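{ inputs, lib, config, pkgs, ... }:
let
  # The sops-nix flake input is optional.  When it is absent, no `sops.*` option
  # is set (that option tree would not exist) and no secret is bind-mounted, so
  # nix-bitcoin.generateSecrets (set in the container below) creates the secrets
  # inside the container instead.  Guarding only the secret *paths* while still
  # declaring sops.secrets unconditionally would leave empty hostPaths behind.
  hasSops = lib.hasAttr "sops-nix" inputs;

  # nix-bitcoin secret files expected under its secrets directory; each one is
  # stored in sops under software/bitcoind/<name>.
  secretNames = [
    "bitcoin-rpcpassword-privileged"
    "bitcoin-rpcpassword-public"
    "bitcoin-HMAC-privileged"
    "bitcoin-HMAC-public"
  ];
  sopsKey = name: "software/bitcoind/${name}";

  # Host-side path of the decrypted sops secret `name` (only valid when hasSops).
  secretPath = name: config.sops.secrets.${sopsKey name}.path;

  # Every file below ../users/keys is treated as an SSH public key for root in
  # the container; the directory is read recursively, so keep only key files there.
  pubKeys = lib.filesystem.listFilesRecursive ../users/keys;

  # Bind mounts for the sops secrets, keyed by their path inside the container.
  secretMounts = lib.listToAttrs (map (name:
    lib.nameValuePair "/etc/nix-bitcoin-secrets/${name}" {
      hostPath = secretPath name;
      # NOTE(review): mounted writable, presumably so nix-bitcoin's secret setup
      # can adjust ownership/permissions on these files — confirm; if that is not
      # required, isReadOnly = true is the safer choice for secret material.
      isReadOnly = false;
    }) secretNames);
in
{
  # --- host side ------------------------------------------------------------

  # NAT the container's veth link onto the external interface.  Only TCP
  # 80/443/22 are accepted from outside; traffic on any `ve-*` interface is
  # trusted (i.e. not filtered by the host firewall).
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "eth0";
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 22 ];
  networking.firewall.trustedInterfaces = [ "ve-+" "ve-bitcoin-node" ];

  containers.bitcoin-node = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.0.21.1";
    localAddress = "10.0.21.2";
    nixpkgs = pkgs.path;

    bindMounts = {
      # Persistent node state lives on the host's SSD.
      "/var/lib/nix-bitcoin" = {
        hostPath = "/media/main-ssd/nix-bitcoin";
        isReadOnly = false;
      };
    } // lib.optionalAttrs hasSops secretMounts;

    # Host port 8080 -> container port 80.
    forwardPorts = [
      { containerPort = 80; hostPort = 8080; protocol = "tcp"; }
    ];

    # --- container side -----------------------------------------------------
    # `config` here is the container's own configuration, so the bitcoind RPC
    # and mempool ports are read directly instead of going through the host's
    # containers.bitcoin-node.config (same values, no outer-scope round trip).
    config = { config, pkgs, lib, ... }: {
      imports = [ inputs.nix-bitcoin.nixosModules.default ];

      environment.systemPackages = with pkgs; [ vim lsof jq ];

      networking = {
        firewall = {
          enable = true;
          # The RPC and mempool ports are opened on the container's interface;
          # only port 80 is forwarded from the host, so they are reachable over
          # the private veth link, not through the host's forwarded ports.
          allowedTCPPorts = [
            80
            443
            22
            config.services.bitcoind.rpc.port
            config.services.mempool.frontend.port
          ];
        };
        useHostResolvConf = lib.mkForce false;
      };

      # Root SSH access inside the container is key-based only.
      users.users.root.openssh.authorizedKeys.keys =
        lib.lists.forEach pubKeys (key: builtins.readFile key);

      # Any secret not provided through the bind mounts above is generated on
      # first boot.
      nix-bitcoin.generateSecrets = true;

      # node services here
      services = {
        resolved.enable = true;

        openssh = {
          enable = true;
          settings.PasswordAuthentication = false;
        };

        tor = {
          enable = true;
          client.enable = true;
        };

        bitcoind = {
          enable = true;
          # Outbound traffic is proxied through Tor and enforced to stay there;
          # onlynet=onion below restricts peers to onion addresses.
          tor.proxy = true;
          tor.enforce = true;
          dataDir = "/var/lib/nix-bitcoin/bitcoind";
          dbCache = 5000;
          txindex = true;
          rpc = {
            # Listens on every container address; the allowlist is what limits
            # callers.  10.0.0.0/8 is much wider than the host's 10.0.21.1 —
            # consider narrowing it if only the host needs RPC access.
            address = "0.0.0.0";
            threads = 6;
            allowip = [ "10.0.0.0/8" ];
            # Both RPC roles use the same username; they are told apart by their
            # separate password/HMAC secret files.
            users = let name = "bitcoin"; in {
              privileged.name = name;
              public.name = name;
            };
          };
          # P2P listener stays on loopback; peers are reached via onion only.
          extraConfig = ''
            onlynet=onion
            bind=127.0.0.1
          '';
        };

        electrs = {
          enable = true;
          tor.enforce = true;
          dataDir = "/var/lib/nix-bitcoin/electrs";
        };

        mempool = {
          enable = true;
          electrumServer = "electrs";
          frontend = {
            port = 4080;
            address = "0.0.0.0";
          };
        };
      };

      # Expose bitcoind, electrs and the mempool frontend as Tor onion services.
      nix-bitcoin.onionServices = {
        bitcoind.enable = true;
        electrs.enable = true;
        mempool-frontend.enable = true;
      };

      system.stateVersion = "24.05";
    };
  };
} // lib.optionalAttrs hasSops {
  # Declare the sops secrets this host decrypts for the container.
  sops.secrets = lib.genAttrs (map sopsKey secretNames) (_: { });
}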