bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-03-23 16:29:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: bryan:cf9b8b1951e998fe8b333a53404233a3c8954924
Branches Tags
bryan:master
..
compare: bryan:5be4bfc72165dcb403d62e6510943a3c1eb36e04
Branches Tags
bryan:master

20 commits
cf9b8b1951 ... 5be4bfc721

Author SHA1 Message Date
Bryan Ramos
5be4bfc721 fix module walker 2026-03-13 00:43:03 -04:00
Bryan Ramos
cfbfa3a8b0 clnrest ready 2026-03-13 00:40:46 -04:00
Bryan Ramos
bd9e418e52 clnrest pkg 2026-03-13 00:10:30 -04:00
Bryan Ramos
e74ae46d56 fix cln 2026-03-12 23:47:13 -04:00
Bryan Ramos
a799d82f66 cat 2026-03-12 23:41:04 -04:00
Bryan Ramos
b829043438 fix shit 2026-03-12 23:38:48 -04:00
Bryan Ramos
2423780bc2 fixed 2026-03-12 23:37:20 -04:00
Bryan Ramos
764fa71c44 tmpfiles 2026-03-12 23:28:14 -04:00
Bryan Ramos
824eb05f6b test 2026-03-12 23:22:15 -04:00
Bryan Ramos
8eecf9912f removed CLNRest 2026-03-12 23:16:27 -04:00
Bryan Ramos
11b42b84c7 enable 2026-03-12 23:04:58 -04:00
Bryan Ramos
ba8f95ce7d lightning 2026-03-12 23:02:24 -04:00
Bryan Ramos
6789937b80 again 2026-03-12 22:44:20 -04:00
Bryan Ramos
522edac846 sni-filter 2026-03-12 22:39:00 -04:00
Bryan Ramos
eaf84e155b fixed? 2026-03-12 22:25:08 -04:00
Bryan Ramos
a11e72949c fixed electrs 2026-03-12 22:22:14 -04:00
Bryan Ramos
3c33750722 electrs 2026-03-12 22:19:41 -04:00
Bryan Ramos
9cda3e5290 fix tor cookie 2026-03-12 22:07:58 -04:00
Bryan Ramos
cfbd0e03f9 bitcoin init 2026-03-12 22:03:27 -04:00
Bryan Ramos
7b22f399e0 minimal bitcoin config 2026-03-12 21:52:57 -04:00
10 changed files with 294 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/system/machines/server/system.nix
View file

@ -9,6 +9,11 @@
forgejo.enable = true; forgejo.enable = true;
frigate.enable = false; frigate.enable = false;
immich.enable = true; immich.enable = true;
bitcoin = {
enable = true;
electrum.enable = true;
clightning.enable = true;
};
backup = { backup = {
enable = true; enable = true;

11
src/system/modules/bitcoin/config/bitcoin.conf
View file

@ -1,14 +1,12 @@
server=1 server=1
mempoolfullrbf=1 rpccookiefile=/var/lib/bitcoin/.cookie
v2transport=1 rpccookieperms=group
rpcauth=
rpcbind=127.0.0.1 rpcbind=127.0.0.1
rpcallowip=127.0.0.1 rpcallowip=127.0.0.1
dnsseed=0 dnsseed=0
onlynet=onion
bind=127.0.0.1 bind=127.0.0.1
proxy=127.0.0.1:9050 proxy=127.0.0.1:9050
@ -16,4 +14,5 @@ proxy=127.0.0.1:9050
listen=1 listen=1
listenonion=1 listenonion=1
torcontrol=127.0.0.1:9051 torcontrol=127.0.0.1:9051
torenablecircuit=1
txindex=1

