commit

Enables a systemd service to automatically copy deployed extensions to the LNBits extensions directory.

This allows for easier management of extensions by automatically synchronizing extensions located in /var/src/lnbits-extensions/ with the active extensions directory /var/lib/lnbits/extensions/, ensuring the correct permissions are set.

config/lnbits.nix

@@ -37,7 +37,7 @@ in
       # LNBITS_EXTENSIONS_DEFAULT_INSTALL =
       #   "nostrclient,nostrmarket,nostrrelay,lnurlp,events";
       LNBITS_ADMIN_EXTENSIONS = "ngrok,nostrclient,nostrrelay,satmachineadmin";
-      LNBITS_USER_DEFAULT_EXTENSIONS = "lnurlp,nostrmarket,events,lndhub";
+      LNBITS_USER_DEFAULT_EXTENSIONS = "lnurlp,nostrmarket,events,castle,lndhub";
       LNBITS_CUSTOM_FRONTEND_URL = "https://app.${domain}";
     };
   };
@@ -114,16 +114,16 @@ in
   #
   # Option 2: Manually merge deployed extensions with existing ones
   # Copy deployed extensions into the extensions directory without replacing it:
-  # systemd.tmpfiles.rules = [
-  #   "d /var/src/lnbits-extensions 0755 root root - -"
-  # ];
-  # systemd.services.lnbits-copy-extensions = {
-  #   description = "Copy deployed LNBits extensions";
-  #   before = [ "lnbits.service" ];
-  #   wantedBy = [ "lnbits.service" ];
-  #   serviceConfig = {
-  #     Type = "oneshot";
-  #     ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.rsync}/bin/rsync -av /var/src/lnbits-extensions/ /var/lib/lnbits/extensions/ && ${pkgs.coreutils}/bin/chown -R lnbits:lnbits /var/lib/lnbits/extensions/'";
-  #   };
-  # };
+  systemd.tmpfiles.rules = [
+    "d /var/src/lnbits-extensions 0755 root root - -"
+  ];
+  systemd.services.lnbits-copy-extensions = {
+    description = "Copy deployed LNBits extensions";
+    before = [ "lnbits.service" ];
+    wantedBy = [ "lnbits.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.rsync}/bin/rsync -av /var/src/lnbits-extensions/ /var/lib/lnbits/extensions/ && ${pkgs.coreutils}/bin/chown -R lnbits:lnbits /var/lib/lnbits/extensions/'";
+    };
+  };
 }

config/machines/prod-castle/ariege-home-dist/assets/index-DsYavE7Z.css

@@ -0,0 +1 @@
+*{margin:0;padding:0;box-sizing:border-box}body{overflow:hidden}.app{position:relative;width:100vw;height:100vh;display:flex;align-items:center;justify-content:center}.galaxy-background{position:fixed;top:0;left:0;width:100%;height:100%;z-index:-1}.content{text-align:center;color:#fff;z-index:1}.content h1{font-size:4rem;font-weight:300;margin-bottom:1rem;background:linear-gradient(45deg,#fff,#a8edea);-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text;animation:glow 2s ease-in-out infinite alternate}.content p{font-size:1.5rem;font-weight:200;opacity:.8;letter-spacing:2px}@keyframes glow{0%{text-shadow:0 0 20px rgba(168,237,234,.3)}to{text-shadow:0 0 30px rgba(168,237,234,.6)}}.footer{position:fixed;bottom:20px;left:20px;z-index:1}.footer p{font-size:.8rem;opacity:.6;color:#fff;margin:0}.footer a{color:#a8edeacc;text-decoration:none;transition:opacity .3s ease}.footer a:hover{opacity:1;text-decoration:underline}@media (max-width: 768px){.content h1{font-size:2.5rem}.content p{font-size:1.2rem}.footer{bottom:10px;left:10px}.footer p{font-size:.7rem}}

config/machines/prod-castle/ariege-home-dist/index.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Ariege.io - Coming Soon</title>
+    <style>
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen',
+          'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue',
+          sans-serif;
+        -webkit-font-smoothing: antialiased;
+        -moz-osx-font-smoothing: grayscale;
+      }
+    </style>
+    <script type="module" crossorigin src="/assets/index-BBdw2NZT.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-DsYavE7Z.css">
+  </head>
+  <body>
+    <div id="app"></div>
+  </body>
+</html>

