{ inputs, lib, config, configVars, pkgs, ... }: let containerName = "bitcoin-node"; containerIp = configVars.networking.addresses.bitcoin-node.ip; mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port; bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData; bitcoindData = configVars.locations.bitcoindData; gatewayIp = configVars.networking.addresses.gateway.ip; allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; in { services.restic.backups = { daily = { paths = [ bitcoinNodeContainerData ]; exclude = [ "${bitcoindData}" "${bitcoinNodeContainerData}/electrs" ]; }; }; environment.persistence."/persist" = { hideMounts = true; directories = [ "/var/lib/nixos-containers/${containerName}" ]; }; networking.nat.enable = true; networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "br0"; containers.${containerName} = { autoStart = true; privateNetwork = true; hostBridge = "br0"; nixpkgs = pkgs.path; bindMounts = { "/var/lib/" = { hostPath = bitcoinNodeContainerData; isReadOnly = false; }; "/var/lib/bitcoind" = { hostPath = bitcoindData; isReadOnly = false; }; }; config = { pkgs, lib, ... }: { imports = [ inputs.nix-bitcoin.nixosModules.default inputs.lnbits.nixosModules.default ]; environment.systemPackages = with pkgs; [ vim lsof jq ]; networking = { defaultGateway = "${gatewayIp}"; interfaces.eth0.ipv4.addresses = [ { "address" = "${containerIp}"; "prefixLength" = 24; } ]; firewall = { enable = true; allowedTCPPorts = [ 80 443 22 config.containers.bitcoin-node.config.services.bitcoind.rpc.port config.containers.bitcoin-node.config.services.mempool.frontend.port config.containers.bitcoin-node.config.services.electrs.port config.containers.bitcoin-node.config.services.rtl.port config.containers.bitcoin-node.config.services.lnd.port ]; }; useHostResolvConf = lib.mkForce false; }; services.resolved.enable = true; # node services here nix-bitcoin.generateSecrets = true; nix-bitcoin.nodeinfo.enable = true; services = { backups = { enable = true; frequency = "daily"; }; tor = { enable = true; client.enable = true; }; bitcoind = { tor.proxy = true; tor.enforce = true; enable = true; dataDir = "/var/lib/bitcoind"; dbCache = 5000; txindex = true; rpc = { address = "0.0.0.0"; allowip = allowip; users = let name = "bitcoin"; in { privileged.name = name; public.name = name; }; }; extraConfig = '' onlynet=onion bind=127.0.0.1 ''; }; electrs = { tor.enforce = true; enable = true; dataDir = "/var/lib/electrs"; address = "0.0.0.0"; }; mempool = { enable = true; electrumServer = "electrs"; frontend = { port = mempoolPort; address = "0.0.0.0"; }; }; lnd = { enable = true; lndconnect = { enable = true; onion = true; }; extraConfig = '' alias=bitlab21 tor.active=true tor.skip-proxy-for-clearnet-targets=1 ''; }; rtl = { enable = true; nodes.lnd.enable = true; address = "0.0.0.0"; }; lnbits = { enable = true; openFirewall = true; host = "0.0.0.0"; port = 8231; env = { LNBITS_ADMIN_UI = "true"; LNBITS_BACKEND_WALLET_CLASS = "LndRestWallet"; LND_REST_ENDPOINT = "https://127.0.0.1:8080"; LND_REST_CERT = "/etc/nix-bitcoin-secrets/lnd-cert"; LND_REST_MACAROON = "/var/lib/lnbits/admin.macaroon"; AUTH_ALLOWED_METHODS = "user-id-only, username-password"; }; }; }; # Add custom systemd overrides for above services systemd.services.lnbits.after = ["lnd.service"]; nix-bitcoin.onionServices = { bitcoind.enable = true; electrs.enable = true; mempool-frontend.enable = true; lnd.public = true; }; services.prometheus = { exporters = { node = { enable = true; enabledCollectors = ["systemd"]; openFirewall = true; }; }; }; services.openssh = { enable = true; settings.PasswordAuthentication = false; }; users.users.root = { openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); }; system.stateVersion = "24.05"; }; }; }