Reworked for simplified flake

btc-ssh-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOIWWGUGM+5GjypoSNe0nKMLnu+5/McFHQhY7HXtpbS btcpay-server key

flake.nix

@@ -1,74 +1,56 @@
 {
-  description = "BTCPay Server NixOS module";
+  description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
+    nixpkgs.follows = "nix-bitcoin/nixpkgs";
+    nixos-generators.url = "github:nix-community/nixos-generators";
+    flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, nix-bitcoin, ... }: {
-    # Export a module for others to use
-    nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
-      imports = [ nix-bitcoin.nixosModules.default ];
-      
-      options.services.btcpay-full = {
-        enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
-      };
-      # Disable debugfs mount in LXC containers
-      config = lib.mkIf config.services.btcpay-full.enable {
-        nix-bitcoin.generateSecrets = true;
-        nix-bitcoin.operator = {
-          enable = true;
-          name = "btcpay";
-        };
-        
-        services.bitcoind = {
-          enable = true;
-          prune = 100000;
-          dbCache = 8000;
-          rpc.port = 8332;
-        };
-        
-        # Enable BTCPay Server with network binding
-        services.btcpayserver = {
-          enable = true;
-          # Configure BTCPay Server to listen on all interfaces
-          address = "0.0.0.0";
-          port = 23000;
-        };
-
-        
-        networking.firewall.allowedTCPPorts = [
-          config.services.btcpayserver.port
-          config.services.bitcoind.port
+  outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        modules = [
+          nix-bitcoin.nixosModules.default
+          ./nix/modules/bitcoind
+          ./nix/modules/nbxplorer
+          ./nix/modules/btcpay
         ];
-      };
-    };
+      in {
+        devShells.default = pkgs.mkShell {
+          buildInputs = [
+            nixos-generators.packages.${system}.nixos-generate
+            pkgs.just
+          ];
+          shellHook = ''
+            echo "💚 Devshell ready: nixos-generate, just available."
+          '';
+        };
+        nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = modules ++ [
+            ({ config, ... }: {
+              boot.isContainer = true;
+              system.stateVersion = "25.05";
+              services.btcpay-full.enable = true;
 
-    # System configuration for deployment - REMOVED duplicate nix-bitcoin import
-    nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      modules = [
-        ({ ... }: {
-          # Minimal system configuration for containers
-          boot.isContainer = true;
-          system.stateVersion = "25.05";
+              users.users.root.openssh.authorizedKeys.keys = [
+                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
+              ];
 
-          # Enable our BTCPay service
-          services.btcpay-full.enable = true;
-          
-          # Basic SSH access
-          services.openssh = {
-            enable = true;
-            settings = {
-              PermitRootLogin = "yes";
-              PasswordAuthentication = true;
-            };
-          };
-        })
-        # This module already imports nix-bitcoin.nixosModules.default
-        self.nixosModules.btcpay-server
-      ];
-    };
-  };
+              services.openssh = {
+                enable = true;
+                settings = {
+                  PermitRootLogin = "prohibit-password";
+                  PasswordAuthentication = false;
+                };
+              };
+            })
+            self.nixosModules.btcpay-server
+          ];
+        };
+      }
+    );
 }

flake.nix.old

@@ -0,0 +1,101 @@
+{
+  description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
+    sops-nix.url = "github:Mic92/sops-nix";
+  };
+
+  outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
+    nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
+      imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
+
+      options.services.btcpay-full = {
+        enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
+      };
+
+      config = lib.mkIf config.services.btcpay-full.enable {
+        nix-bitcoin.generateSecrets = true;
+        nix-bitcoin.operator = {
+          enable = true;
+          name = "btcpay";
+        };
+
+        # sops secret for Postgres password
+        sops.secrets.nbxplorer-pg-password = {
+          sopsFile = ./secrets.yaml;
+          owner = "postgres";
+        };
+
+        # Use tracked dotfile for Postgres auth rules
+        services.postgresql = {
+          enable = true;
+          package = pkgs.postgresql_14;
+          initialDatabases = [{ name = "nbxplorer"; }];
+          ensureUsers = [{
+            name = "nbxplorer";
+            passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
+            ensureDBOwnership = true;
+          }];
+          authentication = builtins.readFile ./pg_hba.conf;
+        };
+
+        services.bitcoind = {
+          enable = true;
+          prune = 100000;
+          dbCache = 8000;
+          rpc.port = 8332;
+        };
+
+        services.btcpayserver = {
+          enable = true;
+          address = "0.0.0.0";
+          port = 23000;
+          environment = {
+            NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
+              builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
+            }";
+          };
+        };
+
+        networking.firewall.allowedTCPPorts = [
+          config.services.btcpayserver.port
+          config.services.bitcoind.port
+          5432
+        ];
+
+        # (SSH added below)
+      };
+    };
+
+    nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ({ config, ... }: {
+          boot.isContainer = true;
+          system.stateVersion = "25.05";
+          services.btcpay-full.enable = true;
+
+          # SSH best practices: use a public key from secrets, fallback to password auth only if needed
+          sops.secrets.btcpay-ssh-pubkey = {
+            sopsFile = ./secrets.yaml;
+            owner = "root";
+          };
+          users.users.root.openssh.authorizedKeys.keys = [
+            (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path)
+          ];
+
+          services.openssh = {
+            enable = true;
+            settings = {
+              PermitRootLogin = "prohibit-password"; # disables password logins
+              PasswordAuthentication = false;
+            };
+          };
+        })
+        self.nixosModules.btcpay-server
+      ];
+    };
+  };
+}

justfile

@@ -1,20 +1,22 @@
-# Variables
 REMOTE_HOST := "root@10.1.1.163"
 
