    215       echo "" > /var/distracting-hosts
    216       systemctl restart dnsmasq
    217     '';
    218 
    219     startAt = "Mon..Fri *-*-* 17:00:00";
    220   };
    221 
    222   #virtualisation.docker.enable = if extra.is-minimal then false else true;
    223 
        # Empty. The commented ACS-override patch (and the pcie_acs_override
        # kernel parameter below it) would make the kernel ignore missing PCI
        # isolation between devices, which is why the author marked it unsafe.
    224   boot.kernelPatches = [
    225     #{ # pci acs hack, not really safe or a good idea
    226     #  name = "acs-overrides";
    227     #  patch = pkgs.fetchurl {
    228     #    url = "https://aur.archlinux.org/cgit/aur.git/plain/add-acs-overrides.patch?h=linux-vfio";
    229     #    sha256 = "1b1qjlqkbwpv82aja48pj9vpi9p6jggc8g92p4rg7zjjjs2ldp24";
    230     #  };
    231     #}
    232   ];
    233 
    234   #boot.kernelParams = [ "pcie_acs_override=downstream" ];
    235 
        # Exposes the mainnet lightning RPC unix socket as plain TCP on 7878.
        # The socat range= filter admits only source address 10.100.0.2/32;
        # that is an address check, not authentication, and the connection is
        # unencrypted, so it relies on that 10.100.0.0 network being trusted.
    236   systemd.user.services.clightning-rpc-tunnel = {
    237     description = "clightning mainnet rpc tunnel";
    238     wantedBy = [ "default.target" ];
    239     after    = [ "default.target" ];
    240 
    241     serviceConfig.ExecStart = extra.util.writeBash "lightning-tunnel" ''
    242       ${pkgs.socat}/bin/socat -d -d TCP-LISTEN:7878,fork,reuseaddr,range=10.100.0.2/32 UNIX-CONNECT:/home/jb55/.lightning/bitcoin/lightning-rpc
    243     '';
    244   };
    245 
        # Disabled. NOTE(review): if re-enabled, runAsRoot = true runs QEMU as
        # root rather than an unprivileged account; swtpm is on, OVMF is off.
    246   virtualisation.libvirtd = {
    247     enable = false;
    248     qemu = {
    249       package = pkgs.qemu_kvm;
    250       runAsRoot = true;
    251       swtpm.enable = true;
    252       ovmf = {
    253         enable = false;
    254         #packages = [(pkgs.OVMF.override {
    255         #  secureBoot = true;
    256         #  tpmSupport = true;
    257         #}).fd];
    258       };
    259     };
    260   };
    261 
        # Hourly (non-minimal only), after bitcoind-mainnet: downloads Amazon's
        # published IP ranges, turns every prefix into a `setban … add 3450`
        # request, batches them with `jq -s` and posts the batch to the RPC.
        # NOTE(review): the RPC user/password from extra.private are
        # interpolated into the script, so they end up in the world-readable
        # Nix store and on the curl command line (visible in `ps` while it
        # runs). Reading them at runtime instead — e.g. a credentials file via
        # systemd LoadCredential= and `curl --netrc-file` or `-K` — keeps the
        # secret out of both. Also, `curl -s` without `--fail` and no
        # `set -o pipefail` means a failed download still feeds whatever body
        # came back into the RPC call.
    262   systemd.user.services.btc-ban-aws = {
    263     enable   = if extra.is-minimal then false else true;
    264     description = "Ban Bitcoin EC2 nodes";
    265     wantedBy = [ "bitcoind-mainnet.service" ];
    266     after    = [ "bitcoind-mainnet.service" ];
    267     serviceConfig.ExecStart = util.writeBash "btc-ban-ec2" ''
    268       # lets chill for a bit before we do this
    269       ${pkgs.curl}/bin/curl -s 'https://ip-ranges.amazonaws.com/ip-ranges.json' |
    270       ${pkgs.jq}/bin/jq -rc '.prefixes[].ip_prefix | {"jsonrpc": "1.0", "id":"aws-banscript", method: "setban", "params": [., "add", 3450]}' |
    271       ${pkgs.jq}/bin/jq -s  |
    272       ${pkgs.curl}/bin/curl -s -u ${extra.private.btc-user}:${extra.private.btc-pass} --data-binary @/dev/stdin -H 'content-type: text/plain' ${extra.private.btc-rpc-host}:${extra.private.btc-rpc-port}
    273     '';
    274     startAt = "*-*-* *:00:00"; #hourly
    275   };
    276 
    277   environment.systemPackages = [ pkgs.virt-manager ];
