pruned

2026-03-23 16:29:42 -04:00 · 2026-03-15 11:08:33 -04:00 · 2026-03-15 11:08:33 -04:00 · 072951659a
commit 072951659a
114 changed files with 6922 additions and 0 deletions
--- a/system/machines/server/modules/bitcoin/config/bitcoin.conf
+++ b/system/machines/server/modules/bitcoin/config/bitcoin.conf
@ -0,0 +1,20 @@
+server=1
+
+rpccookiefile=/var/lib/bitcoin/.cookie
+rpccookieperms=group
+rpcbind=127.0.0.1
+rpcallowip=127.0.0.1
+
+dnsseed=0
+onlynet=onion
+
+bind=127.0.0.1
+proxy=127.0.0.1:9050
+
+listen=1
+listenonion=1
+torcontrol=127.0.0.1:9051
+
+txindex=1
+
+dbcache=1024
--- a/system/machines/server/modules/bitcoin/default.nix
+++ b/system/machines/server/modules/bitcoin/default.nix
@ -0,0 +1,80 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.bitcoin;
+  nginx = config.modules.system.nginx;
+
+  home = "/var/lib/bitcoin";
+
+  bitcoinConf = pkgs.writeTextFile {
+    name = "bitcoin.conf";
+    text = builtins.readFile ./config/bitcoin.conf;
+  };
+
+in
+{ options.modules.system.bitcoin = { enable = mkEnableOption "Bitcoin Server"; };
+  config = mkIf cfg.enable {
+    modules.system.tor.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      bitcoind
+    ];
+
+    users = {
+      users = {
+        "btc" = {
+          inherit home;
+          description = "Bitcoin Core system user";
+          isSystemUser = true;
+          group = "bitcoin";
+          extraGroups = [ "tor" ];
+          createHome = true;
+        };
+        "nginx" = {
+          extraGroups = mkIf nginx.enable [
+            "bitcoin"
+          ];
+        };
+      };
+      groups = {
+        "bitcoin" = {
+          members = [
+            "btc"
+            config.user.name
+          ];
+        };
+      };
+    };
+
+    programs.bash.shellAliases = {
+      btc = "bitcoin-cli";
+    };
+
+    services.bitcoind = {
+      "mainnet" = {
+        enable = true;
+        user = "btc";
+        group = "bitcoin";
+        configFile = bitcoinConf;
+        dataDir = home;
+        pidFile = "${home}/bitcoind.pid";
+      };
+    };
+
+    # Make data dir group-accessible so electrs/clightning can read cookie
+    systemd.tmpfiles.rules = [
+      "d ${home} 0750 btc bitcoin -"
+    ];
+
+    systemd.services.bitcoind-mainnet = {
+      wants = [ "tor.service" ];
+      after = [ "tor.service" ];
+      serviceConfig.ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/tor";
+    };
+
+    modules.system.backup.paths = [
+      "${home}/wallets"
+    ];
+  };
+}
--- a/system/machines/server/modules/bitcoin/modules/clightning/config/lightning.conf
+++ b/system/machines/server/modules/bitcoin/modules/clightning/config/lightning.conf
@ -0,0 +1,31 @@
+alias=OrdSux
+
+network=bitcoin
+bitcoin-datadir=/var/lib/bitcoin
+bitcoin-rpcconnect=127.0.0.1
+bitcoin-rpcport=8332
+
+lightning-dir=/var/lib/clightning
+plugin-dir=/var/lib/clightning/plugins
+
+log-file=/var/lib/clightning/lightningd.log
+log-level=info
+rpc-file-mode=0660
+
+# Bind RPC locally only
+bind-addr=127.0.0.1:9736
+
+# Auto-create Tor hidden service for peer connections
+addr=autotor:127.0.0.1:9051
+
+# Route outbound through Tor
+proxy=127.0.0.1:9050
+always-use-proxy=true
+
+large-channels
+fee-base=1000
+fee-per-satoshi=10
+min-capacity-sat=10000
+htlc-minimum-msat=0
+funding-confirms=3
+max-concurrent-htlcs=30
--- a/system/machines/server/modules/bitcoin/modules/clightning/default.nix
+++ b/system/machines/server/modules/bitcoin/modules/clightning/default.nix
@ -0,0 +1,115 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.bitcoin.clightning;
+  btc = config.modules.system.bitcoin;
+  nginx = config.modules.system.nginx;
+  home = "/var/lib/clightning";
+  domain = "ramos.codes";
+
+  clnrest = pkgs.callPackage ./plugins/clnrest.nix { };
+
+  clnConfig = pkgs.writeTextFile {
+    name = "lightning.conf";
+    text = ''
