sam
/
nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

working implementation of bitcoind

This commit is contained in:
Sam 2024-10-04 17:53:32 +01:00
parent 4c857eded4
commit 37901f3937
6 changed files with 273 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
flake.lock
View File

@ -80,6 +80,31 @@
"type": "github" "type": "github"
} }
}, },
"extra-container": {
"inputs": {
"flake-utils": [
"nix-bitcoin",
"flake-utils"
],
"nixpkgs": [
"nix-bitcoin",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722175938,
"narHash": "sha256-HKyB4HD+NdX3T233bY31hm76v3/tdQBNeLLvopKbZeY=",
"owner": "erikarvstedt",
"repo": "extra-container",
"rev": "37e7207ac9f857eedb58b208b9dc91cd6b24e651",
"type": "github"
},
"original": {
"owner": "erikarvstedt",
"repo": "extra-container",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -173,6 +198,24 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
@ -318,6 +361,30 @@
"type": "github" "type": "github"
} }
}, },
"nix-bitcoin": {
"inputs": {
"extra-container": "extra-container",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1727247704,
"narHash": "sha256-Jl1CYXNIdJ4Ac0MK15e8+vflFOgPxZZNw24CKfLC6QY=",
"owner": "fort-nix",
"repo": "nix-bitcoin",
"rev": "a0d36d59248ac54f1b42a668326346a77640c7f5",
"type": "github"
},
"original": {
"owner": "fort-nix",
"ref": "nixos-24.05",
"repo": "nix-bitcoin",
"type": "github"
}
},
"nix-colors": { "nix-colors": {
"inputs": { "inputs": {
"base16-schemes": "base16-schemes", "base16-schemes": "base16-schemes",
@ -361,11 +428,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1726340825, "lastModified": 1728041293,
"narHash": "sha256-6gv36ea3aAjJH7osZVzVU0GRoJeVR+iwSP9bSaJC+MI=", "narHash": "sha256-ttKGrtU+naTxmlHf4M142MTM4rYc5WWhRzdY1wEO5gE=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "73d4d304a201f7db200ffb5955c8a2f521f635a7", "rev": "dc659e262931d48bc8499fbfee60d27e40cda9cd",
"revCount": 160, "revCount": 163,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -422,6 +489,22 @@
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": {
"lastModified": 1726871744,
"narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable_2": {
"locked": { "locked": {
"lastModified": 1724819573, "lastModified": 1724819573,
"narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
@ -502,10 +585,11 @@
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
"nix-bitcoin": "nix-bitcoin",
"nix-colors": "nix-colors", "nix-colors": "nix-colors",
"nix-secrets": "nix-secrets", "nix-secrets": "nix-secrets",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable_2",
"nixvim": "nixvim", "nixvim": "nixvim",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
@ -532,6 +616,21 @@
"type": "github" "type": "github"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [

6
flake.nix
View File

@ -26,6 +26,12 @@
url = "github:hercules-ci/arion/236f9dd82d6ef6a2d9987c7a7df3e75f1bc8b318"; url = "github:hercules-ci/arion/236f9dd82d6ef6a2d9987c7a7df3e75f1bc8b318";
}; };
# nix-bitcoin
nix-bitcoin = {
url = "github:fort-nix/nix-bitcoin/nixos-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Nix colors # Nix colors
nix-colors.url = "github:misterio77/nix-colors"; nix-colors.url = "github:misterio77/nix-colors";