    278 
        # Disabled. NOTE(review): the declarative properties enable RCON with
        # the literal password "minecraft" alongside openFirewall = true. If
        # this is ever switched back on, change the password first — RCON is
        # console access for anyone who can reach it and knows the string.
    279   services.minecraft-server.enable = false;
    280   services.minecraft-server.eula = true;
    281   services.minecraft-server.openFirewall = true;
    282   services.minecraft-server.declarative = true;
    283   services.minecraft-server.serverProperties = {
    284     server-port = 25565;
    285     difficulty = "normal";
    286     gamemode = "survival";
    287     force-gamemode = true;
    288     max-players = 2;
    289     motd = "NixOS Minecraft server!";
    290     white-list = false;
    291     enable-rcon = true;
    292     "rcon.password" = "minecraft";
    293   };
    294 
        # NOTE(review): enableHardening = false turns off the VirtualBox
        # hardening that, per the NixOS option description, limits which
        # binaries may open the vbox kernel devices; with it off, every member
        # of vboxusers (jb55 below) reaches them directly. Confirm this is a
        # deliberate trade for whatever the hardened build broke.
    295   virtualisation.virtualbox.host.enable = true;
    296   virtualisation.virtualbox.host.enableHardening = false;
    297   #virtualization.virtualbox.host.enableExtensionPack = true;
    298 
        # Group memberships grant device/socket access to the user; "input"
        # typically means read access to every evdev device (keyboard, mouse),
        # which matters only against a local attacker running as this user.
    299   users.extraUsers.jb55.extraGroups = [ "vboxusers" "bitcoin" "kvm" "qemu-libvirtd" "libvirtd" "input" ];
    300 
    301   services.xserver.videoDrivers = [ ];
    302 
        # nginx is added to the tor and transmission groups (presumably for
        # socket or file access — confirm), and jb55 to nginx so the user can
        # work under /var/www.
    303   users.extraGroups.tor.members = [ "jb55" "nginx" ];
    304   users.extraGroups.bitcoin.members = [ "jb55" ];
    305   users.extraGroups.nginx.members = [ "jb55" ];
    306   users.extraGroups.transmission.members = [ "nginx" "jb55" ];
    307 
    308   programs.mosh.enable = false;
    309   programs.adb.enable = true;
    310 
    311   documentation.nixos.enable = false;
    312 
        # Both tautologically false (see the synergy note above).
    313   services.redis.enable = if extra.is-minimal then false else false;
    314   services.mongodb.enable = if extra.is-minimal then false else false;
    315 
    316   services.zeronet.enable = false;
    317   #services.zeronet.trackers = ''
    318   #  http://tracker.nyap2p.com:8080/announce
    319   #  http://tracker3.itzmx.com:6961/announce
    320   #  http://tracker1.itzmx.com:8080/announce
    321   #  https://trakx.herokuapp.com:443/announce
    322   #  udp://ultra.zt.ua:6969/announce
    323   #'';
    324 
        # Tor client with the control port on 9051 (non-minimal only).
        # NOTE(review): whether the control port demands cookie or password
        # auth depends on extra.private.tor.settings, which is not shown here;
        # the tor group above includes nginx and jb55.
    325   services.tor.enable = if extra.is-minimal then false else true;
    326   services.tor.controlPort = 9051;
    327   services.tor.client.enable = true;
    328   services.tor.settings = extra.private.tor.settings;
    329 
        # Disabled; bind address/port come from the machine record so the
        # nginx reverse-proxy block below stays in sync if it is enabled.
    330   services.nix-serve.enable = false;
    331   services.nix-serve.bindAddress = nix-serve.bindAddress;
    332   services.nix-serve.port = nix-serve.port;
    333 
    334   services.xserver.screenSection = ''
    335     Option "metamodes" "1920x1080_144 +0+0"
    336     Option "dpi" "96 x 96"
    337   '';
