electrs: remove TLSProxy

https://github.com/spesmilo/electrum/issues/5278 was resolved
This commit is contained in:
nixbitcoin 2020-05-10 16:13:20 +02:00
parent 6856b8cb42
commit 4dbc348921
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
6 changed files with 14 additions and 106 deletions

View File

@ -63,7 +63,7 @@ Connect to electrs
### Requirements Android
* Android phone
* [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
* [Electrum mobile app](https://electrum.org/#home) installed from [direct download](https://electrum.org/#download) or [Google Play](https://play.google.com/store/apps/details?id=org.electrum.electrum)
* [Electrum mobile app](https://electrum.org/#home) 4.0.1 and newer installed from [direct download](https://electrum.org/#download) or [Google Play](https://play.google.com/store/apps/details?id=org.electrum.electrum)
### Requirements Desktop
* [Tor](https://www.torproject.org/) installed from [source](https://www.torproject.org/docs/tor-doc-unix.html.en) or [repository](https://www.torproject.org/docs/debian.html.en)
@ -94,22 +94,20 @@ Connect to electrs
4. Connect to electrs
On electrum wallet laptop
Make sure Tor is running on Desktop or as Orbot on Android.
On Desktop
```
electrum --oneserver --server=<ELECTRS_ONION>:50002:s --proxy=socks5:localhost:9050
electrum --oneserver -1 -s "<ELECTRS_ONION>:50001:t" -p socks5:localhost:9050
```
On electrum android phone
On Android
```
Three dots in the upper-right-hand corner
Network
Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
Ok
Server
Host: <ELECTRS_ONION>, Port: 50002
Ok
Auto-connect: OFF
One-server mode: ON
Network > Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
Network > Auto-connect: OFF
Network > One-server mode: ON
Network > Server: <ELECTRS_ONION>:50001:t
```
Connect to nix-bitcoin node through ssh Tor Hidden Service

View File

@ -6,10 +6,6 @@ let
inherit (config) nix-bitcoin-services;
secretsDir = config.nix-bitcoin.secretsDir;
in {
imports = [
(mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
];
options.services.electrs = {
enable = mkEnableOption "electrs";
dataDir = mkOption {
@ -17,14 +13,6 @@ in {
default = "/var/lib/electrs";
description = "The data directory for electrs.";
};
# Needed until electrs tls proxy is removed
host = mkOption {
type = types.str;
default = "localhost";
description = ''
The host on which incoming connections arrive.
'';
};
user = mkOption {
type = types.str;
default = "electrs";
@ -64,18 +52,10 @@ in {
default = "";
description = "Extra command line arguments passed to electrs.";
};
TLSProxy = {
enable = mkEnableOption "Nginx TLS proxy";
port = mkOption {
type = types.port;
default = 50003;
description = "Port on which to listen for TLS client connections.";
};
};
enforceTor = nix-bitcoin-services.enforceTor;
};
config = mkIf cfg.enable (mkMerge [{
config = mkIf cfg.enable {
assertions = [
{ assertion = config.services.bitcoind.prune == 0;
message = "electrs does not support bitcoind pruning.";
@ -132,53 +112,5 @@ in {
extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
};
users.groups.${cfg.group} = {};
}
(mkIf cfg.TLSProxy.enable {
services.nginx = {
enable = true;
appendConfig = let
address =
if cfg.address == "0.0.0.0" then
"127.0.0.1"
else if cfg.address == "::" then
"::1"
else
cfg.address;
in ''
stream {
upstream electrs {
server ${address}:${toString cfg.port};
}
server {
listen ${toString cfg.TLSProxy.port} ssl;
proxy_pass electrs;
ssl_certificate ${secretsDir}/nginx-cert;
ssl_certificate_key ${secretsDir}/nginx-key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
}
}
'';
};
systemd.services = {
electrs.wants = [ "nginx.service" ];
nginx = {
requires = [ "nix-bitcoin-secrets.target" ];
after = [ "nix-bitcoin-secrets.target" ];
};
};
nix-bitcoin.secrets = rec {
nginx-key = {
user = "nginx";
group = "root";
};
nginx-cert = nginx-key;
};
})
]);
}

View File

@ -102,8 +102,7 @@ in {
};
electrs = {
id = 16;
connections = [ "bitcoind" ]
++ ( optionals config.services.electrs.TLSProxy.enable [ "nginx" ]);
connections = [ "bitcoind" ];
};
spark-wallet = {
id = 17;
@ -270,7 +269,6 @@ in {
# electrs: Custom netns configs
services.electrs = mkIf config.services.electrs.enable {
host = if config.services.electrs.TLSProxy.enable then netns.nginx.address else netns.electrs.address;
address = netns.electrs.address;
daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}";
};

View File

@ -29,11 +29,6 @@ in {
default = 9735;
description = "Port on which to listen for tor client connections.";
};
services.electrs.onionport = mkOption {
type = types.port;
default = 50002;
description = "Port on which to listen for tor client connections.";
};
nix-bitcoin.operatorName = mkOption {
type = types.str;
default = "operator";
@ -113,14 +108,8 @@ in {
services.electrs = {
port = 50001;
enforceTor = true;
TLSProxy.enable = true;
TLSProxy.port = 50003;
};
services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
port = cfg.electrs.onionport;
toPort = if cfg.electrs.TLSProxy.enable then cfg.electrs.TLSProxy.port else cfg.electrs.port;
toHost = cfg.electrs.host;
});
services.tor.hiddenServices.electrs = mkHiddenService { port = cfg.electrs.port; toHost = cfg.electrs.address; };
services.spark-wallet = {
onion-service = true;

View File

@ -16,13 +16,6 @@ makePasswordSecret spark-wallet-password
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
if [[ ! -e nginx-key || ! -e nginx-cert ]]; then
openssl genrsa -out nginx-key 2048
openssl req -new -key nginx-key -out nginx.csr -subj '/CN=localhost/O=electrs'
openssl x509 -req -days 1825 -in nginx.csr -signkey nginx-key -out nginx-cert
rm nginx.csr
fi
if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
openssl ecparam -genkey -name prime256v1 -out lnd-key
openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'

View File

@ -40,8 +40,6 @@ extractPassword liquidrpcpassword liquid-rpcpassword
extractPassword lightning-charge-api-token lightning-charge-token
extractPassword spark-wallet-password
rename nginx.key nginx-key
rename nginx.cert nginx-cert
rename lnd.key lnd-key
rename lnd.cert lnd-cert