{ inputs, lib, config, configVars, pkgs, ... }:
let
  # Container identity and addressing. The IPs and the bitcoind allow-list
  # come from the shared configVars tree rather than being hard-coded here.
  containerName = "bitcoin-node";
  containerIp = configVars.networking.addresses.bitcoin-node.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
  allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;

  # Every file found under users/keys is loaded verbatim as a root SSH key
  # inside the container (see users.users.root below), so anything placed in
  # that directory tree grants root access to the node.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;

  # bitcoind credentials managed by sops, named as nix-bitcoin expects them
  # under its secrets directory.
  secretNames = [
    "bitcoin-rpcpassword-privileged"
    "bitcoin-rpcpassword-public"
    "bitcoin-HMAC-privileged"
    "bitcoin-HMAC-public"
  ];

  # sops key under which a given bitcoind secret is declared.
  sopsKey = name: "software/bitcoind/${name}";

  # Host path of the decrypted secret, or "" when the flake has no sops-nix
  # input. optionalString is lazy, so config.sops is never evaluated in the
  # latter case.
  secretPath = name:
    lib.optionalString (lib.hasAttr "sops-nix" inputs)
      config.sops.secrets.${sopsKey name}.path;

  # Secrets are exposed at the path nix-bitcoin reads them from.
  # NOTE(review): these mounts are read-write, so the container can modify the
  # host's decrypted secret files. Presumably this is needed so nix-bitcoin's
  # secret setup can adjust ownership/permissions on them — confirm; if not,
  # isReadOnly = true would be the least-privilege choice.
  secretMounts = lib.listToAttrs (map (name:
    lib.nameValuePair "/etc/nix-bitcoin-secrets/${name}" {
      hostPath = "${secretPath name}";
      isReadOnly = false;
    }) secretNames);

  # Persistent service state lives on the host SSD and survives container
  # rebuilds; each service sees it under /var/lib/<service>.
  stateMounts = lib.listToAttrs (map (svc:
    lib.nameValuePair "/var/lib/${svc}" {
      hostPath = "/media/main-ssd/nix-bitcoin/${svc}";
      isReadOnly = false;
    }) [ "bitcoind" "electrs" "mysql" "tor" ]);
in
{
  # Declare the secrets so sops-nix decrypts them on the host; the container
  # receives them through the bind mounts above.
  sops.secrets = lib.genAttrs (map sopsKey secretNames) (_: { });

  # Keep the container's own state directory across reboots of an
  # impermanent host.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  # NOTE(review): the container attaches to br0 via hostBridge rather than a
  # ve-* veth pair, so this NAT rule for ve-+ may be unused here — confirm
  # whether other containers on the host rely on it.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "br0";
  };

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;
    bindMounts = secretMounts // stateMounts;

    # The inner module deliberately does not rebind `config`; every `config.`
    # reference below therefore resolves to the host configuration and reads
    # the container's evaluated options through containers.<name>.config.
    config = { pkgs, lib, ... }: {
      imports = [ inputs.nix-bitcoin.nixosModules.default ];

      environment.systemPackages = [ pkgs.vim pkgs.lsof pkgs.jq ];

      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          { address = "${containerIp}"; prefixLength = 24; }
        ];
        firewall = {
          enable = true;
          # 22 is for the SSH service below. 80 and 443 are opened although no
          # service in this module listens on them (the mempool frontend is on
          # 4080); consider dropping them unless something else depends on
          # them. The three computed ports expose bitcoind RPC, the mempool
          # frontend and electrs to everything that can reach ${containerIp}.
          allowedTCPPorts = [
            80 443 22
            config.containers.${containerName}.config.services.bitcoind.rpc.port
            config.containers.${containerName}.config.services.mempool.frontend.port
            config.containers.${containerName}.config.services.electrs.port
          ];
        };
        # The container runs its own resolver instead of inheriting the
        # host's resolv.conf.
        useHostResolvConf = lib.mkForce false;
      };

      nix-bitcoin = {
        # nix-bitcoin creates any secret it does not find under its secrets
        # directory; the four sops-provided files above are presumably left
        # as-is — confirm against the nix-bitcoin version in use.
        generateSecrets = true;
        onionServices = {
          bitcoind.enable = true;
          electrs.enable = true;
          mempool-frontend.enable = true;
        };
      };

      services = {
        resolved.enable = true;

        tor = {
          enable = true;
          client.enable = true;
        };

        bitcoind = {
          enable = true;
          # Outbound peer traffic goes through Tor and is refused otherwise.
          tor.proxy = true;
          tor.enforce = true;
          dataDir = "/var/lib/bitcoind";
          dbCache = 5000;
          txindex = true;
          rpc = {
            # The RPC listener binds every container interface and its port is
            # opened in the firewall above; the only access controls left are
            # the allowip list and the rpcauth credentials, so keep allowip
            # restricted to the intended clients.
            address = "0.0.0.0";
            threads = 6;
            inherit allowip;
            # NOTE(review): both RPC users share the username "bitcoin".
            # bitcoind matches rpcauth entries by username, so presumably
            # either password authenticates as the same user and whatever
            # restrictions nix-bitcoin attaches to the public user apply to
            # both — confirm this is intended.
            users = {
              privileged.name = "bitcoin";
              public.name = "bitcoin";
            };
          };
          # `bind` restricts only the P2P listener; the RPC listener is
          # configured by rpc.address above. onlynet=onion keeps peer
          # connections Tor-only.
          extraConfig = ''
            onlynet=onion
            bind=127.0.0.1
          '';
        };

        electrs = {
          enable = true;
          tor.enforce = true;
          dataDir = "/var/lib/electrs";
          # The Electrum protocol carries no authentication; with the firewall
          # rule above this listener is reachable by every host on the
          # container's subnet, not only via the onion service.
          address = "0.0.0.0";
        };

        mempool = {
          enable = true;
          electrumServer = "electrs";
          frontend = {
            port = 4080;
            address = "0.0.0.0";
          };
        };

        openssh = {
          enable = true;
          # Key-only root login; the keys are collected from users/keys.
          settings.PasswordAuthentication = false;
        };
      };

      users.users.root.openssh.authorizedKeys.keys = map builtins.readFile pubKeys;

      system.stateVersion = "24.05";
    };
  };
}