citadel

My dotfiles, scripts and nix configs



# NixOS host module. `extra` is supplied by the caller and carries the shared
# helpers (extra.util), machine facts (extra.machine), secrets (extra.private)
# and the `is-minimal` switch that turns most optional services off; the inner
# function is an ordinary NixOS module.
extra:
{ config, lib, pkgs, ... }:
let util = extra.util;
    nix-serve = extra.machine.nix-serve;
    # Pinned by git rev and fixed-output hash; consumed by the disable-c6
    # service further down.
    zenstates = pkgs.fetchFromGitHub {
      owner  = "r4m0n";
      repo   = "ZenStates-Linux";
      rev    = "0bc27f4740e382f2a2896dc1dabfec1d0ac96818";
      sha256 = "1h1h2n50d2cwcyw3zp4lamfvrdjy1gjghffvl3qrp6arfsfa615y";
    };
    # Angle-bracket import: resolved through NIX_PATH at evaluation time, so
    # this input is not pinned from this file.
    jb55pkgs = import <jb55pkgs> { inherit pkgs; };
    git-email-contacts = "${jb55pkgs.git-email-contacts}/bin/git-email-contacts";
    # Runs muchsync under an exclusive flock on a fixed lock file in /tmp.
    # NOTE(review): a fixed lock path in a shared temp directory can be
    # pre-created by another local user; this binding is also not referenced
    # anywhere else in this module — confirm it is still used.
    email-notify = util.writeBash "email-notify-user" ''
      export HOME=/home/jb55
      export PATH=${lib.makeBinPath (with pkgs; [ eject libnotify muchsync notmuch openssh ])}:$PATH
      (
        flock -x -w 100 200 || exit 1

        muchsync charon

        #DISPLAY=:0 notify-send --category=email "you got mail"

      ) 200>/tmp/email-notify.lock
    '';

in
{
  # The bitcoin sub-module is only pulled in on non-minimal hosts.
  imports = [
    ./hardware
    # ./contracts/commit
    # ./contracts/plastiq

    #(import ../../misc/dnsmasq-adblock.nix)
    (import ../../misc/msmtp extra)
    (import ./networking extra)
    (import ../../misc/imap-notifier extra)
  ] ++ (if !extra.is-minimal then [ (import ./bitcoin extra) ] else []);

  #hardware.steam-hardware.enable = true;

  # The kernel is chosen to match the (unstable) ZFS package rather than the
  # other way round.
  boot.zfs.enableUnstable = true;
  boot.zfs.removeLinuxDRM = true;
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

  services.ofono.enable = false;
  services.ofono.plugins = with pkgs; [ ofono-phonesim ];

  # Monitoring stack is declared but switched off.
  services.prometheus.enable = false;
  # services.prometheus.dataDir = "/zbig/data/prometheus";
  services.grafana.enable = false;
  services.grafana.port = 3005;
  services.grafana.provision.datasources = [
    { name = "bitcoin";
      type = "prometheus";
      access = "direct";
      isDefault = true;
    }
  ];

  # services.guix.enable = true;
  # Same as `!extra.is-minimal`.
  services.synergy.client.enable = if extra.is-minimal then false else true;
  services.synergy.client.autoStart = true;
  services.synergy.client.serverAddress = "10.100.0.2";
  services.synergy.client.screenName = "monad";

  # Both branches are false: bitlbee stays off regardless of is-minimal.
  services.bitlbee.enable = if extra.is-minimal then false else false;
  services.bitlbee.libpurple_plugins = with pkgs; [
    pidgin-skypeweb
    purple-facebook
    purple-hangouts
    telegram-purple
    purple-matrix
  ];

  # services.thelounge.enable = true;
  # services.thelounge.theme = "thelounge-theme-mininapse";
  # services.thelounge.port = 9002;

  # Encrypted upstream DNS is fully configured but disabled, and the dnsmasq
  # server lines that would point at it (127.0.0.1#43) are commented out
  # below, so this block currently has no effect.
  services.dnscrypt-proxy2.enable = false;
  services.dnscrypt-proxy2.settings = {

    listen_addresses = [ "127.0.0.1:43" ];
    server_names = ["cs-ca2" "ev-to"];
    fallback_resolver = "1.1.1.1:53";
    sources = {
      public-resolvers = {
        urls = ["https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md"
                "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md"
               ];
        cache_file = "public-resolvers.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        refresh_delay = 71;
      };

      relays = {
        urls = ["https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md"];
        cache_file = "relays.md";
        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        refresh_delay = 71;
      };
    };
    anonymized_dns.routes = [
      { server_name="cs-ca2"; via=["anon-ev-va"]; }
      { server_name="ev-to"; via=["anon-cs-ca2"]; }
    ];
  };

