From df2070b44abeaea5a988a5f597c7f522e348cbea Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 15 Oct 2021 15:56:13 +0200
Subject: [PATCH 1/2] bitcoind: add separate p2p socket for tor connections

This re-enables onion tagging while still supporting untagged connections. Onion sockets are not yet supported in the latest liquidd/elements version 0.18.1.12 available on nixpkgs.
---
modules/bitcoind.nix | 14 ++++++++++++--
modules/onion-services.nix | 8 ++++++--
2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index d2f3769..bcd12e9 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -15,6 +15,14 @@ let
 default = 8333;
 description = "Port to listen for peer connections.";
 };
+ onionPort = mkOption {
+ type = types.nullOr types.port;
+ default = null;
+ description = ''
+ Port to listen for Tor peer connections.
+ If set, inbound connections to this port are tagged as onion peers.
+ '';
+ };
 getPublicAddressCmd = mkOption {
 type = types.str;
 default = "";
@@ -253,8 +261,10 @@ let
 ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
 
 # Connection options
- ${optionalString cfg.listen "bind=${cfg.address}"}
- port=${toString cfg.port}
+ ${optionalString cfg.listen
+ "bind=${cfg.address}:${toString cfg.port}"}
+ ${optionalString (cfg.listen && cfg.onionPort != null)
+ "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
 ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
 listen=${if cfg.listen then "1" else "0"}
 ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
diff --git a/modules/onion-services.nix b/modules/onion-services.nix
index 490f136..8fa3549 100644
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
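Review bot: The new `onionPort` description does not say what bitcoind needs in order to honour it: the option is turned into a `bind=<addr>:<port>=onion` line, a suffix that older daemons do not understand (the commit message itself notes elements 0.18.1.12 lacks it), and a daemon that rejects that line refuses to start rather than falling back to an untagged socket. I would extend the description with `Requires a bitcoind release that supports "bind=<addr>:<port>=onion"; older releases fail to start when this is set.` and, because the socket is bound on the module's `address` option, `Only the local Tor daemon should be able to reach this port.` Whether the installed bitcoind package accepts the suffix cannot be seen from this hunk.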
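Review bot: Both new `bind` lines splice `cfg.address` directly in front of `:<port>`, which breaks for an IPv6 literal (bitcoind expects `[::1]:8333`, not `::1:8333`), whereas the old `bind=${cfg.address}` plus a separate `port=` line had no such problem; onion-services.nix in this same patch routes addresses through `nbLib.address`, so if that helper is in scope here and brackets IPv6 addresses the lines should read `"bind=${nbLib.address cfg.address}:${toString cfg.port}"}` and `"bind=${nbLib.address cfg.address}:${toString cfg.onionPort}=onion"}`. Separately, the onion-tagged socket is bound on the same `cfg.address` as the clearnet socket, so if that address is not a loopback address any peer that can reach `onionPort` is accounted by bitcoind as an onion peer without ever touching Tor; a comment such as `# Must only be reachable by the local Tor daemon` or an assertion that the address is loopback when `onionPort != null` would make that expectation explicit. Note also that `port=` is no longer emitted at all when `listen` is false, a behaviour change the commit message does not mention. The `extraConfig` string these lines belong to starts and ends outside this hunk.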
@@ -18,7 +18,7 @@ let
 default = config.public;
 description = ''
 Create an onion service for the given service.
- The service must define options 'address' and 'port'.
+ The service must define options 'address' and 'onionPort' (or `port`).
 '';
 };
 public = mkOption {
@@ -64,7 +64,7 @@ in {
 inherit (cfg.${name}) externalPort;
 in nbLib.mkOnionService {
 port = if externalPort != null then externalPort else service.port;
- target.port = service.port;
+ target.port = service.onionPort or service.port;
 target.addr = nbLib.address service.address;
 }
 );
@@ -118,6 +118,10 @@ in {
 externalPort = 80;
 };
 };
+
+ # When the bitcoind onion service is enabled, add an onion-tagged socket
+ # to distinguish local connections from Tor connections
+ services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
 }
 ];
 }
From ec4a4dbe4117857231e39524b792025968dd1fc9 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 15 Oct 2021 15:56:14 +0200
Subject: [PATCH 2/2] btcpayserver: fix whitelist security issue

Whitelisting localhost implicitly whitelists all inbound onion connections. This prevents banning misbehaving inbound onion peers and enables message `mempool` which can cause privacy leaks. Instead, grant `download` as the single bitcoind whitelist permission, which should be safe for onion peers. Remove liquidd whitelisting because it doesn't support fine-grained permissions. After a cursory glance at the nbxplorer code I think that nbxplorer requires none of the other default whitelist permissions (noban, mempool, relay). Details: https://github.com/dgarage/NBXplorer/issues/344
---
modules/btcpayserver.nix | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index cc959aa..4a95900 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
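Review bot: `service.onionPort or service.port` only falls back when the attribute is absent, but bitcoind's `onionPort` is now a declared option whose default is `null`, so for a service where the attribute exists and is null the target port evaluates to null rather than to `service.port`. The fallback should test the value, e.g. `target.port = if (service.onionPort or null) != null then service.onionPort else service.port;`. The last hunk of this file sets bitcoind's value to 8334 whenever its onion service is enabled, so the null case is only reached when that definition is bypassed, but the expression should not depend on that. The `mkOnionService` call this line belongs to starts and ends outside the hunk.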
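Review bot: The port is pinned with a plain `mkIf (…) 8334`, so a user who sets `services.bitcoind.onionPort` to any other value gets a conflicting-definition error instead of an override, and nothing records why 8334 was chosen. Use `services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) (mkDefault 8334);` and extend the comment with `# 8334 is an arbitrary port next to the clearnet p2p port; it must not collide with another local listener.` The enclosing attribute set starts outside this hunk.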
@@ -119,7 +119,7 @@ in {
 # Enable p2p connections
 listen = true;
 extraConfig = ''
- whitelist=${nbLib.address cfg.nbxplorer.address}
+ whitelist=download@${nbLib.address cfg.nbxplorer.address}
 '';
 };
 services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
@@ -128,9 +128,6 @@ in {
 enable = true;
 # Enable p2p connections
 listen = true;
- extraConfig = ''
- whitelist=${nbLib.address cfg.nbxplorer.address}
- '';
 };
 services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
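Review bot: The `download` grant is still matched on the source address, so the inbound Tor connections that motivated this patch (which, per the commit message, arrive from the same local address) keep it too; as documented for Bitcoin Core's whitelist permissions, `download` exempts a peer from the `maxuploadtarget` budget, so an onion peer can still draw unbounded block-serving bandwidth — the message calls that acceptable, but the file does not record it. I would put the reasoning next to the line so the other permissions are not re-added casually: `# nbxplorer only needs 'download'. Do not add noban/mempool/relay: this address also` / `# matches inbound Tor peers, which must stay bannable and must not see our mempool.` The `<perm>@<addr>` syntax also needs a bitcoind with per-permission whitelists (I believe 0.19 or later), which this module does not check. The enclosing `services.bitcoind` attribute set starts outside this hunk.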