config/machines/prod-castle/ario-home.nix

@@ -0,0 +1,19 @@
+{ config, pkgs, domain, ... }:
+
+{
+  services.nginx.virtualHosts = {
+    # Web-app service
+    "${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      root = "/var/src/config-machine/ariege-home-dist";
+      locations."/" = {
+        index = "index.html";
+        tryFiles = "$uri $uri/ /index.html";
+      };
+      locations."~^/.well-known/lnurlp/" = {
+        return = "301 https://lnbits.demo.${domain}$request_uri";
+      };
+    };
+  };
+}

config/machines/prod-castle/boot.nix

@@ -0,0 +1,5 @@
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+}

config/machines/prod-castle/borg-lnbits.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./modules/lnbits-backup.nix  # Add this line
+  ];
+
+  # Enable LNbits Borg backup
+  services.lnbits-backup = {
+    enable = true;
+
+    # Repository path - update with your actual path
+    # Option 1: Traditional format
+    # repository = "borg@192.168.1.100:/mnt/my_ssd/borg-backups/lnbits";
+
+    # Option 2: Full SSH URL format (note double slash for absolute path)
+    # Note this ip is fixed on unifi
+    repository = "ssh://borg@192.168.0.194//mnt/borg-backups/lnbits-ario";
+
+    # Backup schedule
+    schedule = "*:0/15";  # Backup schedule (hourly, daily, or systemd timer format)
+
+    # Compression with auto-detection
+    # "auto" skips compression for already-compressed files (images, videos, etc.)
+    compression = "auto,lz4";      # For Raspberry Pi (faster)
+    # compression = "auto,zstd";   # For RockPro64 (better compression)
+
+    # Retention policy, leave all of these
+    retention = {
+      hourly = 24;   # Last 24 hours
+      daily = 7;     # Last 7 days
+      weekly = 4;    # Last 4 weeks
+      monthly = 6;   # Last 6 months
+    };
+  };
+}

config/machines/prod-castle/configuration.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+let
+  domain = "ariege.io";
+in
+{
+  imports = [
+    { _module.args = { inherit domain; }; }  # Uses the let binding
+    (import /var/src/config-shared {
+      inherit config pkgs domain;            # Uses the let binding
+    })
+    ./hardware-configuration.nix
+    ./boot.nix
+    ./wireguard.nix
+    ./ario-home.nix
+    ./jellyfin.nix
+
+    # BORG backup
+    # read docs/lnbits-borg-backup-guide.md
+    ./borg-lnbits.nix
+
+  ];
+  # networking.hostName = "castle-prod"; # TODO: test this out before uncommenting
+}

config/machines/prod-castle/hardware-configuration.nix

@@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/7886f40d-f016-42db-a787-218530f3464e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/09EB-1B4F";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/2c629168-62a8-4b48-9135-f933e513286b"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

config/machines/prod-castle/jellyfin.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+
+  services.nginx.virtualHosts."media.castle" = {
+    # Listen on HTTP
+    listen = [ { addr = "0.0.0.0"; port = 80; } ];
+
+    # Pass traffic to Jellyfin’s default port
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8096";
+      proxyWebsockets = true; # Jellyfin needs this!
+    };
+  };
+}

