retooling and updated README

2026-03-24 16:38:45 -05:00
parent 6202faa622
commit bae37a7059
12 changed files with 754 additions and 55 deletions
--- a/modules/bip110.nix
+++ b/modules/bip110.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, bip110, ... }:
+
+{
+
+services.bitcoind.packages = lib.mkForce bip110.packages.x86_64-linux.bitcoind-knots-bip-110;
+
+}
--- a/modules/bitcoin-core.nix
+++ b/modules/bitcoin-core.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  services.bitcoind.package = lib.mkForce config.nix-bitcoin.pkgs.bitcoind;
+
+}
--- a/modules/core/role-logix.nix
+++ b/modules/core/role-logix.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+{
+  config = lib.mkMerge [
+
+    # Server-Desktop Role most services enabled
+    (lib.mkIf config.sovran_systemsOS.roles.server-desktop {
+      sovran_systemsOS.features = {
+        synapse = true;
+        bitcoin = true;
+        coturn = true;
+        vaultwarden = true;
+        haven = false;
+        mempool = false;
+        bip110 = false;
+        element-calling = false;
+        bitcoin-core = false;
+        rdp = false;
+      };
+    })
+
+    # Desktop role
+    (lib.mkIf config.sovran_systemsOS.roles.desktop {
+      services.xserver.enable = true;
+      services.desktopManager.gnome.enable = true;
+    })
+
+    # Bitcoin node role
+    (lib.mkIf config.sovran_systemsOS.roles.node {
+      sovran_systemsOS.features = {
+        bitcoin = true;
+        bip110 = false;
+      };
+    })
+
+  ];
+}
--- a/modules/core/roles.nix
+++ b/modules/core/roles.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+
+{
+  options.sovran_systemsOS = {
+    roles = {
+      server-desktop = lib.mkOption {
+        type = lib.types.bool;
+        default = !config.sovran_sovransystemsOS.roles.desktop && !config.sovran_systemsOS.roles.node;
+      };
+      desktop = lib.mkEnableOption "Desktop Role";
+      node = lib.mkEnableOption "Bitcoin Node Only Role";
+    };
+
+    features = {
+      coturn = lib.mkEnableOption "TURN server";
+      synapse = lib.mkEnableOption "Matrix Synapse";
+      bitcoin = lib.mkEnableOption "Bitcoin Ecosystem";
+      vaultwarden = lib.mkEnableOption "Vaultwarden";
+      haven = lib.mkEnableOption "Haven NOSTR relay";
+      bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money";
+      mempool = lib.mkEnableOption "Bitcoin Mempool Explorer";
+      element-calling = lib.mkEnableOption "Element Video and Audio Calling";
+      bitcoin-core = lib.mkEnableOption "Bitcoin Core";
+      rdp = lib.mkEnableOption "Gnome Remote Desktop";
+    };
+  };
+}
--- a/modules/element-calling.nix
+++ b/modules/element-calling.nix
@@ -0,0 +1,161 @@
+{ config, pkgs, lib, ... }:
+
+let
+
+personalization = import ./personalization.nix;
+
+in
+  
+{
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/domains/element-calling 0750 caddy php -"
+  ];
+
+
+  "${personalization.matrix_url}" = lib.mkForce {
+    extraConfig = ''
+      reverse_proxy /_matrix/* http://localhost:8008 
+      reverse_proxy /_synapse/client/* http://localhost:8008  
+      header /.well-known/matrix/* Content-Type "application/json"
+      header /.well-known/matrix/* Access-Control-Allow-Origin "*"
+      header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+      header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
+      respond /.well-known/matrix/client `{ "m.homeserver": {"base_url": "https://anarchyislove.xyz" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://${personalization.element-calling_url}/livekit/jwt" }] }`
+    '';				
+  };
+				
+
+		"${personalization.element-calling_url}" = {
+			extraConfig = ''
+				handle /livekit/jwt/sfu/get {
+				  uri strip_prefix /livekit/jwt
+				  reverse_proxy [::1]:8073 {
+				    header_up Host {host}
+				    header_up X-Forwarded-Server {host}
+				    header_up X-Real-IP {remote_host}
