From a3f3078e353a96d6b9492ab594a8e3c8bafc994a Mon Sep 17 00:00:00 2001
From: jeirmeister
Date: Fri, 1 Aug 2025 12:07:12 -0700
Subject: [PATCH] added firewall configuration
---
 .repo-to-text-settings.yaml | 23 ++++++++
 btc-ssh-key.pub | 1 -
 flake.nix | 9 ++++
 flake.nix.old | 101 ------------------------------------
 4 files changed, 32 insertions(+), 102 deletions(-)
 create mode 100644 .repo-to-text-settings.yaml
 delete mode 100644 btc-ssh-key.pub
 delete mode 100644 flake.nix.old
diff --git a/.repo-to-text-settings.yaml b/.repo-to-text-settings.yaml
new file mode 100644
index 0000000..e13e0ba
--- /dev/null
+++ b/.repo-to-text-settings.yaml
@@ -0,0 +1,23 @@
+# Details: https://github.com/kirill-markin/repo-to-text
+# Syntax: gitignore rules
+
+# Ignore files and directories for all sections from gitignore file
+# Default: True
+gitignore-import-and-ignore: True
+
+# Ignore files and directories for tree
+# and contents sections (...)
+ignore-tree-and-content:
+ - ".repo-to-text-settings.yaml"
+
+# Ignore files and directories for contents sections
+ignore-content:
+ - "README.md"
+ - "LICENSE"
+ - "package-lock.json"
+ - "flake.lock"
+
+# Optional: Maximum number of words per output file before splitting.
+# If not specified or null, no splitting based on word count will occur.
+# Must be a positive integer if set.
+# maximum_word_count_per_file: 10000
diff --git a/btc-ssh-key.pub b/btc-ssh-key.pub
deleted file mode 100644
index 5e4654b..0000000
--- a/btc-ssh-key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOIWWGUGM+5GjypoSNe0nKMLnu+5/McFHQhY7HXtpbS btcpay-server key
diff --git a/flake.nix b/flake.nix
index b082930..698a831 100644
--- a/flake.nix
+++ b/flake.nix
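Review bot: The new `ignore-content` list keeps licence and lock files out of the generated text export but does not exclude the repository's secret-bearing inputs, so an export would carry them verbatim if they are tracked; the deleted flake.nix.old references `./secrets.yaml` and `./pg_hba.conf`, and flake-relative paths normally have to be git-tracked to be readable, so both are presumably in the tree. Add them under `ignore-content` (or `ignore-tree-and-content` if the file names themselves should not appear), e.g. `- "secrets.yaml"` and `- "pg_hba.conf"`, preceded by a comment such as `# never export secret or auth material`. `secrets.yaml` is sops-encrypted per the old flake, which limits the exposure, but the encrypted blob and the Postgres authentication rules still should not end up in a bulk text dump.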
@@ -30,6 +30,15 @@
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
 ];
+ networking.firewall.allowedTCPPorts = [
+ 23002
+ 22
+ # 24444
+ # 8332
+ # 5432
+ # 28332
+ # 28333
+ ];
 services.openssh = {
 enable = true;
 settings = {
diff --git a/flake.nix.old b/flake.nix.old
deleted file mode 100644
index 13074c3..0000000
--- a/flake.nix.old
+++ /dev/null
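Review bot: The `23002` added to `networking.firewall.allowedTCPPorts` is a bare literal with no comment, and it differs from the `port = 23000` that the deleted flake.nix.old configured for `services.btcpayserver`; if it is meant to be the BTCPay listener, reference `config.services.btcpayserver.port` as the old flake did so the firewall rule cannot drift from the service definition (the service block is outside this hunk, so I cannot confirm which port it actually uses). `22` is already opened by `services.openssh.openFirewall`, which defaults to true in NixOS, so the explicit entry is redundant — drop it or annotate it `# ssh (also opened by services.openssh.openFirewall)`. The commented-out `8332` (bitcoind RPC per the old flake), `5432` (PostgreSQL per the old connection string) and `28332`/`28333` (presumably bitcoind ZMQ) entries deserve a one-line rationale so nobody uncomments them casually, e.g. `# RPC, database and ZMQ stay host-local; reach them via SSH, not the firewall`. The enclosing module starts and ends outside the hunk.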
@@ -1,101 +0,0 @@
-{
- description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
-
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
- nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
- sops-nix.url = "github:Mic92/sops-nix";
- };
-
- outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
- nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
- imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
-
- options.services.btcpay-full = {
- enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
- };
-
- config = lib.mkIf config.services.btcpay-full.enable {
- nix-bitcoin.generateSecrets = true;
- nix-bitcoin.operator = {
- enable = true;
- name = "btcpay";
- };
-
- # sops secret for Postgres password
- sops.secrets.nbxplorer-pg-password = {
- sopsFile = ./secrets.yaml;
- owner = "postgres";
- };
-
- # Use tracked dotfile for Postgres auth rules
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql_14;
- initialDatabases = [{ name = "nbxplorer"; }];
- ensureUsers = [{
- name = "nbxplorer";
- passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
- ensureDBOwnership = true;
- }];
- authentication = builtins.readFile ./pg_hba.conf;
- };
-
- services.bitcoind = {
- enable = true;
- prune = 100000;
- dbCache = 8000;
- rpc.port = 8332;
- };
-
- services.btcpayserver = {
- enable = true;
- address = "0.0.0.0";
- port = 23000;
- environment = {
- NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
- builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
- }";
- };
- };
-
- networking.firewall.allowedTCPPorts = [
- config.services.btcpayserver.port
- config.services.bitcoind.port
- 5432
- ];
-
- # (SSH added below)
- };
- };
-
- nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ({ config, ...
}: {
- boot.isContainer = true;
- system.stateVersion = "25.05";
- services.btcpay-full.enable = true;
-
- # SSH best practices: use a public key from secrets, fallback to password auth only if needed
- sops.secrets.btcpay-ssh-pubkey = {
- sopsFile = ./secrets.yaml;
- owner = "root";
- };
- users.users.root.openssh.authorizedKeys.keys = [
- (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
- ];
-
- services.openssh = {
- enable = true;
- settings = {
- PermitRootLogin = "prohibit-password"; # disables password logins
- PasswordAuthentication = false;
- };
- };
- })
- self.nixosModules.btcpay-server
- ];
- };
- };
-}