    338 
        # Plain-HTTP vhosts (non-minimal only): monad.jb55.com serves an
        # autoindexed /var/www/public; notes.jb55.com serves /var/www/notes with
        # WebDAV enabled; an nix-serve proxy vhost and extra.private.tor.nginx
        # are appended conditionally. ReadWritePaths lets the sandboxed nginx
        # write under /var/www, which the DAV methods need.
        # NOTE(review): the notes vhost enables PUT/DELETE/MKCOL/COPY/MOVE with
        # dav_access all:rw and no auth_basic or allow/deny directive in this
        # file, and its bare `listen 80;` is not limited to an address. Unless
        # the firewall or the private tor config restricts it, any client that
        # can reach port 80 can create, overwrite or delete files in
        # /var/www/notes. autoindex on also lists that directory.
    339   services.nginx.enable = if extra.is-minimal then false else true;
    340   systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
    341   services.nginx.httpConfig = ''
    342       server {
    343         listen 80 default_server;
    344         listen ${extra.machine.ztip}:80 default_server;
    345         listen 192.168.87.26 default_server;
    346 
    347         server_name monad.jb55.com;
    348 
    349         location / {
    350           root                  /var/www/public;
    351           autoindex on;
    352           index index.html;
    353         }
    354       }
    355 
    356       server {
    357         listen 80;
    358         listen ${extra.machine.ztip}:80;
    359         listen 192.168.87.26;
    360 
    361 	server_name notes.jb55.com;
    362 
    363 	location / {
    364 	    root                  /var/www/notes;
    365 	    autoindex on;
    366             index index.html;
    367 
    368 	    client_body_temp_path /var/www/tmp;
    369 
    370 	    dav_methods PUT DELETE MKCOL COPY MOVE;
    371 	    dav_ext_methods PROPFIND OPTIONS;
    372 
    373 	    client_max_body_size 10M;
    374 
    375 	    create_full_put_path  on;
    376 	    dav_access            user:rw group:rw  all:rw;
    377 	}
    378       }
    379 
    380     '' + (if config.services.nix-serve.enable then ''
    381       server {
    382         listen ${nix-serve.bindAddress}:80;
    383         server_name cache.monad.jb55.com;
    384 
    385         location / {
    386           proxy_pass  http://${nix-serve.bindAddress}:${toString nix-serve.port};
    387           proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    388           proxy_redirect off;
    389           proxy_buffering off;
    390           proxy_set_header        Host            $host;
    391           proxy_set_header        X-Real-IP       $remote_addr;
    392           proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    393         }
    394       }
    395     '' else "") + (if config.services.tor.enable then extra.private.tor.nginx else "");
    396 
    397   # services.footswitch = {
    398   #   enable = false;
    399   #   enable-led = true;
    400   #   led = "input5::numlock";
    401   # };
    402 
        # Root oneshot at boot: loads the msr module and runs the pinned
        # ZenStates script to disable the C6 idle state. MSR writes are
        # root-only anyway; the trust boundary here is the pinned upstream
        # commit fetched at the top of the file.
    403   systemd.services.disable-c6 = {
    404     description = "Ryzen Disable C6 State";
    405 
    406     wantedBy = [ "basic.target" ];
    407     after = [ "sysinit.target" "local-fs.target" ];
    408 
    409     serviceConfig.Type = "oneshot";
    410     serviceConfig.ExecStart = util.writeBash "disable-c6-state" ''
    411       ${pkgs.kmod}/bin/modprobe msr
    412       ${pkgs.python3}/bin/python ${zenstates}/zenstates.py --c6-disable --list
    413     '';
    414   };
    415 
    416   services.mysql.enable = false;
    417   services.mysql.package = pkgs.mariadb;
    418 
        # NOTE(review): both commented postgresql blocks below combine
        # listen_addresses = '0.0.0.0' with `trust` authentication for
        # 127.0.0.1/32 and the whole 192.168.87.0/24 LAN. If either is revived,
        # any LAN host could connect as any role without a password; switch to
        # scram/md5 (or at least restrict the host lines) before enabling.
    419   # services.postgresql = {
    420   #   dataDir = "/var/db/postgresql/100/";
    421   #   enable = true;
    422   #   package = pkgs.postgresql_10;
    423   #   # extraPlugins = with pkgs; [ pgmp ];
    424   #   authentication = pkgs.lib.mkForce ''
    425   #     # type db  user address            method
    426   #     local  all all                     trust
    427   #     host   all all  127.0.0.1/32       trust
    428   #     host   all all  192.168.87.0/24    trust
    429   #   '';
    430   #   extraConfig = ''
    431   #     listen_addresses = '0.0.0.0'
    432   #   '';
    433   # };
    434 
    435   # services.postgresql = {
    436   #   dataDir = "/var/db/postgresql/96/";
    437   #   enable = true;
    438   #   package = pkgs.postgresql96;
    439   #   # extraPlugins = with pkgs; [ pgmp ];
    440   #   authentication = pkgs.lib.mkForce ''
    441   #     # type db  user address            method
    442   #     local  all all                     trust
    443   #     host   all all  127.0.0.1/32       trust
    444   #     host   all all  192.168.87.0/24    trust
    445   #   '';
    446   #   extraConfig = ''
    447   #     listen_addresses = '0.0.0.0'
    448   #   '';
    449   # };
    450 
    451   # for kmsgrab streaming
        # NOTE(review): a cap_sys_admin+ep file capability on ffmpeg (needed by
        # kmsgrab) hands the binary a capability that is close to root-
        # equivalent, and no `permissions` restriction is set here, so the
        # wrapper keeps the NixOS default mode, which leaves it executable by
        # other users — confirm. Setting permissions = "u+rx,g+rx" with a
        # dedicated group limits who can invoke the capable wrapper.
    452   security.wrappers.ffmpeg = {
    453     source = "${pkgs.ffmpeg}/bin/ffmpeg";
    454     capabilities = "cap_sys_admin+ep";
    455     owner = "root";
    456     group = "root";
    457   };
    458 
        # Commented-out pam-u2f config. The authfile line holds a key handle
        # and public key (the registration record), not a secret; the real
        # risk of committing it is only that the device can be identified.
    459   # security.pam.u2f = {
    460   #   enable = true;
    461   #   interactive = true;
    462   #   cue = true;
    463   #   control = "sufficient";
    464   #   authfile = "${pkgs.writeText "pam-u2f-config" ''
    465   #     jb55:vMXUgYb1ytYmOVgqFDwVOxJmvVI9F3gdSJVbvsi1A1VA-3mftTUhgARo4Kmm_8SAH6IJJ8p3LSXPSbtTSXMIpQ,04d8c1542a7391ee83112a577db968b84351f0090a9abe7c75bedcd94777cf15727c68ce4ac8858ff2812ded3c86d978efc5893b25cf906032632019fe792d3ec4
    466   #   ''}";
    467   # };
    468 
    469 }