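{
  # NixOS flake: Bitcoin Core + NBXplorer + BTCPay Server, built on nix-bitcoin,
  # intended to run as a container image (see boot.isContainer below).
  description = "BTCPay server, NBXplorer, Bitcoin Core, etc. as a NixOS system/container image";

  inputs = {
    nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
    # Use the nixpkgs revision nix-bitcoin itself pins, so module and package
    # versions stay in step.
    nixpkgs.follows = "nix-bitcoin/nixpkgs";
    nixos-generators.url = "github:nix-community/nixos-generators";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, nix-bitcoin, nixos-generators, flake-utils, ... }:
    let
      # The system image is built for this architecture only.
      system = "x86_64-linux";
      # NOTE: not used by the outputs below — the NixOS module receives its own
      # `pkgs` argument and the devShell builds one per system.
      pkgs = import nixpkgs { inherit system; };
    in
    {
      nixosConfigurations.btc-pay-server = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          nix-bitcoin.nixosModules.default
          ({ config, pkgs, lib, ... }: {
            nixpkgs.overlays = [ nix-bitcoin.overlays.default ];
            # Secrets (RPC credentials etc.) are generated on the target at
            # activation rather than committed to this flake.
            nix-bitcoin.generateSecrets = true;

            # --- Bitcoin Core ---------------------------------------------
            services.bitcoind = {
              enable = true;
              # The nix-bitcoin default; spelled out so an existing data
              # directory at this path is clearly reused.
              dataDir = "/var/lib/bitcoind";

              # P2P listener.
              address = "0.0.0.0";
              port = 23002;
              listen = true;
              listenWhitelisted = true;
              whitelistedPort = 8335; # not opened in the firewall below

              # JSON-RPC listener. It binds to every interface, so the
              # `allowip` list and the firewall (which deliberately does NOT
              # open 8332) are what keep it off the network — review both
              # together if either changes.
              rpc = {
                address = "0.0.0.0";
                port = 8332;
                threads = 16;
                allowip = [ "10.1.1.0/24" ]; # adjust to the subnet that needs RPC
              };

              regtest = false; # mainnet; nix-bitcoin's default network is used
              dataDirReadableByGroup = false;
              # NOTE(review): nix-bitcoin appears to declare this option as a
              # boolean; confirm that `null` is accepted by the module's type
              # check, otherwise set it explicitly to true/false.
              disablewallet = null;
              dbCache = 4000;
              # Pruned node, matching the existing bitcoin.conf; 0 disables
              # pruning (needs much more disk).
              prune = 10000;

              # ZMQ notifications consumed by NBXplorer.
              zmqpubrawblock = "tcp://0.0.0.0:28332";
              zmqpubrawtx = "tcp://0.0.0.0:28333";

              user = "bitcoind";
              group = "bitcoind";
            };

            # --- NBXplorer ------------------------------------------------
            services.nbxplorer = {
              enable = true;
              address = "0.0.0.0";
              port = 24444;
              user = "nbxplorer";
              group = "nbxplorer";
            };

            # --- BTCPay Server --------------------------------------------
            # PostgreSQL is provisioned by nix-bitcoin's BTCPay module; no
            # separate postgresql configuration is required here.
            services.btcpayserver = {
              enable = true;
              address = "0.0.0.0";
              port = 23000;
              lbtc = true; # Liquid support
              user = "btcpayserver";
              group = "btcpayserver";
              lightningBackend = "clightning"; # alternative: "lnd"
            };

            # Run as a container (LXC-style) rather than a full VM/host.
            # Test as a regular system first if container mode misbehaves.
            boot.isContainer = true;

            # Firewall: only these TCP ports are reachable from outside.
            # The bitcoind RPC port (8332) is intentionally absent.
            # NOTE(review): NBXplorer is consumed by the co-located BTCPay
            # Server; exposing its port is only needed if a remote BTCPay
            # instance must reach it — otherwise consider dropping it.
            networking.firewall.allowedTCPPorts = [
              config.services.btcpayserver.port
              config.services.bitcoind.port
              config.services.nbxplorer.port
              22 # SSH
            ];

            # SSH: key-only authentication; root may log in with a key but
            # never with a password.
            services.openssh = {
              enable = true;
              settings = {
                PermitRootLogin = "prohibit-password";
                PasswordAuthentication = false;
              };
            };
            users.users.root.openssh.authorizedKeys.keys = [
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs/pdZLlCbv0vgtFA4hHGuWz1EeSn2kKhBJthlZ5lww devnix"
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw6ilma4321EdQvguZKA7ijn9xF9QlfMfkES4bGCLTp jeirmeister@devnix-t470"
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAaV7JtUWkWrjo5FfCcpTCCEY/OJ+T1mJOLbe4avg0XH sysadmin@skrybit.io"
            ];

            # Mount units that do not exist / cannot be set up inside the
            # container (carried over from the original configuration).
            systemd.suppressedSystemUnits = [
              "dev-mqueue.mount"
              "sys-kernel-debug.mount"
              "sys-fs-fuse-connections.mount"
            ];

            # The .NET runtime hits SIGSYS under the seccomp filter inside LXC.
            # An empty SystemCallFilter removes whatever syscall allow-list the
            # nix-bitcoin hardening applies to these two units — this widens
            # their sandbox; narrow it back to an explicit allow-list once the
            # offending syscalls are identified.
            systemd.services.btcpayserver.serviceConfig = {
              SystemCallFilter = [ ];
            };
            systemd.services.nbxplorer.serviceConfig = {
              SystemCallFilter = [ ];
            };

            system.stateVersion = "25.05";
          })
        ];
      };

      # Development shell with the image-building tools.
      # `nix develop` resolves `devShells.<system>.default`; wrapping the
      # per-system attrset in flake-utils' eachDefaultSystem would instead
      # produce `devShells.default.<system>`, so build the mapping directly.
      devShells = nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system:
        let
          pkgs = import nixpkgs { inherit system; };
        in
        {
          default = pkgs.mkShell {
            buildInputs = [
              nixos-generators.packages.${system}.nixos-generate
              pkgs.just
            ];
            shellHook = ''
              echo "💚 Devshell ready: nixos-generate, just available."
            '';
          };
        }
      );
    };
}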