About to make change to fixing the postgres nbxplorer configuration, have to take a pause to this to get back to helm project.

btc-ssh-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOIWWGUGM+5GjypoSNe0nKMLnu+5/McFHQhY7HXtpbS btcpay-server key

flake.nix

@@ -1,20 +1,20 @@
 {
-  description = "BTCPay Server NixOS module";
+  description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
+    sops-nix.url = "github:Mic92/sops-nix";
   };
 
-  outputs = { self, nixpkgs, nix-bitcoin, ... }: {
+  outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
-    # Export a module for others to use
     nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
-      imports = [ nix-bitcoin.nixosModules.default ];
+      imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
 
       options.services.btcpay-full = {
         enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
       };
-      # Disable debugfs mount in LXC containers
+
       config = lib.mkIf config.services.btcpay-full.enable {
         nix-bitcoin.generateSecrets = true;
         nix-bitcoin.operator = {
@@ -22,6 +22,25 @@
           name = "btcpay";
         };
 
+        # sops secret for Postgres password
+        sops.secrets.nbxplorer-pg-password = {
+          sopsFile = ./secrets.yaml;
+          owner = "postgres";
+        };
+
+        # Use tracked dotfile for Postgres auth rules
+        services.postgresql = {
+          enable = true;
+          package = pkgs.postgresql_14;
+          initialDatabases = [{ name = "nbxplorer"; }];
+          ensureUsers = [{
+            name = "nbxplorer";
+            passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
+            ensureDBOwnership = true;
+          }];
+          authentication = builtins.readFile ./pg_hba.conf;
+        };
+
         services.bitcoind = {
           enable = true;
           prune = 100000;
@@ -29,44 +48,52 @@
           rpc.port = 8332;
         };
 
-        # Enable BTCPay Server with network binding
         services.btcpayserver = {
           enable = true;
-          # Configure BTCPay Server to listen on all interfaces
           address = "0.0.0.0";
           port = 23000;
+          environment = {
+            NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
+              builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
+            }";
+          };
         };
-
 
         networking.firewall.allowedTCPPorts = [
           config.services.btcpayserver.port
           config.services.bitcoind.port
+          5432
         ];
+
+        # (SSH added below)
       };
     };
 
-    # System configuration for deployment - REMOVED duplicate nix-bitcoin import
     nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [
-        ({ ... }: {
+        ({ config, ... }: {
-          # Minimal system configuration for containers
           boot.isContainer = true;
           system.stateVersion = "25.05";
-          
-          # Enable our BTCPay service
           services.btcpay-full.enable = true;
 
-          # Basic SSH access
+          # SSH best practices: use a public key from secrets, fallback to password auth only if needed
+          sops.secrets.btcpay-ssh-pubkey = {
+            sopsFile = ./secrets.yaml;
+            owner = "root";
+          };
+          users.users.root.openssh.authorizedKeys.keys = [
+            (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
+          ];
+
           services.openssh = {
             enable = true;
             settings = {
-              PermitRootLogin = "yes";
+              PermitRootLogin = "prohibit-password"; # disables password logins
-              PasswordAuthentication = true;
+              PasswordAuthentication = false;
             };
           };
         })
-        # This module already imports nix-bitcoin.nixosModules.default
         self.nixosModules.btcpay-server
       ];
     };

justfile

@@ -1,20 +1,22 @@
-# Variables
 REMOTE_HOST := "root@10.1.1.163"
 
-# Default command
-default:
-    @echo "BTCPay Server deployment commands:"
-    @echo "  just build     - Build configuration"
-    @echo "  just deploy    - Deploy to remote server"
-
-# Build the configuration
 build:
-    NIX_CONFIG="experimental-features = nix-command flakes" nix build .#nixosConfigurations.btcpay.config.system.build.toplevel
+    nix build .#nixosConfigurations.btcpay.config.system.build.toplevel
 
-# Deploy to remote server
 deploy:
-    NIX_CONFIG="experimental-features = nix-command flakes" nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes"
+    nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes"
 
-# Check services status
 status:
     ssh {{REMOTE_HOST}} "systemctl status bitcoind btcpayserver"
+
+encrypt-secrets:
+    sops -e -i secrets.yaml
+
+edit-secrets:
+    sops secrets.yaml
+
+shell:
+    nix develop
+
+psql:
+    psql -h localhost -U nbxplorer -d nbxplorer

pg_hba.conf

@@ -0,0 +1,4 @@
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+local   all             all                                     md5
+host    all             all             127.0.0.1/32            md5
+host    all             all             ::1/128                 md5

secrets.yaml

@@ -0,0 +1,2 @@
+nbxplorer-pg-password: >-
+  f%Rn^g!o*d0U3UjXNN&1dG&H

shell.nix

@@ -2,6 +2,20 @@
 
 pkgs.mkShell {
   buildInputs = with pkgs; [
-    just
+    just           # task runner
+    sops           # secrets management
+    postgresql     # includes psql client utility[6][9]
+    bitcoin        # Bitcoin Core CLI tools (bitcoind, bitcoin-cli)
+    curl           # For HTTP API testing
+    jq             # For manipulating test output
+    # dotnet-sdk   # IF you develop/plugins for NBXplorer, uncomment this
   ];
+
+  shellHook = ''
+    export SSH_CONFIG_FILE="$PWD/ssh-config-dev"
+    alias ssh="ssh -F $SSH_CONFIG_FILE"
+    alias scp="scp -F $SSH_CONFIG_FILE"
+    echo "Repo-local SSH config active: using $SSH_CONFIG_FILE for ssh/scp."
+  '';
 }
+