Reworked for simplified flake

This commit is contained in:
jeirmeister 2025-08-01 11:14:53 -07:00
parent f55936312f
commit d3eddb7445
7 changed files with 234 additions and 96 deletions

139
flake.nix

@ -1,101 +1,56 @@
{ {
description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets"; description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
sops-nix.url = "github:Mic92/sops-nix"; nixpkgs.follows = "nix-bitcoin/nixpkgs";
nixos-generators.url = "github:nix-community/nixos-generators";
flake-utils.url = "github:numtide/flake-utils";
}; };
outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: { outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }:
nixosModules.btcpay-server = { config, lib, pkgs, ... }: { flake-utils.lib.eachDefaultSystem (system:
imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ]; let
pkgs = import nixpkgs { inherit system; };
options.services.btcpay-full = { modules = [
enable = lib.mkEnableOption "BTCPay Server with Bitcoin node"; nix-bitcoin.nixosModules.default
}; ./nix/modules/bitcoind
./nix/modules/nbxplorer
config = lib.mkIf config.services.btcpay-full.enable { ./nix/modules/btcpay
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator = {
enable = true;
name = "btcpay";
};
# sops secret for Postgres password
sops.secrets.nbxplorer-pg-password = {
sopsFile = ./secrets.yaml;
owner = "postgres";
};
# Use tracked dotfile for Postgres auth rules
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
initialDatabases = [{ name = "nbxplorer"; }];
ensureUsers = [{
name = "nbxplorer";
passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
ensureDBOwnership = true;
}];
authentication = builtins.readFile ./pg_hba.conf;
};
services.bitcoind = {
enable = true;
prune = 100000;
dbCache = 8000;
rpc.port = 8332;
};
services.btcpayserver = {
enable = true;
address = "0.0.0.0";
port = 23000;
environment = {
NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
}";
};
};
networking.firewall.allowedTCPPorts = [
config.services.btcpayserver.port
config.services.bitcoind.port
5432
]; ];
in {
# (SSH added below) devShells.default = pkgs.mkShell {
}; buildInputs = [
}; nixos-generators.packages.${system}.nixos-generate
pkgs.just
nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
({ config, ... }: {
boot.isContainer = true;
system.stateVersion = "25.05";
services.btcpay-full.enable = true;
# SSH best practices: use a public key from secrets, fallback to password auth only if needed
sops.secrets.btcpay-ssh-pubkey = {
sopsFile = ./secrets.yaml;
owner = "root";
};
users.users.root.openssh.authorizedKeys.keys = [
(builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
]; ];
shellHook = ''
echo "💚 Devshell ready: nixos-generate, just available."
'';
};
nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = modules ++ [
({ config, ... }: {
boot.isContainer = true;
system.stateVersion = "25.05";
services.btcpay-full.enable = true;
services.openssh = { users.users.root.openssh.authorizedKeys.keys = [
enable = true; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
settings = { ];
PermitRootLogin = "prohibit-password"; # disables password logins
PasswordAuthentication = false; services.openssh = {
}; enable = true;
}; settings = {
}) PermitRootLogin = "prohibit-password";
self.nixosModules.btcpay-server PasswordAuthentication = false;
]; };
}; };
}; })
} self.nixosModules.btcpay-server
];
};
}
);
}
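Review bot: The new `nixosConfigurations.btcpay` still lists `self.nixosModules.btcpay-server` in its modules and sets `services.btcpay-full.enable = true;`, but the new side of this hunk no longer defines a `nixosModules` output or declares the `services.btcpay-full` option, so evaluation should fail on the missing attribute and the undeclared option unless they are defined in a file not shown here; both lines can be dropped now that the split-out modules in `modules` carry the configuration. Separately, `nixosConfigurations` is produced inside `flake-utils.lib.eachDefaultSystem`, which as far as I can tell yields `nixosConfigurations.<system>.btcpay` rather than the `nixosConfigurations.btcpay` path that `nixos-rebuild` and `nixos-generate` look up, so it likely belongs outside the `eachDefaultSystem` wrapper. The rendering merges the old and new columns, so the exact new-side text is partly inferred.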

101
flake.nix.old Normal file

@ -0,0 +1,101 @@
{
description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
sops-nix.url = "github:Mic92/sops-nix";
};
outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
options.services.btcpay-full = {
enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
};
config = lib.mkIf config.services.btcpay-full.enable {
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator = {
enable = true;
name = "btcpay";
};
# sops secret for Postgres password
sops.secrets.nbxplorer-pg-password = {
sopsFile = ./secrets.yaml;
owner = "postgres";
};
# Use tracked dotfile for Postgres auth rules
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
initialDatabases = [{ name = "nbxplorer"; }];
ensureUsers = [{
name = "nbxplorer";
passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
ensureDBOwnership = true;
}];
authentication = builtins.readFile ./pg_hba.conf;
};
services.bitcoind = {
enable = true;
prune = 100000;
dbCache = 8000;
rpc.port = 8332;
};
services.btcpayserver = {
enable = true;
address = "0.0.0.0";
port = 23000;
environment = {
NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
}";
};
};
networking.firewall.allowedTCPPorts = [
config.services.btcpayserver.port
config.services.bitcoind.port
5432
];
# (SSH added below)
};
};
nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
({ config, ... }: {
boot.isContainer = true;
system.stateVersion = "25.05";
services.btcpay-full.enable = true;
# SSH best practices: use a public key from secrets, fallback to password auth only if needed
sops.secrets.btcpay-ssh-pubkey = {
sopsFile = ./secrets.yaml;
owner = "root";
};
users.users.root.openssh.authorizedKeys.keys = [
(builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password"; # disables password logins
PasswordAuthentication = false;
};
};
})
self.nixosModules.btcpay-server
];
};
};
}


@ -0,0 +1,34 @@
{ config, specialConfig, lib, pkgs, ... }:
{
#################################
# Bitcoin Core (bitcoind)
#################################
services.bitcoind = {
enable = true;
address = "0.0.0.0";
port = 23002;
listen = true;
listenWhitelisted = true;
whitelistedPort = 8335;
# dataDir = "/var/lib/bitcoind";
rpc = {
address = "0.0.0.0";
port = 8332;
threads = 4;
allowip = [
"0.0.0.0"
];
};
regtest = false;
# network = "regtest"; # or "mainnet"
dataDirReadableByGroup = false;
disablewallet = null;
dbCache = 4000;
prune = 10000;
txindex = true;
zmqpubrawblock = "tcp://0.0.0.0:28332";
zmqpubrawtx = "tcp://0.0.0.0:28333";
user = "bitcoind";
group = "bitcoind";
};
}
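Review bot: `prune = 10000;` combined with `txindex = true;` is a configuration Bitcoin Core refuses at startup ("Prune mode is incompatible with -txindex"), so bitcoind will not come up with this module as written; keep one or the other. `port = 23002;` is also the value the btcpayserver module in this commit gives `services.btcpayserver.port`, and if both run in the same container with `address = "0.0.0.0"` one of them will fail to bind, so the P2P listener needs its own port (Bitcoin Core's default is 8333). The RPC block publishes JSON-RPC on every interface via `rpc.address = "0.0.0.0"`, while `allowip = [ "0.0.0.0" ]` is a single-host entry rather than an any-host rule, so either RPC is unreachable from other hosts or, if `0.0.0.0/0` was the intent, the node's RPC is open to the whole network with only the RPC credential protecting it; bind RPC to `127.0.0.1` or the specific client address and list explicit CIDRs. The two ZMQ publishers on `0.0.0.0` carry no authentication at all and should likewise be limited to the interface NBXplorer actually connects from. The file path for this section is not shown in the rendering.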


@ -0,0 +1,18 @@
{ config, specialConfig, lib, pkgs, ... }:
{
nix-bitcoin.generateSecrets = true;
# nix-bitcoin.secretsDir = "/var/lib/secrets";
services.btcpayserver = {
enable = true;
address = "0.0.0.0";
port = 23002;
# dataDir = "/var/lib/btcpayserver";
lbtc = true;
user = "btcpayserver";
group = "btcpayserver";
# If needed, direct BTCPay to same PostgreSQL:
# explorerpostgres = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorermainnet;";
# Set environment variables as needed for additional DB, etc.
};
}
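Review bot: `address = "0.0.0.0";` binds BTCPay Server's unencrypted HTTP listener to every interface; unless a TLS-terminating reverse proxy is configured in a file not shown here, the app should stay on `127.0.0.1` (or the container's internal address) and only the proxy should be exposed. `lbtc = true;` enables Liquid support, which in nix-bitcoin is expected to bring up a Liquid daemon that nothing in this commit configures or provisions storage for — confirm it is intended, otherwise drop it. The commented-out `explorerpostgres` line shows the Postgres wiring from the old flake was not carried over: the postgres module in this commit creates a `btcpaydb` database and a `btcpay` role that no service here is pointed at. The file path for this section is not shown in the rendering.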


@ -0,0 +1,15 @@
{ config, specialConfig, lib, pkgs, ... }:
{
services.nbxplorer = {
enable = true;
address = "0.0.0.0";
port = 24444;
# dataDir = "/var/lib/nbxplorer";
user = "nbxplorer";
group = "nbxplorer";
# Database connection string to external/local PostgreSQL:
# postgres = "User ID=nbxplorer;Host=0.0.0.0;Port=5432;Database=nbxplorermainnet;";
# chains = [ "btc" "ltc" "lbtc" ];
# Additional NBXplorer server args/overrides can go here.
};
}
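Review bot: `address = "0.0.0.0";` exposes NBXplorer's API on port 24444 on every interface although only BTCPay on the same host needs it; bind it to `127.0.0.1` and let BTCPay reach it locally. The `postgres` connection string is left commented out while the postgres module in this commit creates a `nbxplorermainnet` database and an `nbxplorer` role, so either NBXplorer runs on its default storage and those objects sit unused, or the string needs to be set — the two files should agree. If it is uncommented, `Host=0.0.0.0` is not a usable client connect address; use `localhost` or `127.0.0.1`. The file path for this section is not shown in the rendering.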


@ -0,0 +1,19 @@
{ config, lib, pkgs, specialConfig, ... }:
{
# Disable local postgres (so NixOS won't start or manage it)
services = {
postgresql = {
enable = true;
ensureDatabases = [ "nbxplorermainnet" "btcpaydb" ];
ensureUsers = [
{ name = "nbxplorer"; ensureDBOwnership = true; }
{ name = "btcpay"; ensureDBOwnership = true; }
];
authentication = ''
local all all trust
host all all 0.0.0.1/32 trust
host all all ::1/128 trust
'';
};
};
}
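Review bot: `authentication` now grants `trust` on the Unix socket and loopback, which lets any local process — including every service account in this commit — connect as the `postgres` superuser with no credential, whereas the deleted `pg_hba.conf` used `md5` with a sops-provided password, so this is a regression rather than a simplification. Prefer `peer` on the `local` line, which only works if Unix user and role names match (they do for `nbxplorer`, but the BTCPay service runs as `btcpayserver` while the role is `btcpay`), and `scram-sha-256` on the host lines with role passwords supplied from a secrets file. `host all all 0.0.0.1/32 trust` also looks like a typo for `127.0.0.1/32`, so the IPv4 loopback rule as written matches nothing. The comment `# Disable local postgres (so NixOS won't start or manage it)` contradicts `enable = true;` directly beneath it and should say what the block does, e.g. `# Local PostgreSQL for NBXplorer and BTCPay; client auth rules below`. The file path for this section is not shown in the rendering.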


@ -1,4 +0,0 @@
# TYPE DATABASE USER ADDRESS METHOD
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5