  # Local resolver. With dnscrypt-proxy2 off, every upstream query goes to
  # 8.8.8.8 / 8.8.4.4 unencrypted.
  services.dnsmasq.enable = true;
  services.dnsmasq.resolveLocalQueries = true;
  #services.dnsmasq.servers = ["127.0.0.1#43"];
  # services.dnsmasq.servers = ["127.0.0.1#43" "1.1.1.1" "8.8.8.8"];
  services.dnsmasq.settings.server = ["8.8.8.8" "8.8.4.4" ];
  # Extra config and hosts files live outside the store. The block/unblock
  # services below rewrite /var/distracting-hosts, which is not named here —
  # presumably it is included from /var/dnsmasq-hosts; confirm.
  services.dnsmasq.settings.conf-file = "/var/dnsmasq-hosts";
  services.dnsmasq.settings.addn-hosts = "/var/hosts";
  services.dnsmasq.settings.dns-forward-max = 1024;

  services.bitlbee.plugins = with pkgs; [
    bitlbee-mastodon
  ];

  # shitcoin vendor
  services.keybase.enable = false;

  # Weekday 09:00 timer (system unit): swaps in the blocking hosts file,
  # restarts dnsmasq to drop its cache, and kills every qutebrowser process
  # on the host (pkill is not scoped to a user).
  systemd.services.block-distracting-hosts = {
    description = "Block Distracting Hosts";

    path = with pkgs; [ systemd procps ];

    serviceConfig.ExecStart = util.writeBash "block-distracting-hosts" ''
      set -e
      cp /var/undistracting-hosts /var/distracting-hosts

      # crude way to clear the cache...
      systemctl restart dnsmasq
      pkill qutebrowser
    '';

    startAt = "Mon..Fri *-*-* 09:00:00";
  };

  # Disabled. When enabled it loops forever in the user session, running
  # git-email-contacts in three checkouts every 30 minutes and fetching
  # upstream nixpkgs; the agent socket path is hard-coded to uid 1000.
  systemd.user.services.bitcoin-contacts = {
    enable = false;
    description = "Email bitcoin PR patches that have me as a git-contact";

    wantedBy    = [ "graphical-session.target" ];
    after       = [ "graphical-session.target" ];

    path = with pkgs; [ openssh msmtp libnotify netcat gitFull ];

    environment = {
	SSH_AUTH_SOCK = "/run/user/1000/ssh-agent";
    };

    serviceConfig.ExecStart = util.writeBash "bitcoin-contacts" ''
	export SSH_ASKPASS="${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"
	while true
	do
		duration="30m"
		cd /home/jb55/dev/github/bitcoin/bitcoin 
		${git-email-contacts}
		git gc
		cd /home/jb55/dev/github/bitcoin-core/gui 
		${git-email-contacts}
		git gc
		cd /home/jb55/etc/nixpkgs-master
		git fetch -p upstream
		${git-email-contacts}
		git gc
		printf "done for now, waiting %s...\n" $duration 2>&1
		sleep $duration
	done
    '';
  };

  # Daily 19:30 timer: asks the spotify MPRIS player to stop over D-Bus.
  systemd.user.services.stop-spotify-bedtime = {
    enable      = if extra.is-minimal then false else true;
    description = "Stop spotify when Elliott goes to bed";
    wantedBy    = [ "graphical-session.target" ];
    after       = [ "graphical-session.target" ];
    serviceConfig.ExecStart = "${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Stop";

    startAt = "*-*-* 19:30:00";
  };

  # Weekday 17:00 counterpart of block-distracting-hosts: truncates the
  # blocking hosts file and restarts dnsmasq.
  systemd.services.unblock-distracting-hosts = {
    enable = if extra.is-minimal then false else true;

    description = "Unblock Distracting Hosts";

    path = with pkgs; [ systemd ];

    serviceConfig.ExecStart = util.writeBash "unblock-distracting-hosts" ''
      set -e
      echo "" > /var/distracting-hosts
      systemctl restart dnsmasq
    '';

    startAt = "Mon..Fri *-*-* 17:00:00";
  };

