From 4dbc348921bffe19bd2c26f8313ace17f3e0cb61 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Sun, 10 May 2020 16:13:20 +0200
Subject: [PATCH] electrs: remove TLSProxy

https://github.com/spesmilo/electrum/issues/5278 was resolved
---
 docs/usage.md | 22 ++++---
 modules/electrs.nix | 72 +----------------------
 modules/netns-isolation.nix | 4 +-
 modules/presets/secure-node.nix | 13 +---
 pkgs/generate-secrets/generate-secrets.sh | 7 ---
 pkgs/generate-secrets/update-secrets.sh | 2 -
 6 files changed, 14 insertions(+), 106 deletions(-)

diff --git a/docs/usage.md b/docs/usage.md
index be7675c..5f54222 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -63,7 +63,7 @@ Connect to electrs
 ### Requirements Android
 * Android phone
 * [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
-* [Electrum mobile app](https://electrum.org/#home) installed from [direct download](https://electrum.org/#download) or [Google Play](https://play.google.com/store/apps/details?id=org.electrum.electrum)
+* [Electrum mobile app](https://electrum.org/#home) 4.0.1 and newer installed from [direct download](https://electrum.org/#download) or [Google Play](https://play.google.com/store/apps/details?id=org.electrum.electrum)
 ### Requirements Desktop
 * [Tor](https://www.torproject.org/) installed from [source](https://www.torproject.org/docs/tor-doc-unix.html.en) or [repository](https://www.torproject.org/docs/debian.html.en)
@@ -94,22 +94,20 @@ Connect to electrs
 4. Connect to electrs
- On electrum wallet laptop
+ Make sure Tor is running on Desktop or as Orbot on Android.
+
+ On Desktop
 ```
- electrum --oneserver --server=:50002:s --proxy=socks5:localhost:9050
+ electrum --oneserver -1 -s ":50001:t" -p socks5:localhost:9050
 ```
- On electrum android phone
+ On Android
 ```
 Three dots in the upper-right-hand corner
- Network
- Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
- Ok
- Server
- Host: , Port: 50002
- Ok
- Auto-connect: OFF
- One-server mode: ON
+ Network > Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
+ Network > Auto-connect: OFF
+ Network > One-server mode: ON
+ Network > Server: :50001:t
 ```
 Connect to nix-bitcoin node through ssh Tor Hidden Service
diff --git a/modules/electrs.nix b/modules/electrs.nix
index a8773a6..da2de1b 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@@ -6,10 +6,6 @@ let
 inherit (config) nix-bitcoin-services;
 secretsDir = config.nix-bitcoin.secretsDir;
 in {
- imports = [
- (mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
- ];
-
 options.services.electrs = {
 enable = mkEnableOption "electrs";
 dataDir = mkOption {
@@ -17,14 +13,6 @@ in {
 default = "/var/lib/electrs";
 description = "The data directory for electrs.";
 };
- # Needed until electrs tls proxy is removed
- host = mkOption {
- type = types.str;
- default = "localhost";
- description = ''
- The host on which incoming connections arrive.
- '';
- };
 user = mkOption {
 type = types.str;
 default = "electrs";
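Review bot: Deleting the `imports` list at the top of the `@@ -6,10` hunk, together with the `host` option in the `@@ -17,14` hunk and `TLSProxy` in the `@@ -64,18` hunk, leaves no tombstone for these option paths, so any existing configuration that still sets `services.electrs.nginxport`, `services.electrs.host`, `services.electrs.TLSProxy.enable` or `services.electrs.TLSProxy.port` will now fail evaluation with a generic "option does not exist" error instead of a migration hint. A removed-option stub keeps the failure actionable, e.g. `(mkRemovedOptionModule [ "services" "electrs" "TLSProxy" "enable" ] "The TLS proxy was removed; connect to electrs through the Tor hidden service instead.")` kept in the `imports` list, with matching entries for `TLSProxy.port`, `host` and `nginxport`. The module's `options` and `config` sets continue outside these hunks.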
@@ -64,18 +52,10 @@ in {
 default = "";
 description = "Extra command line arguments passed to electrs.";
 };
- TLSProxy = {
- enable = mkEnableOption "Nginx TLS proxy";
- port = mkOption {
- type = types.port;
- default = 50003;
- description = "Port on which to listen for TLS client connections.";
- };
- };
 enforceTor = nix-bitcoin-services.enforceTor;
 };
- config = mkIf cfg.enable (mkMerge [{
+ config = mkIf cfg.enable {
 assertions = [
 { assertion = config.services.bitcoind.prune == 0;
 message = "electrs does not support bitcoind pruning.";
@@ -132,53 +112,5 @@ in {
 extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
 };
 users.groups.${cfg.group} = {};
- }
-
- (mkIf cfg.TLSProxy.enable {
- services.nginx = {
- enable = true;
- appendConfig = let
- address =
- if cfg.address == "0.0.0.0" then
- "127.0.0.1"
- else if cfg.address == "::" then
- "::1"
- else
- cfg.address;
- in ''
- stream {
- upstream electrs {
- server ${address}:${toString cfg.port};
- }
-
- server {
- listen ${toString cfg.TLSProxy.port} ssl;
- proxy_pass electrs;
-
- ssl_certificate ${secretsDir}/nginx-cert;
- ssl_certificate_key ${secretsDir}/nginx-key;
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 4h;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- }
- }
- '';
- };
- systemd.services = {
- electrs.wants = [ "nginx.service" ];
- nginx = {
- requires = [ "nix-bitcoin-secrets.target" ];
- after = [ "nix-bitcoin-secrets.target" ];
- };
- };
- nix-bitcoin.secrets = rec {
- nginx-key = {
- user = "nginx";
- group = "root";
- };
- nginx-cert = nginx-key;
- };
- })
- ]);
+ };
 }
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 22eaf12..f9ba6d6 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -102,8 +102,7 @@ in {
 };
 electrs = {
 id = 16;
- connections = [ "bitcoind" ]
- ++ ( optionals config.services.electrs.TLSProxy.enable [ "nginx" ]);
+ connections = [ "bitcoind" ];
 };
 spark-wallet = {
 id = 17;
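Review bot: With the nginx `stream` block removed in the `@@ -132,53` hunk, nothing in this module terminates TLS any more, so electrs now speaks the Electrum protocol in the clear on `cfg.address:cfg.port` and the transport security of a client session rests entirely on the connection arriving through the Tor onion service. That is acceptable for a loopback or netns address, but the module does not stop `services.electrs.address` from being set to a LAN or public address, in which case every wallet query and its replies are observable on the wire; the `address` option's description (defined outside this hunk) should state it, e.g. `Address on which electrs listens. The connection is unencrypted; expose it only through the Tor hidden service or on a loopback/netns address.` The deleted `ssl_protocols TLSv1.2 TLSv1.3` line was also the only place a minimum TLS version was pinned, so if a TLS front-end is ever reintroduced that setting should return with it. The `config` attribute set this hunk closes begins in the `@@ -64,18` hunk above, and the two electrs.nix hunks are only correct together since the second one balances the `(mkMerge [{` that the first removes.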
@@ -270,7 +269,6 @@ in {
 # electrs: Custom netns configs
 services.electrs = mkIf config.services.electrs.enable {
- host = if config.services.electrs.TLSProxy.enable then netns.nginx.address else netns.electrs.address;
 address = netns.electrs.address;
 daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}";
 };
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 269557e..7d5cfe3 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -29,11 +29,6 @@ in {
 default = 9735;
 description = "Port on which to listen for tor client connections.";
 };
- services.electrs.onionport = mkOption {
- type = types.port;
- default = 50002;
- description = "Port on which to listen for tor client connections.";
- };
 nix-bitcoin.operatorName = mkOption {
 type = types.str;
 default = "operator";
@@ -113,14 +108,8 @@ in {
 services.electrs = {
 port = 50001;
 enforceTor = true;
- TLSProxy.enable = true;
- TLSProxy.port = 50003;
 };
- services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
- port = cfg.electrs.onionport;
- toPort = if cfg.electrs.TLSProxy.enable then cfg.electrs.TLSProxy.port else cfg.electrs.port;
- toHost = cfg.electrs.host;
- });
+ services.tor.hiddenServices.electrs = mkHiddenService { port = cfg.electrs.port; toHost = cfg.electrs.address; };
 services.spark-wallet = {
 onion-service = true;
diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh
index 3ccbd3f..6bb6e9d 100755
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
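Review bot: The new `services.tor.hiddenServices.electrs` line in the `@@ -113,14` hunk drops the `mkIf cfg.electrs.enable` guard that the replaced version carried, so the preset now registers an electrs onion service unconditionally, including on nodes where electrs is disabled and nothing listens on `cfg.electrs.address:cfg.electrs.port`. Unless that is deliberate for consistency with the other hidden services in this file (not visible here), keep the guard: `services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService { port = cfg.electrs.port; toHost = cfg.electrs.address; });`. The onion port also silently moves from the old `onionport` default 50002 to `cfg.electrs.port` (50001), and the `@@ -29,11` hunk removes `services.electrs.onionport` with no removed-option stub, so existing clients and configurations need that migration called out in the commit message or a changelog entry.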
@@ -16,13 +16,6 @@ makePasswordSecret spark-wallet-password
 [[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
 [[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
-if [[ ! -e nginx-key || ! -e nginx-cert ]]; then
- openssl genrsa -out nginx-key 2048
- openssl req -new -key nginx-key -out nginx.csr -subj '/CN=localhost/O=electrs'
- openssl x509 -req -days 1825 -in nginx.csr -signkey nginx-key -out nginx-cert
- rm nginx.csr
-fi
-
 if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
 openssl ecparam -genkey -name prime256v1 -out lnd-key
 openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'
diff --git a/pkgs/generate-secrets/update-secrets.sh b/pkgs/generate-secrets/update-secrets.sh
index c9600aa..e78a3a9 100644
--- a/pkgs/generate-secrets/update-secrets.sh
+++ b/pkgs/generate-secrets/update-secrets.sh
@@ -40,8 +40,6 @@ extractPassword liquidrpcpassword liquid-rpcpassword
 extractPassword lightning-charge-api-token lightning-charge-token
 extractPassword spark-wallet-password
-rename nginx.key nginx-key
-rename nginx.cert nginx-cert
 rename lnd.key lnd-key
 rename lnd.cert lnd-cert
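Review bot: Removing the `nginx-key`/`nginx-cert` generation here (and the matching `rename` lines in the `update-secrets.sh` hunk) stops fresh installs from creating the material, but an existing node keeps a now-unused RSA private key in whatever directory this script writes into (presumably the secrets directory, given the relative paths), with nothing that deletes it and, since `modules/electrs.nix` no longer lists it under `nix-bitcoin.secrets`, nothing that manages its ownership or mode any more. A cleanup step such as `rm -f nginx-key nginx-cert nginx.csr` placed where the old block stood, or at least a migration note telling operators to remove those files, would close that gap. I cannot tell from this hunk whether a separate stale-secret cleanup mechanism already exists, and the rest of the script lies outside the view.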