+				    header_up X-Forwarded-For {remote_host}
+				  }
+				}
+				  
+				handle {
+				  reverse_proxy localhost:7880
+				}
+			'';	
+		};
+
+  services.livekit = {
+    enable = true;
+    openFirewall = true; 
+    settings = {
+      rtc.use_external_ip = true;
+      rtc.udp_port = "7882-7894";
+    room = {
+      auto_create = false;
+    };
+    turn = {
+      enabled = true;
+      domain = "${personalization.matrix_url}";
+      tls_port = 5349;
+      udp_port = 3478;
+      cert_file = "/var/lib/livekit/${personalization.matrix_url}.crt";
+      key_file = "/var/lib/livekit/${personalization.matrix_url}.key";
+      };
+    };
+    keyFile = "/var/lib/livekit/livekit_keyFile";
+  };
+  
+  networking.firewall.allowedTCPPorts = [ 7881 ]; #Livekit TCP Port
+		
+  networking.firewall.allowedUDPPortRanges = [
+	  { from=7882; to=7894; }
+  ];
+
+  services.lk-jwt-service = {
+	enable = true;
+	port = 8073;
+	livekitUrl = "wss://${personalization.element-calling_url}";
+	keyFile = "/var/lib/livekit/livekit_keyFile";	
+  };
+
+  services.matrix-synapse = {
+    settings = lib.mkForce {
+    
+      serve_server_wellknown = true;
+
+      public_baseurl = ${personalization.matrix_url};
+
+      experimental_features = {
+        msc3266_enabled = true;
+        msc4222_enabled = true;
+      };
+
+      max_event_delay_duration = "24h";
+
+      rc_message = { 
+        per_second = 0.5;
+        burst_count = 30;
+      };
+
+      rc_delayed_event_mgmt = {
+        per_second = 1;
+        burst_count = 20;
+      };
+
+      push.include_content = false;
+      server_name = personalization.matrix_url;
+      url_preview_enabled = true;
+      max_upload_size = "1024M";
+      group_unread_count_by_room = false;
+      encryption_enabled_by_default_for_room_type = "invite";
+      allow_profile_lookup_over_federation = false;
+      allow_device_name_lookup_over_federation = false;
+       
+      url_preview_ip_range_blacklist = [
+          "10.0.0.0/8"
+          "100.64.0.0/10"
+          "169.254.0.0/16"
+          "172.16.0.0/12"
+          "192.0.0.0/24"
+          "192.0.2.0/24"
+          "192.168.0.0/16"
+          "192.88.99.0/24"
+          "198.18.0.0/15"
+          "198.51.100.0/24"
+          "2001:db8::/32"
+          "203.0.113.0/24"
+          "224.0.0.0/4"
+          "::1/128"
+          "fc00::/7"
+          "fe80::/10"
+          "fec0::/10"
+          "ff00::/8"
+        ];
+
+       url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
+       presence.enabled = true;
+       enable_registration = false;
+       registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
+       listeners = [
+        {
+          port = 8008;
+          bind_addresses = [ "::1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [ 
+            {
+              names = [ "client" ];
+              compress = true;
+            } 
+            {
+              names = [ "federation" ];
+              compress = false;
+            } 
+          ];
+        }
+      ];
+    };
+  };
+}
+
--- a/modules/haven.nix
+++ b/modules/haven.nix
@@ -0,0 +1,150 @@
+{config, pkgs, lib, ...}:
+
+let
+
+personalization = import ./personalization.nix;
+
+in
+
+{
+
+	services.haven = {
+		enable = true;
+		settings = {
+			OWNER_NPUB="";
+			RELAY_URL="*name*";
+
+			RELAY_PORT=3355;
+			RELAY_BIND_ADDRESS="0.0.0.0"; # Can be set to a specific IP4 or IP6 address ("" for all interfaces)
+			DB_ENGINE="badger"; # badger, lmdb (lmdb works best with an nvme, otherwise you might have stability issues)
+			LMDB_MAPSIZE=3000000000; # 0 for default (currently ~273GB), or set to a different size in bytes, e.g. 10737418240 for 10GB
+			BLOSSOM_PATH="blossom/";
+
+## Private Relay Settings
+			PRIVATE_RELAY_NAME="*name* private relay";
+			PRIVATE_RELAY_NPUB="";
+			PRIVATE_RELAY_DESCRIPTION="The Relay From Sovran Systems";