+      ${builtins.readFile ./config/lightning.conf}
+      bitcoin-cli=${pkgs.bitcoind}/bin/bitcoin-cli
+
+      # CLNRest configuration
+      clnrest-port=3010
+      clnrest-host=127.0.0.1
+      clnrest-protocol=https
+    '';
+  };
+
+in
+{ options.modules.system.bitcoin.clightning = { enable = mkEnableOption "Core Lightning Server"; };
+  config = mkIf (cfg.enable && btc.enable) {
+    environment.systemPackages = with pkgs; [
+      clightning
+    ];
+
+    users = {
+      users = {
+        "clightning" = {
+          inherit home;
+          description = "Core Lightning system user";
+          isSystemUser = true;
+          group = "bitcoin";
+          extraGroups = [ "tor" ];
+          createHome = true;
+        };
+      };
+      groups = {
+        "bitcoin" = {
+          members = mkAfter [
+            "clightning"
+          ];
+        };
+      };
+    };
+
+    programs.bash.shellAliases = {
+      cln = "lightning-cli";
+    };
+
+    systemd.services.lightningd = {
+      description = "Core Lightning Daemon";
+      wantedBy = [ "multi-user.target" ];
+
+      wants = [ "bitcoind-mainnet.service" "tor.service" ];
+      after = [
+        "bitcoind-mainnet.service"
+        "tor.service"
+        "network.target"
+      ];
+
+      serviceConfig = {
+        ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/bitcoin /var/lib/tor ${home} ${home}/bitcoin";
+        ExecStart = "${pkgs.clightning}/bin/lightningd --conf=${clnConfig}";
+        User = "clightning";
+        Group = "bitcoin";
+        WorkingDirectory = home;
+
+        Type = "simple";
+        KillMode = "process";
+        TimeoutSec = 60;
+        Restart = "always";
+        RestartSec = 60;
+      };
+    };
+
+    # Bind mount from /data
+    fileSystems.${home} = {
+      device = "/data/clightning";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+
+    # Ensure data directory exists with correct permissions
+    systemd.tmpfiles.rules = mkAfter [
+      "d /data/clightning 0750 clightning bitcoin -"
+      "d /data/clightning/bitcoin 0750 clightning bitcoin -"
+      "d /data/clightning/plugins 0750 clightning bitcoin -"
+      "L+ /home/${config.user.name}/.lightning - - - - ${home}"
+      "L+ ${home}/plugins/clnrest - - - - ${clnrest}/libexec/c-lightning/plugins/clnrest"
+    ];
+
+    modules.system.backup.paths = [
+      "${home}/bitcoin/hsm_secret"
+      "${home}/bitcoin/emergency.recover"
+    ];
+
+    services.nginx.virtualHosts."ln.${domain}" = mkIf nginx.enable {
+      useACMEHost = domain;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:3010";
+        extraConfig = ''
+          proxy_ssl_verify off;
+        '';
+      };
+    };
+  };
+}
--- a/system/machines/server/modules/bitcoin/modules/clightning/plugins/clnrest.nix
+++ b/system/machines/server/modules/bitcoin/modules/clightning/plugins/clnrest.nix
@ -0,0 +1,54 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  pkg-config,
+  openssl,
+  protobuf,
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "clnrest";
+  version = "25.02.2";
+
+  src = fetchFromGitHub {
+    owner = "ElementsProject";
+    repo = "lightning";
+    rev = "v${version}";
+    hash = "sha256-SiPYB463l9279+zawsxmql1Ui/dTdah5KgJgmrWsR2A=";
+  };
+
+  cargoLock = {
+    lockFile = "${src}/Cargo.lock";
+  };
+
+  cargoBuildFlags = [
+    "-p"
+    "clnrest"
+  ];
+  cargoTestFlags = [
+    "-p"
+    "clnrest"
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+    protobuf
+  ];
+
+  buildInputs = [ openssl ];
+
+  postInstall = ''
+    mkdir -p $out/libexec/c-lightning/plugins
+    mv $out/bin/clnrest $out/libexec/c-lightning/plugins/
+    rmdir $out/bin
+  '';
+
+  meta = {
+    description = "Transforms RPC calls into REST APIs";
+    homepage = "https://docs.corelightning.org/docs/rest";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.linux;
