added firewall configuration
This commit is contained in:
parent
52ddb3cbaa
commit
a3f3078e35
4 changed files with 32 additions and 102 deletions
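--- a/.repo-to-text-settings.yaml
+++ b/.repo-to-text-settings.yaml
@@ -0,0 +1,23 @@
+# Details: https://github.com/kirill-markin/repo-to-text
+# Syntax: gitignore rules
+
+# Ignore files and directories for all sections from gitignore file
+# Default: True
+gitignore-import-and-ignore: True
+
+# Ignore files and directories for tree
+# and contents sections (<content full_path="...">...</content>)
+ignore-tree-and-content:
+- ".repo-to-text-settings.yaml"
+
+# Ignore files and directories for contents sections
+ignore-content:
+- "README.md"
+- "LICENSE"
+- "package-lock.json"
+- "flake.lock"
+
+# Optional: Maximum number of words per output file before splitting.
+# If not specified or null, no splitting based on word count will occur.
+# Must be a positive integer if set.
+# maximum_word_count_per_file: 10000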
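Review bot: The `ignore-content` list in this new settings file excludes only documentation and lock files, so every other tracked file is dumped verbatim into the repo-to-text output — including, if they are still tracked, the `secrets.yaml` and `pg_hba.conf` that the deleted `flake.nix.old` referenced, and any further `*.old` leftovers. sops-encrypted material has no business in a text dump intended for pasting into an LLM, and the dump itself must not end up committed. I would add `- "secrets.yaml"` and `- "*.old"` under `ignore-content` (or `ignore-tree-and-content`), and confirm the tool's output file is listed in `.gitignore`, since `gitignore-import-and-ignore: True` is the only other exclusion mechanism configured here.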
@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOIWWGUGM+5GjypoSNe0nKMLnu+5/McFHQhY7HXtpbS btcpay-server key
@ -30,6 +30,15 @@
users.users.root.openssh.authorizedKeys.keys = [
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
];
];
networking.firewall.allowedTCPPorts = [
23002
22
# 24444
# 8332
# 5432
# 28332
# 28333
];
services.openssh = {
services.openssh = {
enable = true;
enable = true;
settings = {
settings = {
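Review bot: The new `networking.firewall.allowedTCPPorts` list opens 23002 on every interface with nothing saying what listens there; the deleted `flake.nix.old` ran btcpayserver on 23000, so 23002 is unexplained, and if it is BTCPay's HTTP listener it is plaintext and should sit behind a TLS reverse proxy (exposing 443, not the backend port) or at least be scoped with `networking.firewall.interfaces.<iface>.allowedTCPPorts`. Keeping 8332, 24444, 5432, 28332 and 28333 closed is right — these look like bitcoind RPC, NBXplorer, Postgres and bitcoind's ZMQ sockets, all of which carry credentials or unauthenticated control traffic — but a bare `# 8332` reads as "temporarily off" and invites the next person to uncomment it, so replace the five commented lines with one comment: `# bitcoind RPC, NBXplorer, Postgres and ZMQ (8332, 24444, 5432, 28332/28333) are loopback-only by design; never open them here`. Annotate the two live entries too, e.g. `22 # SSH: key-only root, see services.openssh.settings` and `23002 # <service> -- confirm what listens here`. The enclosing module attribute set begins before this hunk and `services.openssh.settings` continues past it, so the hardening that justifies opening 22 is not visible here.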
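--- a/flake.nix.old
+++ b/flake.nix.old
@@ -1,101 +0,0 @@
-{
-description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
-
-inputs = {
-nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
-nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
-sops-nix.url = "github:Mic92/sops-nix";
-};
-
-outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
-nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
-imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
-
-options.services.btcpay-full = {
-enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
-};
-
-config = lib.mkIf config.services.btcpay-full.enable {
-nix-bitcoin.generateSecrets = true;
-nix-bitcoin.operator = {
-enable = true;
-name = "btcpay";
-};
-
-# sops secret for Postgres password
-sops.secrets.nbxplorer-pg-password = {
-sopsFile = ./secrets.yaml;
-owner = "postgres";
-};
-
-# Use tracked dotfile for Postgres auth rules
-services.postgresql = {
-enable = true;
-package = pkgs.postgresql_14;
-initialDatabases = [{ name = "nbxplorer"; }];
-ensureUsers = [{
-name = "nbxplorer";
-passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
-ensureDBOwnership = true;
-}];
-authentication = builtins.readFile ./pg_hba.conf;
-};
-
-services.bitcoind = {
-enable = true;
-prune = 100000;
-dbCache = 8000;
-rpc.port = 8332;
-};
-
-services.btcpayserver = {
-enable = true;
-address = "0.0.0.0";
-port = 23000;
-environment = {
-NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
-builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
-}";
-};
-};
-
-networking.firewall.allowedTCPPorts = [
-config.services.btcpayserver.port
-config.services.bitcoind.port
-5432
-];
-
-# (SSH added below)
-};
-};
-
-nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
-system = "x86_64-linux";
-modules = [
-({ config, ... }: {
-boot.isContainer = true;
-system.stateVersion = "25.05";
-services.btcpay-full.enable = true;
-
-# SSH best practices: use a public key from secrets, fallback to password auth only if needed
-sops.secrets.btcpay-ssh-pubkey = {
-sopsFile = ./secrets.yaml;
-owner = "root";
-};
-users.users.root.openssh.authorizedKeys.keys = [
-(builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
-];
-
-services.openssh = {
-enable = true;
-settings = {
-PermitRootLogin = "prohibit-password"; # disables password logins
-PasswordAuthentication = false;
-};
-};
-})
-self.nixosModules.btcpay-server
-];
-};
-};
-}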