  #virtualisation.docker.enable = if extra.is-minimal then false else true;

  boot.kernelPatches = [
    #{ # pci acs hack, not really safe or a good idea
    #  name = "acs-overrides";
    #  patch = pkgs.fetchurl {
    #    url = "https://aur.archlinux.org/cgit/aur.git/plain/add-acs-overrides.patch?h=linux-vfio";
    #    sha256 = "1b1qjlqkbwpv82aja48pj9vpi9p6jggc8g92p4rg7zjjjs2ldp24";
    #  };
    #}
  ];

  #boot.kernelParams = [ "pcie_acs_override=downstream" ];

  # Exposes the c-lightning RPC unix socket on TCP port 7878. The only access
  # control is socat's `range=10.100.0.2/32` source-address filter: there is
  # no authentication, and without a bind= option the listener is on all
  # interfaces. A peer that reaches this port as that address has full RPC
  # access to the mainnet node.
  systemd.user.services.clightning-rpc-tunnel = {
    description = "clightning mainnet rpc tunnel";
    wantedBy = [ "default.target" ];
    after    = [ "default.target" ];

    serviceConfig.ExecStart = extra.util.writeBash "lightning-tunnel" ''
      ${pkgs.socat}/bin/socat -d -d TCP-LISTEN:7878,fork,reuseaddr,range=10.100.0.2/32 UNIX-CONNECT:/home/jb55/.lightning/bitcoin/lightning-rpc
    '';
  };

  #virtualisation.libvirtd.enable = false;
  #virtualisation.libvirtd.qemuOvmf = false;
  #virtualisation.libvirtd.qemuVerbatimConfig = ''
  #  user = "jb55"
  #  group = "kvm"
  #  cgroup_device_acl = [
  #    "/dev/input/by-id/usb-Topre_Corporation_Realforce-event-kbd",
  #    "/dev/input/by-id/usb-Razer_Razer_DeathAdder_2013-event-mouse",
  #    "/dev/null", "/dev/full", "/dev/zero",
  #    "/dev/random", "/dev/urandom",
  #    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
  #    "/dev/rtc","/dev/hpet", "/dev/sev"
  #  ]
  #'';

  # Hourly: downloads the published AWS IP ranges and issues one bitcoind
  # `setban <prefix> add` JSON-RPC call per prefix (the third parameter is
  # presumably the ban duration — confirm). The RPC credentials are handed to
  # curl via -u on the command line, so they can be read from the process
  # list while the request runs, and they are interpolated into the script
  # text itself (presumably a world-readable store path — confirm what
  # util.writeBash produces). The "chill for a bit" comment has no matching
  # sleep.
  systemd.user.services.btc-ban-aws = {
    enable   = if extra.is-minimal then false else true;
    description = "Ban Bitcoin EC2 nodes";
    wantedBy = [ "bitcoind-mainnet.service" ];
    after    = [ "bitcoind-mainnet.service" ];
    serviceConfig.ExecStart = util.writeBash "btc-ban-ec2" ''
      # lets chill for a bit before we do this
      ${pkgs.curl}/bin/curl -s 'https://ip-ranges.amazonaws.com/ip-ranges.json' |
      ${pkgs.jq}/bin/jq -rc '.prefixes[].ip_prefix | {"jsonrpc": "1.0", "id":"aws-banscript", method: "setban", "params": [., "add", 3450]}' |
      ${pkgs.jq}/bin/jq -s  |
      ${pkgs.curl}/bin/curl -s -u ${extra.private.btc-user}:${extra.private.btc-pass} --data-binary @/dev/stdin -H 'content-type: text/plain' ${extra.private.btc-rpc-host}:${extra.private.btc-rpc-port}
    '';
    startAt = "*-*-* *:00:00"; #hourly
  };

  environment.systemPackages = [ pkgs.virt-manager ];

