2020-08-12 17:47:56 +03:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
options.services = {
|
|
|
|
btcpayserver = {
|
2021-12-14 21:51:23 +03:00
|
|
|
enable = mkEnableOption "btcpayserver, a self-hosted Bitcoin payment processor";
|
2021-01-14 15:24:05 +03:00
|
|
|
address = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "127.0.0.1";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "Address to listen on.";
|
2021-01-14 15:24:05 +03:00
|
|
|
};
|
|
|
|
port = mkOption {
|
|
|
|
type = types.port;
|
|
|
|
default = 23000;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "Port to listen on.";
|
2021-01-14 15:24:05 +03:00
|
|
|
};
|
2020-08-12 17:47:56 +03:00
|
|
|
package = mkOption {
|
|
|
|
type = types.package;
|
2021-07-13 17:03:08 +03:00
|
|
|
default = if cfg.btcpayserver.lbtc then
|
2021-12-08 06:07:26 +03:00
|
|
|
config.nix-bitcoin.pkgs.btcpayserver.override { altcoinSupport = true; }
|
2021-07-13 17:03:08 +03:00
|
|
|
else
|
2021-12-08 06:07:26 +03:00
|
|
|
config.nix-bitcoin.pkgs.btcpayserver;
|
2021-12-08 06:07:28 +03:00
|
|
|
defaultText = "(See source)";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The package providing btcpayserver binaries.";
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
|
|
|
dataDir = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "/var/lib/btcpayserver";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The data directory for btcpayserver.";
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
|
|
|
lightningBackend = mkOption {
|
|
|
|
type = types.nullOr (types.enum [ "clightning" "lnd" ]);
|
|
|
|
default = null;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The lightning node implementation to use.";
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
2021-07-13 17:03:08 +03:00
|
|
|
lbtc = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "Enable liquid support in btcpayserver.";
|
2021-07-13 17:03:08 +03:00
|
|
|
};
|
2020-12-30 13:56:51 +03:00
|
|
|
rootpath = mkOption {
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
default = null;
|
|
|
|
example = "btcpayserver";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The prefix for root-relative btcpayserver URLs.";
|
2020-12-30 13:56:51 +03:00
|
|
|
};
|
2021-09-13 14:40:48 +03:00
|
|
|
user = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "btcpayserver";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The user as which to run btcpayserver.";
|
2021-09-13 14:40:48 +03:00
|
|
|
};
|
|
|
|
group = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = cfg.btcpayserver.user;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The group as which to run btcpayserver.";
|
2021-09-13 14:40:48 +03:00
|
|
|
};
|
2021-11-28 23:24:49 +03:00
|
|
|
tor.enforce = nbLib.tor.enforce;
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
2021-11-26 17:13:32 +03:00
|
|
|
|
|
|
|
nbxplorer = {
|
|
|
|
enable = mkOption {
|
|
|
|
# This option is only used by netns-isolation
|
|
|
|
internal = true;
|
|
|
|
default = cfg.btcpayserver.enable;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc ''
|
2021-11-26 17:13:32 +03:00
|
|
|
nbxplorer is always enabled when btcpayserver is enabled.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
package = mkOption {
|
|
|
|
type = types.package;
|
2021-12-08 06:07:26 +03:00
|
|
|
default = config.nix-bitcoin.pkgs.nbxplorer;
|
2021-12-08 06:07:28 +03:00
|
|
|
defaultText = "config.nix-bitcoin.pkgs.nbxplorer";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The package providing nbxplorer binaries.";
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
|
|
|
address = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "127.0.0.1";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "Address to listen on.";
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
|
|
|
port = mkOption {
|
|
|
|
type = types.port;
|
|
|
|
default = 24444;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "Port to listen on.";