37
src/system/modules/bitcoin/default.nix
View file

@ -5,7 +5,7 @@ let
cfg = config.modules.system.bitcoin; cfg = config.modules.system.bitcoin;
nginx = config.modules.system.nginx; nginx = config.modules.system.nginx;
home = "/var/lib/bitcoind"; home = "/var/lib/bitcoin";
bitcoinConf = pkgs.writeTextFile { bitcoinConf = pkgs.writeTextFile {
name = "bitcoin.conf"; name = "bitcoin.conf";
@ -15,16 +15,10 @@ let
in in
{ options.modules.system.bitcoin = { enable = mkEnableOption "Bitcoin Server"; }; { options.modules.system.bitcoin = { enable = mkEnableOption "Bitcoin Server"; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
nixpkgs.overlays = [ modules.system.tor.enable = true;
(final: prev: {
bitcoind = prev.bitcoind.overrideAttrs (old: rec { environment.systemPackages = with pkgs; [
version = "28.0"; bitcoind
src = fetchTarball {
url = "https://github.com/bitcoin/bitcoin/archive/refs/tags/v${version}.tar.gz";
sha256 = "sha256-LLtw6pMyqIJ3IWHiK4P3XoifLojB9yMNMo+MGNFGuRY=";
};
});
})
]; ];
users = { users = {
@ -34,6 +28,7 @@ in
description = "Bitcoin Core system user"; description = "Bitcoin Core system user";
isSystemUser = true; isSystemUser = true;
group = "bitcoin"; group = "bitcoin";
extraGroups = [ "tor" ];
createHome = true; createHome = true;
}; };
"nginx" = { "nginx" = {
@ -46,17 +41,18 @@ in
"bitcoin" = { "bitcoin" = {
members = [ members = [
"btc" "btc"
config.user.name
]; ];
}; };
}; };
}; };
programs.bash.shellAliases = { programs.bash.shellAliases = {
btc = "bitcoind"; btc = "bitcoin-cli";
}; };
services.bitcoind = { services.bitcoind = {
"btc" = { "mainnet" = {
enable = true; enable = true;
user = "btc"; user = "btc";
group = "bitcoin"; group = "bitcoin";
@ -65,5 +61,20 @@ in
pidFile = "${home}/bitcoind.pid"; pidFile = "${home}/bitcoind.pid";
}; };
}; };
# Make data dir group-accessible so electrs/clightning can read cookie
systemd.tmpfiles.rules = [
"d ${home} 0750 btc bitcoin -"
];
systemd.services.bitcoind-mainnet = {
wants = [ "tor.service" ];
after = [ "tor.service" ];
serviceConfig.ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/tor";
};
modules.system.backup.paths = [
"${home}/wallets"
];
}; };
} }

31
src/system/modules/bitcoin/modules/clightning/config/lightning.conf Normal file
View file

@ -0,0 +1,31 @@
alias=OrdSux
network=bitcoin
bitcoin-datadir=/var/lib/bitcoin
bitcoin-rpcconnect=127.0.0.1
bitcoin-rpcport=8332
lightning-dir=/var/lib/clightning
plugin-dir=/var/lib/clightning/plugins
log-file=/var/lib/clightning/lightningd.log
log-level=info
rpc-file-mode=0660
# Bind RPC locally only
bind-addr=127.0.0.1:9736
# Auto-create Tor hidden service for peer connections
addr=autotor:127.0.0.1:9051
# Route outbound through Tor
proxy=127.0.0.1:9050
always-use-proxy=true
large-channels
fee-base=1000
fee-per-satoshi=10
min-capacity-sat=10000
htlc-minimum-msat=0
funding-confirms=3
max-concurrent-htlcs=30

106
src/system/modules/bitcoin/modules/clightning/default.nix Normal file
View file