config/machines/prod-castle/modules/lnbits-backup.nix

@@ -0,0 +1,177 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.lnbits-backup;
+
+in {
+  options.services.lnbits-backup = {
+    enable = mkEnableOption "LNbits Borg Backup Service";
+
+    dataPath = mkOption {
+      type = types.path;
+      default = "/var/lib/lnbits/data";
+      description = "Path to LNbits data directory";
+    };
+
+    repository = mkOption {
+      type = types.str;
+      example = "ssh://borg@192.168.1.100//mnt/my_ssd/borg-backups/lnbits";
+      description = "Borg repository location (SSH URL or user@host:/path format)";
+    };
+
+    schedule = mkOption {
+      type = types.str;
+      default = "hourly";
+      description = "Backup schedule (hourly, daily, or systemd timer format)";
+    };
+
+    compression = mkOption {
+      type = types.str;
+      default = "auto,lz4";
+      description = "Compression: auto,lz4 (Pi), auto,zstd (RockPro64). 'auto' skips already-compressed files.";
+    };
+
+    passphraseFile = mkOption {
+      type = types.path;
+      default = "/root/secrets/borg-passphrase";
+      description = "Path to Borg passphrase file";
+    };
+
+    sshKeyFile = mkOption {
+      type = types.path;
+      default = "/root/.ssh/borg_backup_key";
+      description = "SSH private key for repository access";
+    };
+
+    retention = {
+      hourly = mkOption { type = types.int; default = 24; };
+      daily = mkOption { type = types.int; default = 7; };
+      weekly = mkOption { type = types.int; default = 4; };
+      monthly = mkOption { type = types.int; default = 6; };
+    };
+
+    alertEmail = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Email for alerts (optional)";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.borgbackup.jobs.lnbits = {
+      paths = [
+        cfg.dataPath
+        "/tmp/lnbits-snapshot.sqlite3"
+      ];
+
+      exclude = [ "*.log" "*.pyc" "__pycache__" "*.tmp" ];
+      repo = cfg.repository;
+
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat ${cfg.passphraseFile}";
+      };
+
+      compression = cfg.compression;
+      startAt = cfg.schedule;
+      persistentTimer = true;  # Run missed backups after reboots
+
+      prune.keep = {
+        inherit (cfg.retention) hourly daily weekly monthly;
+      };
+
+      preHook = ''
+        echo "=== LNbits Backup Starting: $(date) ==="
+
+        if [ -f "${cfg.dataPath}/database.sqlite3" ]; then
+          echo "Creating SQLite snapshot..."
+          ${pkgs.sqlite}/bin/sqlite3 "${cfg.dataPath}/database.sqlite3" \
+            ".backup '/tmp/lnbits-snapshot.sqlite3'"
+
+          SIZE=$(stat -c%s "/tmp/lnbits-snapshot.sqlite3")
+          echo "Snapshot created: $SIZE bytes"
+
+          if [ "$SIZE" -lt 1000 ]; then
+            echo "ERROR: Snapshot too small!"
+            rm -f /tmp/lnbits-snapshot.sqlite3
+            exit 1
+          fi
+        else
+          echo "ERROR: Database not found!"
+          exit 1
+        fi
+      '';
+
+      postHook = ''
+        rm -f /tmp/lnbits-snapshot.sqlite3
+
+        # Weekly integrity check (Sundays)
+        if [ $(date +%u) -eq 7 ]; then
+          echo "Running weekly integrity check..."
+          ${pkgs.borgbackup}/bin/borg check --repository-only ${cfg.repository}
+        fi
+
+        echo "=== Backup Complete: $(date) ==="
+      '';
+
+      environment = {
+        BORG_RSH = "ssh -i ${cfg.sshKeyFile} -o StrictHostKeyChecking=accept-new";
+      };
+    };
+
+    # Install required packages and helper commands
+    environment.systemPackages = with pkgs; [
+      borgbackup
+      sqlite
+
+      (writeShellScriptBin "lnbits-borg-list" ''
+        export BORG_PASSPHRASE=$(cat ${cfg.passphraseFile})
+        export BORG_RSH="ssh -i ${cfg.sshKeyFile}"
+        ${borgbackup}/bin/borg list ${cfg.repository} "$@"
+      '')
+
+      (writeShellScriptBin "lnbits-borg-info" ''
+        export BORG_PASSPHRASE=$(cat ${cfg.passphraseFile})
+        export BORG_RSH="ssh -i ${cfg.sshKeyFile}"
+        ${borgbackup}/bin/borg info ${cfg.repository} "$@"
+      '')
+
+      (writeShellScriptBin "lnbits-borg-restore" ''
+        if [ $# -lt 1 ]; then
+          echo "Usage: lnbits-borg-restore <archive-name> [destination]"
+          echo ""
+          echo "Available archives:"
+          lnbits-borg-list
+          exit 1
+        fi
+
+        ARCHIVE="$1"
+        DEST="''${2:-/tmp/lnbits-restore}"
+
+        export BORG_PASSPHRASE=$(cat ${cfg.passphraseFile})
+        export BORG_RSH="ssh -i ${cfg.sshKeyFile}"
+
+        mkdir -p "$DEST"
+        cd "$DEST"
+        echo "Restoring to: $DEST"
+        ${borgbackup}/bin/borg extract ${cfg.repository}::$ARCHIVE
+        echo "Done! Restored files in: $DEST"
+      '')
+
+      (writeShellScriptBin "lnbits-borg-mount" ''
+        MOUNT="''${1:-/mnt/borg-browse}"
+
+        export BORG_PASSPHRASE=$(cat ${cfg.passphraseFile})
+        export BORG_RSH="ssh -i ${cfg.sshKeyFile}"
+
+        mkdir -p "$MOUNT"
+        ${borgbackup}/bin/borg mount ${cfg.repository} "$MOUNT"
+        echo "Mounted at: $MOUNT"
+        echo "Unmount: borg umount $MOUNT"
+      '')
+    ];
+  };
+}
+

