diff --git a/README.md b/README.md
index e123ea4..09f4b47 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,7 @@ Get started
 Docs
 ---
-* [Hardware Requirements](docs/hardware.md)
+* [Hardware requirements](docs/hardware.md)
 * [Installation](docs/install.md)
 * [Configuration and maintenance](docs/configuration.md)
 * [Using services](docs/services.md)
diff --git a/docs/configuration.md b/docs/configuration.md
index fa872d5..4a64c57 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -89,21 +89,21 @@ services.bitcoind = {
 };
 # Open the p2p port in the firewall
-networking.firewall.allowedTCPPorts = [ config.services.nix-bitcoin.port ];
+networking.firewall.allowedTCPPorts = [ config.services.bitcoind.port ];
 ```
 ## Allow bitcoind RPC connections from LAN
 ```nix
 services.bitcoind = {
- # Listen to connections on all interfaces
- address = "0.0.0.0";
+ # Listen to RPC connections on all interfaces
+ rpc.address = "0.0.0.0";
 # Allow RPC connections from external addresses
 rpc.allowip = [
 "10.10.0.0/24" # Allow a subnet
 "10.50.0.3" # Allow a specific address
- "0.0.0.0" # Allow all addresses
+ "0.0.0.0/0" # Allow all addresses
 ];
 # Set this if you're using the `secure-node.nix` template
@@ -111,7 +111,7 @@ services.bitcoind = {
 };
 # Open the RPC port in the firewall
-networking.firewall.allowedTCPPorts = [ config.services.nix-bitcoin.rpc.port ];
+networking.firewall.allowedTCPPorts = [ config.services.bitcoind.rpc.port ];
 ```
 ## Allow connections to electrs
@@ -181,9 +181,26 @@ Some services require extra steps:
 Use a bitcoind instance running on another node within a nix-bitcoin config.
 ```nix
+imports = [ ];
+
 services.bitcoind = {
+ enable = true;
+ # Address of the other node
 address = "10.10.0.2";
+ rpc.address = "10.10.0.2";
+
+ # Some nix-bitcoin services require whitelisted bitcoind p2p connections
+ # to work reliably.
+ # Search for `whitelistedPort` in this repo to see the affected services.
+ # If you're using one of these services, either add a whitelisted p2p port
+ # on your remote node via `whitebind` and set it here:
+ whitelistedPort = ;
+ #
+ # Or use the default p2p port and add `whitelist=` to
+ # your remote bitcoind config:
+ whitelistedPort = config.services.bitcoind.port;
+
 rpc.users = let
 # The fully privileged bitcoind RPC username of the other node
 name = "myrpcuser";
@@ -196,8 +213,6 @@ services.bitcoind = {
 # joinmarket-ob-watcher.name = name;
 };
 };
-# Disable the local bitcoind service
-systemd.services.bitcoind.wantedBy = mkForce [];
 ```
 Now save the password of the RPC user to the following files on your nix-bitcoin node:
@@ -211,6 +226,8 @@ $secretsDir/bitcoin-rpcpassword-public
 ```
 See: [Secrets dir](#secrets-dir)
+Restart `bitcoind` after updating the secrets: `systemctl restart bitcoind`.
+
 # Temporarily disable a service
 Sometimes you might want to disable a service without removing the service user and
@@ -221,7 +238,8 @@ Use the following approach:
 ```
 systemd.services..wantedBy = mkForce [];
 ```
-This way, the systemd service still exists, but is not automatically started.
+This way, the systemd service still exists, but is not automatically started.\
+Note: This only works for services that are not required by other active services.
 # Appendix
diff --git a/helper/makeShell.nix b/helper/makeShell.nix
index 933ecb4..7dd93fb 100644
--- a/helper/makeShell.nix
+++ b/helper/makeShell.nix
@@ -106,7 +106,8 @@ pkgs.stdenv.mkDerivation {
 )}
 eval-config() {
- NIXOS_CONFIG="${cfgDir}/krops/krops-configuration.nix" nix eval --raw -f ${nixpkgs}/nixos system.outPath
+ NIXOS_CONFIG="${cfgDir}/krops/krops-configuration.nix" \
+ nix-instantiate --eval ${nixpkgs}/nixos -A system.outPath | tr -d '"'
 echo
 }
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index b38cf25..2d1ea64 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
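Review bot: `eval-config` now returns the exit status of `tr`, not of `nix-instantiate`, so an evaluation error in the new pipeline no longer fails the function the way the single `nix eval --raw` did (the whole function body is inside the hunk). Capture the evaluation result before stripping the quotes, e.g. `local out; out=$(nix-instantiate --eval ${nixpkgs}/nixos -A system.outPath) || return 1` followed by `echo "$out" | tr -d '"'`, or enable `set -o pipefail` at the top of the shell hook if other helpers there share the same pattern. A short comment on the function, such as `# Prints the store path of the evaluated system closure; fails if evaluation fails`, would also make the expected contract explicit for callers of the shell.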
@@ -398,10 +398,12 @@ in {
 install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
 fi
 '';
+ # Enable RPC access for group
 postStart = ''
 chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
 '';
+
 serviceConfig = nbLib.defaultHardening // {
 Type = "notify";
 NotifyAccess = "all";
diff --git a/modules/hardware-wallets.nix b/modules/hardware-wallets.nix
index 807fb66..d8d2871 100644
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
@@ -27,8 +27,6 @@ let
 };
 cfg = config.services.hardware-wallets;
- dataDir = "/var/lib/hardware-wallets/";
- enabled = cfg.ledger || cfg.trezor;
 in {
 inherit options;
diff --git a/modules/presets/bitcoind-remote.nix b/modules/presets/bitcoind-remote.nix
new file mode 100644
index 0000000..9c62125
--- /dev/null
+++ b/modules/presets/bitcoind-remote.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.bitcoind;
+ secretsDir = config.nix-bitcoin.secretsDir;
+in {
+ services.bitcoind = {
+ # Make the local bitcoin-cli work with the remote node
+ extraConfig = ''
+ rpcuser=${cfg.rpc.users.privileged.name}
+ '';
+ };
+
+ systemd.services.bitcoind = {
+ preStart = lib.mkAfter ''
+ echo "rpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-privileged)" >> '${cfg.dataDir}'/bitcoin.conf
+ '';
+ postStart = lib.mkForce "";
+ serviceConfig = {
+ Type = lib.mkForce "oneshot";
+ ExecStart = lib.mkForce "${pkgs.coreutils}/bin/true";
+ RemainAfterExit = true;
+ };
+ };
+}
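Review bot: The `preStart` added in the new `bitcoind-remote.nix` appends `rpcpassword=` to `bitcoin.conf` with `>>` on every service start, so unless the base `preStart` rewrites the file each time (the `if … fi` around the `install` in the bitcoind.nix hunk suggests it only does so conditionally), each restart adds another `rpcpassword=` line and a rotated secret is never picked up, which contradicts the "Restart `bitcoind` after updating the secrets" advice added to configuration.md. Make the step idempotent by dropping any earlier value before appending: `sed -i '/^rpcpassword=/d' '${cfg.dataDir}'/bitcoin.conf` directly above the `echo … >>` line. This also copies the privileged RPC password into a second on-disk file whose mode is whatever the base `preStart` gave it (`-m 640` in the bitcoind.nix hunk), and the path `'${cfg.dataDir}'/bitcoin.conf` is hard-coded while the base uses `$confFile`; if those can differ, the password ends up in a file bitcoind never reads, so a comment stating that the two paths must match, or reuse of the same variable, would help.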