enable-tor: disable default onion services for clightning, lnd, btcpayserver
In the case of btcpayserver, the default onion service is a security risk because any visitor can register an admin account on a freshly set-up node.
This commit is contained in:
parent
18c7842e1a
commit
2a240d6f4a
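--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -48,7 +48,7 @@ See the [examples directory](examples/README.md).
 Features
 ---
 A [configuration preset](modules/presets/secure-node.nix) for setting up a secure node
-* All applications use Tor for outbound connections and accept inbound connections via onion services.
+* All applications use Tor for outbound connections and support accepting inbound connections via onion services.
 * Includes a [nodeinfo](modules/nodeinfo.nix) script which prints basic info about the node.
 
 NixOS modules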
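--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -11,7 +11,7 @@ nix-shell
 
 The following example scripts set up a nix-bitcoin node according to [`configuration.nix`](configuration.nix) and then
 shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\
-By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning` (with an onion service).
+By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning`.
 
 - [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
 This is the fastest way to set up a node.\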
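--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -96,6 +96,12 @@
 # The lightning backend service automatically enabled.
 # Afterwards you need to go into Store > General Settings > Lightning Nodes
 # and click to use "the internal lightning node of this BTCPay Server".
+#
+# Set this to create an onion service to make the btcpayserver web interface
+# accessible via Tor.
+# Security WARNING: Create a btcpayserver administrator account before allowing
+# public access to the web interface.
+# nix-bitcoin.onionServices.btcpayserver.enable = true;
 
 ### LIQUIDD
 # Enable this module to use Liquid, a sidechain for an inter-exchange
@@ -206,5 +212,5 @@
 # The nix-bitcoin release version that your config is compatible with.
 # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
 # an error and provide hints for migrating your config to the new release.
-nix-bitcoin.configVersion = "0.0.26";
+nix-bitcoin.configVersion = "0.0.30";
 }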
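--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -26,11 +26,8 @@ in {
 # Add onion services for incoming connections
 nix-bitcoin.onionServices = {
 bitcoind.enable = defaultTrue;
-clightning.enable = defaultTrue;
-lnd.enable = defaultTrue;
 liquidd.enable = defaultTrue;
 electrs.enable = defaultTrue;
-btcpayserver.enable = defaultTrue;
 spark-wallet.enable = defaultTrue;
 };
 }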
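--- a/PATH-NOT-SHOWN-5
+++ b/PATH-NOT-SHOWN-5
@@ -5,7 +5,19 @@ let
 version = config.nix-bitcoin.configVersion;
 
 # Sorted by increasing version numbers
-changes = [
+changes = let
+mkOnionServiceChange = service: {
+version = "0.0.30";
+condition = config.services.${service}.enable;
+message = ''
+The onion service for ${service} has been disabled in the default
+configuration (`secure-node.nix`).
+
+To enable the onion service, add the following to your configuration:
+nix-bitcon.onionServices.${service}.enable = true;
+'';
+};
+in [
 {
 version = "0.0.26";
 condition = config.services.joinmarket.enable;
@@ -54,6 +66,9 @@ let
 https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/v0.8.0/docs/NATIVE-SEGWIT-UPGRADE.md
 '';
 }
+(mkOnionServiceChange "clightning")
+(mkOnionServiceChange "lnd")
+(mkOnionServiceChange "btcpayserver")
 ];
 
 incompatibleChanges = optionals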
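Review bot: The migration hint inside `mkOnionServiceChange` misspells the attribute path (`nix-bitcon.onionServices.${service}.enable = true;`), so a user who pastes it verbatim gets an unknown-option error instead of their onion service back; it should read `nix-bitcoin.onionServices.${service}.enable = true;`. Since the commit message names unauthenticated admin registration on a fresh btcpayserver as the reason for this change, the shared message drops that rationale for exactly the service where it matters: the btcpayserver entry should carry the same "create an administrator account before allowing public access to the web interface" warning the example configuration's comment now has, for instance via an optional extra-text argument to `mkOnionServiceChange`. The `condition` also triggers for every user with the service enabled, including those who already set the onion-service option explicitly; whether this module can read `config.nix-bitcoin.onionServices` here without evaluation recursion is not visible in the hunk, so I would only flag it. The enclosing `let` block starts before the first hunk and the `changes` list is cut across the two hunks.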