jeirmeister/btc-pay-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Reducing modules to single flake to ensure nix-bitcoin inheritance

Browse source
This commit is contained in:
jeirmeister 2025-09-12 12:44:38 -07:00
parent ec55daaef6
commit 7de19b46ec
8 changed files with 140 additions and 181 deletions
Download patch file Download diff file Expand all files Collapse all files

133
flake.nix
View file

@ -2,54 +2,95 @@
description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image"; description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image";
inputs = { inputs = {
nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release-0.0.85"; # Pin to a stable release
nixpkgs.follows = "nix-bitcoin/nixpkgs"; nixpkgs.follows = "nix-bitcoin/nixpkgs";
nixos-generators.url = "github:nix-community/nixos-generators"; nixos-generators.url = "github:nix-community/nixos-generators";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
}; };
outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }: outputs = {
let self,
nixpkgs,
nix-bitcoin,
nixos-generators,
flake-utils,
...
}: let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs {inherit system;};
modules = [
nix-bitcoin.nixosModules.default
./modules/bitcoind
./modules/nbxplorer
./modules/btcpay
];
in { in {
nixosConfigurations.btc-pay-server = nixpkgs.lib.nixosSystem { nixosConfigurations.btc-pay-server = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; inherit system;
modules = modules ++ [ modules = [
({ config, ... }: { nix-bitcoin.nixosModules.default
({
config,
pkgs,
lib,
...
}: {
nixpkgs.overlays = [nix-bitcoin.overlays.default];
# Enable core services
services.bitcoind = {
enable = true;
dataDir = "/var/lib/bitcoind"; # Explicitly set to your existing path (it's the default, but this confirms reuse)
address = "0.0.0.0";
port = 23002;
listen = true;
listenWhitelisted = true;
whitelistedPort = 8335;
rpc = {
address = "0.0.0.0";
port = 8332;
threads = 4;
allowip = ["10.1.1.0/24"]; # Adjust if needed
};
regtest = false;
network = "mainnet";
dataDirReadableByGroup = false;
disablewallet = null;
dbCache = 4000;
prune = 10000; # Matches your existing bitcoin.conf; set to 0 to disable pruning (needs more disk space)
zmqpubrawblock = "tcp://0.0.0.0:28332";
zmqpubrawtx = "tcp://0.0.0.0:28333";
user = "bitcoind";
group = "bitcoind";
};
services.nbxplorer = {
enable = true;
address = "0.0.0.0";
port = 24444;
user = "nbxplorer";
group = "nbxplorer";
};
services.btcpayserver = {
enable = true;
address = "0.0.0.0";
port = 23000;
lbtc = true; # If you want Liquid support
user = "btcpayserver";
group = "btcpayserver";
lightningBackend = "clightning"; # Or "lnd"
};
# PostgreSQL is handled automatically by nix-bitcoin's BTCPay module
# No need for custom postgresql module
# Container mode (if desired; test without first)
boot.isContainer = true; boot.isContainer = true;
# boot.mountDebugFS = false;
system.stateVersion = "25.05"; # Firewall: Open necessary ports
# services.btcpay-full.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs/pdZLlCbv0vgtFA4hHGuWz1EeSn2kKhBJthlZ5lww devnix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw6ilma4321EdQvguZKA7ijn9xF9QlfMfkES4bGCLTp jeirmeister@devnix-t470"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
];
# networking.firewall.allowedTCPPorts = [
# 23002
# 22
# 24444
# 8332
# 5432
# 28332
# 28333
# ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
config.services.btcpayserver.port config.services.btcpayserver.port
config.services.bitcoind.port config.services.bitcoind.port
config.services.nbxplorer.port
22 # SSH
]; ];
systemd.suppressedSystemUnits = [
"dev-mqueue.mount" # SSH setup
"sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount"
];
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
@ -57,13 +98,29 @@
PasswordAuthentication = false; PasswordAuthentication = false;
}; };
}; };
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs/pdZLlCbv0vgtFA4hHGuWz1EeSn2kKhBJthlZ5lww devnix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw6ilma4321EdQvguZKA7ijn9xF9QlfMfkES4bGCLTp jeirmeister@devnix-t470"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
];
# Suppress unnecessary units (as in your original)
systemd.suppressedSystemUnits = [
"dev-mqueue.mount"
"sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount"
];
# State version
system.stateVersion = "25.05";
}) })
]; ];
}; };
devShells = flake-utils.lib.eachDefaultSystem (system: # Your devShell remains the same
let devShells = flake-utils.lib.eachDefaultSystem (
pkgs = import nixpkgs { inherit system; }; system: let
pkgs = import nixpkgs {inherit system;};
in { in {
default = pkgs.mkShell { default = pkgs.mkShell {
buildInputs = [ buildInputs = [

