lightning

src/system/modules/bitcoin/modules/clightning/config/lightning.conf

@@ -0,0 +1,35 @@
+alias=OrdSux
+
+network=bitcoin
+bitcoin-datadir=/var/lib/bitcoin
+bitcoin-rpcconnect=127.0.0.1
+bitcoin-rpcport=8332
+
+lightning-dir=/var/lib/clightning
+plugin-dir=/var/lib/clightning/plugins
+
+log-file=/var/lib/clightning/lightningd.log
+log-level=info
+
+# Bind RPC locally only
+bind-addr=127.0.0.1:9736
+
+# Auto-create Tor hidden service for peer connections
+addr=autotor:127.0.0.1:9051
+
+# Route outbound through Tor
+proxy=127.0.0.1:9050
+always-use-proxy=true
+
+large-channels
+fee-base=1000
+fee-per-satoshi=10
+min-capacity-sat=10000
+htlc-minimum-msat=0
+funding-confirms=3
+max-concurrent-htlcs=30
+
+# CLNRest - REST API for wallets (Zeus, RTL, etc.)
+clnrest-port=3010
+clnrest-host=127.0.0.1
+clnrest-protocol=https

src/system/modules/bitcoin/modules/clightning/default.nix

@@ -0,0 +1,94 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.bitcoin.clightning;
+  btc = config.modules.system.bitcoin;
+  nginx = config.modules.system.nginx;
+  home = "/var/lib/clightning";
+  domain = "ramos.codes";
+
+  clnConfig = pkgs.writeTextFile {
+    name = "lightning.conf";
+    text = builtins.readFile ./config/lightning.conf;
+  };
+
+in
+{ options.modules.system.bitcoin.clightning = { enable = mkEnableOption "Core Lightning Server"; };
+  config = mkIf (cfg.enable && btc.enable) {
+    environment.systemPackages = with pkgs; [
+      clightning
+    ];
+
+    users = {
+      users = {
+        "clightning" = {
+          inherit home;
+          description = "Core Lightning system user";
+          isSystemUser = true;
+          group = "bitcoin";
+          extraGroups = [ "tor" ];
+          createHome = true;
+        };
+      };
+      groups = {
+        "bitcoin" = {
+          members = mkAfter [
+            "clightning"
+          ];
+        };
+      };
+    };
+
+    programs.bash.shellAliases = {
+      cln = "lightning-cli";
+    };
+
+    systemd.services.lightningd = {
+      description = "Core Lightning Daemon";
+      wantedBy = [ "multi-user.target" ];
+
+      wants = [ "bitcoind-mainnet.service" "tor.service" ];
+      after = [
+        "bitcoind-mainnet.service"
+        "tor.service"
+        "network.target"
+      ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.clightning}/bin/lightningd --conf=${clnConfig}";
+        User = "clightning";
+        Group = "bitcoin";
+        WorkingDirectory = home;
+
+        Type = "simple";
+        KillMode = "process";
+        TimeoutSec = 60;
+        Restart = "always";
+        RestartSec = 60;
+      };
+    };
+
+    # Ensure data directory exists with correct permissions
+    systemd.tmpfiles.rules = [
+      "d ${home} 0750 clightning bitcoin -"
+      "d ${home}/plugins 0750 clightning bitcoin -"
+    ];
+
+    modules.system.backup.paths = [
+      "${home}/bitcoin/hsm_secret"
+    ];
+
+    # Nginx reverse proxy for CLNRest API (Zeus, RTL, etc.)
+    services.nginx.virtualHosts."ln.${domain}" = mkIf nginx.enable {
+      useACMEHost = domain;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:3010";
+        extraConfig = ''
+          proxy_ssl_verify off;
+        '';
+      };
+    };
+  };
+}