krops-lamassu/example/krops.nix
padreug 6febf28955 Initial commit: krops-lamassu deployment template
NixOS deployment template for Lamassu Bitcoin ATM server using
nix-bitcoin and krops.

Features:
- Lamassu server with PostgreSQL and auto-generated secrets
- TLS certificates (self-signed)
- Test VM for local development
- Template structure for easy customization
2026-01-11 23:57:22 +01:00


# Krops deployment for nix-bitcoin
#
# Usage:
# Deploy to target: nix-build krops.nix -A deploy --no-out-link && ./result
# Test build only: nix-build krops.nix -A test --no-out-link
# Run test VM: nix-build krops.nix -A vm --no-out-link && ./result/bin/run-*-vm
#
# For more info: https://cgit.krebsco.de/krops/
let
# FIXME: set your deployment target (user@hostname or user@ip).
# NOTE(review): the default connects as root, and the deploy pushes ./secrets
# to this host. Confirm the name resolves to the intended machine and that its
# SSH host key is already trusted before the first deploy.
target = "root@bitcoin-node";

# nix-bitcoin release as defined in ./config/nix-bitcoin-release.nix
# (presumably a pinned fetch; re-verify its hash whenever the release is bumped).
nix-bitcoin = import ./config/nix-bitcoin-release.nix;

# Use the krops that ships with that nix-bitcoin release.
inherit (import nix-bitcoin {}) krops;

# Additional source files to deploy.
# FIXME: add any extra config files you create here.
extraSources = {
  # "my-custom-config.nix".file = toString ./config/my-custom-config.nix;
};
# Source set that krops copies to the target.
source =
  let
    # Directory source with useChecksum enabled and the given paths excluded.
    # NOTE(review): useChecksum is understood to make krops compare file
    # contents instead of timestamps when syncing; confirm against krops docs.
    checksummedDir = dir: excludes: {
      path = toString dir;
      useChecksum = true;
      filters = map (pattern: { type = "exclude"; inherit pattern; }) excludes;
    };

    baseSources = {
      # Entry-point module generated at evaluation time. The text inside the
      # string is the generated file's content, so it is left unchanged.
      nixos-config.file = builtins.toFile "nixos-config" ''
        {
        imports = [
        ./configuration.nix
        <nix-bitcoin/modules/deployment/krops.nix>
        ];
        }
      '';

      "configuration.nix".file = toString ./config/configuration.nix;

      # nixpkgs is taken from the deploying machine's NIX_PATH (<nixpkgs>), so
      # the deployed package set depends on the local channel state.
      nixpkgs.file = checksummedDir <nixpkgs> [
        "/pkgs/development/libraries/readline/update-patch-set.sh"
      ];

      nix-bitcoin.file = checksummedDir nix-bitcoin [ ".git" ];

      # lamassu-server source is cloned directly on target by lamassu-build service

      # The local ./secrets directory is copied to the target as-is.
      # NOTE(review): presumably this holds key material in plaintext; keep it
      # out of version control and restrict its local permissions. krops also
      # offers a `pass` source type for password-store-backed secrets.
      secrets.file = toString ./secrets;
    };
  in
  # `//` is right-biased: an extraSources entry replaces a base entry of the
  # same name, including `secrets`.
  krops.lib.evalSource [ (baseSources // extraSources) ];
in {
# Deploy to target machine: builds a script named "deploy-nix-bitcoin" that
# pushes `source` (which includes ./secrets) to `target`.
deploy =
  let
    inherit (krops.pkgs.krops) writeDeploy;
  in
  writeDeploy "deploy-nix-bitcoin" {
    # NOTE(review): per the krops README, `force` creates the sentinel file on
    # the target instead of refusing to deploy when it is missing. That
    # sentinel is the guard against populating the wrong machine, so check
    # `target` carefully before running ./result.
    force = true;
    inherit source target;
  };
# Test build locally (writes to /tmp/krops-test).
# NOTE(review): the same `source` set is used as for deploy, so a copy of
# ./secrets presumably ends up under /tmp/krops-test. On a shared machine,
# remove that directory after testing or restrict its permissions.
test =
  let
    inherit (krops.pkgs.krops) writeTest;
  in
  writeTest "test-nix-bitcoin" {
    target = "/tmp/krops-test";
    inherit source;
  };
# Build a test VM with preconfigured settings.
# Run with: nix-build krops.nix -A vm --no-out-link && ./result/bin/run-*-vm
#
# The VM starts with:
# - Lamassu server with auto-generated secrets
# - Auto-login to root console
# - Services forwarded to host ports 8443 and 3000
#
# Useful for testing configuration changes before deploying to production.
# The settings below trade security for convenience (root auto-login, 2FA
# skipped, ports bound on all host interfaces); do not copy them into
# ./config/configuration.nix for a real deployment.
vm =
  let
    # Host-side port forward bound to every host interface.
    forwardFromAnyInterface = hostPort: guestPort: {
      from = "host";
      host.address = "0.0.0.0";
      host.port = hostPort;
      guest.port = guestPort;
    };

    vmConfiguration = { config, lib, pkgs, modulesPath, ... }: {
      imports = [
        (modulesPath + "/virtualisation/qemu-vm.nix")
        "${nix-bitcoin}/modules/modules.nix"
      ];

      # VM-specific settings
      virtualisation.graphics = false;
      virtualisation.memorySize = 2048;
      virtualisation.cores = 2;
      virtualisation.diskSize = 4096; # 4GB disk (default is too small)

      # Forward ports to host. 0.0.0.0 binds on every host interface, so the
      # VM's HTTPS endpoint (host 8443 -> guest 443) and port 3000 are
      # reachable by anything that can reach this machine, not only the LAN.
      # Use "127.0.0.1" as host.address when no ATM needs to pair with the VM.
      virtualisation.forwardPorts = [
        (forwardFromAnyInterface 8443 443)
        (forwardFromAnyInterface 3000 3000)
      ];

      # Auto-login for easy access: whoever can reach the VM console is root.
      services.getty.autologinUser = "root";

      nix-bitcoin = {
        # Generate secrets automatically in VM. They are written to /secrets
        # inside the guest; treat the VM's disk image as sensitive if the VM
        # is ever used with real funds or real machines.
        secretsDir = "/secrets";
        generateSecrets = true;
        setupSecrets = true;

        # Enable operator user (required by nix-bitcoin)
        operator.enable = true;

        configVersion = "0.0.85";
      };

      # Lamassu server
      # FIXME: replace 127.0.0.1 with your host IP to add to self-signed cert
      # for pairing.
      # IMPORTANT: Set both hostname and certificate.extraIPs to the same value
      # Use the IP address of the server that ATMs will connect to
      services.lamassu-server = {
        enable = true;

        # NOTE(review): "main" is a moving branch, so two builds of this VM
        # can run different lamassu-server code. For anything beyond testing,
        # pin a tag or commit if the module accepts one (not visible here).
        source.ref = "main";

        mode = "production";
        hostname = "127.0.0.1";
        certificate.extraIPs = [ "127.0.0.1" ];

        # NOTE(review): presumably disables the second factor for operator
        # login. Together with the all-interface port forwards above, the
        # admin interface is then protected by a single factor; keep this to
        # the test VM.
        skip2FA = true;
      };

      # Basic system config
      networking.hostName = "lamassu-vm";
      time.timeZone = "UTC";
      system.stateVersion = "25.11";
      environment.systemPackages = [ pkgs.vim ];
    };

    nixos = import <nixpkgs/nixos> { configuration = vmConfiguration; };
  in
  nixos.config.system.build.vm;
}