commit 6febf289552413e96aa6568ec0db0e5f1b6a4fb9
Author: padreug
Date: Sun Jan 11 23:49:02 2026 +0100
Initial commit: krops-lamassu deployment template NixOS deployment template for Lamassu Bitcoin ATM server using nix-bitcoin and krops. Features: - Lamassu server with PostgreSQL and auto-generated secrets - TLS certificates (self-signed) - Test VM for local development - Template structure for easy customization
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d6449b0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,21 @@
+# User config files (copy from .example files)
+krops.nix
+config/
+
+# Secrets - do not commit
+secrets/*
+!secrets/.gitkeep
+
+# VM disk images
+*.qcow2
+
+# Nix build results
+result
+result-*
+
+# Editor files
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..366ae76
--- /dev/null
+++ b/README.md
@@ -0,0 +1,116 @@
+# krops-lamassu
+
+NixOS deployment template for [Lamassu Bitcoin ATM server](https://github.com/lamassu/lamassu-server) using [nix-bitcoin](https://github.com/fort-nix/nix-bitcoin) and [krops](https://cgit.krebsco.de/krops/).
+
+## Features
+
+- **Lamassu Server** - Bitcoin ATM management system
+- **PostgreSQL** - Database with auto-configured credentials
+- **TLS Certificates** - Auto-generated self-signed certs
+- **Secrets Management** - Automatic generation and secure storage
+- **Test VM** - Local testing before production deployment
+
+## Quick Start
+
+1. Clone this repository
+2. Copy the example files:
+ ```bash
+ cp example/krops.nix ./krops.nix
+ cp -r example/config ./config
+ ```
+3. Edit `krops.nix` to set your deployment target
+4. Copy hardware config from target: `scp root@node:/etc/nixos/hardware-configuration.nix config/`
+5. Edit `config/configuration.nix` to configure services
+6. Deploy: `./deploy.sh`
+
+Your `krops.nix` and `config/` are gitignored, so you can pull upstream changes without conflicts.
+
+See [docs/install.md](docs/install.md) for detailed instructions.
+
+## Structure
+
+```
+.
+├── deploy.sh # Deployment script
+├── shell.nix # Development shell
+├── docs/
+│ └── install.md # Installation guide
+├── example/ # Template files (copy to get started)
+│ ├── krops.nix # Krops configuration template
+│ └── config/
+│ ├── configuration.nix # Main NixOS configuration
+│ ├── boot.nix # Bootloader config
+│ ├── hardware-configuration.nix
+│ └── nix-bitcoin-release.nix
+├── krops.nix # Your config (gitignored)
+├── config/ # Your config (gitignored)
+└── secrets/ # Secrets (auto-generated, gitignored)
+```
+
+## Usage
+
+```bash
+# Deploy to target
+./deploy.sh
+
+# Test build (no deploy)
+./deploy.sh test
+
+# Run test VM with preconfigured settings
+./deploy.sh vm
+```
+
+## Test VM
+
+Run a local VM to test your configuration before deploying to production:
+
+1. Edit the VM section in `krops.nix` and replace `127.0.0.1` with your host's IP (e.g., `192.168.1.50`)
+2. Run the VM:
+ ```bash
+ ./deploy.sh vm
+ ```
+
+The VM starts with:
+- Lamassu server with auto-generated secrets
+- PostgreSQL database configured
+- Auto-login to root console
+
+Access the admin UI at `https://YOUR-HOST-IP:8443`
+
+Useful commands inside the VM:
+```bash
+# Watch build progress (first run takes several minutes)
+journalctl -fu lamassu-build
+
+# Check service status
+systemctl status lamassu-server lamassu-admin-server
+
+# View generated secrets
+ls -la /secrets/
+```
+
+To exit the VM, run `shutdown now` in the VM console.
+
+## Development Shell
+
+Enter the nix-bitcoin development shell:
+
+```bash
+nix-shell
+```
+
+## Requirements
+
+- Nix installed on deployment machine
+- SSH access to target as root
+- NixOS on target machine
+
+## Documentation
+
+- [Installation Guide](docs/install.md)
+- [nix-bitcoin docs](https://github.com/fort-nix/nix-bitcoin/tree/master/docs)
+- [NixOS manual](https://nixos.org/manual/nixos/stable/)
+
+## License
+
+MIT
diff --git a/deploy.sh b/deploy.sh
new file mode 100755
index 0000000..9932030
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Deploy nix-bitcoin node
+#
+# Usage:
+# ./deploy.sh # Build and deploy to target
+# ./deploy.sh test # Test build only (no deploy)
+# ./deploy.sh vm # Build and run test VM
+
+set -euo pipefail
+
+cd "$(dirname "$0")"
+
+case "${1:-deploy}" in
+test)
+ echo "Testing build..."
+ nix-build krops.nix -A test --no-out-link
+ echo "Test build complete. Check /tmp/krops-test"
+ ;;
+vm)
+ echo "Building test VM..."
+ result=$(nix-build krops.nix -A vm --no-out-link)
+ echo "Starting VM..."
+ echo "Access admin UI at: https://localhost:8443"
+ "$result"/bin/run-*-vm
+ ;;
+deploy | *)
+ echo "Building deployment..."
+ result=$(nix-build krops.nix -A deploy --no-out-link)
+ echo "Deploying..."
+ "$result"
+ echo "Done!"
+ ;;
+esac
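Review bot: The `deploy | *)` arm at the end of the case means any unrecognized argument (a typo such as `./deploy.sh tset`) falls through to a production deploy, which krops.nix configures with `force = true`; change it to `deploy)` and add an explicit `*) echo "usage: $0 [deploy|test|vm]" >&2; exit 2 ;;` arm before `esac`. The `test)` arm also only builds `-A test` with `--no-out-link` and never executes the result, unlike the `vm` and `deploy` arms which run `"$result"`, so the "Check /tmp/krops-test" message is presumably misleading unless the built test script is run (`result=$(nix-build krops.nix -A test --no-out-link); "$result"`); worth confirming against krops' `writeTest` before changing it.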
diff --git a/docs/install.md b/docs/install.md
new file mode 100644
index 0000000..8cf28b6
--- /dev/null
+++ b/docs/install.md
@@ -0,0 +1,313 @@
+# Installation Guide
+
+This guide walks you through deploying a [Lamassu Bitcoin ATM server](https://github.com/lamassu/lamassu-server) using [nix-bitcoin](https://github.com/fort-nix/nix-bitcoin) with [krops](https://cgit.krebsco.de/krops/) deployment.
+
+The deployment is managed from your local machine and pushed to the target server.
+
+## Prerequisites
+
+- A target machine with NixOS installed (or ready for installation)
+- SSH access to the target machine as root
+- Nix installed on your local deployment machine
+
+## 0. Preparation
+
+### Hardware Requirements
+
+Any modern computer will work. Recommended minimum specs:
+- 2+ CPU cores
+- 4GB+ RAM (8GB+ recommended for full node with electrs)
+- 1TB+ SSD for full blockchain (or use pruning for less)
+
+### Security Considerations (Optional)
+
+For enhanced security, consider:
+- Disabling SMT (Simultaneous Multi-Threading) in BIOS to mitigate speculative execution attacks
+- Using full disk encryption
+- Enabling the hardened kernel preset (see `configuration.nix`)
+
+## 1. Install NixOS on Target Machine
+
+If NixOS is not already installed on your target machine:
+
+1. Download the NixOS minimal ISO from https://nixos.org/download/
+2. Write it to a USB drive:
+ ```bash
+ sudo dd if=nixos-minimal-*.iso of=/dev/sdX bs=4M status=progress
+ ```
+3. Boot the target machine from the USB drive
+4. Partition and format your drives
+
+### Partitioning (UEFI)
+
+```bash
+# Create GPT partition table
+parted /dev/sda -- mklabel gpt
+
+# Create EFI boot partition (512MB)
+parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
+parted /dev/sda -- set 1 esp on
+
+# Create root partition (rest of disk)
+parted /dev/sda -- mkpart primary 512MiB 100%
+
+# Format partitions
+mkfs.fat -F 32 -n boot /dev/sda1
+mkfs.ext4 -L nixos /dev/sda2
+
+# Mount partitions
+mount /dev/disk/by-label/nixos /mnt
+mkdir -p /mnt/boot
+mount /dev/disk/by-label/boot /mnt/boot
+```
+
+### Partitioning (Legacy BIOS/MBR)
+
+```bash
+# Create MBR partition table
+parted /dev/sda -- mklabel msdos
+
+# Create root partition
+parted /dev/sda -- mkpart primary 1MiB 100%
+parted /dev/sda -- set 1 boot on
+
+# Format partition
+mkfs.ext4 -L nixos /dev/sda1
+
+# Mount partition
+mount /dev/disk/by-label/nixos /mnt
+```
+
+### Generate Initial Configuration
+
+```bash
+nixos-generate-config --root /mnt
+```
+
+### Enable SSH Access
+
+Edit `/mnt/etc/nixos/configuration.nix` to add:
+
+```nix
+services.openssh.enable = true;
+users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAA... your-key-here"
+];
+```
+
+### Install NixOS
+
+```bash
+nixos-install
+reboot
+```
+
+## 2. Install Nix on Your Deployment Machine
+
+If Nix is not already installed on your local machine:
+
+```bash
+# Install Nix (multi-user installation recommended)
+sh <(curl -L https://nixos.org/nix/install) --daemon
+```
+
+After installation, restart your shell or run:
+```bash
+. /etc/profile.d/nix.sh
+```
+
+## 3. Clone This Repository
+
+```bash
+git clone https://github.com/YOUR-USERNAME/krops-lamassu.git
+cd krops-lamassu
+```
+
+## 4. Copy Example Files
+
+Copy the template files to create your local configuration:
+
+```bash
+cp example/krops.nix ./krops.nix
+cp -r example/config ./config
+```
+
+Your `krops.nix` and `config/` are gitignored, so you can pull upstream changes without conflicts.
+
+## 5. Configure Your Deployment
+
+### Set Target Host
+
+Edit `krops.nix` and set your target:
+
+```nix
+target = "root@your-node-ip-or-hostname";
+```
+
+### Configure Hardware
+
+Copy the hardware configuration from your target machine:
+
+```bash
+scp root@your-node:/etc/nixos/hardware-configuration.nix config/
+```
+
+Or generate it remotely:
+
+```bash
+ssh root@your-node nixos-generate-config --show-hardware-config > config/hardware-configuration.nix
+```
+
+### Configure Boot Loader
+
+Edit `config/boot.nix`:
+
+- **UEFI systems**: Keep the default systemd-boot configuration
+- **Legacy BIOS**: Comment out systemd-boot and enable GRUB
+
+### Configure Services
+
+Edit `config/configuration.nix`:
+
+1. Set your hostname:
+ ```nix
+ networking.hostName = "my-bitcoin-node";
+ ```
+
+2. Set your timezone:
+ ```nix
+ time.timeZone = "UTC";
+ ```
+
+3. Add your SSH public key:
+ ```nix
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAA... your-key"
+ ];
+ ```
+
+4. Enable desired services by uncommenting them (e.g., `services.lnd.enable`, `services.electrs.enable`)
+
+## 6. Test Your Configuration
+
+Before deploying, test that your configuration builds successfully:
+
+```bash
+./deploy.sh test
+```
+
+This builds the configuration locally without deploying.
+
+## 7. Run a Test VM (Optional)
+
+You can test your setup in a VM before deploying to real hardware:
+
+```bash
+./deploy.sh vm
+```
+
+This starts a QEMU VM with:
+- Lamassu server with auto-generated secrets
+- PostgreSQL database configured
+- Auto-login to root console
+- Port forwarding to host
+
+Access the services from your host:
+- **Admin UI**: https://localhost:8443
+- **Server API**: https://localhost:3000
+
+From other machines on your LAN, use your host's IP (e.g., `https://192.168.1.50:8443`).
+
+Note: You'll see a certificate warning (self-signed cert) - accept it to proceed.
+
+Useful commands inside the VM:
+```bash
+# Watch build progress (first run takes several minutes)
+journalctl -fu lamassu-build
+
+# Check service status
+systemctl status lamassu-server lamassu-admin-server
+
+# View generated secrets
+ls -la /secrets/
+```
+
+To exit the VM, run `shutdown now` in the VM console.
+
+## 8. Deploy to Target
+
+When ready, deploy to your target machine:
+
+```bash
+./deploy.sh
+```
+
+Or equivalently:
+```bash
+nix-shell --run 'nix-build krops.nix -A deploy --no-out-link && ./result'
+```
+
+The first deployment will take longer as it downloads and builds all packages.
+
+## 9. Verify Deployment
+
+SSH into your server and check service status:
+
+```bash
+ssh root@your-server
+
+# Check Lamassu services
+systemctl status lamassu-server lamassu-admin-server
+
+# Watch build progress (first run takes several minutes)
+journalctl -fu lamassu-build
+
+# View generated secrets
+ls -la /secrets/
+```
+
+Access the admin UI at `https://YOUR-SERVER-IP` (you'll see a certificate warning for the self-signed cert).
+
+## Updating Your Node
+
+To update nix-bitcoin to a new release:
+
+1. Edit `config/nix-bitcoin-release.nix` with the new version
+2. Run `./deploy.sh`
+
+Find releases at: https://github.com/fort-nix/nix-bitcoin/releases
+
+## Troubleshooting
+
+### Build Failures
+
+If the build fails, try:
+```bash
+# Clean Nix store garbage
+nix-collect-garbage -d
+
+# Rebuild with more verbose output
+nix-build krops.nix -A test --show-trace
+```
+
+### SSH Connection Issues
+
+Ensure:
+- Target machine is reachable: `ping your-node`
+- SSH key is correct: `ssh -v root@your-node`
+- Firewall allows SSH (port 22)
+
+### Service Issues
+
+Check logs on the target:
+```bash
+journalctl -u lamassu-server -f
+journalctl -u lamassu-admin-server -f
+journalctl -u lamassu-build -f
+```
+
+## Further Reading
+
+- [nix-bitcoin documentation](https://github.com/fort-nix/nix-bitcoin/tree/master/docs)
+- [NixOS manual](https://nixos.org/manual/nixos/stable/)
+- [krops documentation](https://cgit.krebsco.de/krops/)
diff --git a/example/config/boot.nix b/example/config/boot.nix
new file mode 100644
index 0000000..a3cf1ef
--- /dev/null
+++ b/example/config/boot.nix
@@ -0,0 +1,17 @@
+# Bootloader configuration
+#
+# FIXME: Uncomment the appropriate bootloader for your system
+
+{
+ # For UEFI systems (most modern hardware)
+ # boot.loader.systemd-boot.enable = true;
+ # boot.loader.efi.canTouchEfiVariables = true;
+
+ # For Legacy BIOS/MBR systems (e.g., Lunanode VPS with /dev/vda)
+ # boot.loader.grub.enable = true;
+ # boot.loader.grub.device = "/dev/vda";
+
+ # For Legacy BIOS/MBR systems (e.g., bare metal with /dev/sda)
+ # boot.loader.grub.enable = true;
+ # boot.loader.grub.device = "/dev/sda";
+}
diff --git a/example/config/configuration.nix b/example/config/configuration.nix
new file mode 100644
index 0000000..3597ee3
--- /dev/null
+++ b/example/config/configuration.nix
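Review bot: Every bootloader option in boot.nix is commented out, while the "Configure Boot Loader" step in docs/install.md tells UEFI users to "Keep the default systemd-boot configuration", so a user following the docs ends up with no loader configured and only the FIXME at the top as a hint. Either enable systemd-boot by default in boot.nix (`boot.loader.systemd-boot.enable = true;` and `boot.loader.efi.canTouchEfiVariables = true;`, leaving the GRUB variants commented) or reword the install step to say that the matching block must be uncommented first.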
@@ -0,0 +1,385 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running 'nixos-help').
+
+{ config, pkgs, lib, ... }: {
+ imports = [
+
+
+ # FIXME: The secure-node preset is an opinionated config to enhance security
+ # and privacy.
+ # Among other settings, it routes traffic of all nix-bitcoin services through Tor.
+ # Turn it off when not needed.
+ #
+
+ # FIXME: The hardened kernel profile improves security but
+ # decreases performance by ~50%.
+ # Turn it off when not needed.
+ #
+ #
+ # You can enable the hardened-extended preset instead to further improve security
+ # at the cost of functionality and performance.
+ # See the comments at the top of `hardened-extended.nix` for further details.
+ #
+
+ # FIXME: Uncomment the next line to import your hardware configuration. If so,
+ # add the hardware configuration file to the same directory as this file.
+ # ./hardware-configuration.nix
+ ./boot.nix
+ ];
+
+ # FIXME: Enable modules by uncommenting their respective line. Disable
+ # modules by commenting out their respective line.
+
+ ### BITCOIND
+ # Bitcoind is enabled by default via secure-node.nix.
+ # services.bitcoind.enable = true;
+ #
+ # Set to use knots instead of bitcoin core
+ # services.bitcoind.package = config.nix-bitcoin.pkgs.bitcoind-knots;
+ #
+ # Set this option to enable pruning with a specified MiB value.
+ # clightning is compatible with pruning. See
+ # https://github.com/ElementsProject/lightning/#pruning for more information.
+ # LND and electrs are not compatible with pruning.
+ # services.bitcoind.prune = 100000;
+ #
+ # Set this to announce the onion service address to peers.
+ # The onion service allows accepting incoming connections via Tor.
+ # nix-bitcoin.onionServices.bitcoind.public = true;
+ #
+ # You can add options that are not defined in modules/bitcoind.nix as follows
+ # services.bitcoind.extraConfig = ''
+ # maxorphantx=110
+ # '';
+
+ ### CLIGHTNING
+ # Enable clightning, a Lightning Network implementation in C.
+ # services.clightning.enable = true;
+ #
+ # Set this to create an onion service by which clightning can accept incoming connections
+ # via Tor.
+ # The onion service is automatically announced to peers.
+ # nix-bitcoin.onionServices.clightning.public = true;
+ #
+ # == Plugins
+ # See ../README.md (Features → clightning) for the list of available plugins.
+ # services.clightning.plugins.clboss.enable = true;
+ #
+ # == REST server
+ # Set this to create a clightning REST onion service.
+ # This also adds binary `lnconnect-clnrest` to the system environment.
+ # This binary creates QR codes or URLs for connecting applications to clightning
+ # via the REST onion service.
+ # You can also connect via WireGuard instead of Tor.
+ # See ../docs/services.md for details.
+ #
+ # services.clightning.plugins.clnrest = {
+ # enable = true;
+ # lnconnect = {
+ # enable = true;
+ # onion = true;
+ # };
+ # };
+
+ ### LND
+ # Set this to enable lnd, a lightning implementation written in Go.
+ # services.lnd.enable = true;
+ #
+ # NOTE: In order to avoid collisions with clightning you must disable clightning or
+ # change the services.clightning.port or services.lnd.port to a port other than
+ # 9735.
+ #
+ # Set this to create an onion service by which lnd can accept incoming connections
+ # via Tor.
+ # The onion service is automatically announced to peers.
+ # nix-bitcoin.onionServices.lnd.public = true;
+ #
+ # Set this to create a lnd REST onion service.
+ # This also adds binary `lndconnect` to the system environment.
+ # This binary generates QR codes or URLs for connecting applications to lnd via the
+ # REST onion service.
+ # You can also connect via WireGuard instead of Tor.
+ # See ../docs/services.md for details.
+ #
+ # services.lnd.lndconnect = {
+ # enable = true;
+ # onion = true;
+ # };
+ #
+ ## WARNING
+ # If you use lnd, you should manually backup your wallet mnemonic
+ # seed. This will allow you to recover on-chain funds. You can run the
+ # following commands after the lnd service starts:
+ # mkdir -p ./backups/lnd/
+ # scp bitcoin-node:/var/lib/lnd/lnd-seed-mnemonic ./backups/lnd/
+ #
+ # You should also backup your channel state after opening new channels.
+ # This will allow you to recover off-chain funds, by force-closing channels.
+ # scp bitcoin-node:/var/lib/lnd/chain/bitcoin/mainnet/channel.backup ./backups/lnd/
+ #
+ # Alternatively, you can have these files backed up by services.backups below.
+
+ ### RIDE THE LIGHTNING
+ # Set this to enable RTL, a web interface for lnd and clightning.
+ # NOTE: lamassu-server uses port 3000
+ # i've updated the rtl module to default to:
+ # services.rtl = {
+ # enable = true;
+ # address = "0.0.0.0";
+ # # port = 3001; # default
+ # };
+ #
+ # Set this to add a clightning node interface.
+ # Automatically enables clightning.
+ # services.rtl.nodes.clightning.enable = true;
+ #
+ # Set this to add a lnd node interface.
+ # Automatically enables lnd.
+ # services.rtl.nodes.lnd.enable = true;
+ #
+ # You can enable both nodes simultaneously.
+ #
+ # Set this option to enable swaps with lightning-loop.
+ # Automatically enables lightning-loop.
+ # services.rtl.nodes.lnd.loop = true;
+
+ ### MEMPOOL
+ # Set this to enable mempool, a fully featured Bitcoin visualizer, explorer,
+ # and API service.
+ #
+ # NOTE: default frontend port is 60845
+ #
+ # services.mempool = {
+ # enable = true;
+ # # frontend = {
+ # # address = "0.0.0.0";
+ # # };
+ # };
+ #
+ # Possible options for the Electrum backend server:
+ #
+ # - electrs (enabled by default):
+ # Small database size, slow when querying new addresses.
+ #
+ # - fulcrum:
+ # Large database size, quickly serves arbitrary address queries.
+ # Enable with:
+ # services.mempool.electrumServer = "fulcrum";
+ #
+ # Set this to create an onion service to make the mempool web interface
+ # available via Tor:
+ # nix-bitcoin.onionServices.mempool-frontend.enable = true;
+
+ ### ELECTRS
+ # Set this to enable electrs, an Electrum server implemented in Rust.
+ # services.electrs = {
+ # enable = true;
+ #
+ # # listen to connections on all interfaces
+ # # address = "0.0.0.0";
+ #
+ # # Disable tor enforcement if desired (e.g., local sparrow connection)
+ # # tor.enforce = false;
+ # };
+
+ ### FULCRUM
+ # Set this to enable fulcrum, an Electrum server implemented in C++.
+ #
+ # Compared to electrs, fulcrum has higher storage demands but
+ # can serve arbitrary address queries instantly.
+ #
+ # Before enabling fulcrum, and for more info on storage demands,
+ # see the description of option `enable` in ../modules/fulcrum.nix
+ #
+ # services.fulcrum.enable = true;
+
+ ### BTCPayServer
+ # Set this to enable BTCPayServer, a self-hosted, open-source
+ # cryptocurrency payment processor.
+ # services.btcpayserver.enable = true;
+ #
+ # Privacy Warning: BTCPayServer currently looks up price rates without
+ # proxying them through Tor. This means an outside observer can correlate
+ # your BTCPayServer usage, like invoice creation times, with your IP address.
+ #
+ # Enable this option to connect BTCPayServer to clightning.
+ # services.btcpayserver.lightningBackend = "clightning";
+ #
+ # Enable this option to connect BTCPayServer to lnd.
+ # services.btcpayserver.lightningBackend = "lnd";
+ #
+ # The lightning backend service is automatically enabled.
+ # Afterwards you need to go into Store > General Settings > Lightning Nodes
+ # and select "the internal lightning node of this BTCPay Server".
+ #
+ # Set this to create an onion service to make the btcpayserver web interface
+ # accessible via Tor.
+ # Security WARNING: Create a btcpayserver administrator account before allowing
+ # public access to the web interface.
+ # nix-bitcoin.onionServices.btcpayserver.enable = true;
+
+ ### LIQUIDD
+ # Enable this module to use Liquid, a sidechain for an inter-exchange
+ # settlement network linking together cryptocurrency exchanges and
+ # institutions around the world.
+ # services.liquidd.enable = true;
+ #
+ # Liquid can be controlled with command 'elements-cli'.
+
+ ### Hardware wallets
+ # Enable the following to allow using hardware wallets.
+ # See https://github.com/bitcoin-core/HWI for more information.
+ #
+ # Ledger must be initialized through the official ledger live app and the Bitcoin app must
+ # be installed and running on the device.
+ # services.hardware-wallets.ledger = true;
+ #
+ # Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
+ # `../docs/services.md`.
+ # services.hardware-wallets.trezor = true;
+
+ ### lightning-loop
+ # Set this to enable lightninglab's non-custodial off/on chain bridge.
+ # services.lightning-loop.enable = true;
+ #
+ # loopd (lightning-loop daemon) will be started automatically. Users can
+ # interact with off/on chain bridge using `loop in` and `loop out`.
+ # Automatically enables lnd.
+
+ ### lightning-pool
+ # Set this to enable Lightning Lab's non-custodial batched uniform
+ # clearing-price auction for Lightning Channel Leases.
+ # services.lightning-pool.enable = true;
+ #
+ # Use the `pool` command to interact with the lightning-pool service.
+ # Automatically enables lnd.
+ #
+ # lightning-pool requires that lnd has a publicly reachable address.
+ # Set this to create a public onion service for lnd.
+ # nix-bitcoin.onionServices.lnd.public = true;
+
+ ### charge-lnd
+ # Set this to enable charge-lnd, a simple policy based fee manager for
+ # LND. With this tool you can set fees to autobalance, recover channel open
+ # costs, use on-chain fees as reference, or just use static fees. You decide.
+ # services.charge-lnd.enable = true;
+ #
+ # Define policies as outlined in the project documentation.
+ # services.charge-lnd.policies = ''
+ # '';
+
+ ### JOINMARKET
+ # Set this to enable the JoinMarket service, including its command-line scripts.
+ # These scripts have prefix 'jm-', like 'jm-tumbler'.
+ # Note: JoinMarket has full access to bitcoind, including its wallet functionality.
+ # services.joinmarket.enable = true;
+ #
+ # Set this to enable the JoinMarket Yield Generator Bot. You will be able to
+ # earn sats by providing CoinJoin liquidity. This makes it impossible to use other
+ # scripts that access your wallet.
+ # services.joinmarket.yieldgenerator.enable = true;
+ #
+ # Set this to enable the JoinMarket order book watcher.
+ # services.joinmarket-ob-watcher.enable = true;
+
+ ### Lamassu server
+ # Set this to enable lamassu-server, a Bitcoin ATM management system.
+ # services.lamassu-server = {
+ # enable = true;
+ # source.ref = "main";
+ # mode = "production";
+ #
+ # # IMPORTANT: Set both to the same IP address.
+ # # - hostname: embedded in pairing QR code, tells ATMs where to connect
+ # # - certificate.extraIPs: makes the TLS cert valid for that IP
+ # hostname = "192.168.1.100";
+ # certificate.extraIPs = [ "192.168.1.100" ];
+ #
+ # # Optional settings (showing defaults):
+ # # serverPort = 3000; # Machine API port
+ # # logLevel = "info"; # error, warn, info, verbose, debug, silly
+ # # skip2FA = true; # Skip 2FA for initial setup
+ # # database.name = "lamassu-server";
+ # # database.user = "lamassu-server";
+ # # The database password is auto-generated and stored in /etc/nix-bitcoin-secrets/lamassu-db-password.
+ # };
+
+ ### Nodeinfo
+ # Set this to add command `nodeinfo` to the system environment.
+ # It shows info about running services like onion addresses and local addresses.
+ # It is enabled by default when importing `secure-node.nix`.
+ # nix-bitcoin.nodeinfo.enable = true;
+
+ ### Backups
+ # Set this to enable nix-bitcoin's own backup service. By default, it
+ # uses duplicity to incrementally back up all important files in /var/lib to
+ # /var/lib/localBackups once a day.
+ # services.backups.enable = true;
+ #
+ # You can pull the localBackups folder with
+ # `scp -r bitcoin-node:/var/lib/localBackups /my-backup-path/`
+ # Alternatively, you can also set a remote target url, for example
+ # services.backups.destination = "sftp://user@host[:port]/[relative|/absolute]_path";
+ # Supply the sftp password by appending the FTP_PASSWORD environment variable
+ # to secrets/backup-encryption-env like so
+ # `echo "FTP_PASSWORD=" >> secrets/backup-encryption-env`
+ # You may also need to set a ssh host and publickey with
+ # programs.ssh.knownHosts."host" = {
+ # hostNames = [ "host" ];
+ # publicKey = "";
+ # };
+ # If you also want to backup bulk data like the Bitcoin & Liquid blockchains
+ # and electrs data directory, enable
+ # services.backups.with-bulk-data = true;
+
+ ### netns-isolation (EXPERIMENTAL)
+ # Enable this module to use Network Namespace Isolation. This feature places
+ # every service in its own network namespace and only allows truly necessary
+ # connections between network namespaces, making sure services are isolated on
+ # a network-level as much as possible.
+ # nix-bitcoin.netns-isolation.enable = true;
+
+ # FIXME: Define your hostname.
+ networking.hostName = "nix-bitcoin";
+ time.timeZone = "UTC";
+
+ # Example opening ports for services
+ # networking.firewall.allowedTCPPorts = [ config.services.electrs.port config.services.mempool.frontend.port config.services.rtl.port ];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ # FIXME: Replace this with your SSH pubkey
+ # "ssh-ed25519 AAAAC3..."
+ ];
+ };
+
+ # FIXME: Uncomment this to allow the operator user to run
+ # commands as root with `sudo` or `doas`
+ # users.users.operator.extraGroups = [ "wheel" ];
+
+ # FIXME: add packages you need in your system
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+
+ # FIXME: Add custom options (like boot options, output of
+ # nixos-generate-config, etc.):
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "25.11"; # Did you read the comment?
+
+ # The nix-bitcoin release version that your config is compatible with.
+ # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
+ # an error and provide instructions for migrating your config to the new release.
+ nix-bitcoin.configVersion = "0.0.24";
+}
diff --git a/example/config/hardware-configuration.nix b/example/config/hardware-configuration.nix
new file mode 100644
index 0000000..9201b20
--- /dev/null
+++ b/example/config/hardware-configuration.nix
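Review bot: The lamassu-server example lists `skip2FA = true; # Skip 2FA for initial setup` under "Optional settings (showing defaults)", so a reader will take 2FA-off as the shipped default of the admin UI; if that really is the module default, the comment should say explicitly to set `skip2FA = false;` once the first admin account exists, and if it is not, the example should not present it as a default. Separately, `services.openssh` is enabled with `settings.PasswordAuthentication = false` while `users.users.root.openssh.authorizedKeys.keys` is an empty list, so deploying the template unedited leaves root with no usable SSH credential and krops cannot reach the host for the next deploy; a comment next to that FIXME stating the consequence (`# Deploying with this list empty locks you out of the target`) would help. The `imports` block holds only `./boot.nix` plus FIXME comments describing the secure-node and hardened presets, which presumably were meant to appear as import entries on the blank lines — confirm the committed file against what the page renders.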
@@ -0,0 +1,45 @@
+# Hardware configuration
+#
+# FIXME: Replace this file with the output of 'nixos-generate-config --show-hardware-config'
+# run on your target machine.
+#
+# This is a placeholder that should work for most x86_64 systems.
+
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ # FIXME: Adjust kernel modules for your hardware
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # FIXME: Set your filesystem configuration
+ # Use 'blkid' or 'lsblk -f' to find UUIDs
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/XXXX-XXXX";
+ fsType = "vfat";
+ };
+
+ # FIXME: Set swap device if needed
+ # swapDevices = [
+ # { device = "/dev/disk/by-uuid/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; }
+ # ];
+
+ # FIXME: Set your platform (x86_64-linux, aarch64-linux, etc.)
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ # For Intel CPUs:
+ # hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ # For AMD CPUs:
+ # hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/example/config/nix-bitcoin-release.nix b/example/config/nix-bitcoin-release.nix
new file mode 100644
index 0000000..a1bfa15
--- /dev/null
+++ b/example/config/nix-bitcoin-release.nix
@@ -0,0 +1,4 @@
+builtins.fetchTarball {
+ url = "https://git.atitlan.io/aiolabs/nix-bitcoin/archive/v0.0.24.tar.gz";
+ sha256 = "1bms1r4a85fw7zl351q8ri965y5465hzszryz6mhxxdzdj9bqvva";
+}
diff --git a/example/krops.nix b/example/krops.nix
new file mode 100644
index 0000000..512acf3
--- /dev/null
+++ b/example/krops.nix
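Review bot: nix-bitcoin-release.nix pins the tarball to `https://git.atitlan.io/aiolabs/nix-bitcoin/archive/v0.0.24.tar.gz`, a host other than the fort-nix/nix-bitcoin project that README.md and docs/install.md link to, and the install guide's "Updating Your Node" step sends users to `https://github.com/fort-nix/nix-bitcoin/releases` for new versions; a tag taken from there will match neither this URL nor its `sha256`. Add a comment in the file naming the fork and where its releases and checksums come from (e.g. `# Fork of fort-nix/nix-bitcoin; update url and sha256 together from <FORK-RELEASE-PAGE>`) and point the docs' update step at the same source. The `sha256` pin itself is the right thing to keep, since a `fetchTarball` without it is not content-verified.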
@@ -0,0 +1,137 @@
+# Krops deployment for nix-bitcoin
+#
+# Usage:
+# Deploy to target: nix-build krops.nix -A deploy --no-out-link && ./result
+# Test build only: nix-build krops.nix -A test --no-out-link
+# Run test VM: nix-build krops.nix -A vm --no-out-link && ./result/bin/run-*-vm
+#
+# For more info: https://cgit.krebsco.de/krops/
+
+let
+ # FIXME: Set your deployment target (user@hostname or user@ip)
+ target = "root@bitcoin-node";
+
+ # Import nix-bitcoin release
+ nix-bitcoin = import ./config/nix-bitcoin-release.nix;
+ krops = (import nix-bitcoin {}).krops;
+
+ # Additional source files to deploy
+ # FIXME: Add any extra config files you create here
+ extraSources = {
+ # "my-custom-config.nix".file = toString ./config/my-custom-config.nix;
+ };
+
+ source = krops.lib.evalSource [({
+ nixos-config.file = builtins.toFile "nixos-config" ''
+ {
+ imports = [
+ ./configuration.nix
+
+ ];
+ }
+ '';
+
+ "configuration.nix".file = toString ./config/configuration.nix;
+
+ nixpkgs.file = {
+ path = toString ;
+ useChecksum = true;
+ filters = [
+ {
+ type = "exclude";
+ pattern = "/pkgs/development/libraries/readline/update-patch-set.sh";
+ }
+ ];
+ };
+
+ nix-bitcoin.file = {
+ path = toString nix-bitcoin;
+ useChecksum = true;
+ filters = [{
+ type = "exclude";
+ pattern = ".git";
+ }];
+ };
+
+ # lamassu-server source is cloned directly on target by lamassu-build service
+
+ secrets.file = toString ./secrets;
+ } // extraSources)];
+
+in {
+ # Deploy to target machine
+ deploy = krops.pkgs.krops.writeDeploy "deploy-nix-bitcoin" {
+ inherit source target;
+ force = true;
+ };
+
+ # Test build locally (writes to /tmp/krops-test)
+ test = krops.pkgs.krops.writeTest "test-nix-bitcoin" {
+ inherit source;
+ target = "/tmp/krops-test";
+ };
+
+ # Build a test VM with preconfigured settings
+ # Run with: nix-build krops.nix -A vm --no-out-link && ./result/bin/run-*-vm
+ #
+ # The VM starts with:
+ # - Lamassu server with auto-generated secrets
+ # - Auto-login to root console
+ - Services accessible via localhost
+ #
+ # Useful for testing configuration changes before deploying to production.
+ vm = (import {
+ configuration = { config, lib, pkgs, modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/virtualisation/qemu-vm.nix")
+ "${nix-bitcoin}/modules/modules.nix"
+ ];
+
+ # VM-specific settings
+ virtualisation = {
+ graphics = false;
+ memorySize = 2048;
+ cores = 2;
+ diskSize = 4096; # 4GB disk (default is too small)
+ # Forward ports to host (0.0.0.0 = accessible from LAN)
+ forwardPorts = [
+ { from = "host"; host.address = "0.0.0.0"; host.port = 8443; guest.port = 443; }
+ { from = "host"; host.address = "0.0.0.0"; host.port = 3000; guest.port = 3000; }
+ ];
+ };
+
+ # Auto-login for easy access
+ services.getty.autologinUser = "root";
+
+ # Generate secrets automatically in VM
+ nix-bitcoin.secretsDir = "/secrets";
+ nix-bitcoin.generateSecrets = true;
+ nix-bitcoin.setupSecrets = true;
+
+ # Enable operator user (required by nix-bitcoin)
+ nix-bitcoin.operator.enable = true;
+
+ # FIXME: replace 127.0.0.1 with your host IP to add to self-signed cert
+ # for pairing
+ # Lamassu server
+ # IMPORTANT: Set both hostname and certificate.extraIPs to the same value
+ # Use the IP address of the server that ATMs will connect to
+ services.lamassu-server = {
+ enable = true;
+ source.ref = "main";
+ mode = "production";
+ hostname = "127.0.0.1";
+ certificate.extraIPs = [ "127.0.0.1" ];
+ skip2FA = true;
+ };
+
+ # Basic system config
+ networking.hostName = "lamassu-vm";
+ time.timeZone = "UTC";
+ system.stateVersion = "25.11";
+ nix-bitcoin.configVersion = "0.0.85";
+
+ environment.systemPackages = with pkgs; [ vim ];
+ };
+ }).config.system.build.vm;
+}
diff --git a/secrets/.gitkeep b/secrets/.gitkeep
new file mode 100644
index 0000000..affa172
--- /dev/null
+++ b/secrets/.gitkeep
@@ -0,0 +1,5 @@
+# This directory contains secrets for nix-bitcoin services.
+# Secrets are automatically generated on first deployment if not present.
+#
+# Do NOT commit actual secrets to version control.
+# Add this directory to .gitignore or use encrypted storage.
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..f6863f8
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,18 @@
+# Development shell for nix-bitcoin deployment
+#
+# Enter the shell with: nix-shell
+#
+# This provides all tools needed for deployment and management.
+
+let
+ nix-bitcoin = toString (import ./config/nix-bitcoin-release.nix);
+in
+ import "${nix-bitcoin}/helper/makeShell.nix" {
+ configDir = ./config;
+ shellVersion = "0.0.85";
+
+ # Set this to modify your shell
+ # extraShellInitCmds = pkgs: ''
+ # echo "nix-bitcoin development shell"
+ # '';
+ }