Relaxing seccomp even more

2025-09-12 13:10:44 -07:00 · 2025-09-12 13:10:44 -07:00 · 80f18e67fb
commit 80f18e67fb
parent 7084d3db4c
1 changed files with 14 additions and 19 deletions
--- a/flake.nix
+++ b/flake.nix
@ -36,7 +36,7 @@
          # Enable core services
          services.bitcoind = {
            enable = true;
-            dataDir = "/var/lib/bitcoind"; # Explicitly set to your existing path (it's the default, but this confirms reuse)
+            dataDir = "/var/lib/bitcoind";
            address = "0.0.0.0";
            port = 23002;
            listen = true;
@ -46,14 +46,13 @@
              address = "0.0.0.0";
              port = 8332;
              threads = 16;
-              allowip = ["10.1.1.0/24"]; # Adjust if needed
+              allowip = ["10.1.1.0/24"];
            };
            regtest = false;
-            # Remove this line: network = "mainnet";  # nix-bitcoin sets it by default
            dataDirReadableByGroup = false;
            disablewallet = null;
            dbCache = 4000;
-            prune = 10000; # Matches your existing bitcoin.conf; set to 0 to disable pruning (needs more disk space)
+            prune = 10000;
            zmqpubrawblock = "tcp://0.0.0.0:28332";
            zmqpubrawtx = "tcp://0.0.0.0:28333";
            user = "bitcoind";
@ -72,16 +71,20 @@
            enable = true;
            address = "0.0.0.0";
            port = 23000;
-            lbtc = true; # If you want Liquid support
+            lbtc = true;
            user = "btcpayserver";
            group = "btcpayserver";
-            lightningBackend = "clightning"; # Or "lnd"
+            lightningBackend = "clightning";
          };

-          # PostgreSQL is handled automatically by nix-bitcoin's BTCPay module
-          # No need for custom postgresql module
+          # Relax seccomp and namespaces for BTCPayServer to avoid SIGSYS in LXC
+          systemd.services.btcpayserver.serviceConfig = {
+            SystemCallFilter = [];
+            PrivateMounts = false;
+            ProtectSystem = false;
+          };

-          # Container mode (if desired; test without first)
+          # Container mode (required for your Proxmox LXC)
          boot.isContainer = true;

          # Firewall: Open necessary ports
@ -89,7 +92,7 @@
            config.services.btcpayserver.port
            config.services.bitcoind.port
            config.services.nbxplorer.port
-            22 # SSH
+            22
          ];

          # SSH setup
@ -106,20 +109,12 @@
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
          ];

-          # Suppress unnecessary units (as in your original)
+          # Suppress unnecessary units
          systemd.suppressedSystemUnits = [
            "dev-mqueue.mount"
            "sys-kernel-debug.mount"
            "sys-fs-fuse-connections.mount"
          ];
-          # Relax seccomp for .NET services to avoid SIGSYS in LXC
-          systemd.services.btcpayserver.serviceConfig = {
-            SystemCallFilter = [];
-          };
-
-          systemd.services.nbxplorer.serviceConfig = {
-            SystemCallFilter = [];
-          };

          # State version
          system.stateVersion = "25.05";