Compare commits


No commits in common. "5be4bfc72165dcb403d62e6510943a3c1eb36e04" and "cf9b8b1951e998fe8b333a53404233a3c8954924" have entirely different histories.

10 changed files with 35 additions and 294 deletions


@ -9,11 +9,6 @@
forgejo.enable = true; forgejo.enable = true;
frigate.enable = false; frigate.enable = false;
immich.enable = true; immich.enable = true;
bitcoin = {
enable = true;
electrum.enable = true;
clightning.enable = true;
};
backup = { backup = {
enable = true; enable = true;


@ -1,12 +1,14 @@
server=1 server=1
rpccookiefile=/var/lib/bitcoin/.cookie mempoolfullrbf=1
rpccookieperms=group v2transport=1
rpcauth=
rpcbind=127.0.0.1 rpcbind=127.0.0.1
rpcallowip=127.0.0.1 rpcallowip=127.0.0.1
dnsseed=0 dnsseed=0
onlynet=onion
bind=127.0.0.1 bind=127.0.0.1
proxy=127.0.0.1:9050 proxy=127.0.0.1:9050
@ -14,5 +16,4 @@ proxy=127.0.0.1:9050
listen=1 listen=1
listenonion=1 listenonion=1
torcontrol=127.0.0.1:9051 torcontrol=127.0.0.1:9051
torenablecircuit=1
txindex=1
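Review bot: Dropping `rpccookieperms=group` leaves the RPC cookie at bitcoind's default owner-only mode, while the electrs config in this same compare still points its cookie file at `/var/lib/bitcoind/.cookie` and electrs runs as user `electrs` in group `bitcoin`; unless the cookie is made group-readable some other way, electrs cannot authenticate to the RPC. Keep `rpccookieperms=group` (or use `rpcauth=` with a per-service credential) so cross-user RPC access is explicit rather than dependent on directory permissions. Removing `onlynet=onion` while keeping `proxy=127.0.0.1:9050` means clearnet peers are now reached through a Tor exit: still proxied, but it gives up the onion-only anonymity set the previous config had, so if that is intended a comment such as `# clearnet peers allowed via Tor proxy; onlynet=onion dropped for peer availability` would record the decision. With `bind=127.0.0.1` and `listenonion=1` inbound connections arrive only via the onion service, which still depends on a running Tor control port at 127.0.0.1:9051 that nothing in this compare enables any more.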


@ -5,7 +5,7 @@ let
cfg = config.modules.system.bitcoin; cfg = config.modules.system.bitcoin;
nginx = config.modules.system.nginx; nginx = config.modules.system.nginx;
home = "/var/lib/bitcoin"; home = "/var/lib/bitcoind";
bitcoinConf = pkgs.writeTextFile { bitcoinConf = pkgs.writeTextFile {
name = "bitcoin.conf"; name = "bitcoin.conf";
@ -15,10 +15,16 @@ let
in in
{ options.modules.system.bitcoin = { enable = mkEnableOption "Bitcoin Server"; }; { options.modules.system.bitcoin = { enable = mkEnableOption "Bitcoin Server"; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
modules.system.tor.enable = true; nixpkgs.overlays = [
(final: prev: {
environment.systemPackages = with pkgs; [ bitcoind = prev.bitcoind.overrideAttrs (old: rec {
bitcoind version = "28.0";
src = fetchTarball {
url = "https://github.com/bitcoin/bitcoin/archive/refs/tags/v${version}.tar.gz";
sha256 = "sha256-LLtw6pMyqIJ3IWHiK4P3XoifLojB9yMNMo+MGNFGuRY=";
};
});
})
]; ];
users = { users = {
@ -28,7 +34,6 @@ in
description = "Bitcoin Core system user"; description = "Bitcoin Core system user";
isSystemUser = true; isSystemUser = true;
group = "bitcoin"; group = "bitcoin";
extraGroups = [ "tor" ];
createHome = true; createHome = true;
}; };
"nginx" = { "nginx" = {
@ -41,18 +46,17 @@ in
"bitcoin" = { "bitcoin" = {
members = [ members = [
"btc" "btc"
config.user.name
]; ];
}; };
}; };
}; };
programs.bash.shellAliases = { programs.bash.shellAliases = {
btc = "bitcoin-cli"; btc = "bitcoind";
}; };
services.bitcoind = { services.bitcoind = {
"mainnet" = { "btc" = {
enable = true; enable = true;
user = "btc"; user = "btc";
group = "bitcoin"; group = "bitcoin";
@ -61,20 +65,5 @@ in
pidFile = "${home}/bitcoind.pid"; pidFile = "${home}/bitcoind.pid";
}; };
}; };
# Make data dir group-accessible so electrs/clightning can read cookie
systemd.tmpfiles.rules = [
"d ${home} 0750 btc bitcoin -"
];
systemd.services.bitcoind-mainnet = {
wants = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig.ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/tor";
};
modules.system.backup.paths = [
"${home}/wallets"
];
}; };
} }
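Review bot: The overlay pins bitcoind to 28.0 via `fetchTarball` against GitHub's auto-generated archive URL; the `sha256` pins the content, but those archives have changed byte-for-byte in the past and this path bypasses the bitcoincore.org release tarball whose hash can be checked against the project's signed SHA256SUMS, so the build can break on a re-compression and there is no provenance beyond the hash. Prefer `fetchurl` of the upstream release tarball (or `fetchFromGitHub` with `hash`), and add a comment recording why 28.0 is pinned instead of tracking the nixpkgs version that carries security backports. Separately, the alias now maps `btc` to `bitcoind` (the daemon) rather than `bitcoin-cli`; running `btc` interactively would try to start a second node as the shell user, so `btc = "bitcoin-cli";` looks intended. `modules.system.tor.enable = true` is removed here while bitcoin.conf in this compare still points `proxy` and `torcontrol` at 127.0.0.1:9050/9051 — confirm Tor is enabled elsewhere, otherwise outbound connectivity and the onion service fail at startup.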


@ -1,31 +0,0 @@
alias=OrdSux
network=bitcoin
bitcoin-datadir=/var/lib/bitcoin
bitcoin-rpcconnect=127.0.0.1
bitcoin-rpcport=8332
lightning-dir=/var/lib/clightning
plugin-dir=/var/lib/clightning/plugins
log-file=/var/lib/clightning/lightningd.log
log-level=info
rpc-file-mode=0660
# Bind RPC locally only
bind-addr=127.0.0.1:9736
# Auto-create Tor hidden service for peer connections
addr=autotor:127.0.0.1:9051
# Route outbound through Tor
proxy=127.0.0.1:9050
always-use-proxy=true
large-channels
fee-base=1000
fee-per-satoshi=10
min-capacity-sat=10000
htlc-minimum-msat=0
funding-confirms=3
max-concurrent-htlcs=30


@ -1,106 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.modules.system.bitcoin.clightning;
btc = config.modules.system.bitcoin;
nginx = config.modules.system.nginx;
home = "/var/lib/clightning";
domain = "ramos.codes";
clnrest = pkgs.callPackage ./plugins/clnrest.nix { };
clnConfig = pkgs.writeTextFile {
name = "lightning.conf";
text = ''
${builtins.readFile ./config/lightning.conf}
bitcoin-cli=${pkgs.bitcoind}/bin/bitcoin-cli
# CLNRest configuration
clnrest-port=3010
clnrest-host=127.0.0.1
clnrest-protocol=https
'';
};
in
{ options.modules.system.bitcoin.clightning = { enable = mkEnableOption "Core Lightning Server"; };
config = mkIf (cfg.enable && btc.enable) {
environment.systemPackages = with pkgs; [
clightning
];
users = {
users = {
"clightning" = {
inherit home;
description = "Core Lightning system user";
isSystemUser = true;
group = "bitcoin";
extraGroups = [ "tor" ];
createHome = true;
};
};
groups = {
"bitcoin" = {
members = mkAfter [
"clightning"
];
};
};
};
programs.bash.shellAliases = {
cln = "lightning-cli";
};
systemd.services.lightningd = {
description = "Core Lightning Daemon";
wantedBy = [ "multi-user.target" ];
wants = [ "bitcoind-mainnet.service" "tor.service" ];
after = [
"bitcoind-mainnet.service"
"tor.service"
"network.target"
];
serviceConfig = {
ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/bitcoin /var/lib/tor ${home} ${home}/bitcoin";
ExecStart = "${pkgs.clightning}/bin/lightningd --conf=${clnConfig}";
User = "clightning";
Group = "bitcoin";
WorkingDirectory = home;
Type = "simple";
KillMode = "process";
TimeoutSec = 60;
Restart = "always";
RestartSec = 60;
};
};
# Ensure data directory exists with correct permissions
systemd.tmpfiles.rules = mkAfter [
"d ${home} 0750 clightning bitcoin -"
"d ${home}/plugins 0750 clightning bitcoin -"
"L+ /home/${config.user.name}/.lightning - - - - ${home}"
"L+ ${home}/plugins/clnrest - - - - ${clnrest}/libexec/c-lightning/plugins/clnrest"
];
modules.system.backup.paths = [
"${home}/bitcoin/hsm_secret"
];
services.nginx.virtualHosts."ln.${domain}" = mkIf nginx.enable {
useACMEHost = domain;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:3010";
extraConfig = ''
proxy_ssl_verify off;
'';
};
};
};
}


@ -1,54 +0,0 @@
{
lib,
rustPlatform,
fetchFromGitHub,
pkg-config,
openssl,
protobuf,
}:
rustPlatform.buildRustPackage rec {
pname = "clnrest";
version = "25.02.2";
src = fetchFromGitHub {
owner = "ElementsProject";
repo = "lightning";
rev = "v${version}";
hash = "sha256-SiPYB463l9279+zawsxmql1Ui/dTdah5KgJgmrWsR2A=";
};
cargoLock = {
lockFile = "${src}/Cargo.lock";
};
cargoBuildFlags = [
"-p"
"clnrest"
];
cargoTestFlags = [
"-p"
"clnrest"
];
nativeBuildInputs = [
pkg-config
protobuf
];
buildInputs = [ openssl ];
postInstall = ''
mkdir -p $out/libexec/c-lightning/plugins
mv $out/bin/clnrest $out/libexec/c-lightning/plugins/
rmdir $out/bin
'';
meta = {
description = "Transforms RPC calls into REST APIs";
homepage = "https://docs.corelightning.org/docs/rest";
license = lib.licenses.mit;
platforms = lib.platforms.linux;
mainProgram = "clnrest";
};
}


@ -2,12 +2,13 @@ network = "bitcoin"
electrum_rpc_addr = "127.0.0.1:50001" electrum_rpc_addr = "127.0.0.1:50001"
cookie_file = "/var/lib/bitcoin/.cookie" cookie-file = "/var/lib/bitcoind/.cookie"
db_dir = "/var/lib/electrs" db_dir = "/var/lib/electrs"
log_filters = "INFO" log_filters = "INFO"
timestamp = true
daemon_rpc_addr = "127.0.0.1:8332" daemon-rpc-addr = "127.0.0.1:8332"
daemon_p2p_addr = "127.0.0.1:8333" daemon-p2p-addr = "127.0.0.1:8333"
daemon_dir = "/var/lib/bitcoin" daemon-dir = "/var/lib/bitcoind"
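Review bot: The renamed keys `cookie-file`, `daemon-rpc-addr`, `daemon-p2p-addr` and `daemon-dir` use the hyphenated command-line spelling, whereas electrs reads its config file through configure_me with underscore keys as the removed lines had; I would expect the hyphenated forms to be rejected or ignored, so confirm against the electrs version in use before merging. If they are silently ignored, electrs falls back to its built-in defaults for the daemon directory and cookie path and connects to the wrong locations instead of failing loudly. Dropping `timestamp = true` also removes timestamps from electrs' own log lines, which matters when correlating an incident across services unless journald timestamps are relied on exclusively.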


@ -3,11 +3,9 @@
with lib; with lib;
let let
cfg = config.modules.system.bitcoin.electrum; cfg = config.modules.system.bitcoin.electrum;
nginx = config.modules.system.nginx;
home = "/var/lib/electrs"; home = "/var/lib/electrs";
btc = config.modules.system.bitcoin; btc = config.modules.system.bitcoin;
domain = "ramos.codes";
electrsConfig = pkgs.writeTextFile { electrsConfig = pkgs.writeTextFile {
name = "config.toml"; name = "config.toml";
@ -65,20 +63,18 @@ in
systemd.services.electrs = { systemd.services.electrs = {
description = "Electrs Bitcoin Indexer"; description = "Electrs Bitcoin Indexer";
wantedBy = [ "multi-user.target" ];
wants = [ "bitcoind-mainnet.service" ]; script = "${pkgs.electrs}/bin/electrs";
scriptArgs = "--conf=${electrsConfig}";
after = [ after = [
"bitcoind-mainnet.service" "bitcoind-btc.service"
"network.target"
]; ];
serviceConfig = { serviceConfig = {
ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/bitcoin";
ExecStart = "${pkgs.electrs}/bin/electrs --conf=${electrsConfig}";
User = "electrs"; User = "electrs";
Group = "bitcoin"; Group = "bitcoin";
WorkingDirectory = home;
Type = "simple"; Type = "simple";
KillMode = "process"; KillMode = "process";
@ -86,29 +82,10 @@ in
Restart = "always"; Restart = "always";
RestartSec = 60; RestartSec = 60;
}; };
}; requisite = [
"bitcoind-btc.service"
# Ensure db directory exists with correct permissions "network.target"
systemd.tmpfiles.rules = [
"d ${home} 0750 electrs bitcoin -"
]; ];
};
# Nginx SSL proxy for Electrum protocol (TCP)
networking.firewall.allowedTCPPorts = mkIf nginx.enable [ 50002 ];
services.nginx.streamConfig = mkIf nginx.enable ''
map $ssl_server_name $electrs_backend {
electrum.${domain} 127.0.0.1:50001;
default "";
}
server {
listen 50002 ssl;
proxy_pass $electrs_backend;
ssl_certificate /var/lib/acme/${domain}/fullchain.pem;
ssl_certificate_key /var/lib/acme/${domain}/key.pem;
}
'';
}; };
} }
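Review bot: `scriptArgs = "--conf=${electrsConfig}"` is never forwarded to electrs: NixOS passes `scriptArgs` as positional arguments to the generated script, and the script body `${pkgs.electrs}/bin/electrs` does not reference `"$@"`, so electrs starts with no `--conf` and its built-in defaults. Either forward the arguments, `script = "exec ${pkgs.electrs}/bin/electrs \"$@\"";`, or restore `serviceConfig.ExecStart = "${pkgs.electrs}/bin/electrs --conf=${electrsConfig}";`. The `wantedBy = [ "multi-user.target" ]` line appears only on the old side and `wants` is gone, so as far as this section shows nothing starts electrs at boot or pulls in `bitcoind-btc.service`; `requisite` only fails the unit if bitcoind is not already active, and `network.target` in `requisite` without a matching `after` entry adds no ordering. Removing the tmpfiles rule means `/var/lib/electrs` now has to come from the user's `createHome` (outside this hunk) with a mode electrs can write to — worth confirming.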


@ -7,8 +7,7 @@ let
isModuleDir = path: isModuleDir = path:
builtins.pathExists path && builtins.pathExists path &&
builtins.readFileType path == "directory" && builtins.readFileType path == "directory" &&
builtins.baseNameOf path != "config" && builtins.baseNameOf path != "config";
builtins.baseNameOf path != "plugins";
isModule = file: file == "default.nix"; isModule = file: file == "default.nix";
isNix = file: builtins.match ".*\\.nix" file != null && file != "default.nix"; isNix = file: builtins.match ".*\\.nix" file != null && file != "default.nix";


@ -1,30 +0,0 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.modules.system.tor;
in
{
options.modules.system.tor = {
enable = mkEnableOption "Tor";
};
config = mkIf cfg.enable {
services.tor = {
enable = true;
client = {
enable = true;
# SOCKS proxy on 127.0.0.1:9050
};
settings = {
ControlPort = 9051;
CookieAuthentication = true;
CookieAuthFileGroupReadable = true;
DataDirectoryGroupReadable = true;
};
};
};
}