nixos/hosts/common/optional/nixos-containers/nix-bitcoin.nix

{
  inputs,
  lib,
  config,
  pkgs,
  ...
}: let
  bitcoin-rpcpassword-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-privileged".path;
  bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
  bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
  bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
  container_name = "bitcoin-node";
  container_ip = "10.0.10.5";
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {
  sops.secrets = {
    "software/bitcoind/bitcoin-rpcpassword-privileged" = {};
    "software/bitcoind/bitcoin-rpcpassword-public" = {};
    "software/bitcoind/bitcoin-HMAC-privileged" = {};
    "software/bitcoind/bitcoin-HMAC-public" = {};
  };

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${container_name}"
    ];
  };

  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  containers.${container_name} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;
    bindMounts = {
      "/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-privileged" = {
        hostPath = "${bitcoin-rpcpassword-privileged}";
        isReadOnly = false;
      };
      "/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public" = {
        hostPath = "${bitcoin-rpcpassword-public}";
        isReadOnly = false;
      };
      "/etc/nix-bitcoin-secrets/bitcoin-HMAC-privileged" = {
        hostPath = "${bitcoin-HMAC-privileged}";
        isReadOnly = false;
      };
      "/etc/nix-bitcoin-secrets/bitcoin-HMAC-public" = {
        hostPath = "${bitcoin-HMAC-public}";
        isReadOnly = false;
      };
      "/var/lib/bitcoind" = {
        hostPath = "/media/main-ssd/nix-bitcoin/bitcoind";
        isReadOnly = false;
      };
      "/var/lib/electrs" = {
        hostPath = "/media/main-ssd/nix-bitcoin/electrs";
        isReadOnly = false;
      };
      "/var/lib/mysql" = {
        hostPath = "/media/main-ssd/nix-bitcoin/mysql";
        isReadOnly = false;
      };
      "/var/lib/tor" = {
        hostPath = "/media/main-ssd/nix-bitcoin/tor";
        isReadOnly = false;
      };
    };

    config = {
      pkgs,
      lib,
      ...
    }: {
      imports = [
        inputs.nix-bitcoin.nixosModules.default
      ];
      environment.systemPackages = with pkgs; [
        vim
        lsof
        jq
      ];
      networking = {
        defaultGateway = "10.0.10.1";
        interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ];
        firewall = {
          enable = true;
          allowedTCPPorts = [
            80
            443
            22
            config.containers.bitcoin-node.config.services.bitcoind.rpc.port
            config.containers.bitcoin-node.config.services.mempool.frontend.port
            config.containers.bitcoin-node.config.services.electrs.port
          ];
        };
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      # node services here
      nix-bitcoin.generateSecrets = true;
      services = {
        tor = {
          enable = true;
          client.enable = true;
        };
        bitcoind = {
          tor.proxy = true;
          tor.enforce = true;
          enable = true;
          dataDir = "/var/lib/bitcoind";
          dbCache = 5000;
          txindex = true;
          rpc = {
            address = "0.0.0.0";
            threads = 6;
            allowip = ["10.0.0.0/8"];
            users = let
              name = "bitcoin";
            in {
              privileged.name = name;
              public.name = name;
            };
          };
          extraConfig = ''
            onlynet=onion
            bind=127.0.0.1
          '';
        };
        electrs = {
          tor.enforce = true;
          enable = true;
          dataDir = "/var/lib/electrs";
          address = "0.0.0.0";
        };
        mempool = {
          enable = true;
          electrumServer = "electrs";
          frontend = {
            port = 4080;
            address = "0.0.0.0";
          };
        };
      };
      nix-bitcoin.onionServices = {
        bitcoind.enable = true;
        electrs.enable = true;
        mempool-frontend.enable = true;
      };

      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      users.users.root = {
        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
      };

      system.stateVersion = "24.05";
    };
  };
}
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`{`
			`inputs,`
			`lib,`
			`config,`
			`pkgs,`
			`...`
			`}: let`
			`bitcoin-rpcpassword-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-privileged".path;`
			`bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;`
			`bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;`
			`bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;`
add postgres and jellyfin nixos-containers 2024-10-06 17:25:27 +01:00			`container_name = "bitcoin-node";`
			`container_ip = "10.0.10.5";`
			`pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`in {`
			`sops.secrets = {`
			`"software/bitcoind/bitcoin-rpcpassword-privileged" = {};`
			`"software/bitcoind/bitcoin-rpcpassword-public" = {};`
			`"software/bitcoind/bitcoin-HMAC-privileged" = {};`
			`"software/bitcoind/bitcoin-HMAC-public" = {};`
			`};`

add postgres and jellyfin nixos-containers 2024-10-06 17:25:27 +01:00			`environment.persistence."/persist" = {`
			`hideMounts = true;`
			`directories = [`
			`"/var/lib/nixos-containers/${container_name}"`
			`];`
			`};`