24
justfile
View file

@ -1,25 +1,37 @@
REMOTE_HOST := "root@10.1.1.163" # Default command: lists all available just commands
default:
just --list
# Rebuild the local NixOS system using a flake configuration
rebuild: rebuild:
nixos-rebuild switch --flake .#btc-pay-server --extra-experimental-features 'nix-command flakes' nixos-rebuild switch --flake .#btc-pay-server
# Build the NixOS system configuration without switching
build: build:
nix build .#nixosConfigurations.btc-pay-server.config.system.build.toplevel nix build .#nixosConfigurations.btc-pay-server.config.system.build.toplevel
deploy: # Deploy (rebuild) the NixOS system on the remote host
nixos-rebuild switch --flake .#btc-pay-server --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes" # Usage: just deploy root@10.1.1.163
deploy host:
nixos-rebuild switch --fast --flake .#btc-pay-server --target-host {{host}} --build-host {{host}} --use-remote-sudo
status: # Check the status of bitcoind and btcpayserver services on the remote host
ssh {{REMOTE_HOST}} "systemctl status bitcoind btcpayserver" # Usage: just status root@10.1.1.163
status host:
ssh {{host}} "systemctl status bitcoind btcpayserver"
# Encrypt the secrets.yaml file in place using sops
encrypt-secrets: encrypt-secrets:
sops -e -i secrets.yaml sops -e -i secrets.yaml
# Open the secrets.yaml file for editing with sops
edit-secrets: edit-secrets:
sops secrets.yaml sops secrets.yaml
# Open a developer shell with the nix flake's environment
shell: shell:
nix develop nix develop
# Open a PostgreSQL client to the local nbxplorer database
psql: psql:
psql -h localhost -U nbxplorer -d nbxplorer psql -h localhost -U nbxplorer -d nbxplorer

34
modules/bitcoind/default.nix
View file

@ -1,34 +0,0 @@
{ config, specialConfig, lib, pkgs, ... }:
{
#################################
# Bitcoin Core (bitcoind)
#################################
services.bitcoind = {
enable = true;
address = "0.0.0.0";
port = 23002;
listen = true;
listenWhitelisted = true;
whitelistedPort = 8335;
# dataDir = "/var/lib/bitcoind";
rpc = {
address = "0.0.0.0";
port = 8332;
threads = 4;
allowip = [
"0.0.0.0"
];
};
regtest = false;
# network = "regtest"; # or "mainnet"
dataDirReadableByGroup = false;
disablewallet = null;
dbCache = 4000;
prune = 10000;
# txindex = true;
zmqpubrawblock = "tcp://0.0.0.0:28332";
zmqpubrawtx = "tcp://0.0.0.0:28333";
user = "bitcoind";
group = "bitcoind";
};
}

18
modules/btcpay/default.nix
View file

@ -1,18 +0,0 @@
{ config, specialConfig, lib, pkgs, ... }:
{
nix-bitcoin.generateSecrets = true;
# nix-bitcoin.secretsDir = "/var/lib/secrets";
services.btcpayserver = {
enable = true;
address = "0.0.0.0";
port = 23000;
# dataDir = "/var/lib/btcpayserver";
lbtc = true;
user = "btcpayserver";
group = "btcpayserver";
# If needed, direct BTCPay to same PostgreSQL:
# explorerpostgres = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorermainnet;";
# Set environment variables as needed for additional DB, etc.
};
}

15
modules/nbxplorer/default.nix
View file

@ -1,15 +0,0 @@
{ config, specialConfig, lib, pkgs, ... }:
{
services.nbxplorer = {
enable = true;
address = "0.0.0.0";
port = 24444;
# dataDir = "/var/lib/nbxplorer";
user = "nbxplorer";
group = "nbxplorer";
# Database connection string to external/local PostgreSQL:
# postgres = "User ID=nbxplorer;Host=0.0.0.0;Port=5432;Database=nbxplorermainnet;";
# chains = [ "btc" "ltc" "lbtc" ];
# Additional NBXplorer server args/overrides can go here.
};
}

19
modules/postgresql/default.nix
View file

@ -1,19 +0,0 @@
{ config, lib, pkgs, specialConfig, ... }:
{
# Disable local postgres (so NixOS won't start or manage it)
services = {
postgresql = {
enable = true;
ensureDatabases = [ "nbxplorermainnet" "btcpaydb" ];
ensureUsers = [
{ name = "nbxplorer"; ensureDBOwnership = true; }
{ name = "btcpay"; ensureDBOwnership = true; }
];
authentication = ''
local all all trust
host all all 0.0.0.1/32 trust
host all all ::1/128 trust
'';
};
};
}

2
secrets.yaml
View file

@ -1,2 +0,0 @@
nbxplorer-pg-password: >-
f%Rn^g!o*d0U3UjXNN&1dG&H

22
shell.nix
View file

@ -1,22 +0,0 @@
{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
buildInputs = with pkgs; [
just # task runner
sops # secrets management
postgresql # includes psql client utility[6][9]
bitcoin # Bitcoin Core CLI tools (bitcoind, bitcoin-cli)
curl # For HTTP API testing
jq # For manipulating test output
git
# dotnet-sdk # IF you develop/plugins for NBXplorer, uncomment this
];
shellHook = ''
export SSH_CONFIG_FILE="$PWD/ssh-config-dev"
alias ssh="ssh -F $SSH_CONFIG_FILE"
alias scp="scp -F $SSH_CONFIG_FILE"
echo "Repo-local SSH config active: using $SSH_CONFIG_FILE for ssh/scp."
'';
}