Reworked for simplified flake

2025-08-01 11:14:53 -07:00 · 2025-08-01 11:14:53 -07:00 · d3eddb7445
commit d3eddb7445
parent f55936312f
7 changed files with 234 additions and 96 deletions
--- a/flake.nix.old
+++ b/flake.nix.old
@ -0,0 +1,101 @@
+{
+  description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
+    sops-nix.url = "github:Mic92/sops-nix";
+  };
+
+  outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
+    nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
+      imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
+
+      options.services.btcpay-full = {
+        enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
+      };
+
+      config = lib.mkIf config.services.btcpay-full.enable {
+        nix-bitcoin.generateSecrets = true;
+        nix-bitcoin.operator = {
+          enable = true;
+          name = "btcpay";
+        };
+
+        # sops secret for Postgres password
+        sops.secrets.nbxplorer-pg-password = {
+          sopsFile = ./secrets.yaml;
+          owner = "postgres";
+        };
+
+        # Use tracked dotfile for Postgres auth rules
+        services.postgresql = {
+          enable = true;
+          package = pkgs.postgresql_14;
+          initialDatabases = [{ name = "nbxplorer"; }];
+          ensureUsers = [{
+            name = "nbxplorer";
+            passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
+            ensureDBOwnership = true;
+          }];
+          authentication = builtins.readFile ./pg_hba.conf;
+        };
+
+        services.bitcoind = {
+          enable = true;
+          prune = 100000;
+          dbCache = 8000;
+          rpc.port = 8332;
+        };
+
+        services.btcpayserver = {
+          enable = true;
+          address = "0.0.0.0";
+          port = 23000;
+          environment = {
+            NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
+              builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
+            }";
+          };
+        };
+
+        networking.firewall.allowedTCPPorts = [
+          config.services.btcpayserver.port
+          config.services.bitcoind.port
+          5432
+        ];
+
+        # (SSH added below)
+      };
+    };
+
+    nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ({ config, ... }: {
+          boot.isContainer = true;
+          system.stateVersion = "25.05";
+          services.btcpay-full.enable = true;
+
+          # SSH best practices: use a public key from secrets, fallback to password auth only if needed
+          sops.secrets.btcpay-ssh-pubkey = {
+            sopsFile = ./secrets.yaml;
+            owner = "root";
+          };
+          users.users.root.openssh.authorizedKeys.keys = [
+            (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
+          ];
+
+          services.openssh = {
+            enable = true;
+            settings = {
+              PermitRootLogin = "prohibit-password"; # disables password logins
+              PasswordAuthentication = false;
+            };
+          };
+        })
+        self.nixosModules.btcpay-server
+      ];
+    };
+  };
+}