Merge fort-nix/nix-bitcoin#428: Add `presets/bitcoind-remote.nix`

6b539627ee add presets/bitcoind-remote.nix (Erik Arvstedt) 5915a34891 configuration.md: fixes (Erik Arvstedt) 1596b3a5d2 minor fixes (Erik Arvstedt) 627b11d21b makeShell: use old nix tooling (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: utACK 6b539627ee Tree-SHA512: 2abdeaef03773631aae54dccdb95c671a0140dfbec28ff554b52400b1656612fb23fd482154716601c1476599a915d6a06af28744d0ee8b61a94ffad3fa68468
2021-12-07 19:40:10 +00:00 · 2021-12-07 19:40:10 +00:00 · 729888c62a
parent 8a7ec27e6d 6b539627ee
commit 729888c62a
6 changed files with 56 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -49,7 +49,7 @@ Get started
 Docs
 ---
-* [Hardware Requirements](docs/hardware.md)
+* [Hardware requirements](docs/hardware.md)
 * [Installation](docs/install.md)
 * [Configuration and maintenance](docs/configuration.md)
 * [Using services](docs/services.md)
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -89,21 +89,21 @@ services.bitcoind = {
 };
 # Open the p2p port in the firewall
-networking.firewall.allowedTCPPorts = [ config.services.nix-bitcoin.port ];
+networking.firewall.allowedTCPPorts = [ config.services.bitcoind.port ];
 ```
 ## Allow bitcoind RPC connections from LAN
 ```nix
 services.bitcoind = {
-  # Listen to connections on all interfaces
+  # Listen to RPC connections on all interfaces
-  address = "0.0.0.0";
+  rpc.address = "0.0.0.0";
  # Allow RPC connections from external addresses
  rpc.allowip = [
    "10.10.0.0/24" # Allow a subnet
    "10.50.0.3" # Allow a specific address
-    "0.0.0.0" # Allow all addresses
+    "0.0.0.0/0" # Allow all addresses
  ];
  # Set this if you're using the `secure-node.nix` template
@ -111,7 +111,7 @@ services.bitcoind = {
 };
 # Open the RPC port in the firewall
-networking.firewall.allowedTCPPorts = [ config.services.nix-bitcoin.rpc.port ];
+networking.firewall.allowedTCPPorts = [ config.services.bitcoind.rpc.port ];
 ```
 ## Allow connections to electrs
@ -181,9 +181,26 @@ Some services require extra steps:
 Use a bitcoind instance running on another node within a nix-bitcoin config.
 ```nix
 imports = [ <nix-bitcoin/modules/presets/bitcoind-remote.nix> ];
 services.bitcoind = {
  enable = true;
  # Address of the other node
  address = "10.10.0.2";
  rpc.address = "10.10.0.2";
  # Some nix-bitcoin services require whitelisted bitcoind p2p connections
  # to work reliably.
  # Search for `whitelistedPort` in this repo to see the affected services.
  # If you're using one of these services, either add a whitelisted p2p port
  # on your remote node via `whitebind` and set it here:
  whitelistedPort = <remote whitebind RPC port>;
  #
  # Or use the default p2p port and add `whitelist=<address of this node>` to
  # your remote bitcoind config:
  whitelistedPort = config.services.bitcoind.port;
  rpc.users = let
    # The fully privileged bitcoind RPC username of the other node
    name = "myrpcuser";
@ -196,8 +213,6 @@ services.bitcoind = {
    # joinmarket-ob-watcher.name = name;
  };
 };
 # Disable the local bitcoind service
 systemd.services.bitcoind.wantedBy = mkForce [];
 ```
 Now save the password of the RPC user to the following files on your nix-bitcoin node:
@ -211,6 +226,8 @@ $secretsDir/bitcoin-rpcpassword-public
 ```
 See: [Secrets dir](#secrets-dir)
 Restart `bitcoind` after updating the secrets: `systemctl restart bitcoind`.
 # Temporarily disable a service
 Sometimes you might want to disable a service without removing the service user and
@ -221,7 +238,8 @@ Use the following approach:
 ```
 systemd.services.<service>.wantedBy = mkForce [];
 ```
-This way, the systemd service still exists, but is not automatically started.
+This way, the systemd service still exists, but is not automatically started.\
 Note: This only works for services that are not required by other active services.
 # Appendix
--- a/helper/makeShell.nix
+++ b/helper/makeShell.nix
@ -106,7 +106,8 @@ pkgs.stdenv.mkDerivation {
    )}
    eval-config() {
-      NIXOS_CONFIG="${cfgDir}/krops/krops-configuration.nix" nix eval --raw -f ${nixpkgs}/nixos system.outPath
+      NIXOS_CONFIG="${cfgDir}/krops/krops-configuration.nix" \
        nix-instantiate --eval ${nixpkgs}/nixos -A system.outPath | tr -d '"'
      echo
    }
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -398,10 +398,12 @@ in {
          install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
        fi
      '';
      # Enable RPC access for group
      postStart = ''
        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
      '';
      serviceConfig = nbLib.defaultHardening // {
        Type = "notify";
        NotifyAccess = "all";
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
@ -27,8 +27,6 @@ let
  };
  cfg = config.services.hardware-wallets;
  dataDir = "/var/lib/hardware-wallets/";
  enabled = cfg.ledger || cfg.trezor;
 in {
  inherit options;
--- a/modules/presets/bitcoind-remote.nix
+++ b/modules/presets/bitcoind-remote.nix
@ -0,0 +1,25 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.bitcoind;
  secretsDir = config.nix-bitcoin.secretsDir;
 in {
  services.bitcoind = {
    # Make the local bitcoin-cli work with the remote node
    extraConfig = ''
      rpcuser=${cfg.rpc.users.privileged.name}
    '';
  };
  systemd.services.bitcoind = {
    preStart = lib.mkAfter ''
      echo "rpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-privileged)" >> '${cfg.dataDir}'/bitcoin.conf
    '';
    postStart = lib.mkForce "";
    serviceConfig = {
      Type = lib.mkForce "oneshot";
      ExecStart = lib.mkForce "${pkgs.coreutils}/bin/true";
      RemainAfterExit = true;
    };
  };
 }