lamassu: simplify to production mode only, document future nginx support

Current state: - Admin UI runs on port 443 (hardcoded in upstream) - devMode and nginx options commented out (would conflict with port 443) - adminPort option removed (not configurable in upstream) Future implementation documented in docs/lamassu-future-nginx.md: - Add --ui-port flag to upstream lamassu-server - Re-enable devMode, adminPort, and nginx options - Allow nginx as reverse proxy on 443 with admin UI on internal port 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-23 12:58:25 +01:00 · 2025-12-23 12:58:25 +01:00 · a7d96d2d2e
commit a7d96d2d2e
parent c5fcf567d8
2 changed files with 191 additions and 89 deletions
--- a/modules/lamassu-lnbits.nix
+++ b/modules/lamassu-lnbits.nix
@ -40,15 +40,12 @@ in
      description = "Port for the main lamassu server API";
    };

-    adminPort = mkOption {
-      type = types.port;
-      default = 8070;
-      description = ''
-        Port for the lamassu admin interface in dev mode.
-        Only used when devMode = true. In production mode, the admin
-        interface always runs on port 443 (hardcoded in upstream).
-      '';
-    };
+    # NOTE: Admin UI port is currently hardcoded in upstream lamassu-server:
+    # - Production mode (default): port 443
+    # - Dev mode (--dev flag): port 8070
+    # Future: Add --ui-port support to upstream to make this configurable.
+    # This would also enable nginx reverse proxy (which also needs port 443).
+    # See docs/lamassu-future-nginx.md for implementation details.

    dataDir = mkOption {
      type = types.path;
@ -86,11 +83,13 @@ in
      description = "Skip 2FA authentication (useful for initial setup)";
    };

-    devMode = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Run admin server in development mode (port 8070). When false, runs in production mode (port 443).";
-    };
+    # NOTE: devMode is disabled for now. Admin UI runs in production mode (port 443).
+    # Future: Re-enable when --ui-port is added to upstream lamassu-server.
+    # devMode = mkOption {
+    #   type = types.bool;
+    #   default = false;
+    #   description = "Run admin server in development mode (port 8070).";
+    # };

    database = {
      name = mkOption {
@ -151,16 +150,18 @@ in
      description = "Path to the TLS private key.";
    };

-    nginx = {
-      enable = mkEnableOption "Nginx reverse proxy on port 443";
-
-      hostname = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-        description = "Hostname for nginx virtual host (if different from main hostname)";
-        example = "lamassu.example.com";
-      };
-    };
+    # NOTE: nginx is disabled for now because admin UI binds directly to port 443.
+    # Enabling nginx would cause a port conflict.
+    # Future: Add --ui-port to upstream, run admin UI on internal port (e.g., 8070),
+    # and use nginx as reverse proxy on 443. See docs/lamassu-future-nginx.md
+    # nginx = {
+    #   enable = mkEnableOption "Nginx reverse proxy on port 443";
+    #   hostname = mkOption {
+    #     type = types.nullOr types.str;
+    #     default = null;
+    #     description = "Hostname for nginx virtual host";
+    #   };
+    # };

    enableBitcoin = mkOption {
      type = types.bool;
@ -188,56 +189,8 @@ in

    # ═══════════════════════════════════════════════════════════════════════════

-    # Nginx reverse proxy (optional, disabled by default)
-    services.nginx = mkIf cfg.nginx.enable {
-      enable = true;
-      recommendedTlsSettings = true;
-      recommendedProxySettings = true;
-
-      virtualHosts.${if cfg.nginx.hostname != null then cfg.nginx.hostname else cfg.hostname} = {
-        forceSSL = true;
-        sslCertificate = cfg.certPath;
-        sslCertificateKey = cfg.keyPath;
-
-        # Route API endpoints to main server (port 3000)
-        locations."/ca" = {
-          proxyPass = "https://127.0.0.1:${toString cfg.serverPort}";
-          extraConfig = ''
-            proxy_ssl_verify off;
-            proxy_ssl_server_name on;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-
-        locations."/pair" = {
-          proxyPass = "https://127.0.0.1:${toString cfg.serverPort}";
-          extraConfig = ''
-            proxy_ssl_verify off;
-            proxy_ssl_server_name on;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-
-        # Route everything else to admin server (port 8070)
-        locations."/" = {
-          proxyPass = "https://127.0.0.1:${toString cfg.adminPort}";
-          extraConfig = ''
-            proxy_ssl_verify off;
-            proxy_ssl_server_name on;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-          '';
-        };
-      };
-    };
+    # NOTE: Nginx reverse proxy is disabled. See docs/lamassu-future-nginx.md
+    # for future implementation when --ui-port is added to upstream.

    # Enable PostgreSQL
    services.postgresql = {
@ -272,9 +225,6 @@ in
        home = cfg.dataDir;
        createHome = true;
      };
-    } // optionalAttrs cfg.nginx.enable {
-      # Add nginx user to lamassu-server group to access SSL certificates
-      nginx.extraGroups = [ cfg.group ];
    };

    users.groups.${cfg.group} = {};
@ -463,7 +413,7 @@ in
        '';
      in defaultHardening // {
        WorkingDirectory = "${cfg.package}/packages/server";
-        ExecStart = "${lamassuAdminEnv} ${pkgs.nodejs_22}/bin/node packages/server/bin/lamassu-admin-server ${optionalString cfg.devMode "--dev"} --logLevel ${cfg.logLevel}";
+        ExecStart = "${lamassuAdminEnv} ${pkgs.nodejs_22}/bin/node packages/server/bin/lamassu-admin-server --logLevel ${cfg.logLevel}";
        MemoryDenyWriteExecute = false;
        ReadWritePaths = [ cfg.dataDir cfg.package ];
        User = cfg.user;
@ -471,20 +421,16 @@ in
        Restart = "on-failure";
        RestartSec = "10s";

-        # Allow binding to privileged port 443 when in production mode (not dev mode)
-        AmbientCapabilities = optionals (!cfg.devMode) [ "CAP_NET_BIND_SERVICE" ];
-        CapabilityBoundingSet = optionals (!cfg.devMode) [ "CAP_NET_BIND_SERVICE" ];
+        # Allow binding to privileged port 443 (production mode)
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      };
    };

    # Open firewall ports
-    # Port 3000 for machine API access (required for pairing and operation)
-    # Port 8070 for admin interface (only in dev mode)
-    # Port 443 for admin interface (production mode) or nginx reverse proxy
-    networking.firewall.allowedTCPPorts =
-      [ cfg.serverPort ] ++
-      (optionals cfg.devMode [ cfg.adminPort ]) ++
-      (optionals (cfg.nginx.enable || !cfg.devMode) [ 443 ]);
+    # Port 3000 (configurable): machine API access (required for pairing and operation)
+    # Port 443: admin UI (production mode, hardcoded in upstream)
+    networking.firewall.allowedTCPPorts = [ cfg.serverPort 443 ];

    # Add useful packages
    environment.systemPackages = with pkgs; [
@ -513,7 +459,7 @@ in
        echo ""
        echo "=== Network Access ==="
        echo "Server API: https://localhost:${toString cfg.serverPort}"
-        echo "Admin UI: https://localhost:${if cfg.devMode then toString cfg.adminPort else "443"}"
+        echo "Admin UI: https://localhost:443"
      '')
    ];
  };