config/machines/prod-castle/wireguard.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  # Enable WireGuard with WebSocket-optimized settings
+  networking.wireguard.interfaces = {
+    wg0 = {
+      # Generate with: wg genkey | tee privatekey | wg pubkey > publickey
+      privateKeyFile = "/etc/wireguard/privatekey";
+      
+      ips = [ "10.0.0.2/24" ];
+      
+      peers = [
+        {
+          publicKey = "R6uB4o5ELEKEHCvK+llRYbzdkZGDHegVmS0f08aRtWM=";
+          allowedIPs = [ "10.0.0.1/32" ];
+          endpoint = "170.75.161.21:51820";
+          persistentKeepalive = 15;
+        }
+      ];
+    };
+  };
+
+  # Systemd service optimization for WireGuard
+  systemd.services."wireguard-wg0".serviceConfig = {
+    # Restart the service if it fails
+    Restart = "on-failure";
+    RestartSec = "5s";
+  };
+}

config/modules/forgejo-vue3-app.nix

@@ -0,0 +1 @@
+/home/padreug/projects/NixOS/vue3-pwa/forgejo-vue3-app.nix

config/modules/lnbits-backup.nix

@@ -0,0 +1 @@
+/home/padreug/repos/NixOS/modules/lnbits-backup.nix

machine-specific/prod-castle/env/.env

@@ -0,0 +1,31 @@
+# App Branding
+VITE_APP_NAME=Ariège
+
+LNBITS_CUSTOM_FRONTEND_URL=https://app.ariege.io
+
+VITE_PICTRS_BASE_URL=https://img.ariege.io
+
+# Lightning Address Domain (optional)
+# Override the domain used for Lightning Addresses
+# If not set, domain will be extracted from VITE_LNBITS_BASE_URL
+# Example: mydomain.com will show addresses as username@mydomain.com
+VITE_LIGHTNING_DOMAIN=ariege.io
+
+# VITE_NOSTR_RELAYS=["wss://relay.damus.io","wss://nos.lol"]
+VITE_NOSTR_RELAYS=["wss://lnbits.ariege.io/nostrrelay/castle"]
+
+VITE_LNBITS_BASE_URL=https://lnbits.ariege.io
+# Invoice/Read Key below
+VITE_API_KEY=8d21ba88c4bb4c04a05809bd25b997dc
+
+VITE_ADMIN_PUBKEYS=["24076f99c21dfed5201087e99d9e51a6c4927b7ec7101181bb0186718bdf6c4e"]
+
+# Push Notifications
+VITE_VAPID_PUBLIC_KEY=BOJWlTx0YGI9vIMYmNOZEupe2QY7-7yt0YfzZcCEfk5Kz20tzCB5wzdU7AwfyI5D5vDUQV_mqTch4_9jMQnYMfU
+VITE_PUSH_NOTIFICATIONS_ENABLED=true
+
+# Market Configuration
+VITE_MARKET_NADDR=naddr1qqjxxcejx9jnvdfc95exyc3j956rxet9943xxcty943x2ve4xqcrsct9v5ukxqg4waehxw309aex2mrp0yhxzunfv4nk2tnfduqjvamn8ghj7vfjxuhrqt3s9ccn5dfsxqmz7mn0wd68yun9d3shjtmdv95ku6r4vgqjwamnwvaz7tmvde3xjarn9eshy6t9vajju6t09ahx7um5wfex2mrp0yhkyetwv93sygrslyar9s2wle09chkhcye4rh2nmcm8wqwaqrw3pg0cj2qv03vx65psgqqqw4ps0ur9cw
+# VITE_MARKET_RELAYS=["wss://lnbits.demo.ariege.io/nostrrelay/benac"]
+VITE_LIGHTNING_ENABLED=true
+VITE_MARKET_DEFAULT_CURRENCY=sat

machine-specific/prod-castle/images/mask-icon.svg

@@ -0,0 +1,3 @@
+<svg width="16" height="16" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path d="M13 3L4 14h7l-2 7 9-11h-7l2-7z" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>