diff --git a/flake.nix b/flake.nix
index d1f24d4..318350b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,79 +2,136 @@
 description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image";
 inputs = {
- nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
+ nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release-0.0.85"; # Pin to a stable release
 nixpkgs.follows = "nix-bitcoin/nixpkgs";
 nixos-generators.url = "github:nix-community/nixos-generators";
 flake-utils.url = "github:numtide/flake-utils";
 };
- outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }:
- let
- system = "x86_64-linux";
- pkgs = import nixpkgs { inherit system; };
+ outputs = {
+ self,
+ nixpkgs,
+ nix-bitcoin,
+ nixos-generators,
+ flake-utils,
+ ...
+ }: let
+ system = "x86_64-linux";
+ pkgs = import nixpkgs {inherit system;};
+ in {
+ nixosConfigurations.btc-pay-server = nixpkgs.lib.nixosSystem {
+ inherit system;
 modules = [
 nix-bitcoin.nixosModules.default
- ./modules/bitcoind
- ./modules/nbxplorer
- ./modules/btcpay
- ];
- in {
- nixosConfigurations.btc-pay-server = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = modules ++ [
- ({ config, ... }: {
- boot.isContainer = true;
- # boot.mountDebugFS = false;
- system.stateVersion = "25.05";
- # services.btcpay-full.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs/pdZLlCbv0vgtFA4hHGuWz1EeSn2kKhBJthlZ5lww devnix"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw6ilma4321EdQvguZKA7ijn9xF9QlfMfkES4bGCLTp jeirmeister@devnix-t470"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
- ];
- # networking.firewall.allowedTCPPorts = [
- # 23002
- # 22
- # 24444
- # 8332
- # 5432
- # 28332
- # 28333
- # ];
- networking.firewall.allowedTCPPorts = [
- config.services.btcpayserver.port
- config.services.bitcoind.port
- ];
- systemd.suppressedSystemUnits = [
- "dev-mqueue.mount"
- "sys-kernel-debug.mount"
- "sys-fs-fuse-connections.mount"
- ];
- services.openssh = {
- enable = true;
- settings = {
- PermitRootLogin = "prohibit-password";
- PasswordAuthentication = false;
- };
- };
- })
- ];
- };
+ ({
+ config,
+ pkgs,
+ lib,
+ ...
+ }: {
+ nixpkgs.overlays = [nix-bitcoin.overlays.default];
- devShells = flake-utils.lib.eachDefaultSystem (system:
- let
- pkgs = import nixpkgs { inherit system; };
- in {
- default = pkgs.mkShell {
- buildInputs = [
- nixos-generators.packages.${system}.nixos-generate
- pkgs.just
- ];
- shellHook = ''
- echo "💚 Devshell ready: nixos-generate, just available."
- '';
+ # Enable core services
+ services.bitcoind = {
+ enable = true;
+ dataDir = "/var/lib/bitcoind"; # Explicitly set to your existing path (it's the default, but this confirms reuse)
+ address = "0.0.0.0";
+ port = 23002;
+ listen = true;
+ listenWhitelisted = true;
+ whitelistedPort = 8335;
+ rpc = {
+ address = "0.0.0.0";
+ port = 8332;
+ threads = 4;
+ allowip = ["10.1.1.0/24"]; # Adjust if needed
+ };
+ regtest = false;
+ network = "mainnet";
+ dataDirReadableByGroup = false;
+ disablewallet = null;
+ dbCache = 4000;
+ prune = 10000; # Matches your existing bitcoin.conf; set to 0 to disable pruning (needs more disk space)
+ zmqpubrawblock = "tcp://0.0.0.0:28332";
+ zmqpubrawtx = "tcp://0.0.0.0:28333";
+ user = "bitcoind";
+ group = "bitcoind";
 };
- }
- );
+
+ services.nbxplorer = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 24444;
+ user = "nbxplorer";
+ group = "nbxplorer";
+ };
+
+ services.btcpayserver = {
+ enable = true;
+ address = "0.0.0.0";
+ port = 23000;
+ lbtc = true; # If you want Liquid support
+ user = "btcpayserver";
+ group = "btcpayserver";
+ lightningBackend = "clightning"; # Or "lnd"
+ };
+
+ # PostgreSQL is handled automatically by nix-bitcoin's BTCPay module
+ # No need for custom postgresql module
+
+ # Container mode (if desired; test without first)
+ boot.isContainer = true;
+
+ # Firewall: Open necessary ports
+ networking.firewall.allowedTCPPorts = [
+ config.services.btcpayserver.port
+ config.services.bitcoind.port
+ config.services.nbxplorer.port
+ 22 # SSH
+ ];
+
+ # SSH setup
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ };
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs/pdZLlCbv0vgtFA4hHGuWz1EeSn2kKhBJthlZ5lww devnix"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw6ilma4321EdQvguZKA7ijn9xF9QlfMfkES4bGCLTp jeirmeister@devnix-t470"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
+ ];
+
+ # Suppress unnecessary units (as in your original)
+ systemd.suppressedSystemUnits = [
+ "dev-mqueue.mount"
+ "sys-kernel-debug.mount"
+ "sys-fs-fuse-connections.mount"
+ ];
+
+ # State version
+ system.stateVersion = "25.05";
+ })
+ ];
 };
+
+ # Your devShell remains the same
+ devShells = flake-utils.lib.eachDefaultSystem (
+ system: let
+ pkgs = import nixpkgs {inherit system;};
+ in {
+ default = pkgs.mkShell {
+ buildInputs = [
+ nixos-generators.packages.${system}.nixos-generate
+ pkgs.just
+ ];
+ shellHook = ''
+ echo "💚 Devshell ready: nixos-generate, just available."
+ '';
+ };
+ }
+ );
+ };
 }
diff --git a/justfile b/justfile
index f3bb369..1bce4a2 100644
--- a/justfile
+++ b/justfile
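Review bot: The inline module that replaces `./modules/btcpay` drops the `nix-bitcoin.generateSecrets = true;` setting that file carried, and nothing in the new module provides nix-bitcoin's secrets another way, so unless the deployment pre-populates the secrets directory the generated RPC and database credentials will presumably be missing at first activation; restore `nix-bitcoin.generateSecrets = true;` next to `nixpkgs.overlays` or document where the secrets are expected to come from. `networking.firewall.allowedTCPPorts` now also opens `config.services.nbxplorer.port`, which the previous list did not include; NBXplorer is only consumed by the BTCPay instance on this same host, so exposing it network-wide adds an unauthenticated-looking backend to the attack surface with no visible external consumer, and the same consideration applies to binding `services.nbxplorer.address` and `services.bitcoind.rpc.address` to `0.0.0.0` instead of a loopback or LAN address. The ZMQ endpoints on `tcp://0.0.0.0:28332` and `tcp://0.0.0.0:28333` are likewise bound on all interfaces although only the local NBXplorer needs them. `lightningBackend = "clightning"` is set without an explicit `services.clightning.enable`; nix-bitcoin may enable it implicitly, but a one-line comment confirming that would save the next reader a lookup. The flake's outer attribute set opens on line 1, outside this hunk.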
@@ -1,25 +1,37 @@
-REMOTE_HOST := "root@10.1.1.163"
+# Default command: lists all available just commands
+default:
+ just --list
+# Rebuild the local NixOS system using a flake configuration
 rebuild:
- nixos-rebuild switch --flake .#btc-pay-server --extra-experimental-features 'nix-command flakes'
+ nixos-rebuild switch --flake .#btc-pay-server
+# Build the NixOS system configuration without switching
 build:
 nix build .#nixosConfigurations.btc-pay-server.config.system.build.toplevel
-deploy:
- nixos-rebuild switch --flake .#btc-pay-server --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes"
+# Deploy (rebuild) the NixOS system on the remote host
+# Usage: just deploy root@10.1.1.163
+deploy host:
+ nixos-rebuild switch --fast --flake .#btc-pay-server --target-host {{host}} --build-host {{host}} --use-remote-sudo
-status:
- ssh {{REMOTE_HOST}} "systemctl status bitcoind btcpayserver"
+# Check the status of bitcoind and btcpayserver services on the remote host
+# Usage: just status root@10.1.1.163
+status host:
+ ssh {{host}} "systemctl status bitcoind btcpayserver"
+# Encrypt the secrets.yaml file in place using sops
 encrypt-secrets:
 sops -e -i secrets.yaml
+# Open the secrets.yaml file for editing with sops
 edit-secrets:
 sops secrets.yaml
+# Open a developer shell with the nix flake's environment
 shell:
 nix develop
+# Open a PostgreSQL client to the local nbxplorer database
 psql:
 psql -h localhost -U nbxplorer -d nbxplorer
diff --git a/modules/bitcoind/default.nix b/modules/bitcoind/default.nix
deleted file mode 100644
index cfb2578..0000000
--- a/modules/bitcoind/default.nix
+++ /dev/null
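Review bot: The `encrypt-secrets` and `edit-secrets` recipes still operate on `secrets.yaml`, but this same commit deletes that file, so both recipes fail until it is recreated; the new comments above them should say so, e.g. `# secrets.yaml is not tracked; create it locally before running this`. The deleted `secrets.yaml` held a plaintext `nbxplorer-pg-password`, which stays recoverable from git history, so that credential should be rotated on the database rather than merely re-encrypted. In `deploy`, `--use-remote-sudo` only has an effect when `host` is a non-root user, while the usage comment shows `root@10.1.1.163`; the comment should state which form of `host` is intended so the two are not left contradicting each other.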
@@ -1,34 +0,0 @@
-{ config, specialConfig, lib, pkgs, ... }:
-{
- #################################
- # Bitcoin Core (bitcoind)
- #################################
- services.bitcoind = {
- enable = true;
- address = "0.0.0.0";
- port = 23002;
- listen = true;
- listenWhitelisted = true;
- whitelistedPort = 8335;
- # dataDir = "/var/lib/bitcoind";
- rpc = {
- address = "0.0.0.0";
- port = 8332;
- threads = 4;
- allowip = [
- "0.0.0.0"
- ];
- };
- regtest = false;
- # network = "regtest"; # or "mainnet"
- dataDirReadableByGroup = false;
- disablewallet = null;
- dbCache = 4000;
- prune = 10000;
- # txindex = true;
- zmqpubrawblock = "tcp://0.0.0.0:28332";
- zmqpubrawtx = "tcp://0.0.0.0:28333";
- user = "bitcoind";
- group = "bitcoind";
- };
-}
diff --git a/modules/btcpay/default.nix b/modules/btcpay/default.nix
deleted file mode 100644
index 5e55261..0000000
--- a/modules/btcpay/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, specialConfig, lib, pkgs, ... }:
-{
-
- nix-bitcoin.generateSecrets = true;
- # nix-bitcoin.secretsDir = "/var/lib/secrets";
- services.btcpayserver = {
- enable = true;
- address = "0.0.0.0";
- port = 23000;
- # dataDir = "/var/lib/btcpayserver";
- lbtc = true;
- user = "btcpayserver";
- group = "btcpayserver";
- # If needed, direct BTCPay to same PostgreSQL:
- # explorerpostgres = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorermainnet;";
- # Set environment variables as needed for additional DB, etc.
- };
-}
diff --git a/modules/nbxplorer/default.nix b/modules/nbxplorer/default.nix
deleted file mode 100644
index 8e0d321..0000000
--- a/modules/nbxplorer/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, specialConfig, lib, pkgs, ... }:
-{
- services.nbxplorer = {
- enable = true;
- address = "0.0.0.0";
- port = 24444;
- # dataDir = "/var/lib/nbxplorer";
- user = "nbxplorer";
- group = "nbxplorer";
- # Database connection string to external/local PostgreSQL:
- # postgres = "User ID=nbxplorer;Host=0.0.0.0;Port=5432;Database=nbxplorermainnet;";
- # chains = [ "btc" "ltc" "lbtc" ];
- # Additional NBXplorer server args/overrides can go here.
- };
-}
diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix
deleted file mode 100644
index ba094ed..0000000
--- a/modules/postgresql/default.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, lib, pkgs, specialConfig, ... }:
-{
- # Disable local postgres (so NixOS won't start or manage it)
- services = {
- postgresql = {
- enable = true;
- ensureDatabases = [ "nbxplorermainnet" "btcpaydb" ];
- ensureUsers = [
- { name = "nbxplorer"; ensureDBOwnership = true; }
- { name = "btcpay"; ensureDBOwnership = true; }
- ];
- authentication = ''
- local all all trust
- host all all 0.0.0.1/32 trust
- host all all ::1/128 trust
- '';
- };
- };
-}
diff --git a/secrets.yaml b/secrets.yaml
deleted file mode 100644
index 33f6670..0000000
--- a/secrets.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-nbxplorer-pg-password: >-
- f%Rn^g!o*d0U3UjXNN&1dG&H
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index 99da474..0000000
--- a/shell.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs ? import {} }:
-
-pkgs.mkShell {
- buildInputs = with pkgs; [
- just # task runner
- sops # secrets management
- postgresql # includes psql client utility[6][9]
- bitcoin # Bitcoin Core CLI tools (bitcoind, bitcoin-cli)
- curl # For HTTP API testing
- jq # For manipulating test output
- git
- # dotnet-sdk # IF you develop/plugins for NBXplorer, uncomment this
- ];
-
- shellHook = ''
- export SSH_CONFIG_FILE="$PWD/ssh-config-dev"
- alias ssh="ssh -F $SSH_CONFIG_FILE"
- alias scp="scp -F $SSH_CONFIG_FILE"
- echo "Repo-local SSH config active: using $SSH_CONFIG_FILE for ssh/scp."
- '';
-}
-