+#PRIVATE_RELAY_ICON="https://i.nostr.build/6G6wW.gif"
+
+## Private Relay Rate Limiters
+			PRIVATE_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL=50;
+			PRIVATE_RELAY_EVENT_IP_LIMITER_INTERVAL=1;
+			PRIVATE_RELAY_EVENT_IP_LIMITER_MAX_TOKENS=100;
+			PRIVATE_RELAY_ALLOW_EMPTY_FILTERS=true;
+			PRIVATE_RELAY_ALLOW_COMPLEX_FILTERS=true;
+			PRIVATE_RELAY_CONNECTION_RATE_LIMITER_TOKENS_PER_INTERVAL=3;
+			PRIVATE_RELAY_CONNECTION_RATE_LIMITER_INTERVAL=5;
+			PRIVATE_RELAY_CONNECTION_RATE_LIMITER_MAX_TOKENS=9;
+
+## Chat Relay Settings
+			CHAT_RELAY_NAME="*name* chat relay";
+			CHAT_RELAY_NPUB="";
+			CHAT_RELAY_DESCRIPTION="a relay for private chats";
+#CHAT_RELAY_ICON="https://i.nostr.build/6G6wW.gif"
+			CHAT_RELAY_WOT_DEPTH=3;
+			CHAT_RELAY_WOT_REFRESH_INTERVAL_HOURS=24;
+			CHAT_RELAY_MINIMUM_FOLLOWERS=3;
+
+## Chat Relay Rate Limiters
+			CHAT_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL=50;
+			CHAT_RELAY_EVENT_IP_LIMITER_INTERVAL=1;
+			CHAT_RELAY_EVENT_IP_LIMITER_MAX_TOKENS=100;
+			CHAT_RELAY_ALLOW_EMPTY_FILTERS=false;
+			CHAT_RELAY_ALLOW_COMPLEX_FILTERS=false;
+			CHAT_RELAY_CONNECTION_RATE_LIMITER_TOKENS_PER_INTERVAL=3;
+			CHAT_RELAY_CONNECTION_RATE_LIMITER_INTERVAL=3;
+			CHAT_RELAY_CONNECTION_RATE_LIMITER_MAX_TOKENS=9;
+
+## Outbox Relay Settings
+			OUTBOX_RELAY_NAME="*name* outbox relay";
+			OUTBOX_RELAY_NPUB="";
+			OUTBOX_RELAY_DESCRIPTION="a relay and Blossom server for public messages and media";
+#OUTBOX_RELAY_ICON="https://i.nostr.build/6G6wW.gif"
+
+## Outbox Relay Rate Limiters
+			OUTBOX_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL=100;
+			OUTBOX_RELAY_EVENT_IP_LIMITER_INTERVAL=600;
+			OUTBOX_RELAY_EVENT_IP_LIMITER_MAX_TOKENS=1000;
+			OUTBOX_RELAY_ALLOW_EMPTY_FILTERS=true;
+			OUTBOX_RELAY_ALLOW_COMPLEX_FILTERS=true;
+			OUTBOX_RELAY_CONNECTION_RATE_LIMITER_TOKENS_PER_INTERVAL=30;
+			OUTBOX_RELAY_CONNECTION_RATE_LIMITER_INTERVAL=10;
+			OUTBOX_RELAY_CONNECTION_RATE_LIMITER_MAX_TOKENS=90;
+
+## Inbox Relay Settings
+			INBOX_RELAY_NAME="*name* inbox relay";
+			INBOX_RELAY_NPUB="";
+			INBOX_RELAY_DESCRIPTION="send your interactions with my notes here";
+#INBOX_RELAY_ICON="https://i.nostr.build/6G6wW.gif"
+			INBOX_PULL_INTERVAL_SECONDS=600;
+
+## Inbox Relay Rate Limiters
+			INBOX_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL=10;
+			INBOX_RELAY_EVENT_IP_LIMITER_INTERVAL=1;
+			INBOX_RELAY_EVENT_IP_LIMITER_MAX_TOKENS=20;
+			INBOX_RELAY_ALLOW_EMPTY_FILTERS=false;
+			INBOX_RELAY_ALLOW_COMPLEX_FILTERS=false;
+			INBOX_RELAY_CONNECTION_RATE_LIMITER_TOKENS_PER_INTERVAL=3;
+			INBOX_RELAY_CONNECTION_RATE_LIMITER_INTERVAL=1;
+			INBOX_RELAY_CONNECTION_RATE_LIMITER_MAX_TOKENS=9;
+
+## WOT Settings
+			WOT_FETCH_TIMEOUT_SECONDS=60;
+			
+			WHITELISTED_NPUBS_FILE="/var/lib/haven/whitelisted_npubs.json";
+			
+			BLACKLISTED_NPUBS_FILE="";
+
+
+## LOGGING
+			HAVEN_LOG_LEVEL="INFO"; # DEBUG, INFO, WARNING or ERROR
+		};
+		
+		blastrRelays  = [
+			"nos.lol"
+			"relay.nostr.band"
+			"relay.snort.social"
+			"nostr.mom"
+			"relay.primal.net"
+			"no.str.cr"
+			"nostr21.com"
+			"nostrue.com"
+			"wot.nostr.party"
+			"wot.sovbit.host"
+			"wot.girino.org"
+			"relay.lexingtonbitcoin.org"
+			"zap.watch"
+			"satsage.xyz"
+			"wons.calva.dev"
+		];
+	
+	};
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/haven 0750 haven haven -"
+    "f /var/lib/haven/whitelisted_npubs.json 0770 haven haven -"
+  ];
+
+	services.caddy = {
+		virtualHosts = {
+			"${personalization.haven_url}" = {
+				extraConfig = ''					
+					reverse_proxy localhost:3355 {
+						header_up Host {host}
+						header_up X-Real-IP {remote_host}
+						header_up X-Forwarded-For {remote_host}
+						header_up X-Forwarded-Proto {scheme}
+						transport http {
+							versions 1.1
+						}
+					}
+					request_body {
+						max_size 100MB
+					}					
+				'';
+			};
+		};
+	};
+}	
+
+
--- a/modules/mempool.nix
