diff --git a/btc-ssh-key.pub b/btc-ssh-key.pub
deleted file mode 100644
index 5e4654b..0000000
--- a/btc-ssh-key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOIWWGUGM+5GjypoSNe0nKMLnu+5/McFHQhY7HXtpbS btcpay-server key
diff --git a/flake.nix b/flake.nix
index b2389d6..b4d7e68 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,56 +1,74 @@ { - description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image"; - + description = "BTCPay Server NixOS module"; + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; - nixpkgs.follows = "nix-bitcoin/nixpkgs"; - nixos-generators.url = "github:nix-community/nixos-generators"; - flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }: - flake-utils.lib.eachDefaultSystem (system: - let - pkgs = import nixpkgs { inherit system; }; - modules = [ - nix-bitcoin.nixosModules.default - ./nix/modules/bitcoind - ./nix/modules/nbxplorer - ./nix/modules/btcpay + outputs = { self, nixpkgs, nix-bitcoin, ... }: { + # Export a module for others to use + nixosModules.btcpay-server = { config, lib, pkgs, ... }: { + imports = [ nix-bitcoin.nixosModules.default ]; + + options.services.btcpay-full = { + enable = lib.mkEnableOption "BTCPay Server with Bitcoin node"; + }; + # Disable debugfs mount in LXC containers + config = lib.mkIf config.services.btcpay-full.enable { + nix-bitcoin.generateSecrets = true; + nix-bitcoin.operator = { + enable = true; + name = "btcpay"; + }; + + services.bitcoind = { + enable = true; + prune = 100000; + dbCache = 8000; + rpc.port = 8332; + }; + + # Enable BTCPay Server with network binding + services.btcpayserver = { + enable = true; + # Configure BTCPay Server to listen on all interfaces + address = "0.0.0.0"; + port = 23000; + }; + + + networking.firewall.allowedTCPPorts = [ + config.services.btcpayserver.port + config.services.bitcoind.port ]; - in { - devShells.default = pkgs.mkShell { - buildInputs = [ - nixos-generators.packages.${system}.nixos-generate - pkgs.just - ]; - shellHook = '' - echo "💚 Devshell ready: nixos-generate, just available." 
- ''; - }; - nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = modules ++ [ - ({ config, ... }: { - boot.isContainer = true; - system.stateVersion = "25.05"; - services.btcpay-full.enable = true; + }; + }; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io" - ]; - - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "prohibit-password"; - PasswordAuthentication = false; - }; - }; - }) - self.nixosModules.btcpay-server - ]; - }; - } - ); -} \ No newline at end of file + # System configuration for deployment - REMOVED duplicate nix-bitcoin import + nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ({ ... }: { + # Minimal system configuration for containers + boot.isContainer = true; + system.stateVersion = "25.05"; + + # Enable our BTCPay service + services.btcpay-full.enable = true; + + # Basic SSH access + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + PasswordAuthentication = true; + }; + }; + }) + # This module already imports nix-bitcoin.nixosModules.default + self.nixosModules.btcpay-server + ]; + }; + }; +} diff --git a/flake.nix.old b/flake.nix.old deleted file mode 100644 index 13074c3..0000000 --- a/flake.nix.old +++ /dev/null 
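Review bot: The SSH settings inside the new nixosConfigurations.btcpay module regress to `PermitRootLogin = "yes";` and `PasswordAuthentication = true;` while the `users.users.root.openssh.authorizedKeys.keys` entry from the old side is dropped, so root on the payment host is now reachable by password over the same network this hunk opens in `networking.firewall.allowedTCPPorts`. Keep the previous key-only policy — `PermitRootLogin = "prohibit-password";` and `PasswordAuthentication = false;` — and carry an authorized key over (from a file kept outside the repo if it must not be committed) instead of turning password login on. The comment `# Disable debugfs mount in LXC containers` placed above `config = lib.mkIf config.services.btcpay-full.enable {` describes nothing in the block that follows; replace it with `# Everything below applies only when services.btcpay-full.enable is set`. Because `services.btcpayserver.address = "0.0.0.0"` is paired with `config.services.btcpayserver.port` in the firewall list, the UI is served plain on every interface, so a comment stating whether a TLS-terminating proxy is expected in front of it would help the next maintainer.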
@@ -1,101 +0,0 @@
-{
- description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";
-
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
- nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
- sops-nix.url = "github:Mic92/sops-nix";
- };
-
- outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {
- nixosModules.btcpay-server = { config, lib, pkgs, ... }: {
- imports = [ nix-bitcoin.nixosModules.default sops-nix.nixosModules.sops ];
-
- options.services.btcpay-full = {
- enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
- };
-
- config = lib.mkIf config.services.btcpay-full.enable {
- nix-bitcoin.generateSecrets = true;
- nix-bitcoin.operator = {
- enable = true;
- name = "btcpay";
- };
-
- # sops secret for Postgres password
- sops.secrets.nbxplorer-pg-password = {
- sopsFile = ./secrets.yaml;
- owner = "postgres";
- };
-
- # Use tracked dotfile for Postgres auth rules
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql_14;
- initialDatabases = [{ name = "nbxplorer"; }];
- ensureUsers = [{
- name = "nbxplorer";
- passwordFile = config.sops.secrets.nbxplorer-pg-password.path;
- ensureDBOwnership = true;
- }];
- authentication = builtins.readFile ./pg_hba.conf;
- };
-
- services.bitcoind = {
- enable = true;
- prune = 100000;
- dbCache = 8000;
- rpc.port = 8332;
- };
-
- services.btcpayserver = {
- enable = true;
- address = "0.0.0.0";
- port = 23000;
- environment = {
- NBXPLORER_CHAINS__BTC__POSTGRES = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${
- builtins.readFile config.sops.secrets.nbxplorer-pg-password.path
- }";
- };
- };
-
- networking.firewall.allowedTCPPorts = [
- config.services.btcpayserver.port
- config.services.bitcoind.port
- 5432
- ];
-
- # (SSH added below)
- };
- };
-
- nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ({ config, ... 
}: { - boot.isContainer = true; - system.stateVersion = "25.05"; - services.btcpay-full.enable = true; - - # SSH best practices: use a public key from secrets, fallback to password auth only if needed - sops.secrets.btcpay-ssh-pubkey = { - sopsFile = ./secrets.yaml; - owner = "root"; - }; - users.users.root.openssh.authorizedKeys.keys = [ - (builtins.readFile config.sops.secrets.btcpay-ssh-pubkey.path) - ]; - - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "prohibit-password"; # disables password logins - PasswordAuthentication = false; - }; - }; - }) - self.nixosModules.btcpay-server - ]; - }; - }; -} diff --git a/justfile b/justfile index 21d4563..4928753 100644 --- a/justfile +++ b/justfile @@ -1,22 +1,20 @@ +# Variables REMOTE_HOST := "root@10.1.1.163" +# Default command +default: + @echo "BTCPay Server deployment commands:" + @echo " just build - Build configuration" + @echo " just deploy - Deploy to remote server" + +# Build the configuration build: - nix build .#nixosConfigurations.btcpay.config.system.build.toplevel + NIX_CONFIG="experimental-features = nix-command flakes" nix build .#nixosConfigurations.btcpay.config.system.build.toplevel +# Deploy to remote server deploy: - nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes" + NIX_CONFIG="experimental-features = nix-command flakes" nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}} --option experimental-features "nix-command flakes" +# Check services status status: ssh {{REMOTE_HOST}} "systemctl status bitcoind btcpayserver" - -encrypt-secrets: - sops -e -i secrets.yaml - -edit-secrets: - sops secrets.yaml - -shell: - nix develop - -psql: - psql -h localhost -U nbxplorer -d nbxplorer diff --git a/modules/bitcoind/default.nix b/modules/bitcoind/default.nix deleted file mode 100644 index c9ff27b..0000000 --- a/modules/bitcoind/default.nix +++ /dev/null 
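Review bot: The new `deploy` recipe enables the experimental features twice, once through `NIX_CONFIG="experimental-features = nix-command flakes"` and again with `--option experimental-features "nix-command flakes"`; one is enough, so `NIX_CONFIG="experimental-features = nix-command flakes" nixos-rebuild switch --flake .#btcpay --target-host {{REMOTE_HOST}}` keeps it in the same style as `build`. The `default` help text lists `build` and `deploy` but not `status`, which the file still defines; add `@echo " just status - Check services status"`. The removed `encrypt-secrets` and `edit-secrets` recipes were the only handling of secrets.yaml, which this commit deletes as well, and that file's single value was committed unencrypted; removing the file does not remove the value from history, so the database credential it held should be treated as exposed and rotated, a follow-up the commit does not mention.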
@@ -1,34 +0,0 @@
-{ config, specialConfig, lib, pkgs, ... }:
-{
- #################################
- # Bitcoin Core (bitcoind)
- #################################
- services.bitcoind = {
- enable = true;
- address = "0.0.0.0";
- port = 23002;
- listen = true;
- listenWhitelisted = true;
- whitelistedPort = 8335;
- # dataDir = "/var/lib/bitcoind";
- rpc = {
- address = "0.0.0.0";
- port = 8332;
- threads = 4;
- allowip = [
- "0.0.0.0"
- ];
- };
- regtest = false;
- # network = "regtest"; # or "mainnet"
- dataDirReadableByGroup = false;
- disablewallet = null;
- dbCache = 4000;
- prune = 10000;
- txindex = true;
- zmqpubrawblock = "tcp://0.0.0.0:28332";
- zmqpubrawtx = "tcp://0.0.0.0:28333";
- user = "bitcoind";
- group = "bitcoind";
- };
-}
diff --git a/modules/btcpay/default.nix b/modules/btcpay/default.nix
deleted file mode 100644
index 555d69b..0000000
--- a/modules/btcpay/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, specialConfig, lib, pkgs, ... }:
-{
-
- nix-bitcoin.generateSecrets = true;
- # nix-bitcoin.secretsDir = "/var/lib/secrets";
- services.btcpayserver = {
- enable = true;
- address = "0.0.0.0";
- port = 23002;
- # dataDir = "/var/lib/btcpayserver";
- lbtc = true;
- user = "btcpayserver";
- group = "btcpayserver";
- # If needed, direct BTCPay to same PostgreSQL:
- # explorerpostgres = "User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorermainnet;";
- # Set environment variables as needed for additional DB, etc.
- };
-}
diff --git a/modules/nbxplorer/default.nix b/modules/nbxplorer/default.nix
deleted file mode 100644
index 8e0d321..0000000
--- a/modules/nbxplorer/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, specialConfig, lib, pkgs, ... }:
-{
- services.nbxplorer = {
- enable = true;
- address = "0.0.0.0";
- port = 24444;
- # dataDir = "/var/lib/nbxplorer";
- user = "nbxplorer";
- group = "nbxplorer";
- # Database connection string to external/local PostgreSQL:
- # postgres = "User ID=nbxplorer;Host=0.0.0.0;Port=5432;Database=nbxplorermainnet;";
- # chains = [ "btc" "ltc" "lbtc" ];
- # Additional NBXplorer server args/overrides can go here.
- };
-}
diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix
deleted file mode 100644
index ba094ed..0000000
--- a/modules/postgresql/default.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, lib, pkgs, specialConfig, ... }:
-{
- # Disable local postgres (so NixOS won't start or manage it)
- services = {
- postgresql = {
- enable = true;
- ensureDatabases = [ "nbxplorermainnet" "btcpaydb" ];
- ensureUsers = [
- { name = "nbxplorer"; ensureDBOwnership = true; }
- { name = "btcpay"; ensureDBOwnership = true; }
- ];
- authentication = ''
- local all all trust
- host all all 0.0.0.1/32 trust
- host all all ::1/128 trust
- '';
- };
- };
-}
diff --git a/secrets.yaml b/secrets.yaml
deleted file mode 100644
index 33f6670..0000000
--- a/secrets.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-nbxplorer-pg-password: >-
- f%Rn^g!o*d0U3UjXNN&1dG&H
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
index 1f784b5..1f60faf 100644
--- a/shell.nix
+++ b/shell.nix
@@ -2,20 +2,6 @@ pkgs.mkShell { buildInputs = with pkgs; [ - just # task runner - sops # secrets management - postgresql # includes psql client utility[6][9] - bitcoin # Bitcoin Core CLI tools (bitcoind, bitcoin-cli) - curl # For HTTP API testing - jq # For manipulating test output - # dotnet-sdk # IF you develop/plugins for NBXplorer, uncomment this + just ]; - - shellHook = '' - export SSH_CONFIG_FILE="$PWD/ssh-config-dev" - alias ssh="ssh -F $SSH_CONFIG_FILE" - alias scp="scp -F $SSH_CONFIG_FILE" - echo "Repo-local SSH config active: using $SSH_CONFIG_FILE for ssh/scp." - ''; } -