Relaxing seccomp even more

This commit is contained in:
jeirmeister 2025-09-12 13:10:44 -07:00
parent 7084d3db4c
commit 80f18e67fb


@ -36,7 +36,7 @@
# Enable core services # Enable core services
services.bitcoind = { services.bitcoind = {
enable = true; enable = true;
dataDir = "/var/lib/bitcoind"; # Explicitly set to your existing path (it's the default, but this confirms reuse) dataDir = "/var/lib/bitcoind";
address = "0.0.0.0"; address = "0.0.0.0";
port = 23002; port = 23002;
listen = true; listen = true;
@ -46,14 +46,13 @@
address = "0.0.0.0"; address = "0.0.0.0";
port = 8332; port = 8332;
threads = 16; threads = 16;
allowip = ["10.1.1.0/24"]; # Adjust if needed allowip = ["10.1.1.0/24"];
}; };
regtest = false; regtest = false;
# Remove this line: network = "mainnet"; # nix-bitcoin sets it by default
dataDirReadableByGroup = false; dataDirReadableByGroup = false;
disablewallet = null; disablewallet = null;
dbCache = 4000; dbCache = 4000;
prune = 10000; # Matches your existing bitcoin.conf; set to 0 to disable pruning (needs more disk space) prune = 10000;
zmqpubrawblock = "tcp://0.0.0.0:28332"; zmqpubrawblock = "tcp://0.0.0.0:28332";
zmqpubrawtx = "tcp://0.0.0.0:28333"; zmqpubrawtx = "tcp://0.0.0.0:28333";
user = "bitcoind"; user = "bitcoind";
@ -72,16 +71,20 @@
enable = true; enable = true;
address = "0.0.0.0"; address = "0.0.0.0";
port = 23000; port = 23000;
lbtc = true; # If you want Liquid support lbtc = true;
user = "btcpayserver"; user = "btcpayserver";
group = "btcpayserver"; group = "btcpayserver";
lightningBackend = "clightning"; # Or "lnd" lightningBackend = "clightning";
}; };
# PostgreSQL is handled automatically by nix-bitcoin's BTCPay module # Relax seccomp and namespaces for BTCPayServer to avoid SIGSYS in LXC
# No need for custom postgresql module systemd.services.btcpayserver.serviceConfig = {
SystemCallFilter = [];
PrivateMounts = false;
ProtectSystem = false;
};
# Container mode (if desired; test without first) # Container mode (required for your Proxmox LXC)
boot.isContainer = true; boot.isContainer = true;
# Firewall: Open necessary ports # Firewall: Open necessary ports
@ -89,7 +92,7 @@
config.services.btcpayserver.port config.services.btcpayserver.port
config.services.bitcoind.port config.services.bitcoind.port
config.services.nbxplorer.port config.services.nbxplorer.port
22 # SSH 22
]; ];
# SSH setup # SSH setup
@ -106,20 +109,12 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
]; ];
# Suppress unnecessary units (as in your original) # Suppress unnecessary units
systemd.suppressedSystemUnits = [ systemd.suppressedSystemUnits = [
"dev-mqueue.mount" "dev-mqueue.mount"
"sys-kernel-debug.mount" "sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount" "sys-fs-fuse-connections.mount"
]; ];
# Relax seccomp for .NET services to avoid SIGSYS in LXC
systemd.services.btcpayserver.serviceConfig = {
SystemCallFilter = [];
};
systemd.services.nbxplorer.serviceConfig = {
SystemCallFilter = [];
};
# State version # State version
system.stateVersion = "25.05"; system.stateVersion = "25.05";
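Review bot: In the new `systemd.services.btcpayserver.serviceConfig` block after `lightningBackend`, `SystemCallFilter = [];` most likely does not clear an existing filter: NixOS merges list-valued `serviceConfig` definitions by concatenation and emits no directive for an empty list, so if the nix-bitcoin module already sets `SystemCallFilter` for this unit the seccomp filter stays in place and the SIGSYS persists; `SystemCallFilter = lib.mkForce [ ];` is what actually overrides it (assuming `lib` is among the module arguments, which are outside the hunk). `ProtectSystem = false` and `PrivateMounts = false` do not affect SIGSYS, which comes only from the syscall filter and `SystemCallArchitectures`, yet they drop the read-only root and mount isolation for a network-facing service, so consider keeping both and, if the filter must change, adding the single syscall reported in the SIGSYS audit record rather than removing the filter wholesale. If the module already defines those two keys with other values, the non-list merge fails evaluation with a conflicting-definition error rather than overriding silently. The last hunk also drops the `nbxplorer` `SystemCallFilter` relaxation; if nbxplorer hit the same SIGSYS in this LXC, that part is a regression.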