156
hosts/common/optional/nix-bitcoin.nix Normal file
View File

@ -0,0 +1,156 @@
{
inputs,
lib,
config,
pkgs,
...
}: let
bitcoin-rpcpassword-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-privileged".path;
bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
pubKeys = lib.filesystem.listFilesRecursive ../users/keys;
in {
sops.secrets = {
"software/bitcoind/bitcoin-rpcpassword-privileged" = {};
"software/bitcoind/bitcoin-rpcpassword-public" = {};
"software/bitcoind/bitcoin-HMAC-privileged" = {};
"software/bitcoind/bitcoin-HMAC-public" = {};
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "eth0";
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [80 443 22];
networking.firewall.trustedInterfaces = ["ve-+" "ve-bitcoin-node"];
containers.bitcoin-node = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.0.21.1";
localAddress = "10.0.21.2";
nixpkgs = pkgs.path;
bindMounts = {
"/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-privileged" = {
hostPath = "${bitcoin-rpcpassword-privileged}";
isReadOnly = false;
};
"/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public" = {
hostPath = "${bitcoin-rpcpassword-public}";
isReadOnly = false;
};
"/etc/nix-bitcoin-secrets/bitcoin-HMAC-privileged" = {
hostPath = "${bitcoin-HMAC-privileged}";
isReadOnly = false;
};
"/etc/nix-bitcoin-secrets/bitcoin-HMAC-public" = {
hostPath = "${bitcoin-HMAC-public}";
isReadOnly = false;
};
"/var/lib/nix-bitcoin" = {
hostPath = "/media/main-ssd/nix-bitcoin";
isReadOnly = false;
};
};
forwardPorts = [
{
containerPort = 80;
hostPort = 8080;
protocol = "tcp";
}
];
config = {
pkgs,
lib,
...
}: {
imports = [
inputs.nix-bitcoin.nixosModules.default
];
environment.systemPackages = with pkgs; [
vim
lsof
jq
];
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
22
config.containers.bitcoin-node.config.services.bitcoind.rpc.port
config.containers.bitcoin-node.config.services.mempool.frontend.port
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
nix-bitcoin.generateSecrets = true;
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
# node services here
services = {
tor = {
enable = true;
client.enable = true;
};
bitcoind = {
tor.proxy = true;
tor.enforce = true;
enable = true;
dataDir = "/var/lib/nix-bitcoin/bitcoind";
dbCache = 5000;
txindex = true;
rpc = {
address = "0.0.0.0";
threads = 6;
allowip = ["10.0.0.0/8"];
users = let
name = "bitcoin";
in {
privileged.name = name;
public.name = name;
};
};
extraConfig = ''
onlynet=onion
bind=127.0.0.1
'';
};
electrs = {
tor.enforce = true;
enable = true;
dataDir = "/var/lib/nix-bitcoin/electrs";
};
mempool = {
enable = true;
electrumServer = "electrs";
frontend = {
port = 4080;
address = "0.0.0.0";
};
};
};
nix-bitcoin.onionServices = {
bitcoind.enable = true;
electrs.enable = true;
mempool-frontend.enable = true;
};
system.stateVersion = "24.05";
};
};
}

1
hosts/common/users/keys/laptop@id_rsa.pub
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgPtDNQEN97mnrq/v9RPMUaSjLpIaF/ga/L41xETB9h0y5jdpPUMbZ6uTV6vW8Vm1YW2tzEs2l1lxb9yTrsK8hdVfz8/vWvDSbsUIJn3gOQSOTNQ+nNFFYlKqNhypK+3Mn8BD7EeJaLNK8Ahr/87PS0c/B5YN+TcntsEZpsXF7U2CCqMh559JXp1byie7DuwTYUdvjdDtCidYNphGoEljuzID+lJFBYsaa5SQFlmrr7HcQfaE/MwyxyPRryRnlO7E9k12BrL56UONYycyTf4dyK9MnhhO0wAkIoHyd46/sAdgvNrloY4I+WLjUOqKY6vys8kxG7xNcmN5XfeDJXrPMhW5N0Kz2dc/Yu8SOG8weCiz7uuDjcxYz9eK5cxKgg37A+drbgddoHTi7GCM5Q6wN2Jlig0++6Xo2CGOUKpNOmGBRGAjlIByXYWu1KFRBVclXZES/g38274gRihVk3WCbtLEUafS7wsl8ruMmecU7rhDL7fITd2hWvBkONpA7RxLlMTBfMAEXuq4hOystGZeZj7KusPG4purJDtT+3rCcl5LZ8cn4G5fvINTbXeix5pOz/TdSGNTSJW7ML2W0W6Q+2kVO0l2N/+6IA/rPa4j+AwTODBxWkWVHEBRncJ5hIh5iFz+dSnmllkwOi41tbDFmdGuDeyQ0dsq4wXrBzXGfxw== samual.shop@protonmail.com :: laptop

6
hosts/semita/default.nix
View File

@ -47,8 +47,14 @@ in {
../common/optional/nfs-mounts/homeshare.nix ../common/optional/nfs-mounts/homeshare.nix
../common/optional/printing.nix ../common/optional/printing.nix
../common/optional/docker ../common/optional/docker
../common/optional/nix-bitcoin.nix
]; ];
fileSystems."/media/main-ssd" = {
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
boot = { boot = {
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"]; blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest; kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;

1
justfile
View File

@ -23,6 +23,7 @@ update-flake:
edit-sops: edit-sops:
echo "Editing {{SOPS_FILE}}" echo "Editing {{SOPS_FILE}}"
nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}" nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}"
cd $(dirname {{SOPS_FILE}}) && git add . && git commit -m "autocommit" && git push
# update keys in secrets.yaml and push to remote # update keys in secrets.yaml and push to remote
update-sops-secrets: update-sops-secrets: