Commit Graph

599 Commits

Author SHA1 Message Date
Erik Arvstedt
2dd1a741f7
modules: group imports 2020-10-16 16:46:55 +02:00
Erik Arvstedt
36358066e4
spark-wallet: don't disable tor when onion-service is disabled
This fixes modules-only usage.

We can leave enabling tor and tor.client to secure-node.nix, on which
spark-wallet has a strict dependency.
2020-10-16 15:53:33 +02:00
Erik Arvstedt
24069aa2c6
electrs: add option 'monitoringPort' 2020-09-30 11:26:41 +02:00
Erik Arvstedt
611cfe5a28
electrs: remove redundant daemonrpc option 2020-09-30 11:26:41 +02:00
Erik Arvstedt
a19d3b07c2
electrs: add variable 'bitcoind' 2020-09-30 11:26:41 +02:00
Erik Arvstedt
a6dde36b87
electrs: use consistent args formatting
One line per arg.
2020-09-30 11:26:40 +02:00
Jonas Nick
c051544d46
Merge #234: loop: v0.8.1 -> v0.9.0
a89a3e934f test: increase diskSize (nixbitcoin)
24b506ff8a tests: simplify lightning-loop test (nixbitcoin)
e7c5f956ea lightning-loop: update module (nixbitcoin)
4a503f57bd lightning-loop: v0.8.1 -> v0.9.0 (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    reACK a89a3e934f
  erikarvstedt:
    I think it's okay if you would just merge 24b506ff8a, which is the direct parent of the ACK'd a89a3e934f, and removing a89a3e934f itself is totally uncontroversial.

Tree-SHA512: cee2a2714c714a22c35cea0fa829b42a371540983609cda6609f4d063d849f2e725643bd77cfe78eb71665725164d63f83b6c2589be9e72ba30aaecd7c8dee6c
2020-09-29 17:53:09 +00:00
nixbitcoin
73f4275d2a
backups: add btcpayserver database 2020-09-24 17:12:08 +00:00
nixbitcoin
e7c5f956ea
lightning-loop: update module
* commandlineArgs -> configFile
* introduce tls certs
* loop dataDir
* fix formatting and descriptions

Warning: Manual migration of existing loop data directory necessary
2020-09-24 16:40:11 +00:00
Jonas Nick
4cf31f8612
Merge #164: Add JoinMarket Clientserver
dd882753e6 joinmarket: add usage documentation (nixbitcoin)
d0701f518c joinmarket: automatically generate wallet (nixbitcoin)
d6d3e8ff62 joinmarket: add tests (nixbitcoin)
cce27da2ec backups: add joinmarket datadir to includelist (nixbitcoin)
173891fa5b joinmarket: add module (nixbitcoin)
263525d724 nix-bitcoin-services: add nb-services.privileged helper (nixbitcoin)
f00d1d24c5 joinmarket: add pkg and local dependencies (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK dd882753e6

Tree-SHA512: ad7bf56314877045bc8dc6037f966535dc3607d9e941cd03d19b610ee789307eac07447df7f93569dfa3e7553e8fc6d9757bdf8542fb123c5a2e2adec8f907a2
2020-09-22 17:16:08 +00:00
Jonas Nick
36c9c39d80
Deprecate lightning-charge and nanopos
Because we have btcpayserver now, nanopos is not really needed any more. Nanopos
was meant to be just a PoC. Lightning charge can be removed because nanopos is
the only module that depends on it.
2020-09-22 14:05:51 +00:00
nixbitcoin
d0701f518c
joinmarket: automatically generate wallet 2020-09-22 13:50:49 +00:00
nixbitcoin
cce27da2ec
backups: add joinmarket datadir to includelist 2020-09-22 13:50:43 +00:00
nixbitcoin
173891fa5b
joinmarket: add module 2020-09-22 13:50:37 +00:00
nixbitcoin
263525d724
nix-bitcoin-services: add nb-services.privileged helper 2020-09-22 13:43:15 +00:00
nixbitcoin
3cfb9d074b
btcpayserver: sqlite -> postgresql 2020-09-17 10:17:33 +00:00
nixbitcoin
f93c3c8405
backups: add nbxplorer and btcpayserver datadir to includelist 2020-09-15 12:09:33 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion 2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module 2020-09-15 12:09:12 +00:00
nixbitcoin
46d681a17e
lnd: generate custom macaroons
Create new `macaroon` option that allows any module to place its own
custom macaroon in the lnd RuntimeDirectory `/run/lnd`.
2020-09-15 12:09:02 +00:00
Erik Arvstedt
6f032e3c40
lnd: fix mnemonic file access vulnerability
Previously, the file was readable by 'other' for a short time after
creation.
2020-09-15 12:09:00 +00:00
nixbitcoin
b97584f5cb
netns: allow return traffic to outgoing connections 2020-09-15 12:08:58 +00:00
Erik Arvstedt
9d610991be
bitcoind: remove custom rpc user names
Simpler.
We've just removed option 'bitcoind.rpcuser', so we can also remove the
old name 'bitcoinrpc'.
2020-08-27 11:39:26 +02:00
Erik Arvstedt
1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled
It's not immediately clear why rpcuser/rpcpassword are needed in addition to the rpcauth
config entries.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
59434e79f0
bitcoind: simplify default rpc user name config 2020-08-26 21:16:32 +02:00
Erik Arvstedt
205829b91f
bitcoind: remove whitespace 2020-08-26 21:16:32 +02:00
Erik Arvstedt
91ebc2d517
netns-exec: simplify installation 2020-08-25 14:53:12 +02:00
Erik Arvstedt
809e754851
netns: improve bridge setup
- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
  This yields no noticeable functional changes for now, but it's
  conceptually cleaner to finish the network setup before network.target
  becomes active.
- Add 'nb-' prefix to service name
2020-08-25 14:53:12 +02:00
Erik Arvstedt
b7450877a0
netns: rename bridge peer devices br-nb-veth* -> nb-veth-br*
This ensures a consistent 'nb-' namespace and simplifies the
dhcpcd.denyInterfaces rules.

Also rename vethName -> veth.
2020-08-25 14:53:12 +02:00
Erik Arvstedt
8bfb7bb2f8
netns: rename bridge br0 -> nb-br
br0 has a high risk of name clashes when nix-bitcoin is used as part of a
larger config.
Use a more specific name.
2020-08-25 14:53:08 +02:00
Erik Arvstedt
32e70a7516
netns: move webindex config for modules-only usage
webindex is only available in secure-node.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
e385c73256
netns: separate implementation and service configs
This greatly improves clarity.

Especially the bitcoind-import-banlist.serviceConfig definition was out
of place.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).

To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
0f0f6ddbb9
netns: add comment about undesirable algorithmic complexity
We don't want to be Accidentally Quadratic™
2020-08-25 11:40:26 +02:00
Erik Arvstedt
a3ae8668e6
netns: use map instead of concatMap 2020-08-25 11:40:26 +02:00
Erik Arvstedt
b7fc819be5
netns: consistent var naming
n is used elsewhere in similar contexts.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
5a81693ef3
netns: add range check for netns ids 2020-08-25 11:40:26 +02:00
Erik Arvstedt
74f1610668
netns: clarify addressblock description 2020-08-25 11:40:26 +02:00
Erik Arvstedt
4eb92df08c
netns: remove redundant filter
The 'availableNetns' connection matrix only consists of enabled entries,
so no extra filtering is needed.
Reason: availableNetns starts with the filtered 'base' and is then symmetrised.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
50de54aef1
netns: remove empty connections defs
Like in the netns definition for bitcoind.
2020-08-25 11:40:26 +02:00
Jonas Nick
0f1f105948
Merge #225: Fix process info restriction
44de5064cd security: don't restrict process info by default for module users (Erik Arvstedt)
a36789b468 test: move security tests to separate function (Erik Arvstedt)
588a0b2405 security: enable full systemd-status for group 'proc' (Erik Arvstedt)
96ea2e671c security: simplify and fix dbus configuration (Erik Arvstedt)
343e026030 rename dbus.nix -> security.nix (Erik Arvstedt)
7367446761 test: rename assert_matches_exactly -> assert_full_match (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 44de5064cd

Tree-SHA512: f782cfdc81b5d6b3da968d0221bd54420791a9f5cd89cde9e62d6d04882d921b5efe9046d975133587b5c2d711c47133b3a5a2351940899a90a28bf16218a7ad
2020-08-24 14:56:05 +00:00
Jonas Nick
322ba5bfff
Add nix-bitcoin.lib for utility functions and types 2020-08-20 21:31:24 +00:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users 2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
Previously, systemd-status was broken for all users except root.

Use a 'default' deny policy, which is overridden for group 'proc'.

Add operator to group 'proc'.

Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
96ea2e671c
security: simplify and fix dbus configuration
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.

Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.

Also, add some comments.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
343e026030
rename dbus.nix -> security.nix
This file has a broader scope than just configuring dbus.
2020-08-20 13:12:06 +02:00
nixbitcoin
e4fb7a52de
backups: add module 2020-08-04 15:25:37 +00:00
Jonas Nick
62f83a71b8
Merge #218: Fix typos
df89ceed39 Fix typos (practicalswift)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK df89ceed39

Tree-SHA512: 8cd04469dd0c46259790f00f380a840c22f10424c2504a7667e70cfdb03f30801e34f3c53aeffc9259a971484d4a12f1dbe5ceade493c8559e8c00ec011e7c73
2020-08-04 15:13:09 +00:00
nixbitcoin
e650df30d5
bitcoind: bump rpcthread count 2020-08-04 14:46:57 +00:00
nixbitcoin
ac96fd59db
assertions: make lnd.enable depend on !clightning.enable or port != 9735 2020-08-04 14:07:10 +00:00
nixbitcoin
3ed564ea06
lnd: make listen IP address only 2020-08-04 14:07:08 +00:00
nixbitcoin
716e98789c
lnd: add listenPort option 2020-08-04 14:07:06 +00:00
nixbitcoin
43da15557d
clightning: refactor bind-addr to be IP address only
With typecheck
2020-08-04 14:07:02 +00:00
practicalswift
df89ceed39
Fix typos 2020-08-04 13:32:06 +00:00
nixbitcoin
d99ccc8445
clightning: add bindport option 2020-08-04 12:42:57 +00:00
Jonas Nick
0baeb2acce
Merge #209: Lightning loop
e9204946d4 lightning-loop: add tests (nixbitcoin)
491d83a658 lightning-loop: add module (nixbitcoin)
8f3588b13f lnd: higher attempt limit for less-powerful machines (nixbitcoin)
1bb801ad7b lightning-loop: add pkg (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e9204946d4

Tree-SHA512: cc8bb85978350dd530c3c8d2c9aca5ddc4ab1f72cdd27d031bb303eca1d9473f18e45bc119c62bb2991faa32b3e1d42e4439f02a56ab3a6b975b0bd491195604
2020-07-28 20:02:12 +00:00
nixbitcoin
491d83a658
lightning-loop: add module 2020-07-28 15:55:52 +00:00
nixbitcoin
8f3588b13f
lnd: higher attempt limit for less-powerful machines
Opening main database sometimes takes longer than 50 ExecStartPost
restPort connection attempts.
2020-07-28 15:55:50 +00:00
nixbitcoin
5086fc3234
bitcoin: drive-by prune fix 2020-07-28 14:32:54 +00:00
nixbitcoin
1bf45a9547
bitcoind: add rpcwhitelist feature
Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
2020-07-28 14:32:50 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
nixbitcoin
0248e6493f
systemd: lock down systemctl status
Mitigates a security issue that allows unprivileged users to read other
unprivileged users' processes' credentials from CGroup using `systemctl
status`.
2020-07-28 11:28:09 +00:00
nixbitcoin
4dbc348921
electrs: remove TLSProxy
https://github.com/spesmilo/electrum/issues/5278 was resolved
2020-07-21 13:41:03 +00:00
nixbitcoin
02853067a1
bitcoind: postStart wait until bitcoind can receive rpc calls 2020-07-21 13:23:07 +00:00
nixbitcoin
25adce29e5
secure-node: only mkHiddenServices if services are enabled 2020-07-21 09:38:55 +00:00
nixbitcoin
c542b92e55
nginx: add netns
- Adds nginx to netns-isolation.services
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:53 +00:00
nixbitcoin
ef89607704
recurring-donations: add netns
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
  services
- Removes torsocks dependency in favor of `curl --socks-hostname`
2020-07-21 09:38:51 +00:00
nixbitcoin
582cb86d74
nanopos: add netns
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
  services
- Adds charged-url option to allow using nanopos with network
  namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
2020-07-21 09:38:49 +00:00
nixbitcoin
7369f0a7ec
lightning-charge: add netns
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
  services
- Adds extraArgs option to allow using lightning-charge with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:47 +00:00
nixbitcoin
c4ab73d51f
spark-wallet: add netns
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
2020-07-21 09:38:45 +00:00
nixbitcoin
d6296acaba
electrs: add netns
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
  electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:43 +00:00
nixbitcoin
c0b02ac93a
liquid: add netns cli script 2020-07-21 09:38:41 +00:00
nixbitcoin
672a416ede
liquidd: add netns
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
  liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
2020-07-21 09:38:39 +00:00
nixbitcoin
4b8ca52647
lnd: add netns cli script 2020-07-21 09:38:37 +00:00
nixbitcoin
c55296433d
lnd: add netns
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
  hiddenService.
- Amends hardcoded lnd ip to lnd-cert

WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
2020-07-21 09:38:35 +00:00
nixbitcoin
f3d2aaa5d4
lnd: prepare for netns and bring in line with clightning
- Adds bitcoind-host, and tor-socks options to allow using with
  network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
  to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
  instead of lnd to bring in line with clightning.

WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
2020-07-21 09:38:32 +00:00
nixbitcoin
3c0c446547
clightning: add netns
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
  namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
  enabled or not.
2020-07-21 09:38:30 +00:00
nixbitcoin
ae1230e13b
clightning: remove bitcoin-rpcuser option
Simplifies the clightning module.
2020-07-21 09:38:28 +00:00
nixbitcoin
65b5dab3d4
clightning: add announce-tor
From the clightning manpage:

autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or announce-addr options are
specified. Setting this to false disables that.

We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.

For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
2020-07-21 09:38:26 +00:00
nixbitcoin
515aae2825
bitcoind: add netns and nonetns cli scripts
nonetns script needed for bitcoind-import-banlist
2020-07-21 09:38:24 +00:00
nixbitcoin
75ca6f186c
bitcoind: add netns
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
  network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
2020-07-21 09:38:22 +00:00
nixbitcoin
e5e07b91f7
netns-isolation: netns architecture
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
  configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
  systems.
- Adds security wrapper for netns-exec which allows operator to exec
  with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
  addresses
2020-07-21 09:38:20 +00:00
Jonas Nick
a03597ae8e
Merge #189: Update configuration.nix
f280d54bb8 add module assertions (nixbitcoin)
23cd323ad1 assertions: add lnd, clightning exclusivity (nixbitcoin)
0ad524ca2d example config: clarify nix-bitcoin will auto-detect invalid settings (nixbitcoin)
c16924b850 example config: change hwi excluding dependency to high-memory (nixbitcoin)
0fd99c4cc0 bitcoind: simplify pruning (nixbitcoin)
b9a7a71873 example config: document enabling pruning (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK f280d54bb8

Tree-SHA512: a900dc2b95cdc01b457c65853930cb1c31b5288fab06d665207ffb2bcd1d54d75add73113ccaacd98e882d4e6674eb8393fec1ae0a01688de1b56250d5d3d3d6
2020-06-17 09:27:46 +00:00
nixbitcoin
f280d54bb8
add module assertions 2020-06-17 09:23:17 +00:00
nixbitcoin
23cd323ad1
assertions: add lnd, clightning exclusivity 2020-06-15 13:02:58 +00:00
nixbitcoin
0fd99c4cc0
bitcoind: simplify pruning
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
2020-06-15 10:55:57 +00:00
nixbitcoin
12adabe407
banlist: update to newest version
Received by E-Mail from gmaxwell
2020-06-11 09:23:26 +00:00
Jonas Nick
94672e8f34
Merge #188: lnd: add option for configuring REST port
03a627a06f lnd: add option for configuring REST port (Martin Milata)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 03a627a06f

Tree-SHA512: b184d5ee825382d1f104e17a091ff49fa170230e4e690323cdfd570a0c7f0bf11e57da84f39fda9169fcbead75f0c0597268f728665135e743fa7fee73a1b66c
2020-06-07 14:40:54 +00:00
Jonas Nick
16e602e2b5
Merge #190: services: use 'port' option type
db48ab9b69 services: use 'port' option type (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK db48ab9b69

Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
2020-06-05 20:40:57 +00:00
Martin Milata
03a627a06f
lnd: add option for configuring REST port 2020-06-03 12:07:04 +02:00
Erik Arvstedt
db48ab9b69
services: use 'port' option type 2020-06-02 17:31:28 +02:00
nixbitcoin
ccc3a70344
service hardening: add more restrictions
Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
2020-05-24 11:14:45 +00:00
nixbitcoin
3fbfa98635
service hardening: replace obtuse SystemCallFilter with @system-service
@system-service whitelist and additional
https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
blacklist.
2020-05-24 11:14:37 +00:00
nixbitcoin
e34d1c884e
service hardening: Add PrivateUsers
Exceptions in webindex & onion-chef
2020-05-22 16:16:19 +00:00
nixbitcoin
1c75543f2f
clightning: add user and group options 2020-05-22 16:16:17 +00:00
Erik Arvstedt
5f3f362451
lnd: add strict hardening
Add ProtectSystem=strict, remove PermissionStartOnly.

Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.

Simplify preStart and fix dataDir quoting.
2020-05-22 16:13:58 +00:00
nixbitcoin
a040e52854
All modules: ProtectSystem = strict
Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
2020-05-22 15:47:01 +00:00
nixbitcoin
adc71b892e
Remove PermissionStartOnly where possible and replace with bitcoinrpc
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)

Give reason for PermissionsStartOnly in lightning-charge

Replace PermissionsStartOnly in clightning, electrs and liquid
2020-05-22 15:04:49 +00:00
nixbitcoin
91b6b2c370
All modules with preStart: Use systemd.tmpfiles.rules
This is NixOS' recommended way to set up service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this change's scope.
2020-05-22 14:54:39 +00:00
nixbitcoin
423ebf862b
lnd: only enable bitcoind zmqpub if lnd.enable
In conjunction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.

However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
2020-05-22 14:53:33 +00:00
nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets
Whitelist with exceptions in webindex and onion-chef
2020-05-22 11:29:54 +00:00
nixbitcoin
3cd61506e0
webindex & onion-chef: Run non-network-facing services in PrivateNetwork 2020-05-22 11:29:07 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
nixbitcoin
b8e10afe18
recurring-donations: Run under recurring-donations user 2020-05-19 11:13:26 +00:00
nixbitcoin
5d01ea7101
nodeinfo: Convert to module and allow alternative operator username
Currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option,
and nix-bitcoin-webindex.nix has nodeinfo as a dependency.

So don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-19 11:13:24 +00:00
nixbitcoin
95d230d1d6
Remove bitcoinrpc group remnants 2020-05-19 11:13:22 +00:00
nixbitcoin
563b210835
spark-wallet: Run under spark-wallet user 2020-05-19 11:13:20 +00:00
nixbitcoin
205fca3576
bitcoind: only make blocksdir group-readable when dataDirReadableByGroup 2020-05-19 11:13:18 +00:00
nixbitcoin
81a04a4ef1
lightning-charge: add dedicated user 2020-05-19 11:13:16 +00:00
nixbitcoin
0ba55757f8
clightning: allow group access to RPC socket 2020-05-19 11:13:12 +00:00
nixbitcoin
304dd297ba
clightning: remove config group read access 2020-05-19 11:13:05 +00:00
nixbitcoin
04c6936ce9
clightning: Remove clightning "bitcoinrpc" membership
Secrets are written to clightning config file during preStart with root
permissions because of PermissionsStartOnly.
2020-05-19 11:09:13 +00:00
nixbitcoin
393ab0fb3c
electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
2020-05-19 11:08:59 +00:00
nixbitcoin
7cfae66db4
electrs: Drop insecure TLS ciphers 2020-05-19 11:08:52 +00:00
nixbitcoin
4c139a6d77
electrs: Make TLSProxy truly optional
If TLSProxy is disabled, bypass nginx by forwarding Tor HS traffic
directly to electrs.
2020-05-19 11:08:48 +00:00
Erik Arvstedt
509fca5328
fix syntax error
Fixes #172
2020-05-06 12:13:32 +02:00
nixbitcoin
159f551b93
Remove bitcoin, clightning, electrs, liquid user home directory 2020-04-26 14:08:08 +02:00
nixbitcoin
742aef1e0f
Only set dataDirReadableByGroup if cfg.high-memory is enabled 2020-04-24 16:21:12 +02:00
Erik Arvstedt
4dc6c3ba5d
add option 'dataDirReadableByGroup'
These settings are now more accessible for users that don't use
nix-bitcoin's default node config.
Additionally, remove 'other' permissions via umask.
2020-04-16 15:55:34 +02:00
Erik Arvstedt
3e188238d0
only update bitcoin.conf when changed 2020-04-12 22:32:37 +02:00
Erik Arvstedt
08322eed9b
use [[ test 2020-04-12 22:32:37 +02:00
Erik Arvstedt
201fc33782
move line to relevant code section (blocks dir setup) 2020-04-12 22:32:37 +02:00
Erik Arvstedt
1f8fe310d0
remove option 'configFileOption'
It doesn't make sense for bitcoind users to completely redefine their
config file. Also, it's poorly named and the description is faulty.

This is a breaking change, but this option has probably no actual users.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
4e5c1d7551
disable redundant logfile 2020-04-12 22:32:37 +02:00
Erik Arvstedt
a05551fd1c
improve config file formatting 2020-04-12 22:32:37 +02:00
Erik Arvstedt
5e81d60d63
improve formatting 2020-04-12 22:32:37 +02:00
Erik Arvstedt
d60a5aa4db
define rpc.users submodule inline
Improves readability.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1a2271fb14
remove unused variable 'hexStr' 2020-04-12 22:32:36 +02:00
Erik Arvstedt
4e92b1c818
remove redundant hardening options
These are already defined in nix-bitcoin-services.defaultHardening.
2020-04-12 22:32:36 +02:00
Erik Arvstedt
47fd6cd0f3
simplify ExecStart 2020-04-12 22:32:36 +02:00
Erik Arvstedt
64fc63cc40
remove pidFile
- service type "simple" is the default
- pidFile is not needed for service type "simple"
2020-04-12 22:32:36 +02:00
Erik Arvstedt
bceaa361ca
operator: allow reading systemd journal 2020-04-09 11:02:06 +02:00
Erik Arvstedt
145961c2de
fix operator authorized keys setup
This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, operator's authorized_keys
  file is always appended to, growing the file indefinitely.
- Service is always added and not restricted to nixops-vbox deployments.
2020-04-09 11:02:06 +02:00
Erik Arvstedt
37b2faf63c
move systemPackages definitions to services
These are generally useful and shouldn't be limited to secure-node.nix.

Also, only add the hardware-wallets group when hardware wallets are enabled.
2020-04-08 17:35:14 +02:00
Erik Arvstedt
6c22e13b7f
copy-root-authorized-keys: use inline script definition 2020-04-08 17:35:14 +02:00
Erik Arvstedt
63c6fe3213
fixup! use '' for multi-line string 2020-04-08 17:35:14 +02:00
Erik Arvstedt
ab617946a9
extract variable 'cfg' 2020-04-08 17:35:13 +02:00
Erik Arvstedt
36c84d8360
add option clightning.onionport
Analogous to electrs.onionport
2020-04-08 17:35:13 +02:00
Erik Arvstedt
681dbaf328
move electrs.onionport option
Only used in secure-node.nix
2020-04-08 17:35:13 +02:00
Erik Arvstedt
74fbfa3a5d
use lib.optionals 2020-04-08 17:35:13 +02:00
Erik Arvstedt
ec6d33fbb6
rearrange code sections
Move services to the top, operator account setup to the bottom.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
e16ddc9c77
extract 'mkHiddenService'
toPort equals port by default.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
89d3d58850
use mkIf 2020-04-08 17:35:13 +02:00
Erik Arvstedt
85e52a06cb
improve grouping of suboptions 2020-04-08 17:35:12 +02:00
Erik Arvstedt
1a63f0ca6a
remove option 'services.nix-bitcoin.enable'
Users can enable the node config just by importing secure-node.nix
2020-04-08 17:35:12 +02:00
Erik Arvstedt
0f8b2e91fd
add nix-bitcoin.nix for backwards compatibility 2020-04-08 17:35:12 +02:00
Erik Arvstedt
28792f79dc
rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-08 17:35:12 +02:00
Jonas Nick
9239268ab6
Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module
b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:08 +00:00
Erik Arvstedt
b07c77f4a4
secrets.nix: remove obsolete comment 2020-03-29 18:51:34 +02:00
Erik Arvstedt
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-03-24 21:43:21 +00:00
Jonas Nick
106dcacb61
lnd: add package option 2020-03-09 08:22:00 +00:00
Erik Arvstedt
5596bcf4fb
bitcoind: set default rpcuser
We're already setting a default rpcpassword, so we should set an
accompanying rpcuser so that rpc clients like electrs work out of the box.
2020-03-04 18:09:52 +01:00
Erik Arvstedt
c4cf323873
electrs: add option 'extraArgs'
Electrs allows defining settings multiple times via cmdline args, but
not via config files.
So 'extraArgs' is the only way to implement overridable settings,
'extraOptions' wouldn't work.
2020-03-04 18:09:52 +01:00
Erik Arvstedt
e731d71232
electrs: add option 'address' 2020-03-04 18:09:52 +01:00
Erik Arvstedt
0be67c325e
electrs: use cfg.user, cfg.group 2020-03-04 18:09:51 +01:00
Erik Arvstedt
48be5a79fa
electrs.enable: use mkEnableOption 2020-03-04 18:09:51 +01:00
Erik Arvstedt
b75b2a1626
electrs: improve description 2020-03-04 18:09:51 +01:00
Erik Arvstedt
fa3455d01f
electrs: don't leak bitcoinrpc secret through process ARGV
Supply secret via private config file instead.
2020-03-04 18:09:51 +01:00
Erik Arvstedt
47481b2642
electrs: quote dataDir in shell cmd 2020-03-04 18:09:50 +01:00
Erik Arvstedt
8fb33d1099
electrs: use bitcoind.dataDir option 2020-03-04 18:09:50 +01:00
Erik Arvstedt
45ba1f1fb3
electrs: don't print timestamps to log
Already provided by journald.
2020-03-04 18:09:49 +01:00
Erik Arvstedt
88080a58bf
electrs: wrap long lines in preStart 2020-03-04 18:09:49 +01:00
Erik Arvstedt
301bb91ae5
simplify setting high-memory options 2020-03-04 18:09:49 +01:00
Erik Arvstedt
93fd2329b8
electrs: make nginx TLS proxy optional
Electrs users shouldn't be forced to run a TLS proxy.
2020-03-04 18:09:48 +01:00
Erik Arvstedt
acde24ce43
electrs: move user/group definitions to bottom
Consistent with other service defs.
2020-03-04 18:09:48 +01:00
Erik Arvstedt
148327326b
electrs: formatting 2020-03-04 18:09:48 +01:00
Erik Arvstedt
cce9932b62
make pinned pkgs accessible through pkgs/default.nix
Useful for developing and for importing pinned pkgs via config.nix.
2020-03-04 18:09:48 +01:00
Jonas Nick
ea8d29d96f
Merge #141: Fix secrets setup
ad23b508e3 {generate,setup}-secrets: remove process hardening (Erik Arvstedt)
89f9bedb9d generate-secrets.nix: fix indentation (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ad23b508e3

Tree-SHA512: 1cb031f9dbfd3150316e4d4f365d37cb7f591910412ee3c70e01beda3498dbf514d4b620f257f32f64c6dcc4845659f45f69f5839e0b7401997320140530d2a0
2020-02-26 21:40:14 +00:00
Jonas Nick
323b2a7f17
Allow adding multiple nodes to bitcoind with the addnodes option and improve bitcoin module option descriptions 2020-02-26 21:34:18 +00:00
Erik Arvstedt
ad23b508e3
{generate,setup}-secrets: remove process hardening
ProtectSystem=full disables writing to /etc which is the default
secrets location.

Besides that, hardening is pointless for {generate,setup}-secrets which
don't read external input and are fully under our control.
2020-02-26 20:38:46 +01:00
Erik Arvstedt
89f9bedb9d
generate-secrets.nix: fix indentation 2020-02-26 20:38:46 +01:00
Jonas Nick
9d3588e1de
Convert nix-bitcoin extraConfig options to regular options 2020-02-23 19:22:07 +00:00
Erik Arvstedt
6fe647ecc4
spark-wallet, lightning-charge: specify mainchain network in clightning data dir
This fixes warnings in each service.
2020-01-15 23:13:48 +00:00
Erik Arvstedt
eaaa6b8701
clightning: update to v0.8.0
To continue using inotify would be too complicated because we would also need to
monitor the creation of the 'bitcoin' subdirectory.
2020-01-15 23:13:19 +00:00
Jonas Nick
a985abcd21
Merge #133: Improve modularity, remove dependency on nixops, add modules test
187ff884db add modules test (Erik Arvstedt)
826245484e make secrets dir location configurable (Erik Arvstedt)
b1e13e9415 simplify secrets file format (Erik Arvstedt)
314272a228 lnd, nanopos: move user and group definitions to the bottom (Erik Arvstedt)
766fa4f300 travis: cache all build outputs with cachix (Erik Arvstedt)
b0e759160d travis: set NIX_PATH as early as possible (Erik Arvstedt)
c51bbcf104 travis: move comment (Erik Arvstedt)
7092dce0c7 travis: remove use of deprecated statements (Erik Arvstedt)
190a92507c travis: split up scripts into statements (Erik Arvstedt)
10d6b04ac8 support enabling clightning and lnd simultaneously (Erik Arvstedt)
ad7a519284 bitcoind: wait until RPC port is open (Erik Arvstedt)
5536b64fb3 lnd: wait until wallet is created (Erik Arvstedt)
6f2a55d63c lnd: wait until RPC port is open (Erik Arvstedt)
1868bef462 lnd: add option 'rpcPort' (Erik Arvstedt)
120e3e8cfe lnd postStart: suppress curl response output (Erik Arvstedt)
3e86637327 lnd postStart: poll for REST service availability (Erik Arvstedt)
795c51dc01 lnd postStart: make more idiomatic (Erik Arvstedt)
6e58beae8a lnd: use postStart option for script (Erik Arvstedt)
86167c6e6d clightning: wait until the RPC socket appears (Erik Arvstedt)
60c732a6a1 onion-chef: set RemainAfterExit, fix tor dependency (Erik Arvstedt)
2b9b3ba1c5 systemPackages: improve readability with shorter service references (Erik Arvstedt)
14ecb5511a liquid: add cli option (Erik Arvstedt)
cd5ed39b9c lnd: add cli option (Erik Arvstedt)
1833b15888 clightning: add cli option (Erik Arvstedt)
b90bf6691b add generate-secrets.service (Erik Arvstedt)
6447694214 add generate-secrets pkg (Erik Arvstedt)
e34093a8ac generate_secrets.sh: add opensslConf option (Erik Arvstedt)
9d14d5ba64 generate_secrets.sh: write secrets to working directory (Erik Arvstedt)
51fb054001 generate_secrets.sh: extract makepw command (Erik Arvstedt)
e3b47ce18a add setup-secrets.service (Erik Arvstedt)
437b268433 extract make-secrets.nix (Erik Arvstedt)
f9c29b9318 simplify secret definitions (Erik Arvstedt)
cd0fd6926b don't copy secret files to store during nixops deployment (Erik Arvstedt)
f0a36fe0c7 add 'nix-bitcoin-services' option (Erik Arvstedt)
7aaf30501c nix-bitcoin-services: simplify formatting (Erik Arvstedt)
760da232e0 add nix-bitcoin pkgs namespace (Erik Arvstedt)
6def181dbc add modules.nix (Erik Arvstedt)
3b842e5fe7 add nix-bitcoin-secrets.target (Erik Arvstedt)
bbf2bbc04a network.nix: simplify import of main config (Erik Arvstedt)
7e021a2629 simplify overlay.nix (Erik Arvstedt)
07dc3e04ac move bitcoinrpc group definition to bitcoind (Erik Arvstedt)
d61b185c3a simplify user and group definitions (Erik Arvstedt)

Pull request description:

  The nix-bitcoin modules consist of three fundamental components:
  1. a set of bitcoin-related modules for general use.
  2. an opinionated configuration of these modules (`nix-bitcoin.nix`), to be deployed on a
     dedicated machine.
  3. machinery for nixops deployment.

  This PR removes dependencies that reach from top to bottom in the list.
  This means that 1. is now usable on its own and that 2. can be used without 3.

  Besides improving nix-bitcoin's general usefulness, this
  - simplifies testing. This PR includes a Travis-enabled modules test using the NixOS testing framework.
  - paves the way for krops deployment.
  - unlocks direct deployment in NixOS containers which allows for super fast experimentation.

  ### Details
  Here are the unnecessary inter-component dependencies and how they're resolved by the commits. I'm using the numbering from the list above.

  - `1. -> 3.` The modules (1.) use the nixops-specific (3.) `keys` group.
    Resolved by `add nix-bitcoin-secrets.target`.

  - `1. -> 3.` 1. requires nixops-specific key services.
    Resolved by `add nix-bitcoin-secrets.target`.

  - `1. -> 2.` bitcoind needs the bitcoinrpc group which is defined in `nix-bitcoin.nix` (2.).
    Resolved by `move bitcoinrpc group definition to bitcoind`.

  Further obstacles for standalone usage of 1.:

  - We can't easily import 1. as a standalone module set.
    Resolved by `add modules.nix`.

  - Users of 1. shouldn't be forced to import nix-bitcoin's packages as top-level items in the pkgs namespace.
    Resolved by `add nix-bitcoin pkgs namespace`.

  ### Non-nixops deployments
  Commit `add setup-secrets.service` simplifies non-nixops deployment methods like containers, NixOS VMs or krops.

  Secrets can now be deployed as follows:
  1. create local secrets.
  2. transfer secrets to machine.
  3. on the machine, `setup-secrets.service` creates extra secrets from `secrets.nix` and sets owner and
     permissions for all secrets.

  As krops integrates step 2. we now have all ingredients for automatic krops deployment.

  The service is complicated by the creation of secrets like `bitcoin-rpcpassword` that are composed of attrs from `secrets.nix` instead of being simply backed by a file like `lnd_key`. We could simplify this by creating all secret files locally.

  Running nix-bitcoin in NixOS containers gives you faster rebuild cycles when developing. [Here's](https://gist.github.com/5db4fa7dd3f1137920b58e39647116f6) an example.

  ### Test
  The last commits starting with `clightning: add cli option` are testing-related and mostly fix non-critical bugs that were exposed by the test.

  All `STABLE=1` builds from the Travis build matrix are implicit in the modules test.
  Should we remove these individual builds?

  Regarding commit `travis: cache all build outputs with cachix`:
  To replace my cache with a cache that's owned by you (maybe named `nix-bitcoin-ci`), run
  ```
  nix-shell -p travis --run 'travis encrypt CACHIX_SIGNING_KEY=... -r fort-nix/nix-bitcoin'
  ```
  where `...` is the value of `secretKey` in `~/.config/cachix/cachix.dhall`. Let me know the travis secret and I'll fixup the commit.

  ### Docs
  If you like the proposed changes, I'll add another PR with updates to the docs regarding the project layout, non-nixops deployment, and how to use nix-bitcoin within a larger NixOS config.

ACKs for top commit:
  jonasnick:
    ACK 187ff884db

Tree-SHA512: f4be65215c592a4f41bb7fa991a6d8d7c463cf631b88bf53051ca57ba280e7a60b8b09d0d1521345d5b656f844daa2166fff5d00a3105077c9e263465eacfb0a
2020-01-13 08:22:17 +00:00
Erik Arvstedt
826245484e
make secrets dir location configurable
Users of the nix-bitcoin modules shouldn't be forced to add an extra
dir under root.
The secrets location is unchanged for the default node config.
2020-01-13 00:25:12 +01:00
Erik Arvstedt
b1e13e9415
simplify secrets file format
Each secret file to be deployed is now backed by one local file.
This simplifies 'setup-secrets' and the secret definitions.
Also, with the old format it was not possible to add new secrets
to secrets.nix in a simple way.

Old secrets are automatically converted to the new format when running
nix-shell.

Using the new option 'nix-bitcoin.secrets', secrets are now directly
defined by the services that use them.
2020-01-13 00:25:11 +01:00
Erik Arvstedt
314272a228
lnd, nanopos: move user and group definitions to the bottom
This is the default service formatting style in nixpkgs.
2020-01-13 00:25:11 +01:00
Erik Arvstedt
10d6b04ac8
support enabling clightning and lnd simultaneously
Needed for testing.
2020-01-12 20:02:04 +01:00
Erik Arvstedt
ad7a519284
bitcoind: wait until RPC port is open
This fixes rare failures in clightning which requires an open bitcoind
RPC port
2020-01-12 20:02:04 +01:00
Erik Arvstedt
5536b64fb3
lnd: wait until wallet is created 2020-01-12 20:02:04 +01:00
Erik Arvstedt
6f2a55d63c
lnd: wait until RPC port is open 2020-01-12 20:02:03 +01:00
Erik Arvstedt
1868bef462
lnd: add option 'rpcPort'
10009 is lnd's default port.
Needed for the following commit.
2020-01-12 20:02:03 +01:00
Erik Arvstedt
120e3e8cfe
lnd postStart: suppress curl response output
Errors are still shown
2020-01-12 20:02:03 +01:00
Erik Arvstedt
3e86637327
lnd postStart: poll for REST service availability
Improves service startup time compared to just sleeping
2020-01-12 20:02:03 +01:00
Erik Arvstedt
795c51dc01
lnd postStart: make more idiomatic
- [[]]-style tests
- indent all multi-line statements the same way
2020-01-12 20:02:03 +01:00
Erik Arvstedt
6e58beae8a
lnd: use postStart option for script
- set -e is implicit
- coreutils are in PATH and don't have to be explicitly referenced (echo is a shell builtin anyways)
- exit 0 is unneeded ('if' statements never fail)
2020-01-12 20:02:03 +01:00
Erik Arvstedt
86167c6e6d
clightning: wait until the RPC socket appears
This fixes failures with spark-wallet which requires clightning RPC
2020-01-12 20:02:02 +01:00
Erik Arvstedt
60c732a6a1
onion-chef: set RemainAfterExit, fix tor dependency
This better fits the semantics of this unit and allows for easier
automated testing whether the service is active.

wantedBy = bindsTo = after = tor.service is the simplest way to ensure
that this unit is always running/restarted in lockstep with tor.
Previously, onion-chef would have stayed inactive in the case
that tor was stopped and then later restarted.
2020-01-12 20:02:02 +01:00
Erik Arvstedt
2b9b3ba1c5
systemPackages: improve readability with shorter service references 2020-01-12 20:02:02 +01:00
Erik Arvstedt
14ecb5511a
liquid: add cli option 2020-01-12 20:02:02 +01:00
Erik Arvstedt
cd5ed39b9c
lnd: add cli option 2020-01-12 20:02:02 +01:00
Erik Arvstedt
1833b15888
clightning: add cli option
An executable is more robust to use than shell aliases.

This is also a preparation for commit 'add module test' because the
NixOS testing framework makes interactive aliases hard to use: It
unsets 'PS1' which is used by programs/bash/bash.nix to detect
interactive shells.
2020-01-12 20:02:02 +01:00
Erik Arvstedt
b90bf6691b
add generate-secrets.service 2020-01-12 20:02:01 +01:00
Erik Arvstedt
e3b47ce18a
add setup-secrets.service 2020-01-12 20:02:01 +01:00
Erik Arvstedt
437b268433
extract make-secrets.nix
Needed by the next commit.
2020-01-12 20:02:00 +01:00
Erik Arvstedt
f0a36fe0c7
add 'nix-bitcoin-services' option
1. Makes the content easily accessible for module users
2. Avoids needlessly recalculating the attrset in every client module
2020-01-12 20:02:00 +01:00
Erik Arvstedt
7aaf30501c
nix-bitcoin-services: simplify formatting 2020-01-09 10:43:30 +01:00
Erik Arvstedt
760da232e0
add nix-bitcoin pkgs namespace
Not polluting the main pkgs namespace with internal pkgs makes it
easier to integrate the nix-bitcoin modules into a larger config.

Also, by overriding the nix-bitcoin namespace, users can now easily set the
packages used by services that offer no explicit `package` option, like `clightning`.
2020-01-09 10:43:30 +01:00
Erik Arvstedt
6def181dbc
add modules.nix
Importing modules.nix enables the stand-alone use of the modules, without the
config presets of nix-bitcoin.nix.
2020-01-09 10:43:29 +01:00
Erik Arvstedt
3b842e5fe7
add nix-bitcoin-secrets.target
Remove use of nixops-specific 'keys' group and key services.
Instead:
- Add nix-bitcoin-secrets.target, which should be required by all
  units that depend on secrets. (To keep it simple, it's okay to meet
  the secrets dependency indirectly by e.g. depending on bitcoind.)

  Various secret deployment methods can use this target by
  setting up the secrets before activating the target.
  In case of nixops we just specify that nixops' keys.target comes
  before nix-bitcoin-secrets.target.

  If the target is left undefined in the case of manual secrets
  deployment, systemd will simply ignore unit dependencies on
  the target.

- Allow all users to access the secrets dir.
  The access protection for the individual secret files is unchanged.
  This allows us to drop the unit dependency on the nixops 'keys' group.
2020-01-09 10:43:29 +01:00
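An added example, not nix-bitcoin's own setup-secrets module, of the secrets-target pattern described in the commit message above, together with the hardening caveat from commit `{generate,setup}-secrets: remove process hardening`. It assumes the secret files have already been copied to `/secrets` by whatever deploys the machine (nixops, krops, a manual copy), that the secret names, owners and modes listed are the ones the consuming services expect, and it always defines the target so that a `requires` on it is unambiguous.

```nix
# Added example, not nix-bitcoin's setup-secrets.service. Assumptions: secret
# files already exist in /secrets; owners/groups/modes below are illustrative.
{ config, lib, pkgs, ... }:

let
  secretsDir = "/secrets";

  # Which file belongs to whom. Protection is per file; the directory itself
  # is world-traversable so any service user can reach its own secret.
  secrets = {
    bitcoin-rpcpassword = { owner = "bitcoin"; group = "bitcoinrpc"; mode = "0440"; };
    lnd-key             = { owner = "lnd";     group = "lnd";        mode = "0400"; };
  };

  setupSecrets = pkgs.writeShellScript "setup-secrets" ''
    set -euo pipefail
    cd ${secretsDir}
    chmod 755 .
    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: s: ''
      if [[ ! -e ${name} ]]; then
        echo "setup-secrets: missing ${secretsDir}/${name}" >&2
        exit 1
      fi
      chown ${s.owner}:${s.group} ${name}
      chmod ${s.mode} ${name}
    '') secrets)}
  '';
in
{
  # The target is the only thing consumers depend on, so nixops, krops or a
  # manual copy can all be swapped in underneath it.
  systemd.targets.nix-bitcoin-secrets = {
    description = "nix-bitcoin secrets are in place";
  };

  systemd.services.setup-secrets = {
    description = "Set owner and permissions on nix-bitcoin secrets";
    requiredBy = [ "nix-bitcoin-secrets.target" ];
    before     = [ "nix-bitcoin-secrets.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = setupSecrets;
      # No ProtectSystem/ProtectHome here on purpose: ProtectSystem=full makes
      # /etc read-only for this unit and =strict does the same for the whole
      # root fs including /secrets. The unit runs a fixed script on files it
      # owns and reads no untrusted input, so the sandbox would buy nothing.
    };
  };

  # Consumers require the target and order after it. A transitive dependency
  # (e.g. electrs requiring bitcoind) is enough, as the commit message notes.
  systemd.services.bitcoind = {
    requires = [ "nix-bitcoin-secrets.target" ];
    after    = [ "nix-bitcoin-secrets.target" ];
  };
}
```

Because `setup-secrets` is `Type=oneshot` and ordered `before` the target, the target only becomes active once every file has its owner and mode set, so a consumer that starts `after` it never races a half-prepared secret. For a nixops deployment the same target is reached by adding `keys.target` to its `after`/`requires` instead of this unit.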
Erik Arvstedt
07dc3e04ac
move bitcoinrpc group definition to bitcoind
services.bitcoind has a strict dependency on the 'bitcoinrpc' group
via the 'bitcoin-rpcpassword' secret.
2019-11-27 14:05:19 +01:00
Erik Arvstedt
d61b185c3a
simplify user and group definitions 2019-11-27 14:05:19 +01:00
Jonas Nick
43507a7ce5
Update assumevalid to block 605181 2019-11-24 05:19:19 +00:00
Erik Arvstedt
c36c496507
banlist: fail on unexpected errors
Also, don't output the 'already banned' error message
2019-11-14 13:06:21 +01:00
Erik Arvstedt
e0276503ed
fixup! ignore banlist errors (like in master) 2019-11-14 13:04:42 +01:00
Erik Arvstedt
d64156e485
banlist: don't wait in preStart until bitcoind is ready
preStart is meant for short-run scripts, but bitcoind can take a long
time until it accepts commands, especially on low-powered systems.

Fixes #122
2019-11-12 19:59:06 +01:00
Erik Arvstedt
d87c50a305
banlist: simplify unit, bind to bitcoind, fix wantedBy
Type = "simple" is the default unit type.

Being wanted by bitcoind instead of a system target is more appropriate.

By binding to bitcoind, the service is automatically stopped when
bitcoind exits. This eliminates the bitcoind liveness check in preStart.
2019-11-12 19:44:44 +01:00
Erik Arvstedt
39885d37c1
banlist: simplify script, remove package
We're now directly using Greg's unmodified banlist which
simplifies the update process.

The banlist package with its dependency on the bitcoin datadir path is only
relevant for internal use within nix-bitcoin, so we can safely remove
it.

We're now using the bitcoin-cli from `services.bitcoind.package`.

Fixes #129
2019-11-12 19:42:33 +01:00
Erik Arvstedt
55e73f32e3
bitcoind: add cli option 2019-11-12 19:41:29 +01:00
Erik Arvstedt
8807b9f6b2
bitcoind: remove 'StateDirectory'
This option is useless because we're doing our own state dir management
via 'dataDir'.
2019-11-12 19:41:29 +01:00
Jonas Nick
6157a79956
Merge #118: Move zmq options from nix-bitcoin.nix to bitcoind module
0c22af03b7 Allow AnyProtocol for bitcoin if zmq options are set (and not if lnd is enabled) (Jonas Nick)
cf39d88c63 Move zmq options from nix-bitcoin.nix to bitcoind module (Jonas Nick)

Pull request description:

  ... which is a better place for this. CC @cypherpunk2140

Top commit has no ACKs.

Tree-SHA512: 47d1b95fef78ee31711b5ad5a59000adfb0fcd3bbfe82c7321d87f5a6d7c998646d3428a1c86ff9b0103b167501c8cf3b16e00d4e2b5c09425ab09f732f75a57
2019-11-09 19:47:47 +00:00
Jonas Nick
0c22af03b7
Allow AnyProtocol for bitcoin if zmq options are set (and not if lnd is enabled) 2019-11-09 19:44:06 +00:00
Jonas Nick
664c5c6762
Switch from python 3.5 to python 3.x for trezor 2019-10-28 20:59:15 +00:00
Jonas Nick
8dd27b6334
Use types.str instead of types.string to avoid warning 2019-10-28 20:59:15 +00:00
Jonas Nick
09d2df1a81
Use stable tor module instead of unstable which we had to use because stable didn't support v3 onion services 2019-10-28 20:59:15 +00:00
Jonas Nick
b2fb83c910
Use our own bitcoind module instead of nixpkgs' 2019-10-28 20:59:07 +00:00
Jonas Nick
c1d67c4cee
Update nixpkgs 2019-10-07 11:53:05 +00:00
Jonas Nick
cf39d88c63
Move zmq options from nix-bitcoin.nix to bitcoind module 2019-09-30 07:18:02 +00:00
Jonas Nick
e4d2aab561
Merge #107: Add LND support
9d029fd1af Remove lnd explicit tor onion service config (Ștefan D. Mihăilă)
1f407ef22c Remove lnd user from onion-chef (Ștefan D. Mihăilă)
5880023158 Increase xxd column size (Ștefan D. Mihăilă)
101ae3c370 Instruct user to backup channel.backup (Ștefan D. Mihăilă)
fccd91972a Fix "value is a list [...]" error when lnd is not enabled (Ștefan D. Mihăilă)
700fdf6feb Add logdir and tor.privatekeypath to lnd.conf (Ștefan D. Mihăilă)
5a2517b926 Check for existing secrets and create them more granularly (Ștefan D. Mihăilă)
d6f961db89 Reuse lnd seed (Ștefan D. Mihăilă)
9b0753135c Add LND support (Ștefan D. Mihăilă)
4acf5cd32c Remove unused nginx.csr file (Ștefan D. Mihăilă)
19b971f21f Rename nginx certificate files (Ștefan D. Mihăilă)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 9d029fd1af

Tree-SHA512: 58ee80bcab6c3a1c4642a5d40b94e10d28311557ae7c69539fee90d6f252a6afc70b8066cc7d7ddc0a45e2675978718a369b0341c518f8ce7590cbde1403eaeb
2019-08-31 15:21:38 +00:00
Ștefan D. Mihăilă
9d029fd1af
Remove lnd explicit tor onion service config 2019-08-25 02:25:35 +02:00
Ștefan D. Mihăilă
1f407ef22c
Remove lnd user from onion-chef 2019-08-25 02:11:45 +02:00
Ștefan D. Mihăilă
5880023158
Increase xxd column size 2019-08-25 02:01:05 +02:00
Ștefan D. Mihăilă
fccd91972a
Fix "value is a list [...]" error when lnd is not enabled 2019-08-24 22:05:41 +02:00
Ștefan D. Mihăilă
700fdf6feb
Add logdir and tor.privatekeypath to lnd.conf
This will put the logs dir and tor priv keys directly in the
datadir of lnd. Before this commit, they were stored in a .lnd
dir inside the datadir.
2019-08-23 03:45:32 +02:00
Ștefan D. Mihăilă
d6f961db89
Reuse lnd seed 2019-08-22 17:03:39 +02:00
Jonas Nick
5f567ee1ed
Merge #113: Simplify clightning preStart
67a464d097 Mention problems with hardened kernel and NUCs in README (Jonas Nick)
7771a4c931 Refer to systemd man pages for hardening options (Jonas Nick)
a5e10a82d8 Simplify clightning preStart (Jonas Nick)

Pull request description:

  CC @cypherpunk2140

Top commit has no ACKs.

Tree-SHA512: aa726f29e499cc268b21cac8cd07617be591cfdaa89dd0495cb979ebd3e49cc01164af25924c554429a1d35d14167dea276f7d61877452b69f027143cc3eee97
2019-08-21 14:58:22 +00:00
Ștefan D. Mihăilă
9b0753135c
Add LND support 2019-08-20 23:54:47 +02:00
Ștefan D. Mihăilă
19b971f21f
Rename nginx certificate files 2019-08-20 16:26:35 +02:00
Jonas Nick
1c8dadd876
Add allowAnyProtocol option to nix-bitcoin-services 2019-08-19 21:11:08 +00:00
Jonas Nick
7771a4c931
Refer to systemd man pages for hardening options 2019-08-19 20:44:10 +00:00
Jonas Nick
a5e10a82d8
Simplify clightning preStart 2019-08-19 20:39:13 +00:00
Ștefan D. Mihăilă
161ee02550
style: remove extra space 2019-08-18 12:53:09 +02:00
Ștefan D. Mihăilă
4e6e05a4a8
Improve electrs ports descriptions 2019-08-18 12:53:08 +02:00
Ștefan D. Mihăilă
cd722cac1a
Fix indentation 2019-08-18 12:53:08 +02:00
Ștefan D. Mihăilă
df784b341e
Expose electrs high-memory option in configuration.nix 2019-08-18 12:53:08 +02:00
Jonas Nick
b9f51e3f70
Add liquid-swap tool 2019-08-07 14:51:15 +00:00
Jonas Nick
923939fe57
Clarify liquid/elements relation 2019-08-05 20:37:29 +00:00
Jonas Nick
5edf0d7240
Replace liquidd with elementsd package 2019-08-03 14:26:31 +00:00
Jonas Nick
f58a2e62e3
Fix liquid data directory permission 2019-08-01 15:19:02 +00:00
Jonas Nick
30b04d075f
Merge remote-tracking branch 'upstream-pull/99/head' 2019-08-01 12:53:51 +00:00
nixbitcoin
8f9082f893
Enable validatepegin for Liquid 2019-08-01 10:38:05 +02:00
Jonas Nick
684a57211c
Merge remote-tracking branch 'upstream-pull/96/head' 2019-07-29 09:52:05 +00:00
nixbitcoin
d9fbb9aff2
Move electrs startscript to tempdir and fix nits 2019-07-28 17:29:52 +02:00
Jonas Nick
f707d970ae
Always chown bitcoin/liquid data directories 2019-07-12 15:32:34 +00:00
Jonas Nick
5fd3875646
Fix spark-wallet rate lookup 2019-06-16 22:27:31 +00:00
Jonas Nick
0cca1d4df8
Merge branch 'hwi-better' 2019-05-21 22:59:33 +00:00
Jonas Nick
9e913263df
Merge branch 'fix-packages' 2019-05-21 22:55:28 +00:00
Jonas Nick
2554cde92a
Add qrencode package 2019-05-18 00:00:35 +00:00
Jonas Nick
7b4cf2c450
bech32 by default 2019-05-17 23:59:15 +00:00
Jonas Nick
4ecb77250f
Merge remote-tracking branch 'upstream-pull/59/head' 2019-05-17 23:09:29 +00:00
Jonas Nick
f1445c396e
Use bitcoind consistently without GUI. The 'bitcoin' package includes the GUI. 2019-05-17 22:39:00 +00:00
Jonas Nick
3f9a2aec68
Disable miniupnpc. It's only useful for introducing vulnerabilities. 2019-05-17 22:30:16 +00:00
Jonas Nick
2a4e5fb16f
Merge branch 'hwi' 2019-05-12 18:09:17 +00:00
nixbitcoin
48f6bc5f81
Fix clightning port typo (9375 instead of 9735) 2019-05-12 18:29:22 +02:00
nixbitcoin
7416ec4a29
Limit syscalls with Docker whitelist 2019-05-10 12:42:06 +02:00
Jonas Nick
c2f8bf8067
Add support for ledger and trezor with bitcoin-core/HWI 2019-05-05 20:49:31 +00:00
Jonas Nick
54a6a3363e
Merge branch 'service-hardening' 2019-05-03 15:51:38 +00:00
Jonas Nick
e1ee5023e2
Rename service settings for 'node' to 'nodejs' to avoid confusion 2019-05-03 10:44:16 +00:00
Jonas Nick
469c1de6a9
Fix electrum after disallowing anything but localhost by adding ipv6 local address 2019-04-28 18:54:13 +00:00
Jonas Nick
7fb1cc1e93
Add security section to README 2019-04-28 13:15:17 +00:00
Jonas Nick
6f8dac6e07
Restrict namespaces for systemd services by default 2019-04-28 13:15:17 +00:00
Jonas Nick
eaaf8e9aab
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-28 13:15:17 +00:00
Jonas Nick
d9533edad1
Fix memory deny write execute for nodejs services 2019-04-28 13:15:16 +00:00
Jonas Nick
a089d65d25
Move service hardening flags into separate file 2019-04-28 13:15:12 +00:00
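An added example, not nix-bitcoin's own `nix-bitcoin-services.nix`, sketching the hardening set introduced by the commits above (`Use IPAddressAllow/Deny by default`, `Restrict namespaces`, `Fix memory deny write execute for nodejs`, `Limit syscalls with Docker whitelist`) and the two relaxations they needed: the IPv6 loopback address from `Fix electrum after disallowing anything but localhost` and the unrestricted address families from `Allow AnyProtocol for bitcoin if zmq options are set`. Option values are illustrative and the `zmqpubrawblock` option name is an assumption; verify each setting against systemd.exec(5) and systemd.resource-control(5) for the systemd version you run.

```nix
# Added example, not nix-bitcoin code. The syscall filter uses systemd's named
# groups rather than the Docker seccomp list the commit imported; the
# bitcoind zmq option name is assumed.
{ config, lib, pkgs, ... }:

let
  defaultHardening = {
    # Network: deny everything, then allow loopback on v4 AND v6. Allowing only
    # 127.0.0.1/8 broke electrum/electrs, which also connect over ::1.
    IPAddressDeny  = "any";
    IPAddressAllow = [ "127.0.0.1/8" "::1/128" ];
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    # No new user/mount/net/... namespaces from inside the service.
    RestrictNamespaces = true;

    # File system and privileges.
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    PrivateDevices = true;
    NoNewPrivileges = true;
    LockPersonality = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;

    # W^X for the process' memory. Right for bitcoind, wrong for JIT runtimes.
    MemoryDenyWriteExecute = true;

    # Syscall allow-list: the @system-service group minus privileged and
    # resource-limit calls. Each list entry becomes its own SystemCallFilter=
    # line, and systemd merges them in order.
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    SystemCallArchitectures = "native";
  };

  # Node.js services (spark-wallet, nanopos, lightning-charge) need RWX pages
  # for V8's JIT, so only that one knob is relaxed; everything else stays.
  nodejsHardening = defaultHardening // { MemoryDenyWriteExecute = false; };

  # bitcoind with ZMQ publishers enabled runs with no address-family restriction.
  allowAnyProtocol = removeAttrs defaultHardening [ "RestrictAddressFamilies" ];

  # Assumption: derive this from the zmq option your bitcoind module exposes.
  zmqEnabled = config.services.bitcoind.zmqpubrawblock != null;
in
{
  systemd.services.bitcoind.serviceConfig =
    if zmqEnabled then allowAnyProtocol else defaultHardening;

  systemd.services.spark-wallet.serviceConfig = nodejsHardening;
}
```

The point of keeping one base set and deriving the exceptions with `//` and `removeAttrs` is that every relaxation is visible at the call site: a unit either gets the full set or a named, one-line deviation from it, which is what a reviewer wants to see in a diff. After deploying, `systemd-analyze security <unit>` gives a per-option score and flags any of these settings that silently did not apply (for example `IPAddressDeny` on a host without cgroup v2 BPF support).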
0xB10C
a79c4db7a9
added missing semicolon to recurring-donations 2019-04-28 12:30:59 +02:00
nixbitcoin
37b71d87b8
electrs ssl 2019-04-26 23:41:55 +02:00
Jonas Nick
bb9aa8fb29
Fix invoice amount check in recurring-donations 2019-04-22 00:37:45 +00:00
Jonas Nick
492eab0e26
Add recurring donations module 2019-04-17 22:11:55 +00:00
Jonas Nick
c9e6397763
Merge branch 'user-config' of https://github.com/nixbitcoin/nix-bitcoin into nixbitcoin-user-config 2019-04-12 09:03:59 +00:00
Jonas Nick
58ba467ffd
Stop assuming that clightning is always enabled 2019-04-10 15:48:55 +00:00
nixbitcoin
6d723e896f
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-10 11:13:39 +02:00
Jonas Nick
0b364718d3
Make deployment faster by importing banlist in background instead of waiting for it to finish 2019-04-08 08:36:28 +00:00
nixbitcoin
8b9972f078
Fix typo "ngninx" in nix-bitcoin.nix services.onion-chef.access.operator 2019-04-06 18:56:58 +02:00
Jonas Nick
c440dfba9f
Merge branch 'electrum-server' of https://github.com/nixbitcoin/nix-bitcoin into nixbitcoin-electrum-server 2019-04-02 15:35:09 +00:00
Jonas Nick
0d5c67c1cf
Fix spark wallet QR code display by providing the onion hostname as public url 2019-04-02 15:10:21 +00:00
Jonas Nick
aba1b7dfc2
Give operator access to onion hostnames through new onion-manager module 2019-04-02 15:02:31 +00:00
nixbitcoin
4000829002
Use rust stable 1.31 instead of rust nightly for electrs, update electrs, specify electrum-rpc 2019-04-01 17:43:07 +02:00
Clemens Fruhwirth
687bf8017d Make repository importable as NUR (including an overlay)
https://github.com/nix-community/NUR is a Nix community project that
aims to make out of tree derivations more easily discoverable and
accessible to Nix users. Converting the nix-bitcoin repo to conform to
that style is a minor change and enhances reusability of its
components. For instance, I could slap the clightning module more
easily onto my existing bitcoin node without having to redeploy the
whole thing as a nixops-driven installation. Having the repo in NUR style
would make that easier.
2019-03-29 11:12:05 +01:00
Clemens Fruhwirth
95b42b62a8 Give pkgs their own directory and convert everything to callPackage. 2019-03-29 11:12:05 +01:00
Jonas Nick
bf184c17e0
fix making banlist importer wait for bitcoind to start up 2019-03-29 09:44:30 +00:00
Jonas Nick
e2f3f38876
Import bitcoind banlist in separate service 2019-03-27 10:46:36 +00:00
Clemens Fruhwirth
66d9650f48 Create /var/lib/bitcoind/blocks
Otherwise:
Mar 25 13:33:22 nix-bitcoin systemd[1]: Starting Bitcoin daemon...
Mar 25 13:33:22 nix-bitcoin f3ickn20fqrz5gd0zm7hgm247b9ajdl8-unit-script-bitcoind-pre-start[1883]: chmod: cannot access '/var/lib/bitcoind/blocks': No such fi>
Mar 25 13:33:22 nix-bitcoin systemd[1]: bitcoind.service: Control process exited, code=exited status=1
Mar 25 13:33:22 nix-bitcoin systemd[1]: bitcoind.service: Failed with result 'exit-code'.
2019-03-25 14:59:36 +01:00
Clemens Fruhwirth
5e40066c7f nanopos, lightning-charge and spark-wallet: Package via node2nix
The strategy of invoking node2nix inside a derivation (installPhase in
this case) does not work, as under NixOS installations there is no
network traffic allowed during a derivation build. Hence, we move
node2nix outside and rewrite the packaging into the modules.

Also switch to callPackage instead of plain imports. This could
probably be done on all other imported packages inside of
nix-bitcoin-pkgs.nix.
2019-03-25 14:32:55 +01:00
Jonas Nick
0c83f87233
Don't include electrs in 'all' profile 2019-03-24 20:46:33 +00:00
Jonas Nick
d39a253d20
Fix definition of high memory systems 2019-03-24 20:46:29 +00:00
Jonas Nick
7eed67278d
Merge branch 'electrum-server' of https://github.com/nixbitcoin/nix-bitcoin into nixbitcoin-electrum-server 2019-03-24 20:45:26 +00:00
nixbitcoin
eb4968d292
Add high-memory description 2019-03-24 11:38:37 +01:00
nixbitcoin
fca4af59ac
Remove mentions of electrs in the bitcoind module, set sysperms & disablewallet only when electrs is enabled, electrs enabled in "all" setting, remove unnecessary newline, make sysperms & disablewallet optional
2019-03-21 11:27:28 +01:00
nixbitcoin
fbc78ce6ed
Add Greg Maxwell's banlist to bitcoind postStart 2019-03-21 10:11:18 +01:00
nixbitcoin
d6facee486
Add config.services.liquidd.port 2019-03-18 14:17:38 +01:00
nixbitcoin
eacd057963
Fix electrs and add electrs hidden service 2019-03-16 16:11:54 +01:00
nixbitcoin
de889d584f
Add proxy and hidden service to liquidd 2019-03-14 11:19:28 +01:00
nixbitcoin
132703637c
Tor proxy, always-use-proxy, bind to localhost clightning 2019-03-07 13:37:00 +01:00
Jonas Nick
6005307129
Enable validatepegin in liquid module 2019-02-11 08:02:11 +00:00
Jonas Nick
5404907e3e
Turn off pruning 2019-02-10 18:46:07 +00:00