+++ b/modules/mempool.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+  services.mempool = {
+      enable = true;
+      frontend.enable = true;
+  };
+
+  services.mysql.package = lib.mkForce pkgs.mariadb;
+
+  nix-bitcoin.onionServices.mempool-frontend.enable = true;
+
+  services.caddy = {
+      virtualHosts = {
+          ":60847" = {
+              extraConfig = ''
+                  reverse_proxy :60845
+                  encode gzip zstd
+              '';
+          };
+      };
+  };
+
+}
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -1,15 +1,21 @@
 { config, pkgs, lib, ... }:

 {
-
-	imports = [	
-		
-		./php.nix
-		./synapse.nix
-		./coturn.nix
-		./bitcoinecosystem.nix
-		./vaultwarden.nix
-		./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
-
-		];
+  imports =
+    [
+      ./core/roles.nix
+      ./core/role-logic.nix
+      ./php.nix
+      ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
+    ]
+    ++ lib.optional config.sovran_systemsOS.features.synapse ./synapse.nix
+    ++ lib.optional config.sovran_systemsOS.features.coturn ./coturn.nix
+    ++ lib.optional config.sovran_systemsOS.features.bitcoin ./bitcoinecosystem.nix
+    ++ lib.optional config.sovran_systemsOS.features.vaultwarden ./vaultwarden.nix
+    ++ lib.optional config.sovran_systemsOS.features.haven ./haven.nix
+    ++ lib.optional config.sovran_systemsOS.features.bip110 ./bip110.nix
+    ++ lib.optional config.sovran_systemsOS.features.element-calling ./element-calling.nix
+    ++ lib.optional config.sovran_systemsOS.features.mempool ./mempool.nix
+    ++ lib.optional config.sovran_systemsOS.features.bitcoin-core ./bitcoin-core.nix
+    ++ lib.optional config.sovran_systemsOS.features.rdp ./rdp.nix;
 }
--- a/modules/personalization.nix
+++ b/modules/personalization.nix
@@ -6,6 +6,8 @@ nextcloud_url = builtins.readFile /var/lib/domains/nextcloud;
 btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver;
 caddy_email_for_acme = builtins.readFile /var/lib/domains/sslemail;
 vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden;
+haven_url = builtins.readFile /var/lib/domains/haven;
+element-calling_url = builtins.readFile /var/lib/domains/element-calling;

 ##

--- a/modules/rdp.nix
+++ b/modules/rdp.nix
@@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.gnome.gnome-remote-desktop.enable = true;
+  
+  systemd.services.gnome-remote-desktop = { 
+    wantedBy = [ "graphical.target" ]; # for starting the unit automatically at boot
+  };
+  
+  services.displayManager.autoLogin.enable = lib.mkForce false;
+  
+  networking.firewall.allowedTCPPorts = [ 3389 ];
+
+  environment.systemPackages = with pkgs; [
+    freerdp
+  ];
+
+  systemd.services.gnome-remote-desktop-setup = {
+    description = "Initialize GNOME Remote Desktop RDP TLS and config";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "gnome-remote-desktop.service" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      StateDirectory = "gnome-remote-desktop";
+    };
+
+    script = ''
+      set -e
+
+      CERT_DIR=/var/lib/gnome-remote-desktop
+      KEY_FILE=$CERT_DIR/rdp-tls.key
+      CRT_FILE=$CERT_DIR/rdp-tls.crt
+
+      if [ ! -f "$KEY_FILE" ]; then
+        echo "Generating RDP TLS certificate..."
+
+        runuser -u gnome-remote-desktop -- \
+          ${pkgs.freerdp}/bin/winpr-makecert -silent -rdp \
+          -path "$CERT_DIR" rdp-tls
+      else
+        echo "TLS key already exists, skipping generation"
+      fi
+
+      # Always ensure config is set (safe to re-run)
+      ${pkgs.gnome.gnome-remote-desktop}/bin/grdctl --system rdp set-tls-key "$KEY_FILE"
+      ${pkgs.gnome.gnome-remote-desktop}/bin/grdctl --system rdp set-tls-cert "$CRT_FILE"
+      ${pkgs.gnome.gnome-remote-desktop}/bin/grdctl --system rdp enable
+      ${pkgs.gnome.gnome-remote-desktop}/bin/grdctl --system rdp set-credentials "free" "a"
+    '';
+  };
+}