  # Declared but disabled. As written, enabling it would also open the
  # firewall port and turn on rcon with a fixed, checked-in password.
  services.minecraft-server.enable = false;
  services.minecraft-server.eula = true;
  services.minecraft-server.openFirewall = true;
  services.minecraft-server.declarative = true;
  services.minecraft-server.serverProperties = {
    server-port = 25565;
    difficulty = "normal";
    gamemode = "survival";
    force-gamemode = true;
    max-players = 2;
    motd = "NixOS Minecraft server!";
    white-list = false;
    enable-rcon = true;
    "rcon.password" = "minecraft";
  };

  # VirtualBox is off; note that enableHardening = false is retained and
  # would apply if it were switched back on.
  virtualisation.virtualbox.host.enable = false;
  virtualisation.virtualbox.host.enableHardening = false;
  #virtualization.virtualbox.host.enableExtensionPack = true;

  users.extraUsers.jb55.extraGroups = [ "vboxusers" "bitcoin" "kvm" "input" ];

  services.xserver.videoDrivers = [ ];

  # Group memberships that let nginx read tor/transmission state and jb55
  # reach the bitcoin and nginx groups.
  users.extraGroups.tor.members = [ "jb55" "nginx" ];
  users.extraGroups.bitcoin.members = [ "jb55" ];
  users.extraGroups.nginx.members = [ "jb55" ];
  users.extraGroups.transmission.members = [ "nginx" "jb55" ];

  programs.mosh.enable = false;
  programs.adb.enable = true;

  documentation.nixos.enable = false;

  # Both branches are false for both services.
  services.redis.enable = if extra.is-minimal then false else false;
  services.mongodb.enable = if extra.is-minimal then false else false;

  services.zeronet.enable = false;
  #services.zeronet.trackers = ''
  #  http://tracker.nyap2p.com:8080/announce
  #  http://tracker3.itzmx.com:6961/announce
  #  http://tracker1.itzmx.com:8080/announce
  #  https://trakx.herokuapp.com:443/announce
  #  udp://ultra.zt.ua:6969/announce
  #'';

  # Tor daemon settings (and the nginx block that goes with them) come from
  # extra.private.
  services.tor.enable = if extra.is-minimal then false else true;
  services.tor.controlPort = 9051;
  services.tor.client.enable = true;
  services.tor.settings = extra.private.tor.settings;

  services.fcgiwrap.enable = if extra.is-minimal then false else true;

  # Disabled; the cache.monad.jb55.com vhost in httpConfig below is keyed off
  # the same option and is therefore not emitted either.
  services.nix-serve.enable = false;
  services.nix-serve.bindAddress = nix-serve.bindAddress;
  services.nix-serve.port = nix-serve.port;

  services.xserver.screenSection = ''
    Option "metamodes" "1920x1080_144 +0+0"
    Option "dpi" "96 x 96"
  '';

  # Three vhosts: a public autoindex on monad.jb55.com, a WebDAV-writable
  # notes.jb55.com, and (only when nix-serve is enabled) a reverse proxy for
  # the binary cache; the tor vhost is appended from extra.private. The notes
  # vhost accepts PUT/DELETE/MKCOL/COPY/MOVE with `dav_access ... all:rw` and
  # no auth directive in this block, and it listens on the LAN and ZeroTier
  # addresses as well as the default, so anything that can reach those
  # addresses can write under /var/www/notes (nginx is granted
  # ReadWritePaths on /var/www for that purpose).
  services.nginx.enable = if extra.is-minimal then false else true;
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
  services.nginx.httpConfig = ''
      server {
        listen 80 default_server;
        listen ${extra.machine.ztip}:80 default_server;
        listen 192.168.87.26 default_server;

        server_name monad.jb55.com;

        location / {
          root                  /var/www/public;
          autoindex on;
          index index.html;
        }
      }

      server {
        listen 80;
        listen ${extra.machine.ztip}:80;
        listen 192.168.87.26;

	server_name notes.jb55.com;

	location / {
	    root                  /var/www/notes;
	    autoindex on;
            index index.html;

	    client_body_temp_path /var/www/tmp;

	    dav_methods PUT DELETE MKCOL COPY MOVE;
	    dav_ext_methods PROPFIND OPTIONS;

	    client_max_body_size 10M;

	    create_full_put_path  on;
	    dav_access            user:rw group:rw  all:rw;
	}
      }