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
|
|
|
dataDir = mkOption {
|
|
|
|
type = types.path;
|
|
|
|
default = "/var/lib/nbxplorer";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The data directory for nbxplorer.";
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
|
|
|
user = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "nbxplorer";
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The user as which to run nbxplorer.";
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
|
|
|
group = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = cfg.nbxplorer.user;
|
2022-12-18 15:13:47 +03:00
|
|
|
description = mdDoc "The group as which to run nbxplorer.";
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
2021-11-28 23:24:49 +03:00
|
|
|
tor.enforce = nbLib.tor.enforce;
|
2021-11-26 17:13:32 +03:00
|
|
|
};
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
|
|
|
|
2021-09-13 14:40:47 +03:00
|
|
|
cfg = config.services;
|
|
|
|
nbLib = config.nix-bitcoin.lib;
|
2021-09-13 14:40:49 +03:00
|
|
|
|
2021-10-01 12:51:56 +03:00
|
|
|
inherit (config.services) bitcoind liquidd;
|
2021-09-13 14:40:47 +03:00
|
|
|
in {
|
|
|
|
inherit options;
|
|
|
|
|
2020-08-12 17:47:56 +03:00
|
|
|
config = mkIf cfg.btcpayserver.enable {
|
2021-10-01 12:51:58 +03:00
|
|
|
services.bitcoind = {
|
|
|
|
enable = true;
|
|
|
|
rpc.users.btcpayserver = {
|
|
|
|
passwordHMACFromFile = true;
|
|
|
|
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
|
|
|
|
"setban"
|
|
|
|
"generatetoaddress"
|
|
|
|
"getpeerinfo"
|
|
|
|
];
|
|
|
|
};
|
2021-10-29 18:56:57 +03:00
|
|
|
listenWhitelisted = true;
|
2021-10-01 12:51:58 +03:00
|
|
|
};
|
2020-10-18 15:49:20 +03:00
|
|
|
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
|
2021-10-30 15:55:55 +03:00
|
|
|
services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
|
|
|
enable = true;
|
|
|
|
macaroons.btcpayserver = {
|
|
|
|
inherit (cfg.btcpayserver) user;
|
|
|
|
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
|
|
|
};
|
|
|
|
};
|
2021-10-01 12:51:58 +03:00
|
|
|
services.liquidd = mkIf cfg.btcpayserver.lbtc {
|
|
|
|
enable = true;
|
2021-10-29 18:56:57 +03:00
|
|
|
listenWhitelisted = true;
|
2021-02-02 00:53:22 +03:00
|
|
|
};
|
2020-09-17 11:04:23 +03:00
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
2022-04-30 16:35:46 +03:00
|
|
|
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
|
|
|
|
ensureUsers = [
|
2023-12-03 01:26:51 +03:00
|
|
|
{ name = cfg.btcpayserver.user; }
|
|
|
|
{ name = cfg.nbxplorer.user; }
|
2022-04-30 16:35:46 +03:00
|
|
|
];
|
2020-09-17 11:04:23 +03:00
|
|
|
};
|
2023-12-03 01:26:51 +03:00
|
|
|
systemd.services.postgresql.postStart = lib.mkAfter ''
|
|
|
|
$PSQL -tAc '
|
|
|
|
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
|
|
|
|
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
|
|
|
|
'
|
|
|
|
'';
|
2020-09-17 11:04:23 +03:00
|
|
|
|
2021-02-02 00:53:22 +03:00
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
|
|
|
|
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
|
|
|
|
];
|
|
|
|
|
2020-08-12 17:47:56 +03:00
|
|
|
systemd.services.nbxplorer = let
|
|
|
|
configFile = builtins.toFile "config" ''
|
2021-09-13 14:40:49 +03:00
|
|
|
network=${bitcoind.network}
|
2020-08-12 17:47:56 +03:00
|
|
|
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
|
2021-10-01 12:51:57 +03:00
|
|
|
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
|
2021-10-29 18:56:57 +03:00
|
|
|
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
|
2021-01-14 15:24:05 +03:00
|
|
|
bind=${cfg.nbxplorer.address}
|
2020-10-16 18:43:11 +03:00
|
|
|
port=${toString cfg.nbxplorer.port}
|
2021-07-13 17:03:08 +03:00
|
|
|
${optionalString cfg.btcpayserver.lbtc ''
|
|
|
|
chains=btc,lbtc
|
2021-10-01 12:51:56 +03:00
|
|
|
lbtcrpcuser=${liquidd.rpcuser}
|
2021-10-01 12:51:57 +03:00
|
|
|
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