-# Default command
-default:
-    @echo "BTCPay Server deployment commands:"
-    @echo "  just build     - Build configuration"
-    @echo "  just deploy    - Deploy to remote server"
-
-# Build the configuration
 build:
-    NIX_CONFIG="experimental-features = nix-command flakes" nix build .#nixosConfigurations.btcpay.config.system.build.toplevel
+    nix build .#nixosConfigurations.btcpay.config.system.build.toplevel
 
-# Deploy to remote server
 deploy:
-    NIX_CONFIG="experimental-features = nix-command flakes" nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes"
+    nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes"
 
-# Check services status
 status:
     ssh {{REMOTE_HOST}} "systemctl status bitcoind btcpayserver"
+
+encrypt-secrets:
+    sops -e -i secrets.yaml
+
+edit-secrets:
+    sops secrets.yaml
+
+shell:
+    nix develop
+
+psql:
+    psql -h localhost -U nbxplorer -d nbxplorer

modules/bitcoind/default.nix

@@ -0,0 +1,34 @@
+{ config, specialConfig, lib, pkgs, ... }:
+{
+    #################################
+    # Bitcoin Core (bitcoind)
+    #################################
+    services.bitcoind = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 23002;
+      listen = true;
+      listenWhitelisted = true;
+      whitelistedPort = 8335;
+      # dataDir = "/var/lib/bitcoind";
+      rpc = {
+        address = "0.0.0.0";
+        port = 8332;
+        threads = 4;
+        allowip = [
+          "0.0.0.0"
+        ];
+      };
+      regtest = false;
+      # network = "regtest"; # or "mainnet"
+      dataDirReadableByGroup = false;
+      disablewallet = null;
+      dbCache = 4000;
+      prune = 10000;
+      txindex = true;
+      zmqpubrawblock = "tcp://0.0.0.0:28332";
+      zmqpubrawtx = "tcp://0.0.0.0:28333";
+      user = "bitcoind";
+      group = "bitcoind";
+    };
+}

modules/btcpay/default.nix

@@ -0,0 +1,18 @@
+{ config, specialConfig, lib, pkgs, ... }:
+{
+
+    nix-bitcoin.generateSecrets = true;
+    # nix-bitcoin.secretsDir = "/var/lib/secrets";
+    services.btcpayserver = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 23002;
+      # dataDir = "/var/lib/btcpayserver";
+      lbtc = true;
+      user = "btcpayserver";
+      group = "btcpayserver";
+      # If needed, direct BTCPay to same PostgreSQL:
+      # explorerpostgres = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorermainnet;";
+      # Set environment variables as needed for additional DB, etc.
+    };
+}

modules/nbxplorer/default.nix

@@ -0,0 +1,15 @@
+{ config, specialConfig, lib, pkgs, ... }:
+{
+    services.nbxplorer = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 24444;
+      # dataDir = "/var/lib/nbxplorer";
+      user = "nbxplorer";
+      group = "nbxplorer";
+      # Database connection string to external/local PostgreSQL:
+      # postgres = "User ID=nbxplorer;Host=0.0.0.0;Port=5432;Database=nbxplorermainnet;";
+      # chains = [ "btc" "ltc" "lbtc" ];
+      # Additional NBXplorer server args/overrides can go here.
+    };
+}

modules/postgresql/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, specialConfig, ... }:
+{
+  # Disable local postgres (so NixOS won't start or manage it)
+  services = {
+      postgresql = {
+      enable = true;
+      ensureDatabases = [ "nbxplorermainnet" "btcpaydb" ];
+      ensureUsers = [
+        { name = "nbxplorer"; ensureDBOwnership = true; }
+        { name = "btcpay"; ensureDBOwnership = true; }
+      ];
+      authentication = ''
+        local all        all                      trust
+        host  all        all     0.0.0.1/32     trust
+        host  all        all     ::1/128          trust
+      '';
+    };
+  };
+}

secrets.yaml

@@ -0,0 +1,2 @@
+nbxplorer-pg-password: >-
+  f%Rn^g!o*d0U3UjXNN&1dG&H

shell.nix

@@ -2,6 +2,20 @@
 
 pkgs.mkShell {
   buildInputs = with pkgs; [
-    just
+    just           # task runner
+    sops           # secrets management
+    postgresql     # includes psql client utility[6][9]
+    bitcoin        # Bitcoin Core CLI tools (bitcoind, bitcoin-cli)
+    curl           # For HTTP API testing
+    jq             # For manipulating test output
+    # dotnet-sdk   # IF you develop/plugins for NBXplorer, uncomment this
   ];
+
+  shellHook = ''
+    export SSH_CONFIG_FILE="$PWD/ssh-config-dev"
+    alias ssh="ssh -F $SSH_CONFIG_FILE"
+    alias scp="scp -F $SSH_CONFIG_FILE"
+    echo "Repo-local SSH config active: using $SSH_CONFIG_FILE for ssh/scp."
+  '';
 }
+