Sun Nov 27 08:48:03 PM CET 2022

machine/vps.nix

@@ -2,6 +2,22 @@
 let
   secrets = import ../configs/secrets.nix;
   be = import ../configs/borg-exclude.nix;
+  unstable = import <nixos-unstable> { config.allowUnfree = true; };
+
+  configFile = pkgs.writeText "monero.conf" ''
+    log-file=/dev/stdout
+    data-dir=/var/lib/monero
+    rpc-bind-ip=127.0.0.1
+    rpc-bind-port=18081
+    enforce-dns-checkpointing=true
+    enable-dns-blocklist=true # Block known-malicious nodes
+    no-igd=true # Disable UPnP port mapping
+    no-zmq=true # ZMQ configuration
+
+    # bandwidth settings
+    out-peers=32 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
+    in-peers=32 # The default is unlimited; we prefer to put a cap on this
+  '';
 in {
   imports = [
     /etc/nixos/hardware-configuration.nix
@@ -10,21 +26,21 @@ in {
     ../configs/user.nix
   ];
 
-  # Use the GRUB 2 boot loader.
+  boot.loader.grub = {
-  boot.loader.grub.enable = true;
+    enable = true;
-  boot.loader.grub.version = 2;
+    version = 2;
-  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+    device = "/dev/sda"; # or "nodev" for efi only
-
+  };
-  networking.hostName = "vps"; # Define your hostname.
 
   fileSystems."/export/docker" = {
     device = "/home/alex/docker";
     options = [ "bind" ];
   };
 
-  # Set your time zone.
   time.timeZone = "Europe/Berlin";
+
   networking = {
+    hostName = "vps"; # Define your hostname.
     useDHCP = false;
     #    defaultGateway = {
     #     "address" = "gw.contabo.net";
@@ -61,7 +77,7 @@ in {
           {
             publicKey = secrets.wireguard-mini-public;
             presharedKey = secrets.wireguard-preshared;
-            allowedIPs = [ "10.100.0.3/32" ];
+            allowedIPs = [ "10.100.0.3/32" "192.168.178.0/24" ];
           }
           {
             publicKey = secrets.wireguard-mbp-public;
@@ -81,7 +97,6 @@ in {
         ];
       };
     };
-
     nat = {
       enable = true;
       externalInterface = "ens18";
@@ -89,19 +104,42 @@ in {
     };
     firewall = {
       allowPing = true;
-      allowedTCPPorts = [ 80 443 22000 ];
+      allowedTCPPorts = [
-      allowedUDPPorts = [ 80 443 51820 ];
+        80 # web
-      interfaces.wg0 = { allowedTCPPorts = [ 61208 19999 2049 ]; };
+        443 # web
+        9898 # i2p
+        9899
+        18080
+        22000 # syncthing
+      ];
+      allowedUDPPorts = [
+        80 # web
+        443 # web
+        9898 # i2p
+        51820 # wireguard
+      ];
+      interfaces.wg0 = {
+        allowedTCPPorts = [
+          19999 # netdata
+          2049
+          4444 # i2p http proxy
+          61208 # foo
+          7070 # i2p control
+          7654 # i2p torrent
+        ];
+      };
       # extraCommands = ''
       #   iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
       # '';
     };
   };
 
-  environment.systemPackages = with pkgs; [ goaccess ];
+  environment.systemPackages = with pkgs; [ goaccess xd nyx ];
 
-  programs.mtr.enable = true;
+  programs = {
-  programs.fuse.userAllowOther = true;
+    mtr.enable = true;
+    fuse.userAllowOther = true;
+  };
 
   security.acme.defaults.email = "webmaster@szczepan.ski";
   security.acme.acceptTerms = true;
@@ -128,6 +166,7 @@ in {
         "szczepan.ski" = {
           forceSSL = true;
           enableACME = true;
+          globalRedirect = "www.linkedin.com/in/alexander-szczepanski-0254967b";
           #root = "/var/www/myhost.org";
         };
         "nextcloud.szczepan.ski" = {
@@ -208,6 +247,11 @@ in {
           enableACME = true;
           locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; };
         };
+        "photoprism.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = { "/" = { proxyPass = "http://127.0.0.1:2342/"; }; };
+        };
         "syncthing.szczepan.ski" = {
           forceSSL = true;
           enableACME = true;
@@ -233,7 +277,7 @@ in {
           enableACME = true;
           locations = {
             "/" = {
-              proxyPass = "http://10.100.0.6:8123/";
+              proxyPass = "http://10.100.0.3:8123/";
               proxyWebsockets = true;
             };
           };
@@ -250,6 +294,24 @@ in {
             };
           };
         };
+        "vaultwarden.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:8092/";
+              proxyWebsockets = true;
+            };
+            "/notifications/hub" = {
+              proxyPass = "http://127.0.0.1:3012";
+              proxyWebsockets = true;
+            };
+            "/notifications/hub/negotiate" = {
+              proxyPass = "http://127.0.0.1:8092/";
+              proxyWebsockets = true;
+            };
+          };
+        };
       };
     };
 
@@ -270,26 +332,6 @@ in {
       };
     };
 