working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`networking.nat.enable = true;`
			`networking.nat.internalInterfaces = ["ve-+"];`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`networking.nat.externalInterface = "br0";`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00
add postgres and jellyfin nixos-containers 2024-10-06 17:25:27 +01:00			`containers.${container_name} = {`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`autoStart = true;`
			`privateNetwork = true;`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`hostBridge = "br0";`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`nixpkgs = pkgs.path;`
			`bindMounts = {`
			`"/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-privileged" = {`
			`hostPath = "${bitcoin-rpcpassword-privileged}";`
			`isReadOnly = false;`
			`};`
			`"/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public" = {`
			`hostPath = "${bitcoin-rpcpassword-public}";`
			`isReadOnly = false;`
			`};`
			`"/etc/nix-bitcoin-secrets/bitcoin-HMAC-privileged" = {`
			`hostPath = "${bitcoin-HMAC-privileged}";`
			`isReadOnly = false;`
			`};`
			`"/etc/nix-bitcoin-secrets/bitcoin-HMAC-public" = {`
			`hostPath = "${bitcoin-HMAC-public}";`
			`isReadOnly = false;`
			`};`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`"/var/lib/bitcoind" = {`
			`hostPath = "/media/main-ssd/nix-bitcoin/bitcoind";`
			`isReadOnly = false;`
			`};`
			`"/var/lib/electrs" = {`
			`hostPath = "/media/main-ssd/nix-bitcoin/electrs";`
			`isReadOnly = false;`
			`};`
			`"/var/lib/mysql" = {`
			`hostPath = "/media/main-ssd/nix-bitcoin/mysql";`
			`isReadOnly = false;`
			`};`
			`"/var/lib/tor" = {`
			`hostPath = "/media/main-ssd/nix-bitcoin/tor";`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`isReadOnly = false;`
			`};`
			`};`

			`config = {`
			`pkgs,`
			`lib,`
			`...`
			`}: {`
			`imports = [`
			`inputs.nix-bitcoin.nixosModules.default`
			`];`
			`environment.systemPackages = with pkgs; [`
			`vim`
			`lsof`
			`jq`
			`];`
			`networking = {`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`defaultGateway = "10.0.10.1";`
add postgres and jellyfin nixos-containers 2024-10-06 17:25:27 +01:00			`interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ];`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`firewall = {`
			`enable = true;`
			`allowedTCPPorts = [`
			`80`
			`443`
			`22`
			`config.containers.bitcoin-node.config.services.bitcoind.rpc.port`
			`config.containers.bitcoin-node.config.services.mempool.frontend.port`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`config.containers.bitcoin-node.config.services.electrs.port`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`];`
			`};`
			`useHostResolvConf = lib.mkForce false;`
			`};`

			`services.resolved.enable = true;`

			`# node services here`
add postgres and jellyfin nixos-containers 2024-10-06 17:25:27 +01:00			`nix-bitcoin.generateSecrets = true;`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`services = {`
			`tor = {`
			`enable = true;`
			`client.enable = true;`
			`};`
			`bitcoind = {`
			`tor.proxy = true;`
			`tor.enforce = true;`
			`enable = true;`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`dataDir = "/var/lib/bitcoind";`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`dbCache = 5000;`
			`txindex = true;`
			`rpc = {`
			`address = "0.0.0.0";`
			`threads = 6;`
			`allowip = ["10.0.0.0/8"];`
			`users = let`
			`name = "bitcoin";`
			`in {`
			`privileged.name = name;`
			`public.name = name;`
			`};`
			`};`
			`extraConfig = ''`
			`onlynet=onion`
			`bind=127.0.0.1`
			`'';`
			`};`
			`electrs = {`
			`tor.enforce = true;`
			`enable = true;`
update nix-bitcoin and use network bridge for semita 2024-10-05 16:42:16 +01:00			`dataDir = "/var/lib/electrs";`
			`address = "0.0.0.0";`
working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`};`
			`mempool = {`
			`enable = true;`
			`electrumServer = "electrs";`
			`frontend = {`
			`port = 4080;`
			`address = "0.0.0.0";`
			`};`
			`};`
			`};`
			`nix-bitcoin.onionServices = {`
			`bitcoind.enable = true;`
			`electrs.enable = true;`
			`mempool-frontend.enable = true;`
			`};`
add postgres and jellyfin nixos-containers 2024-10-06 17:25:27 +01:00
			`services.openssh = {`
			`enable = true;`
			`settings.PasswordAuthentication = false;`
			`};`

			`users.users.root = {`
			`openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);`
			`};`

working implementation of bitcoind 2024-10-04 17:53:32 +01:00			`system.stateVersion = "24.05";`
			`};`
			`};`
			`}`