add crypto

modules/nixos/hardware/gpu-passthru/default.nix

@@ -24,9 +24,9 @@ with lib.custom; let
     echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
 
     # Isolate host to core 0
-    systemctl set-property --runtime -- user.slice AllowedCPUs=0-8
-    systemctl set-property --runtime -- system.slice AllowedCPUs=0-8
-    systemctl set-property --runtime -- init.scope AllowedCPUs=0-8
+    systemctl set-property --runtime -- user.slice AllowedCPUs=0-15
+    systemctl set-property --runtime -- system.slice AllowedCPUs=0-15
+    systemctl set-property --runtime -- init.scope AllowedCPUs=0-15
 
     # disable vpn
     mullvad disconnect -w
@@ -237,9 +237,11 @@ in {
       ln -Tfs /etc/libvirt/hooks /var/lib/libvirt/hooks
     '';
 
-    environment.systemPackages = with pkgs; [
-      libguestfs-with-appliance
-    ];
+    # environment.systemPackages = with pkgs; [
+    #   libguestfs
+    # ];
+
+    networking.firewall.trustedInterfaces = ["virbr0"];
 
     environment.etc = {
       "/libvirt/hooks/qemu" = {

modules/nixos/hardware/nvidia/default.nix

@@ -37,7 +37,7 @@ in {
       # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
       # Only available from driver 515.43.04+
       # Currently alpha-quality/buggy, so false is currently the recommended setting.
-      open = true;
+      open = false;
 
       # Enable the Nvidia settings menu,
       # accessible via `nvidia-settings`.

modules/nixos/services/crypto/default.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.services.crypto;
+in {
+  options.services.crypto = with types; {
+    enable = mkBoolOpt false "Enable Monero";
+  };
+  config = mkIf cfg.enable {
+    services.wg-container.enable = true;
+
+    systemd.services.monero.vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+
+    services.monero = {
+      enable = true;
+      mining.enable = false;
+      rpc = {address = "192.168.15.1";};
+      extraConfig = ''
+        confirm-external-bind=1
+      '';
+    };
+  };
+}

modules/nixos/services/mail/default.nix

@@ -66,7 +66,7 @@ in {
 
       certificateScheme = "acme-nginx";
       virusScanning = true;
-      stateVersion = 1;
+      stateVersion = 3;
     };
 
     # services.nginx = {

modules/nixos/services/transmission/default.nix

@@ -0,0 +1,38 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.services.torrent;
+in {
+  options.services.torrent = with types; {
+    enable = mkBoolOpt false "Enable Transmission Service (for Linux ISOs)";
+  };
+  config = mkIf cfg.enable {
+    services.wg-container.enable = true;
+
+    systemd.services.transmission.vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+
+    services.transmission = {
+      enable = true;
+      package = pkgs.transmission_4;
+      settings = {
+        incomplete-dir-enabled = true;
+        rpc-bind-address = "192.168.15.1"; # Bind RPC/WebUI to VPN network namespace address
+        rpc-whitelist-enabled = false;
+        rpc-whitelist = [
+          "192.168.15.1"
+          "192.168.15.5" # Access from default network namespace
+          "192.168.1.*" # Access from other machines on specific subnet
+          "127.0.0.1" # Access through loopback within VPN network namespace
+        ];
+      };
+    };
+  };
+}

modules/nixos/services/wg-container/default.nix

@@ -0,0 +1,50 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.services.wg-container;
+in {
+  options.services.wg-container = with types; {
+    enable = mkBoolOpt false "Enable Wireguard Container";
+  };
+  config = mkIf cfg.enable {
+    sops = {
+      defaultSopsFile = ../../../.sops.yaml;
+      gnupg.home = "/var/lib/sops";
+      gnupg.sshKeyPaths = [];
+
+      secrets = {
+        "vpn_config_file" = {
+          sopsFile = ../../../../secrets/vpn-config.yaml;
+          owner = "root";
+          group = "root";
+          mode = "0400";
+          neededForUsers = true;
+        };
+      };
+    };
+
+    vpnNamespaces.wg = {
+      enable = true;
+      wireguardConfigFile = config.sops.secrets.vpn_config_file.path;
+      accessibleFrom = [
+        "192.168.0.0/24"
+      ];
+      portMappings = [
+        {
+          from = 18081;
+          to = 18081;
+          protocol = "both";
+        }
+        {
+          from = 9091;
+          to = 9091;
+        }
+      ];
+    };
+  };
+}