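# NixOS host module that runs a nix-bitcoin stack (bitcoind, electrs, mempool,
# lnd, rtl, lnbits) inside a declarative `containers.<name>` container with its
# own bridged network identity.
#
# Host-side responsibilities: restic backups of the container state, persistence
# of the container root across reboots, and the bind mounts that keep bitcoind's
# chain data on a dedicated host location.
#
# Arguments follow the usual NixOS module convention; `inputs` carries the flake
# inputs (nix-bitcoin, lnbits) and `configVars` the site-specific addresses and
# data locations shared with the rest of this configuration.
{
  inputs,
  lib,
  config,
  configVars,
  pkgs,
  ...
}: let
  containerName = "bitcoin-node";
  containerIp = configVars.networking.addresses.bitcoin-node.ip;
  mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
  bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
  bitcoindData = configVars.locations.bitcoindData;
  gatewayIp = configVars.networking.addresses.gateway.ip;
  # Source-address allowlist handed to bitcoind's RPC listener (see `rpc.allowip`
  # below); it is the only access control on the RPC port once the container
  # firewall admits it.
  allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
  # Every file below ../../users/keys, recursively, becomes a root authorized key
  # in the container. Anything placed in that tree grants root SSH access.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {

  # Back up the container's state directory, but not the chain data (large and
  # re-derivable) nor the electrs index (rebuilt from bitcoind).
  services.restic.backups = {
    daily = {
      paths = [
        bitcoinNodeContainerData
      ];
      exclude = [
        "${bitcoindData}"
        "${bitcoinNodeContainerData}/electrs"
      ];
    };
  };

  # Keep the container's root filesystem on the persistent volume.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${containerName}"
    ];
  };

  # NOTE(review): with `hostBridge` set below, the container attaches to br0 via a
  # `vb-*` interface and routes through `gatewayIp`, so this NAT rule for `ve-+`
  # interfaces does not appear to apply to this container. Confirm whether another
  # container on this host relies on it before removing.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;
    bindMounts = {
      # The container's entire /var/lib tree lives on the host data location;
      # bitcoind's data directory is a separate nested mount so chain data can be
      # kept (and backed up) independently of the other services' state.
      "/var/lib/" = {
        hostPath = bitcoinNodeContainerData;
        isReadOnly = false;
      };
      "/var/lib/bitcoind" = {
        hostPath = bitcoindData;
        isReadOnly = false;
      };
    };

    # Container-side NixOS configuration. `config` here still refers to the HOST
    # config (it is not re-bound in this function's arguments); the container's
    # own evaluated config is reached via `config.containers.${containerName}.config`.
    config = {
      pkgs,
      lib,
      ...
    }: {
      imports = [
        inputs.nix-bitcoin.nixosModules.default
        inputs.lnbits.nixosModules.default
      ];
      environment.systemPackages = with pkgs; [
        vim
        lsof
        jq
      ];
      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            address = "${containerIp}";
            prefixLength = 24;
          }
        ];
        firewall = {
          enable = true;
          # Ports reachable from the bridged LAN. Service ports are taken from the
          # container's own evaluated options so they stay in sync with the
          # service definitions below. lnbits and the node exporter open their
          # ports themselves via `openFirewall`.
          allowedTCPPorts = let
            svc = config.containers.${containerName}.config.services;
          in [
            80
            443
            22
            svc.bitcoind.rpc.port
            svc.mempool.frontend.port
            svc.electrs.port
            svc.rtl.port
            svc.lnd.port
          ];
        };
        # The host's resolv.conf is not valid inside the bridged container.
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      # node services here
      nix-bitcoin.generateSecrets = true;
      nix-bitcoin.nodeinfo.enable = true;
      services = {
        backups = {
          enable = true;
          frequency = "daily";
        };
        tor = {
          enable = true;
          client.enable = true;
        };
        bitcoind = {
          # Outbound traffic is forced through Tor; `onlynet=onion` below restricts
          # peers to onion addresses and `bind=127.0.0.1` keeps the P2P listener
          # on loopback (the onion service in `nix-bitcoin.onionServices` fronts it).
          tor.proxy = true;
          tor.enforce = true;
          enable = true;
          dataDir = "/var/lib/bitcoind";
          dbCache = 5000;
          txindex = true;
          rpc = {
            # RPC listens on all container interfaces and the firewall admits the
            # port, so `allowip` is what limits which hosts may reach it.
            address = "0.0.0.0";
            allowip = allowip;
            users = let
              name = "bitcoin";
            in {
              privileged.name = name;
              public.name = name;
            };
          };
          extraConfig = ''
            onlynet=onion
            bind=127.0.0.1
          '';
        };
        electrs = {
          tor.enforce = true;
          enable = true;
          dataDir = "/var/lib/electrs";
          # Exposed to the LAN via the firewall rule above.
          address = "0.0.0.0";
        };
        mempool = {
          enable = true;
          electrumServer = "electrs";
          frontend = {
            port = mempoolPort;
            address = "0.0.0.0";
          };
        };
        lnd = {
          enable = true;
          lndconnect = {
            enable = true;
            onion = true;
          };
          extraConfig = ''
            alias=bitlab21
            tor.active=true
            tor.skip-proxy-for-clearnet-targets=1
          '';
        };
        rtl = {
          enable = true;
          nodes.lnd.enable = true;
          address = "0.0.0.0";
        };
        lnbits = {
          enable = true;
          openFirewall = true;
          host = "0.0.0.0";
          port = 8231;
          env = {
            LNBITS_ADMIN_UI = "true";
            LNBITS_BACKEND_WALLET_CLASS = "LndRestWallet";
            LND_REST_ENDPOINT = "https://127.0.0.1:8080";
            LND_REST_CERT = "/etc/nix-bitcoin-secrets/lnd-cert";
            # lnbits authenticates to lnd with an admin macaroon, i.e. full control
            # of the wallet; a compromise of lnbits is a compromise of lnd.
            LND_REST_MACAROON = "/var/lib/lnbits/admin.macaroon";
            AUTH_ALLOWED_METHODS = "user-id-only, username-password";
          };
        };
      };

      # Add custom systemd overrides for above services
      # lnbits talks to lnd's REST endpoint at startup, so order it after lnd.
      systemd.services.lnbits.after = ["lnd.service"];

      nix-bitcoin.onionServices = {
        bitcoind.enable = true;
        electrs.enable = true;
        mempool-frontend.enable = true;
        lnd.public = true;
      };

      # Node exporter opens its own port on the container firewall.
      services.prometheus = {
        exporters = {
          node = {
            enable = true;
            enabledCollectors = ["systemd"];
            openFirewall = true;
          };
        };
      };

      # Key-only SSH; root login uses the keys collected in `pubKeys`.
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      users.users.root = {
        openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
      };

      system.stateVersion = "24.05";
    };
  };
}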