yash/crypto_alert_bot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
crypto_alert_bot/NIX.md
yash 7eb4977b99 flake
2026-02-26 16:30:56 +03:00

5.3 KiB
Raw Blame History

NixOS Deployment

Flake outputs

Output Description
packages.default The crypto-alert-bot binary
devShells.default Dev shell with Go toolchain, gopls, golangci-lint, go-migrate
nixosModules.default NixOS module that runs the bot as a systemd service

NixOS module

The module handles all infrastructure automatically:

  • Enables and configures services.postgresql
  • Creates the crypto-alert-bot database and PostgreSQL role
  • Connects via Unix socket using peer authentication (no password)
  • Creates a dedicated system user crypto-alert-bot
  • Runs the bot as a hardened systemd service

The only secret you need to supply is the Telegram bot token, via a file path.

Options

Option Type Default Description
enable bool false Enable the service
package package flake default Override the binary package
telegramTokenFile path Required. Path to a file containing the bot token
dbName string "crypto-alert-bot" PostgreSQL database name
logLevel debug|info|warn|error "info" Log verbosity
logEncoding console|json "json" Log format
logServiceName string "alert-bot" Service name field in log output
bybitBaseUrl string "https://api.bybit.com" Bybit REST API base URL

Minimal configuration

# flake.nix of your NixOS config
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    crypto-alert-bot.url = "github:youruser/crypto_alert_bot";
    agenix.url = "github:ryantm/agenix";
  };

  outputs = { nixpkgs, crypto-alert-bot, agenix, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      modules = [
        crypto-alert-bot.nixosModules.default
        agenix.nixosModules.default
        ./configuration.nix
      ];
    };
  };
}

# configuration.nix
services.crypto-alert-bot = {
  enable = true;
  telegramTokenFile = config.age.secrets.telegram-token.path;
};

Encrypting the Telegram token with agenix

agenix encrypts secrets with age and decrypts them at boot using SSH host keys already present on the machine. Encrypted secret files are safe to commit to your NixOS config repository.

1. Install age and agenix

# age — encryption tool
nix shell nixpkgs#age

# agenix CLI — manages encrypted secret files
nix shell github:ryantm/agenix

2. Collect recipient public keys

agenix encrypts each secret for one or more recipients. Typical recipients:

  • SSH host key of the target machine (used for decryption at boot)
  • Your personal SSH key (used so you can re-encrypt or rotate secrets from your workstation)
# Get the host's SSH public key (run on the target machine or from your config)
cat /etc/ssh/ssh_host_ed25519_key.pub

# Get your personal SSH public key
cat ~/.ssh/id_ed25519.pub

3. Create secrets.nix

In the root of your NixOS config repository, create secrets/secrets.nix. This file declares which keys can decrypt each secret — it is not sensitive and should be committed.

# secrets/secrets.nix
let
  # SSH public key of the target host
  host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... root@myhost";

  # Your personal SSH public key (for re-encryption from your workstation)
  me = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@workstation";
in
{
  "telegram-token.age".publicKeys = [ host me ];
}

4. Encrypt the token

cd secrets/

# agenix will open $EDITOR so you can type the token, then encrypt on save
agenix -e telegram-token.age

Type (or paste) the raw token value — just the token string, no quotes, no newline:

1234567890:ABCdefGHIjklMNOpqrSTUvwxYZ

Save and close the editor. agenix writes telegram-token.age — this encrypted file is safe to commit.

5. Wire the secret into your NixOS config

# configuration.nix
{ config, ... }:
{
  # Declare the secret; agenix decrypts it at boot to /run/agenix/telegram-token
  age.secrets.telegram-token = {
    file = ./secrets/telegram-token.age;
    # The service user must be able to read the decrypted file
    owner = "crypto-alert-bot";
    mode  = "0400";
  };

  services.crypto-alert-bot = {
    enable = true;
    telegramTokenFile = config.age.secrets.telegram-token.path;
    # Optionally tune logging:
    # logLevel    = "debug";
    # logEncoding = "console";
  };
}

6. Deploy

nixos-rebuild switch --flake .#myhost

At boot, agenix decrypts telegram-token.age using the host's SSH private key and places the plaintext at /run/agenix/telegram-token (mode 0400, owned by crypto-alert-bot). The bot service reads the token from that path at start time.

Rotating the token

Edit the encrypted file from your workstation with your personal SSH key:

cd secrets/
agenix -e telegram-token.age   # opens $EDITOR with decrypted content
# change the value, save, close
git add telegram-token.age && git commit -m "rotate telegram token"

Then redeploy:

nixos-rebuild switch --flake .#myhost
systemctl restart crypto-alert-bot

Development shell

nix develop

# Start the database locally (Docker or Podman)
docker compose up -d

# Run the bot
CONFIG_PATH=./internal/config/local.yml go run ./cmd/app/main.go