|
2021-11-01 14:59:05 +03:00
|
|
|
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
|
2021-07-13 17:03:08 +03:00
|
|
|
''}
|
2022-04-30 16:35:46 +03:00
|
|
|
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
|
|
|
|
automigrate=1
|
2020-08-12 17:47:56 +03:00
|
|
|
'';
|
2021-11-02 15:07:38 +03:00
|
|
|
in rec {
|
2020-08-12 17:47:56 +03:00
|
|
|
wantedBy = [ "multi-user.target" ];
|
2022-04-30 16:35:46 +03:00
|
|
|
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
|
2023-10-03 14:00:23 +03:00
|
|
|
after = requires ++ [ "nix-bitcoin-secrets.target" ];
|
2020-08-12 17:47:56 +03:00
|
|
|
preStart = ''
|
2021-02-02 00:53:21 +03:00
|
|
|
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
|
2021-07-13 17:03:08 +03:00
|
|
|
{
|
|
|
|
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
|
|
|
|
${optionalString cfg.btcpayserver.lbtc ''
|
|
|
|
echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
|
|
|
|
''}
|
|
|
|
} >> '${cfg.nbxplorer.dataDir}/settings.config'
|
2020-08-12 17:47:56 +03:00
|
|
|
'';
|
2021-02-04 00:44:41 +03:00
|
|
|
serviceConfig = nbLib.defaultHardening // {
|
2020-08-12 17:47:56 +03:00
|
|
|
ExecStart = ''
|
|
|
|
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
|
|
|
|
--datadir=${cfg.nbxplorer.dataDir}
|
|
|
|
'';
|
|
|
|
User = cfg.nbxplorer.user;
|
|
|
|
Restart = "on-failure";
|
|
|
|
RestartSec = "10s";
|
2022-05-07 21:34:21 +03:00
|
|
|
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
|
2023-01-20 15:45:07 +03:00
|
|
|
MemoryDenyWriteExecute = false;
|
2021-11-28 23:24:49 +03:00
|
|
|
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.btcpayserver = let
|
2021-11-26 17:13:29 +03:00
|
|
|
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
|
2021-09-13 14:40:49 +03:00
|
|
|
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
|
2022-10-24 13:06:45 +03:00
|
|
|
configFile = builtins.toFile "btcpayserver-config" (''
|
2021-09-13 14:40:49 +03:00
|
|
|
network=${bitcoind.network}
|
2021-02-02 00:53:01 +03:00
|
|
|
bind=${cfg.btcpayserver.address}
|
|
|
|
port=${toString cfg.btcpayserver.port}
|
2021-08-05 01:49:00 +03:00
|
|
|
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
|
2021-07-13 17:03:08 +03:00
|
|
|
btcexplorerurl=${nbExplorerUrl}
|
|
|
|
btcexplorercookiefile=${nbExplorerCookie}
|
2021-02-02 00:53:01 +03:00
|
|
|
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb
|
2021-11-26 17:13:29 +03:00
|
|
|
'' + optionalString (cfg.btcpayserver.rootpath != null) ''
|
|
|
|
rootpath=${cfg.btcpayserver.rootpath}
|
2020-08-12 17:47:56 +03:00
|
|
|
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
|
2022-06-04 00:39:36 +03:00
|
|
|
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
|
2022-10-24 13:06:45 +03:00
|
|
|
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
|
|
|
|
(
|
|
|
|
"btclightning=type=lnd-rest;" +
|
|
|
|
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
|
|
|
|
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
|
|
|
|
"certfilepath=${config.services.lnd.certPath}" +
|
|
|
|
"\n"
|
|
|
|
)
|
|
|
|
+ optionalString cfg.btcpayserver.lbtc ''
|
2021-07-13 17:03:08 +03:00
|
|
|
chains=btc,lbtc
|
|
|
|
lbtcexplorerurl=${nbExplorerUrl}
|
|
|
|
lbtcexplorercookiefile=${nbExplorerCookie}
|
2020-08-12 17:47:56 +03:00
|
|
|
'');
|
|
|
|
in let self = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
2021-02-02 00:53:00 +03:00
|
|
|
requires = [ "nbxplorer.service" "postgresql.service" ]
|
2020-08-12 17:47:56 +03:00
|
|
|
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
|
|
|
|
after = self.requires;
|
2021-02-04 00:44:41 +03:00
|
|
|
serviceConfig = nbLib.defaultHardening // {
|
2020-08-12 17:47:56 +03:00
|
|
|
ExecStart = ''
|
2022-10-24 13:06:45 +03:00
|
|
|
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
|
2021-10-01 12:51:56 +03:00
|
|
|
--datadir='${cfg.btcpayserver.dataDir}'
|
2020-08-12 17:47:56 +03:00
|
|
|
'';
|
|
|
|
User = cfg.btcpayserver.user;