-    samba = {
-      enable = false;
-      openFirewall = true;
-
-      # This adds to the [global] section:
-      extraConfig = ''
-        browseable = yes
-        smb encrypt = required
-      '';
-
-      shares = {
-        homes = {
-          browseable =
-            "no"; # note: each home will be browseable; the "homes" share will not.
-          "read only" = "no";
-          "guest ok" = "no";
-        };
-      };
-    };
-
     nfs.server = {
       enable = false;
       exports = ''
@@ -298,6 +340,107 @@ in {
       '';
     };
 
+    # vaultwarden = {
+    #   enable = true;
+    #   config = {
+    #     domain = "https://vaultwarden.szczepan.ski";
+    #     signupsAllowed = false;
+    #     rocketPort = 8092;
+    #     rocketAddress = "127.0.0.1";
+    #     # adminToken =
+    #     #   "jCehRECvxqWmXKMZx3dgtVEdJuqUxXoODEagItTPptBizG9SGQLCpTqjZoBM4ZDa";
+    #     websocketEnabled = true;
+    #     websocketAddress = "127.0.0.1";
+    #     websocketPort = 3012;
+    #   };
+    # };
+
+    # bitcoind.main = { enable = false; };
+    # monero = {
+    #   enable = true;
+    #   # limits = { threads = 4; };
+    #   rpc = {
+    #     user = "alex";
+    #     password = secrets.moneroUserPassword;
+    #     #address = "10.100.0.1";
+    #   };
+    #   limits = {
+    #     download = 1048576;
+    #     upload = 1048576;
+    #   };
+    #   extraConfig = ''
+    #     enforce-dns-checkpointing=true
+    #     enable-dns-blocklist=true # Block known-malicious nodes
+    #     no-igd=true # Disable UPnP port mapping
+    #     no-zmq=true # ZMQ configuration
+
+    #     # bandwidth settings
+    #     out-peers=32 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
+    #     in-peers=32 # The default is unlimited; we prefer to put a cap on this
+    #   '';
+    # };
+
+    i2pd = {
+      enable = true;
+      ifname = "ens18";
+      address = "207.180.220.97";
+      # TCP & UDP
+      port = 9898;
+      #   myEep = {
+      #     enable = true;
+      #     keys = "myEep-keys.dat";
+      #     inPort = 80;
+      #     address = "::1";
+      #     destination = "::1";
+      #     port = 8081;
+      #     # inbound.length = 1;
+      #     # outbound.length = 1;
+      #   };
+      # };
+      # websocket = {
+      #   enable = true;
+      #   address = "10.100.0.1";
+      # };
+      proto = {
+        http = {
+          enable = true;
+          address = "10.100.0.1";
+        };
+
+        httpProxy = {
+          enable = true;
+          address = "10.100.0.1";
+        };
+
+        socksProxy = {
+          enable = true;
+          address = "10.100.0.1";
+        };
+
+        i2cp = {
+          enable = true;
+          address = "10.100.0.1";
+        };
+
+        sam = { enable = true; };
+      };
+
+      enableIPv4 = true;
+      enableIPv6 = true;
+    };
+
+    tor = {
+      enable = true;
+      # relay = {
+      #   enable = true;
+      #   role = "private-bridge";
+      # };
+      settings = {
+        ORPort = 9001;
+        ControlPort = 9051;
+      };
+    };
+
     fail2ban = {
       enable = true;
 
@@ -330,22 +473,50 @@ in {
         passphrase = secrets.borg-key;
       };
       extraCreateArgs =
-        "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
+        "--stats --verbose --checkpoint-interval 600 --exclude-caches";
       environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
-      paths = "/home/alex";
+      paths = [ "/home/alex" "/var/lib" ];
       repo = secrets.borg-repo;
       startAt = "daily";
-      # user = "alex";
       prune.keep = {
         daily = 7;
         weekly = 4;
         monthly = 6;
       };
-      extraPruneArgs = "--save-space --list --stats";
+      extraPruneArgs = "--save-space --stats";
-      exclude = map (x: paths + "/" + x) be.borg-exclude;
+      exclude = [
+        "/home/alex/docker/jellyfin/data"
+        "/home/alex/.cache"
+        "/var/lib/monero"
+      ];
     };
   };
 
+  # users.users.monero = {
+  #   isSystemUser = true;
+  #   group = "monero";
+  #   description = "Monero daemon user";
+  #   home = "/var/lib/monero";
+  #   createHome = true;
+  # };
+
+  # users.groups.monero = { };
+
+  # systemd.services.monero = {
+  #   description = "monero daemon";
+  #   after = [ "network.target" ];
+  #   wantedBy = [ "multi-user.target" ];
+
+  #   serviceConfig = {
+  #     User = "monero";
+  #     Group = "monero";
+  #     ExecStart =
+  #       "${unstable.pkgs.monero-cli}/bin/monerod --config-file=${configFile} --non-interactive";
+  #     Restart = "always";
+  #     SuccessExitStatus = [ 0 1 ];
+  #   };
+  # };
+
   # Limit stack size to reduce memory usage
   systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;