@ -0,0 +1,106 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.modules.system.bitcoin.clightning;
btc = config.modules.system.bitcoin;
nginx = config.modules.system.nginx;
home = "/var/lib/clightning";
domain = "ramos.codes";
clnrest = pkgs.callPackage ./plugins/clnrest.nix { };
clnConfig = pkgs.writeTextFile {
name = "lightning.conf";
text = ''
${builtins.readFile ./config/lightning.conf}
bitcoin-cli=${pkgs.bitcoind}/bin/bitcoin-cli
# CLNRest configuration
clnrest-port=3010
clnrest-host=127.0.0.1
clnrest-protocol=https
'';
};
in
{ options.modules.system.bitcoin.clightning = { enable = mkEnableOption "Core Lightning Server"; };
config = mkIf (cfg.enable && btc.enable) {
environment.systemPackages = with pkgs; [
clightning
];
users = {
users = {
"clightning" = {
inherit home;
description = "Core Lightning system user";
isSystemUser = true;
group = "bitcoin";
extraGroups = [ "tor" ];
createHome = true;
};
};
groups = {
"bitcoin" = {
members = mkAfter [
"clightning"
];
};
};
};
programs.bash.shellAliases = {
cln = "lightning-cli";
};
systemd.services.lightningd = {
description = "Core Lightning Daemon";
wantedBy = [ "multi-user.target" ];
wants = [ "bitcoind-mainnet.service" "tor.service" ];
after = [
"bitcoind-mainnet.service"
"tor.service"
"network.target"
];
serviceConfig = {
ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/bitcoin /var/lib/tor ${home} ${home}/bitcoin";
ExecStart = "${pkgs.clightning}/bin/lightningd --conf=${clnConfig}";
User = "clightning";
Group = "bitcoin";
WorkingDirectory = home;
Type = "simple";
KillMode = "process";
TimeoutSec = 60;
Restart = "always";
RestartSec = 60;
};
};
# Ensure data directory exists with correct permissions
systemd.tmpfiles.rules = mkAfter [
"d ${home} 0750 clightning bitcoin -"
"d ${home}/plugins 0750 clightning bitcoin -"
"L+ /home/${config.user.name}/.lightning - - - - ${home}"
"L+ ${home}/plugins/clnrest - - - - ${clnrest}/libexec/c-lightning/plugins/clnrest"
];
modules.system.backup.paths = [
"${home}/bitcoin/hsm_secret"
];
services.nginx.virtualHosts."ln.${domain}" = mkIf nginx.enable {
useACMEHost = domain;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:3010";
extraConfig = ''
proxy_ssl_verify off;
'';
};
};
};
}

54
src/system/modules/bitcoin/modules/clightning/plugins/clnrest.nix Normal file
View file

@ -0,0 +1,54 @@
{
lib,
rustPlatform,
fetchFromGitHub,
pkg-config,
openssl,
protobuf,
}:
rustPlatform.buildRustPackage rec {
pname = "clnrest";
version = "25.02.2";
src = fetchFromGitHub {
owner = "ElementsProject";
repo = "lightning";
rev = "v${version}";
hash = "sha256-SiPYB463l9279+zawsxmql1Ui/dTdah5KgJgmrWsR2A=";
};
cargoLock = {
lockFile = "${src}/Cargo.lock";
};
cargoBuildFlags = [
"-p"
"clnrest"
];
cargoTestFlags = [
"-p"
"clnrest"
];
nativeBuildInputs = [
pkg-config
protobuf
];
buildInputs = [ openssl ];
postInstall = ''
mkdir -p $out/libexec/c-lightning/plugins
mv $out/bin/clnrest $out/libexec/c-lightning/plugins/
rmdir $out/bin
'';
meta = {
description = "Transforms RPC calls into REST APIs";
homepage = "https://docs.corelightning.org/docs/rest";
license = lib.licenses.mit;
platforms = lib.platforms.linux;
mainProgram = "clnrest";
};
}

9
src/system/modules/bitcoin/modules/electrum/config/config.toml
View file

@ -2,13 +2,12 @@ network = "bitcoin"
electrum_rpc_addr = "127.0.0.1:50001" electrum_rpc_addr = "127.0.0.1:50001"
cookie-file = "/var/lib/bitcoind/.cookie" cookie_file = "/var/lib/bitcoin/.cookie"
db_dir = "/var/lib/electrs" db_dir = "/var/lib/electrs"
log_filters = "INFO" log_filters = "INFO"
timestamp = true
daemon-rpc-addr = "127.0.0.1:8332" daemon_rpc_addr = "127.0.0.1:8332"
daemon-p2p-addr = "127.0.0.1:8333" daemon_p2p_addr = "127.0.0.1:8333"
daemon-dir = "/var/lib/bitcoind" daemon_dir = "/var/lib/bitcoin"