+    mainProgram = "clnrest";
+  };
+}
--- a/system/machines/server/modules/bitcoin/modules/electrum/config/config.toml
+++ b/system/machines/server/modules/bitcoin/modules/electrum/config/config.toml
@ -0,0 +1,13 @@
+network = "bitcoin"
+
+electrum_rpc_addr = "127.0.0.1:50001"
+
+cookie_file = "/var/lib/bitcoin/.cookie"
+
+db_dir = "/var/lib/electrs"
+
+log_filters = "INFO"
+
+daemon_rpc_addr = "127.0.0.1:8332"
+daemon_p2p_addr = "127.0.0.1:8333"
+daemon_dir = "/var/lib/bitcoin"
--- a/system/machines/server/modules/bitcoin/modules/electrum/default.nix
+++ b/system/machines/server/modules/bitcoin/modules/electrum/default.nix
@ -0,0 +1,121 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.bitcoin.electrum;
+  nginx = config.modules.system.nginx;
+  home = "/var/lib/electrs";
+
+  btc = config.modules.system.bitcoin;
+  domain = "ramos.codes";
+
+  electrsConfig = pkgs.writeTextFile {
+    name = "config.toml";
+    text = builtins.readFile ./config/config.toml;
+  };
+
+in
+{ options.modules.system.bitcoin.electrum = { enable = mkEnableOption "Electrs Server"; };
+  config = mkIf (cfg.enable && btc.enable) {
+    #TODO: Fix the failing overlay due to `cargoHash/cargoSha256`
+    #nixpkgs.overlays = [
+    #  (final: prev: {
+    #    electrs = prev.electrs.overrideAttrs (old: rec {
+    #      pname = "electrs";
+    #      version = "0.10.8";
+    #      src = pkgs.fetchFromGitHub {
+    #        owner = "romanz";
+    #        repo = pname;
+    #        rev = "v${version}";
+    #        hash = "sha256-L26jzAn8vwnw9kFd6ciyYS/OLEFTbN8doNKy3P8qKRE=";
+    #      };
+    #      #cargoDeps = old.cargoDeps.overrideAttrs (const {
+    #      #  name = "electrs-${version}.tar.gz";
+    #      #  inherit src;
+    #      #  sha256 = "";
+    #      #});
+    #      cargoHash = "sha256-lBRcq73ri0HR3duo6Z8PdSjnC8okqmG5yWeHxH/LmcU=";
+    #    });
+    #  })
+    #];
+
+    environment.systemPackages = with pkgs; [
+      electrs
+    ];
+
+    users = {
+      users = {
+        "electrs" = {
+          inherit home;
+          description = "Electrs system user";
+          isSystemUser = true;
+          group = "bitcoin";
+          createHome = true;
+        };
+      };
+      groups = {
+        "bitcoin" = {
+          members = mkAfter [
+            "electrs"
+          ];
+        };
+      };
+    };
+
+
+    systemd.services.electrs = {
+      description = "Electrs Bitcoin Indexer";
+      wantedBy = [ "multi-user.target" ];
+
+      wants = [ "bitcoind-mainnet.service" ];
+      after = [
+        "bitcoind-mainnet.service"
+        "network.target"
+      ];
+
+      serviceConfig = {
+        ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/bitcoin";
+        ExecStart = "${pkgs.electrs}/bin/electrs --conf=${electrsConfig}";
+        User = "electrs";
+        Group = "bitcoin";
+        WorkingDirectory = home;
+
+        Type = "simple";
+        KillMode = "process";
+        TimeoutSec = 60;
+        Restart = "always";
+        RestartSec = 60;
+      };
+    };
+
+    # Bind mount from /data
+    fileSystems.${home} = {
+      device = "/data/electrs";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+
+    # Ensure db directory exists with correct permissions
+    systemd.tmpfiles.rules = [
+      "d /data/electrs 0750 electrs bitcoin -"
+    ];
+
+    # Nginx SSL proxy for Electrum protocol (TCP)
+    networking.firewall.allowedTCPPorts = mkIf nginx.enable [ 50002 ];
+
+    services.nginx.streamConfig = mkIf nginx.enable ''
+      map $ssl_server_name $electrs_backend {
+        electrum.${domain}  127.0.0.1:50001;
+        default             "";
+      }
+
+      server {
+        listen 50002 ssl;
+        proxy_pass $electrs_backend;
+
+        ssl_certificate /var/lib/acme/${domain}/fullchain.pem;
+        ssl_certificate_key /var/lib/acme/${domain}/key.pem;
+      }
+    '';
+  };
+}