Merge fort-nix/nix-bitcoin#405: bitcoind: add separate p2p socket for tor connections

ec4a4dbe41 btcpayserver: fix whitelist security issue (Erik Arvstedt) df2070b44a bitcoind: add separate p2p socket for tor connections (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK ec4a4dbe41 Tree-SHA512: 457bfb5806dca65507261c1868ca89c86a39f63bd10833b7531fd74dd779816083270c8ccc95ad08a5306e9b31c440904e3cba35464d47c0d87418d0be3e732d
2021-10-21 12:17:12 +00:00 · 2021-10-21 12:17:12 +00:00 · bfe8ac972c
commit bfe8ac972c
parent 8b1b06311d ec4a4dbe41
3 changed files with 19 additions and 8 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -15,6 +15,14 @@ let
        default = 8333;
        description = "Port to listen for peer connections.";
      };
      onionPort = mkOption {
        type = types.nullOr types.port;
        default = null;
        description = ''
          Port to listen for Tor peer connections.
          If set, inbound connections to this port are tagged as onion peers.
        '';
      };
      getPublicAddressCmd = mkOption {
        type = types.str;
        default = "";
@ -263,8 +271,10 @@ let
    ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
    # Connection options
-    ${optionalString cfg.listen "bind=${cfg.address}"}
+    ${optionalString cfg.listen
-    port=${toString cfg.port}
+      "bind=${cfg.address}:${toString cfg.port}"}
    ${optionalString (cfg.listen && cfg.onionPort != null)
      "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
    ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
    ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
    ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@ -119,7 +119,7 @@ in {
      # Enable p2p connections
      listen = true;
      extraConfig = ''
-        whitelist=${nbLib.address cfg.nbxplorer.address}
+        whitelist=download@${nbLib.address cfg.nbxplorer.address}
      '';
    };
    services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
@ -128,9 +128,6 @@ in {
      enable = true;
      # Enable p2p connections
      listen = true;
      extraConfig = ''
        whitelist=${nbLib.address cfg.nbxplorer.address}
      '';
    };
    services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@ -18,7 +18,7 @@ let
            default = config.public;
            description = ''
              Create an onion service for the given service.
-              The service must define options 'address' and 'port'.
+              The service must define options 'address' and 'onionPort' (or `port`).
            '';
          };
          public = mkOption {
@ -64,7 +64,7 @@ in {
            inherit (cfg.${name}) externalPort;
          in nbLib.mkOnionService {
            port = if externalPort != null then externalPort else service.port;
-            target.port = service.port;
+            target.port = service.onionPort or service.port;
            target.addr = nbLib.address service.address;
          }
        );
@ -118,6 +118,10 @@ in {
          externalPort = 80;
        };
      };
      # When the bitcoind onion service is enabled, add an onion-tagged socket
      # to distinguish local connections from Tor connections
      services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
    }
  ];
 }