    '' + (if config.services.nix-serve.enable then ''
      server {
        listen ${nix-serve.bindAddress}:80;
        server_name cache.monad.jb55.com;

        location / {
          proxy_pass  http://${nix-serve.bindAddress}:${toString nix-serve.port};
          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
          proxy_redirect off;
          proxy_buffering off;
          proxy_set_header        Host            $host;
          proxy_set_header        X-Real-IP       $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
    '' else "") + (if config.services.tor.enable then extra.private.tor.nginx else "");

  # services.footswitch = {
  #   enable = false;
  #   enable-led = true;
  #   led = "input5::numlock";
  # };

  # Boot-time oneshot: loads the msr module and runs the pinned ZenStates
  # script to disable the C6 sleep state on Ryzen.
  systemd.services.disable-c6 = {
    description = "Ryzen Disable C6 State";

    wantedBy = [ "basic.target" ];
    after = [ "sysinit.target" "local-fs.target" ];

    serviceConfig.Type = "oneshot";
    serviceConfig.ExecStart = util.writeBash "disable-c6-state" ''
      ${pkgs.kmod}/bin/modprobe msr
      ${pkgs.python3}/bin/python ${zenstates}/zenstates.py --c6-disable --list
    '';
  };

  services.mysql.enable = false;
  services.mysql.package = pkgs.mariadb;

  # Both commented-out postgres variants below use `trust` authentication for
  # the whole 192.168.87.0/24 LAN and listen on 0.0.0.0; do not re-enable
  # them as-is.
  # services.postgresql = {
  #   dataDir = "/var/db/postgresql/100/";
  #   enable = true;
  #   package = pkgs.postgresql_10;
  #   # extraPlugins = with pkgs; [ pgmp ];
  #   authentication = pkgs.lib.mkForce ''
  #     # type db  user address            method
  #     local  all all                     trust
  #     host   all all  127.0.0.1/32       trust
  #     host   all all  192.168.87.0/24    trust
  #   '';
  #   extraConfig = ''
  #     listen_addresses = '0.0.0.0'
  #   '';
  # };

  # services.postgresql = {
  #   dataDir = "/var/db/postgresql/96/";
  #   enable = true;
  #   package = pkgs.postgresql96;
  #   # extraPlugins = with pkgs; [ pgmp ];
  #   authentication = pkgs.lib.mkForce ''
  #     # type db  user address            method
  #     local  all all                     trust
  #     host   all all  127.0.0.1/32       trust
  #     host   all all  192.168.87.0/24    trust
  #   '';
  #   extraConfig = ''
  #     listen_addresses = '0.0.0.0'
  #   '';
  # };

  # for kmsgrab streaming
  # The wrapper gives ffmpeg CAP_SYS_ADMIN (effective + permitted), which is
  # close to full root. NOTE(review): verify which users can execute the
  # wrapper (its `permissions` attribute is not set here) and keep that set
  # as small as possible.
  security.wrappers.ffmpeg = {
    source = "${pkgs.ffmpeg}/bin/ffmpeg";
    capabilities = "cap_sys_admin+ep";
    owner = "root";
    group = "root";
  };

  # security.pam.u2f = {
  #   enable = true;
  #   interactive = true;
  #   cue = true;
  #   control = "sufficient";
  #   authfile = "${pkgs.writeText "pam-u2f-config" ''
  #     jb55:vMXUgYb1ytYmOVgqFDwVOxJmvVI9F3gdSJVbvsi1A1VA-3mftTUhgARo4Kmm_8SAH6IJJ8p3LSXPSbtTSXMIpQ,04d8c1542a7391ee83112a577db968b84351f0090a9abe7c75bedcd94777cf15727c68ce4ac8858ff2812ded3c86d978efc5893b25cf906032632019fe792d3ec4
  #   ''}";
  # };

}
    441   #   interactive = true;
    442   #   cue = true;
    443   #   control = "sufficient";
    444   #   authfile = "${pkgs.writeText "pam-u2f-config" ''
    445   #     jb55:vMXUgYb1ytYmOVgqFDwVOxJmvVI9F3gdSJVbvsi1A1VA-3mftTUhgARo4Kmm_8SAH6IJJ8p3LSXPSbtTSXMIpQ,04d8c1542a7391ee83112a577db968b84351f0090a9abe7c75bedcd94777cf15727c68ce4ac8858ff2812ded3c86d978efc5893b25cf906032632019fe792d3ec4
    446   #   ''}";
    447   # };
    448 
    449 }