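{
  description = "BTCPayServer NixOS flake with dotfile-based pg_hba.conf and sops-nix secrets";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
    sops-nix.url = "github:Mic92/sops-nix";
  };

  outputs = { self, nixpkgs, nix-bitcoin, sops-nix, ... }: {

    # Reusable module: bitcoind + BTCPay/NBXplorer + Postgres, with the
    # Postgres credential supplied by sops-nix at activation time.
    nixosModules.btcpay-server = { config, lib, pkgs, ... }:
      let
        cfg = config.services.btcpay-full;
        # Runtime path of the decrypted password (exists only after activation).
        pgPasswordPath = config.sops.secrets.nbxplorer-pg-password.path;
      in
      {
        imports = [
          nix-bitcoin.nixosModules.default
          sops-nix.nixosModules.sops
        ];

        options.services.btcpay-full = {
          enable = lib.mkEnableOption "BTCPay Server with Bitcoin node";
        };

        config = lib.mkIf cfg.enable {
          nix-bitcoin.generateSecrets = true;
          nix-bitcoin.operator = {
            enable = true;
            name = "btcpay";
          };

          # Postgres password for the nbxplorer role. It is decrypted to a
          # runtime path at activation and must never be read with
          # builtins.readFile at evaluation time: that both fails in pure
          # evaluation (the path does not exist yet) and, where it does work,
          # copies the plaintext into the world-readable /nix/store.
          sops.secrets.nbxplorer-pg-password = {
            sopsFile = ./secrets.yaml;
            owner = "postgres";
          };

          # Connection string rendered at activation. sops-nix replaces the
          # placeholder in the written file, so the password exists only in
          # the rendered file under /run, not in the store or the unit file.
          sops.templates."nbxplorer-pg-env" = {
            content = ''
              NBXPLORER_CHAINS__BTC__POSTGRES=User ID=nbxplorer;Host=localhost;Port=5432;Database=nbxplorer;Password=${config.sops.placeholder.nbxplorer-pg-password}
            '';
            # The rendered file must be readable by the unit that loads it.
            # NOTE(review): confirm services.btcpayserver.user is the option
            # name in the pinned nix-bitcoin release.
            owner = config.services.btcpayserver.user;
          };

          services.postgresql = {
            enable = true;
            package = pkgs.postgresql_14;
            # ensureDBOwnership requires a database of the same name as the
            # role to be listed here.
            ensureDatabases = [ "nbxplorer" ];
            ensureUsers = [{
              name = "nbxplorer";
              ensureDBOwnership = true;
            }];
            # Tracked dotfile, merged with the module's own rules. Keep it to
            # local-socket / loopback entries: 5432 is not opened in the
            # firewall, so nothing off-host should need a host rule.
            authentication = builtins.readFile ./pg_hba.conf;
          };

          # Set the role password from the sops file when Postgres starts.
          # The NixOS ensureUsers entries have no password option, so this
          # runs after the module's own postStart (which creates the role).
          # The value is handed to psql as a variable and referenced as :'pw',
          # so psql quotes it; it is never spliced into the SQL text by the shell.
          systemd.services.postgresql.postStart = lib.mkAfter ''
            ${config.services.postgresql.package}/bin/psql \
              --port=${toString config.services.postgresql.settings.port} \
              -v ON_ERROR_STOP=1 \
              -v pw="$(cat ${pgPasswordPath})" \
              -c "ALTER ROLE nbxplorer PASSWORD :'pw'"
          '';

          services.bitcoind = {
            enable = true;
            prune = 100000;
            dbCache = 8000;
            rpc.port = 8332;
          };

          services.btcpayserver = {
            enable = true;
            # Plain HTTP on every interface. Put a TLS-terminating reverse
            # proxy in front of it before exposing it beyond a trusted network.
            address = "0.0.0.0";
            port = 23000;
          };

          # Load the rendered connection string into the unit's environment
          # instead of baking the secret into the unit file via `environment`.
          # NOTE(review): NBXPLORER_* variables are NBXplorer's own settings;
          # if the string is meant for NBXplorer rather than BTCPay, attach
          # this EnvironmentFile to systemd.services.nbxplorer instead.
          systemd.services.btcpayserver.serviceConfig.EnvironmentFile =
            config.sops.templates."nbxplorer-pg-env".path;

          # 5432 is deliberately not opened: Postgres is reached only over
          # localhost by NBXplorer, so exposing it adds attack surface with
          # no benefit.
          networking.firewall.allowedTCPPorts = [
            config.services.btcpayserver.port
            config.services.bitcoind.port
          ];
          # (SSH configured in nixosConfigurations.btcpay below)
        };
      };

    nixosConfigurations.btcpay = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ ... }: {
          boot.isContainer = true;
          system.stateVersion = "25.05";
          services.btcpay-full.enable = true;

          # The root login key is public material, so it is committed to the
          # repo and read at build time. A sops secret path (/run/secrets/...)
          # does not exist during evaluation, so builtins.readFile on it
          # cannot work; there is no need to keep the public key encrypted.
          # PLACEHOLDER: replace with the path of the tracked public-key file.
          users.users.root.openssh.authorizedKeys.keyFiles = [
            ./PLACEHOLDER-root-authorized-key.pub
          ];

          services.openssh = {
            enable = true;
            settings = {
              # Root may authenticate with a key only.
              PermitRootLogin = "prohibit-password";
              # Close both password paths: plain password auth and the
              # PAM keyboard-interactive variant.
              PasswordAuthentication = false;
              KbdInteractiveAuthentication = false;
            };
          };
        })
        self.nixosModules.btcpay-server
      ];
    };
  };
}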