From f55936312f7447b69d2019d83a0301e0ef470293 Mon Sep 17 00:00:00 2001 From: jeirmeister Date: Tue, 22 Jul 2025 00:50:22 -0700 Subject: [PATCH 1/2] About to make change to fixing the postgres nbxplorer configuration, have to take a pause to this to get back to helm project. --- btc-ssh-key.pub | 1 + flake.nix | 71 ++++++++++++++++++++++++++++++++++--------------- justfile | 26 +++++++++--------- pg_hba.conf | 4 +++ secrets.yaml | 2 ++ shell.nix | 16 ++++++++++- 6 files changed, 85 insertions(+), 35 deletions(-) create mode 100644 btc-ssh-key.pub create mode 100644 pg_hba.conf create mode 100644 secrets.yaml diff --git a/btc-ssh-key.pub b/btc-ssh-key.pub new file mode 100644 index 0000000..5e4654b --- /dev/null +++ b/btc-ssh-key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOIWWGUGM+5GjypoSNe0nKMLnu+5/McFHQhY7HXtpbS btcpay-server key diff --git a/flake.nix b/flake.nix index b4d7e68..13074c3 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,72 +1,99 @@ { - description = "BTCPay Server NixOS module"; - + description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets"; + inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; + sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = { self, nixpkgs, nix-bitcoin, ... }: { - # Export a module for others to use + outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: { nixosModules.btcpay-server = { config, lib, pkgs, ... }: { - imports = [ nix-bitcoin.nixosModules.default ]; - + imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ]; + options.services.btcpay-full = { enable = lib.mkEnableOption "BTCPay Server with Bitcoin node"; }; - # Disable debugfs mount in LXC containers + config = lib.mkIf config.services.btcpay-full.enable { nix-bitcoin.generateSecrets = true; nix-bitcoin.operator = { enable = true; name = "btcpay"; }; - + + # sops secret for Postgres password + sops.secrets.nbxplorer-pg-password = { + sopsFile = ./secrets.yaml; + owner = "postgres"; + }; + + # Use tracked dotfile for Postgres auth rules + services.postgresql = { + enable = true; + package = pkgs.postgresql_14; + initialDatabases = [{ name = "nbxplorer"; }]; + ensureUsers = [{ + name = "nbxplorer"; + passwordFile = config.sops.secrets.nbxplorer-pg-password.path; + ensureDBOwnership = true; + }]; + authentication = builtins.readFile ./pg_hba.conf; + }; + services.bitcoind = { enable = true; prune = 100000; dbCache = 8000; rpc.port = 8332; }; - - # Enable BTCPay Server with network binding + services.btcpayserver = { enable = true; - # Configure BTCPay Server to listen on all interfaces address = "0.0.0.0"; port = 23000; + environment = { + NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${ + builtins.readFile config.sops.secrets.nbxplorer-pg-password.path + }"; + }; }; - networking.firewall.allowedTCPPorts = [ 
config.services.btcpayserver.port config.services.bitcoind.port + 5432 ]; + + # (SSH added below) }; }; - # System configuration for deployment - REMOVED duplicate nix-bitcoin import nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ - ({ ... }: { - # Minimal system configuration for containers + ({ config, ... }: { boot.isContainer = true; system.stateVersion = "25.05"; - - # Enable our BTCPay service services.btcpay-full.enable = true; - - # Basic SSH access + + # SSH best practices: use a public key from secrets, fallback to password auth only if needed + sops.secrets.btcpay-ssh-pubkey = { + sopsFile = ./secrets.yaml; + owner = "root"; + }; + users.users.root.openssh.authorizedKeys.keys = [ + (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path) + ]; + services.openssh = { enable = true; settings = { - PermitRootLogin = "yes"; - PasswordAuthentication = true; + PermitRootLogin = "prohibit-password"; # disables password logins + PasswordAuthentication = false; }; }; }) - # This module already imports nix-bitcoin.nixosModules.default self.nixosModules.btcpay-server ]; }; diff --git a/justfile b/justfile index 4928753..21d4563 100644 --- a/justfile +++ b/justfile 
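Review bot: `builtins.readFile config.sops.secrets.nbxplorer-pg-password.path` inside `NBXPLORER_CHAINS__BTC__POSTGRES` reads the secret at evaluation time, which defeats sops-nix: that path is only populated on the target at activation, so pure evaluation refuses the absolute path, and an impure evaluation on a host where it exists would copy the password into the world-readable Nix store. The same pattern is used for `btcpay-ssh-pubkey` in the nixosConfiguration, and the whole file reappears unchanged as `flake.nix.old` in the second patch. Pass the database password by path instead (an environment file rendered from the secret, or a `passwordFile`-style option), and for the SSH key, which is public, read the committed file directly with `users.users.root.openssh.authorizedKeys.keyFiles = [ ./btc-ssh-key.pub ];` — `secrets.yaml` in this commit has no `btcpay-ssh-pubkey` entry and `btc-ssh-key.pub` is otherwise unreferenced. Opening `5432` in `networking.firewall.allowedTCPPorts` also exposes Postgres on every interface while `pg_hba.conf` only admits loopback clients; drop it from the list.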
@@ -1,20 +1,22 @@ -# Variables REMOTE_HOST := "root@10.1.1.163" -# Default command -default: - @echo "BTCPay Server deployment commands:" - @echo " just build - Build configuration" - @echo " just deploy - Deploy to remote server" - -# Build the configuration build: - NIX_CONFIG="experimental-features = nix-command flakes" nix build .#nixosConfigurations.btcpay.config.system.build.toplevel + nix build .#nixosConfigurations.btcpay.config.system.build.toplevel -# Deploy to remote server deploy: - NIX_CONFIG="experimental-features = nix-command flakes" nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes" + nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes" -# Check services status status: ssh {{REMOTE_HOST}} "systemctl status bitcoind btcpayserver" + +encrypt-secrets: + sops -e -i secrets.yaml + +edit-secrets: + sops secrets.yaml + +shell: + nix develop + +psql: + psql -h localhost -U nbxplorer -d nbxplorer diff --git a/pg_hba.conf b/pg_hba.conf new file mode 100644 index 0000000..b70a5d2 --- /dev/null +++ b/pg_hba.conf @@ -0,0 +1,4 @@ +# TYPE DATABASE USER ADDRESS METHOD +local all all md5 +host all all 127.0.0.1/32 md5 +host all all ::1/128 md5 diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..33f6670 --- /dev/null +++ b/secrets.yaml @@ -0,0 +1,2 @@ +nbxplorer-pg-password: >- + f%Rn^g!o*d0U3UjXNN&1dG&H \ No newline at end of file diff --git a/shell.nix b/shell.nix index 1f60faf..1f784b5 100644 --- a/shell.nix +++ b/shell.nix 
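Review bot: All three rules use `md5`, which PostgreSQL discourages in favour of `scram-sha-256` (the server default for `password_encryption` since 14, the version `flake.nix` selects in this commit). Changing the METHOD column to `scram-sha-256` on the `local`, `127.0.0.1/32` and `::1/128` lines keeps the same loopback-only scope with a non-reversible, salted password verifier.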
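Review bot: `secrets.yaml` is committed in plaintext — there is no `sops:` metadata block, so the `nbxplorer-pg-password` value on the second line is the live credential and is now in git history regardless of the `encrypt-secrets` recipe added to `justfile` in this same commit. Rotate that password, and encrypt the file (`sops -e -i secrets.yaml`) before it is ever staged, ideally with a `.sops.yaml` creation rule and a pre-commit check so a plaintext version cannot land again. Note also that `flake.nix` expects a `btcpay-ssh-pubkey` key in this file, which it does not contain.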
@@ -2,6 +2,20 @@ pkgs.mkShell { buildInputs = with pkgs; [ - just + just # task runner + sops # secrets management + postgresql # includes psql client utility[6][9] + bitcoin # Bitcoin Core CLI tools (bitcoind, bitcoin-cli) + curl # For HTTP API testing + jq # For manipulating test output + # dotnet-sdk # IF you develop/plugins for NBXplorer, uncomment this ]; + + shellHook = '' + export SSH_CONFIG_FILE="$PWD/ssh-config-dev" + alias ssh="ssh -F $SSH_CONFIG_FILE" + alias scp="scp -F $SSH_CONFIG_FILE" + echo "Repo-local SSH config active: using $SSH_CONFIG_FILE for ssh/scp." + ''; } + From d3eddb744587405a4399010668b957f8101d5d21 Mon Sep 17 00:00:00 2001 From: jeirmeister Date: Fri, 1 Aug 2025 11:14:53 -0700 Subject: [PATCH 2/2] Reworked for simplified flake --- flake.nix | 139 +++++++++++---------------------- flake.nix.old | 101 ++++++++++++++++++++++++ modules/bitcoind/default.nix | 34 ++++++++ modules/btcpay/default.nix | 18 +++++ modules/nbxplorer/default.nix | 15 ++++ modules/postgresql/default.nix | 19 +++++ pg_hba.conf | 4 - 7 files changed, 234 insertions(+), 96 deletions(-) create mode 100644 flake.nix.old create mode 100644 modules/bitcoind/default.nix create mode 100644 modules/btcpay/default.nix create mode 100644 modules/nbxplorer/default.nix create mode 100644 modules/postgresql/default.nix delete mode 100644 pg_hba.conf diff --git a/flake.nix b/flake.nix index 13074c3..b2389d6 100644 --- a/flake.nix +++ b/flake.nix 
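Review bot: The `shellHook` points `SSH_CONFIG_FILE` at `$PWD/ssh-config-dev`, but no such file is added in this commit, so unless it already exists in the repo the `ssh`/`scp` aliases will fail on a missing config file; either add it or guard the aliases with `[ -f "$SSH_CONFIG_FILE" ] &&`. The `[6][9]` markers left in the `postgresql` comment look like pasted-in citation footnotes and should be removed.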
@@ -1,101 +1,56 @@ { - description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets"; + description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; - sops-nix.url = "github:Mic92/sops-nix"; + nixpkgs.follows = "nix-bitcoin/nixpkgs"; + nixos-generators.url = "github:nix-community/nixos-generators"; + flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: { - nixosModules.btcpay-server = { config, lib, pkgs, ... }: { - imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ]; - - options.services.btcpay-full = { - enable = lib.mkEnableOption "BTCPay Server with Bitcoin node"; - }; - - config = lib.mkIf config.services.btcpay-full.enable { - nix-bitcoin.generateSecrets = true; - nix-bitcoin.operator = { - enable = true; - name = "btcpay"; - }; - - # sops secret for Postgres password - sops.secrets.nbxplorer-pg-password = { - sopsFile = ./secrets.yaml; - owner = "postgres"; - }; - - # Use tracked dotfile for Postgres auth rules - services.postgresql = { - enable = true; - package = pkgs.postgresql_14; - initialDatabases = [{ name = "nbxplorer"; }]; - ensureUsers = [{ - name = "nbxplorer"; - passwordFile = config.sops.secrets.nbxplorer-pg-password.path; - ensureDBOwnership = true; - }]; - authentication = builtins.readFile ./pg_hba.conf; - }; - - services.bitcoind = { - enable = true; - prune = 100000; - dbCache = 8000; - rpc.port = 8332; - }; - - services.btcpayserver = { - enable = true; - address = "0.0.0.0"; - port = 23000; - environment = { - NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${ - builtins.readFile config.sops.secrets.nbxplorer-pg-password.path - }"; - }; - }; - - networking.firewall.allowedTCPPorts = [ - config.services.btcpayserver.port - 
config.services.bitcoind.port - 5432 + outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }: + flake-utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; }; + modules = [ + nix-bitcoin.nixosModules.default + ./nix/modules/bitcoind + ./nix/modules/nbxplorer + ./nix/modules/btcpay ]; - - # (SSH added below) - }; - }; - - nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - ({ config, ... }: { - boot.isContainer = true; - system.stateVersion = "25.05"; - services.btcpay-full.enable = true; - - # SSH best practices: use a public key from secrets, fallback to password auth only if needed - sops.secrets.btcpay-ssh-pubkey = { - sopsFile = ./secrets.yaml; - owner = "root"; - }; - users.users.root.openssh.authorizedKeys.keys = [ - (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path) + in { + devShells.default = pkgs.mkShell { + buildInputs = [ + nixos-generators.packages.${system}.nixos-generate + pkgs.just ]; + shellHook = '' + echo "💚 Devshell ready: nixos-generate, just available." + ''; + }; + nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = modules ++ [ + ({ config, ... }: { + boot.isContainer = true; + system.stateVersion = "25.05"; + services.btcpay-full.enable = true; - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "prohibit-password"; # disables password logins - PasswordAuthentication = false; - }; - }; - }) - self.nixosModules.btcpay-server - ]; - }; - }; -} + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io" + ]; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + }; + }; + }) + self.nixosModules.btcpay-server + ]; + }; + } + ); +} \ No newline at end of file 
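Review bot: The module list imports `./nix/modules/bitcoind`, `./nix/modules/nbxplorer` and `./nix/modules/btcpay`, but this patch creates the files under `modules/<name>/default.nix` with no `nix/` prefix, so evaluation fails on a missing path, and `modules/postgresql/default.nix` is created but never imported at all. The `nixosConfigurations.btcpay` definition still lists `self.nixosModules.btcpay-server` and sets `services.btcpay-full.enable`, both of which this hunk removes, and because it now sits inside `flake-utils.lib.eachDefaultSystem` it becomes `nixosConfigurations.<system>.btcpay`, which `nixos-rebuild --flake .#btcpay` in `justfile` will not find. Each new module also binds `specialConfig` in its argument set, which is not a standard module argument and is not supplied via `specialArgs` here. Move `nixosConfigurations` out of the per-system wrapper, fix the module paths, and drop the dangling references.
```nix
outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }:
  let
    modules = [
      nix-bitcoin.nixosModules.default
      ./modules/bitcoind
      ./modules/nbxplorer
      ./modules/btcpay
      ./modules/postgresql
    ];
  in
  flake-utils.lib.eachDefaultSystem (system:
    let pkgs = import nixpkgs { inherit system; }; in {
      # … unchanged: devShells.default …
    }
  ) // {
    nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = modules ++ [
        ({ config, ... }: {
          boot.isContainer = true;
          system.stateVersion = "25.05";
          # … unchanged: root authorizedKeys and services.openssh …
        })
      ];
    };
  };
```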
diff --git a/flake.nix.old b/flake.nix.old
new file mode 100644
index 0000000..13074c3
--- /dev/null
+++ b/flake.nix.old
@@ -0,0 +1,101 @@ +{ + description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; + sops-nix.url = "github:Mic92/sops-nix"; + }; + + outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: { + nixosModules.btcpay-server = { config, lib, pkgs, ... }: { + imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ]; + + options.services.btcpay-full = { + enable = lib.mkEnableOption "BTCPay Server with Bitcoin node"; + }; + + config = lib.mkIf config.services.btcpay-full.enable { + nix-bitcoin.generateSecrets = true; + nix-bitcoin.operator = { + enable = true; + name = "btcpay"; + }; + + # sops secret for Postgres password + sops.secrets.nbxplorer-pg-password = { + sopsFile = ./secrets.yaml; + owner = "postgres"; + }; + + # Use tracked dotfile for Postgres auth rules + services.postgresql = { + enable = true; + package = pkgs.postgresql_14; + initialDatabases = [{ name = "nbxplorer"; }]; + ensureUsers = [{ + name = "nbxplorer"; + passwordFile = config.sops.secrets.nbxplorer-pg-password.path; + ensureDBOwnership = true; + }]; + authentication = builtins.readFile ./pg_hba.conf; + }; + + services.bitcoind = { + enable = true; + prune = 100000; + dbCache = 8000; + rpc.port = 8332; + }; + + services.btcpayserver = { + enable = true; + address = "0.0.0.0"; + port = 23000; + environment = { + NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${ + builtins.readFile config.sops.secrets.nbxplorer-pg-password.path + }"; + }; + }; + + networking.firewall.allowedTCPPorts = [ + config.services.btcpayserver.port + config.services.bitcoind.port + 5432 + ]; + + # (SSH added below) + }; + }; + + nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ({ config, ... 
}: { + boot.isContainer = true; + system.stateVersion = "25.05"; + services.btcpay-full.enable = true; + + # SSH best practices: use a public key from secrets, fallback to password auth only if needed + sops.secrets.btcpay-ssh-pubkey = { + sopsFile = ./secrets.yaml; + owner = "root"; + }; + users.users.root.openssh.authorizedKeys.keys = [ + (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path) + ]; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "prohibit-password"; # disables password logins + PasswordAuthentication = false; + }; + }; + }) + self.nixosModules.btcpay-server + ]; + }; + }; +} diff --git a/modules/bitcoind/default.nix b/modules/bitcoind/default.nix new file mode 100644 index 0000000..c9ff27b --- /dev/null +++ b/modules/bitcoind/default.nix @@ -0,0 +1,34 @@ +{ config, specialConfig, lib, pkgs, ... }: +{ + ################################# + # Bitcoin Core (bitcoind) + ################################# + services.bitcoind = { + enable = true; + address = "0.0.0.0"; + port = 23002; + listen = true; + listenWhitelisted = true; + whitelistedPort = 8335; + # dataDir = "/var/lib/bitcoind"; + rpc = { + address = "0.0.0.0"; + port = 8332; + threads = 4; + allowip = [ + "0.0.0.0" + ]; + }; + regtest = false; + # network = "regtest"; # or "mainnet" + dataDirReadableByGroup = false; + disablewallet = null; + dbCache = 4000; + prune = 10000; + txindex = true; + zmqpubrawblock = "tcp://0.0.0.0:28332"; + zmqpubrawtx = "tcp://0.0.0.0:28333"; + user = "bitcoind"; + group = "bitcoind"; + }; +} diff --git a/modules/btcpay/default.nix b/modules/btcpay/default.nix new file mode 100644 index 0000000..555d69b --- /dev/null +++ b/modules/btcpay/default.nix 
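Review bot: `services.bitcoind.port = 23002` collides with `services.btcpayserver.port = 23002` in `modules/btcpay/default.nix`, and both bind `0.0.0.0`, so whichever service starts second cannot listen; give the P2P port its own value (upstream bitcoind defaults to 8333) or bind the two to different addresses. The RPC listener (`rpc.address = "0.0.0.0"`) and both ZMQ endpoints are likewise exposed on every interface although NBXplorer and BTCPay run on the same host, so `127.0.0.1` is sufficient, and `allowip = [ "0.0.0.0" ]` should then go — if it was meant as a wildcard, bitcoind expects CIDR notation for that, which would be the least safe choice here. `specialConfig` in the argument set is not a standard module argument; unless `flake.nix` passes it through `specialArgs` (it does not in this patch) evaluation fails on an undefined argument.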
@@ -0,0 +1,18 @@ +{ config, specialConfig, lib, pkgs, ... }: +{ + + nix-bitcoin.generateSecrets = true; + # nix-bitcoin.secretsDir = "/var/lib/secrets"; + services.btcpayserver = { + enable = true; + address = "0.0.0.0"; + port = 23002; + # dataDir = "/var/lib/btcpayserver"; + lbtc = true; + user = "btcpayserver"; + group = "btcpayserver"; + # If needed, direct BTCPay to same PostgreSQL: + # explorerpostgres = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorermainnet;"; + # Set environment variables as needed for additional DB, etc. + }; +} diff --git a/modules/nbxplorer/default.nix b/modules/nbxplorer/default.nix new file mode 100644 index 0000000..8e0d321 --- /dev/null +++ b/modules/nbxplorer/default.nix @@ -0,0 +1,15 @@ +{ config, specialConfig, lib, pkgs, ... }: +{ + services.nbxplorer = { + enable = true; + address = "0.0.0.0"; + port = 24444; + # dataDir = "/var/lib/nbxplorer"; + user = "nbxplorer"; + group = "nbxplorer"; + # Database connection string to external/local PostgreSQL: + # postgres = "User ID=nbxplorer;Host=0.0.0.0;Port=5432;Database=nbxplorermainnet;"; + # chains = [ "btc" "ltc" "lbtc" ]; + # Additional NBXplorer server args/overrides can go here. + }; +} diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix new file mode 100644 index 0000000..ba094ed --- /dev/null +++ b/modules/postgresql/default.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, specialConfig, ... }: +{ + # Disable local postgres (so NixOS won't start or manage it) + services = { + postgresql = { + enable = true; + ensureDatabases = [ "nbxplorermainnet" "btcpaydb" ]; + ensureUsers = [ + { name = "nbxplorer"; ensureDBOwnership = true; } + { name = "btcpay"; ensureDBOwnership = true; } + ]; + authentication = '' + local all all trust + host all all 0.0.0.1/32 trust + host all all ::1/128 trust + ''; + }; + }; +} diff --git a/pg_hba.conf b/pg_hba.conf deleted file mode 100644 index b70a5d2..0000000 --- a/pg_hba.conf +++ /dev/null 
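Review bot: `services.nbxplorer.address = "0.0.0.0"` publishes the NBXplorer API on every interface although its only consumer, BTCPay, is on the same host; `127.0.0.1` is the safer binding, since reachability of the API is otherwise gated only by NBXplorer's cookie authentication (presumably what nix-bitcoin configures — worth confirming). The commented `postgres` connection string uses `Host=0.0.0.0`, which is not a valid client destination; if it is ever uncommented it should read `Host=localhost` or a socket directory.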
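Review bot: The `authentication` block grants `trust` to every user on every database for the local socket and loopback, so any process or account on the host can log in as `nbxplorer` or `btcpay` without a password; use `peer` for the `local` line (with a `pg_ident` map where the unix and database user names differ, e.g. `btcpayserver` → `btcpay`) and `scram-sha-256` for the `host` lines — the `md5` rules in the `pg_hba.conf` this patch deletes were the more restrictive version of this. The IPv4 host rule also reads `0.0.0.1/32`, which is not the loopback address; `127.0.0.1/32` is what the old file had and what clients on `localhost` will match. The header comment says the module disables local Postgres while the body sets `enable = true`; one of the two should change.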
@@ -1,4 +0,0 @@
-# TYPE DATABASE USER ADDRESS METHOD
-local all all md5
-host all all 127.0.0.1/32 md5
-host all all ::1/128 md5