41
src/system/modules/bitcoin/modules/electrum/default.nix
View file

@ -3,9 +3,11 @@
with lib; with lib;
let let
cfg = config.modules.system.bitcoin.electrum; cfg = config.modules.system.bitcoin.electrum;
nginx = config.modules.system.nginx;
home = "/var/lib/electrs"; home = "/var/lib/electrs";
btc = config.modules.system.bitcoin; btc = config.modules.system.bitcoin;
domain = "ramos.codes";
electrsConfig = pkgs.writeTextFile { electrsConfig = pkgs.writeTextFile {
name = "config.toml"; name = "config.toml";
@ -63,18 +65,20 @@ in
systemd.services.electrs = { systemd.services.electrs = {
description = "Electrs Bitcoin Indexer"; description = "Electrs Bitcoin Indexer";
wantedBy = [ "multi-user.target" ];
script = "${pkgs.electrs}/bin/electrs"; wants = [ "bitcoind-mainnet.service" ];
scriptArgs = "--conf=${electrsConfig}";
after = [ after = [
"bitcoind-btc.service" "bitcoind-mainnet.service"
"network.target"
]; ];
serviceConfig = { serviceConfig = {
ExecStartPre = "+${pkgs.coreutils}/bin/chmod 750 /var/lib/bitcoin";
ExecStart = "${pkgs.electrs}/bin/electrs --conf=${electrsConfig}";
User = "electrs"; User = "electrs";
Group = "bitcoin"; Group = "bitcoin";
WorkingDirectory = home;
Type = "simple"; Type = "simple";
KillMode = "process"; KillMode = "process";
@ -82,10 +86,29 @@ in
Restart = "always"; Restart = "always";
RestartSec = 60; RestartSec = 60;
}; };
requisite = [
"bitcoind-btc.service"
"network.target"
];
}; };
# Ensure db directory exists with correct permissions
systemd.tmpfiles.rules = [
"d ${home} 0750 electrs bitcoin -"
];
# Nginx SSL proxy for Electrum protocol (TCP)
networking.firewall.allowedTCPPorts = mkIf nginx.enable [ 50002 ];
services.nginx.streamConfig = mkIf nginx.enable ''
map $ssl_server_name $electrs_backend {
electrum.${domain} 127.0.0.1:50001;
default "";
}
server {
listen 50002 ssl;
proxy_pass $electrs_backend;
ssl_certificate /var/lib/acme/${domain}/fullchain.pem;
ssl_certificate_key /var/lib/acme/${domain}/key.pem;
}
'';
}; };
} }

3
src/system/modules/default.nix
View file

@ -7,7 +7,8 @@ let
isModuleDir = path: isModuleDir = path:
builtins.pathExists path && builtins.pathExists path &&
builtins.readFileType path == "directory" && builtins.readFileType path == "directory" &&
builtins.baseNameOf path != "config"; builtins.baseNameOf path != "config" &&
builtins.baseNameOf path != "plugins";
isModule = file: file == "default.nix"; isModule = file: file == "default.nix";
isNix = file: builtins.match ".*\\.nix" file != null && file != "default.nix"; isNix = file: builtins.match ".*\\.nix" file != null && file != "default.nix";

30
src/system/modules/tor/default.nix Normal file
View file

@ -0,0 +1,30 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.modules.system.tor;
in
{
options.modules.system.tor = {
enable = mkEnableOption "Tor";
};
config = mkIf cfg.enable {
services.tor = {
enable = true;
client = {
enable = true;
# SOCKS proxy on 127.0.0.1:9050
};
settings = {
ControlPort = 9051;
CookieAuthentication = true;
CookieAuthFileGroupReadable = true;
DataDirectoryGroupReadable = true;
};
};
};
}