|
2023-02-27 15:17:09 +03:00
|
|
|
# Also restart after the program has exited successfully.
|
|
|
|
# This is required to support restarting from the web interface after
|
|
|
|
# interactive plugin installation.
|
|
|
|
# Restart rate limiting is implemented via the `startLimit*` options below.
|
|
|
|
Restart = "always";
|
2022-05-07 21:34:21 +03:00
|
|
|
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
2023-01-20 15:45:07 +03:00
|
|
|
MemoryDenyWriteExecute = false;
|
2021-11-28 23:24:49 +03:00
|
|
|
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
2023-02-27 15:17:09 +03:00
|
|
|
startLimitIntervalSec = 30;
|
|
|
|
startLimitBurst = 10;
|
2020-08-12 17:47:56 +03:00
|
|
|
}; in self;
|
|
|
|
|
|
|
|
users.users.${cfg.nbxplorer.user} = {
|
2021-08-05 01:48:59 +03:00
|
|
|
isSystemUser = true;
|
2020-08-12 17:47:56 +03:00
|
|
|
group = cfg.nbxplorer.group;
|
2021-07-13 17:03:08 +03:00
|
|
|
extraGroups = [ "bitcoinrpc-public" ]
|
2021-10-01 12:51:56 +03:00
|
|
|
++ optional cfg.btcpayserver.lbtc liquidd.group;
|
2020-08-12 17:47:56 +03:00
|
|
|
home = cfg.nbxplorer.dataDir;
|
|
|
|
};
|
|
|
|
users.groups.${cfg.nbxplorer.group} = {};
|
|
|
|
users.users.${cfg.btcpayserver.user} = {
|
2021-08-05 01:48:59 +03:00
|
|
|
isSystemUser = true;
|
2020-08-12 17:47:56 +03:00
|
|
|
group = cfg.btcpayserver.group;
|
2021-02-16 19:52:45 +03:00
|
|
|
extraGroups = [ cfg.nbxplorer.group ]
|
2020-08-12 17:47:56 +03:00
|
|
|
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
|
|
|
|
home = cfg.btcpayserver.dataDir;
|
|
|
|
};
|
|
|
|
users.groups.${cfg.btcpayserver.group} = {};
|
|
|
|
|
2021-02-02 00:53:22 +03:00
|
|
|
nix-bitcoin.secrets = {
|
|
|
|
bitcoin-rpcpassword-btcpayserver = {
|
2021-02-16 19:52:45 +03:00
|
|
|
user = cfg.bitcoind.user;
|
|
|
|
group = cfg.nbxplorer.group;
|
2021-02-02 00:53:22 +03:00
|
|
|
};
|
2021-02-16 19:52:45 +03:00
|
|
|
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
2021-09-08 18:01:18 +03:00
|
|
|
nix-bitcoin.generateSecretsCmds.btcpayserver = ''
|
|
|
|
makeBitcoinRPCPassword btcpayserver
|
|
|
|
'';
|
2020-08-12 17:47:56 +03:00
|
|
|
};
|
|
|
|
}
|