Commit Graph

349 Commits

Author SHA1 Message Date
Erik Arvstedt
2dd1a741f7
modules: group imports 2020-10-16 16:46:55 +02:00
Erik Arvstedt
36358066e4
spark-wallet: don't disable tor when onion-service is disabled
This fixes modules-only usage.

We can leave enabling tor and tor.client to secure-node.nix, on which
spark-wallet has a strict dependency.
2020-10-16 15:53:33 +02:00
Erik Arvstedt
24069aa2c6
electrs: add option 'monitoringPort' 2020-09-30 11:26:41 +02:00
Erik Arvstedt
611cfe5a28
electrs: remove redundant daemonrpc option 2020-09-30 11:26:41 +02:00
Erik Arvstedt
a19d3b07c2
electrs: add variable 'bitcoind' 2020-09-30 11:26:41 +02:00
Erik Arvstedt
a6dde36b87
electrs: use consistent args formatting
One line per arg.
2020-09-30 11:26:40 +02:00
Jonas Nick
c051544d46
Merge #234: loop: v0.8.1 -> v0.9.0
a89a3e934f test: increase diskSize (nixbitcoin)
24b506ff8a tests: simplify lightning-loop test (nixbitcoin)
e7c5f956ea lightning-loop: update module (nixbitcoin)
4a503f57bd lightning-loop: v0.8.1 -> v0.9.0 (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    reACK a89a3e934f
  erikarvstedt:
    I think it's okay if you would just merge 24b506ff8a, which is the direct parent of the ACK'd a89a3e934f, and removing a89a3e934f itself is totally uncontroversial.

Tree-SHA512: cee2a2714c714a22c35cea0fa829b42a371540983609cda6609f4d063d849f2e725643bd77cfe78eb71665725164d63f83b6c2589be9e72ba30aaecd7c8dee6c
2020-09-29 17:53:09 +00:00
nixbitcoin
73f4275d2a
backups: add btcpayserver database 2020-09-24 17:12:08 +00:00
nixbitcoin
e7c5f956ea
lightning-loop: update module
* commandlineArgs -> configFile
* introduce tls certs
* loop dataDir
* fix formatting and descriptions

Warning: Manual migration of existing loop data directory necessary
2020-09-24 16:40:11 +00:00
Jonas Nick
4cf31f8612
Merge #164: Add JoinMarket Clientserver
dd882753e6 joinmarket: add usage documentation (nixbitcoin)
d0701f518c joinmarket: automatically generate wallet (nixbitcoin)
d6d3e8ff62 joinmarket: add tests (nixbitcoin)
cce27da2ec backups: add joinmarket datadir to includelist (nixbitcoin)
173891fa5b joinmarket: add module (nixbitcoin)
263525d724 nix-bitcoin-services: add nb-services.privileged helper (nixbitcoin)
f00d1d24c5 joinmarket: add pkg and local dependencies (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK dd882753e6

Tree-SHA512: ad7bf56314877045bc8dc6037f966535dc3607d9e941cd03d19b610ee789307eac07447df7f93569dfa3e7553e8fc6d9757bdf8542fb123c5a2e2adec8f907a2
2020-09-22 17:16:08 +00:00
Jonas Nick
36c9c39d80
Deprecate lightning-charge and nanopos
Because we have btcpayserver now, nanopos is not really needed any more. Nanopos
was meant to be just a PoC. Lightning charge can be removed because nanopos is
the only module that depends on it.
2020-09-22 14:05:51 +00:00
nixbitcoin
d0701f518c
joinmarket: automatically generate wallet 2020-09-22 13:50:49 +00:00
nixbitcoin
cce27da2ec
backups: add joinmarket datadir to includelist 2020-09-22 13:50:43 +00:00
nixbitcoin
173891fa5b
joinmarket: add module 2020-09-22 13:50:37 +00:00
nixbitcoin
263525d724
nix-bitcoin-services: add nb-services.privileged helper 2020-09-22 13:43:15 +00:00
nixbitcoin
3cfb9d074b
btcpayserver: sqlite -> postgresql 2020-09-17 10:17:33 +00:00
nixbitcoin
f93c3c8405
backups: add nbxplorer and btcpayserver datadir to includelist 2020-09-15 12:09:33 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion 2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module 2020-09-15 12:09:12 +00:00
nixbitcoin
46d681a17e
lnd: generate custom macaroons
Create new `macaroon` option that allows any module to place its own
custom macaroon in the lnd RuntimeDirectory `/run/lnd`.
2020-09-15 12:09:02 +00:00
Erik Arvstedt
6f032e3c40
lnd: fix mnemonic file access vulnerability
Previously, the file was readable by 'other' for a short time after
creation.
2020-09-15 12:09:00 +00:00
nixbitcoin
b97584f5cb
netns: allow return traffic to outgoing connections 2020-09-15 12:08:58 +00:00
Erik Arvstedt
9d610991be
bitcoind: remove custom rpc user names
Simpler.
We've just removed option 'bitcoind.rpcuser', so we can also remove the
old name 'bitcoinrpc'.
2020-08-27 11:39:26 +02:00
Erik Arvstedt
1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled
It's not immediately clear why rpcuser/rpcpassword are needed in addition to the rpcauth
config entries.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
59434e79f0
bitcoind: simplify default rpc user name config 2020-08-26 21:16:32 +02:00
Erik Arvstedt
205829b91f
bitcoind: remove whitespace 2020-08-26 21:16:32 +02:00
Erik Arvstedt
91ebc2d517
netns-exec: simplify installation 2020-08-25 14:53:12 +02:00
Erik Arvstedt
809e754851
netns: improve bridge setup
- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
  This yields no noticable functional changes for now, but it's
  conceptually cleaner to finish the network setup before network.target
  becomes active.
- Add 'nb-' prefix to service name
2020-08-25 14:53:12 +02:00
Erik Arvstedt
b7450877a0
netns: rename bridge peer devices br-nb-veth* -> nb-veth-br*
This ensures a consistent 'nb-' namespace and simplifies the
dhcpcd.denyInterfaces rules.

Also rename vethName -> veth.
2020-08-25 14:53:12 +02:00
Erik Arvstedt
8bfb7bb2f8
netns: rename bridge br0 -> nb-br
br0 has a high risk of name clashes when nix-bitcoin used as part of a
larger config.
Use a more specific name.
2020-08-25 14:53:08 +02:00
Erik Arvstedt
32e70a7516
netns: move webindex config for modules-only usage
webindex is only available in secure-node.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
e385c73256
netns: separate implementation and service configs
This greatly improves clarity.

Especially the bitcoind-import-banlist.serviceConfig definition was out
of place.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).

To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
0f0f6ddbb9
netns: add comment about undesirable algorithmic complexity
We don't want to be Accidentally Quadratic™
2020-08-25 11:40:26 +02:00
Erik Arvstedt
a3ae8668e6
netns: use map instead of concatMap 2020-08-25 11:40:26 +02:00
Erik Arvstedt
b7fc819be5
netns: consistent var naming
n is used elsewhere in similar contexts.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
5a81693ef3
netns: add range check for netns ids 2020-08-25 11:40:26 +02:00
Erik Arvstedt
74f1610668
netns: clarify addressblock description 2020-08-25 11:40:26 +02:00
Erik Arvstedt
4eb92df08c
netns: remove redundant filter
The 'availableNetns' connection matrix only consists of enabled entries,
so no extra filtering is needed.
Reason: availableNetns starts with the filtered 'base' and is then symmetrised.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
50de54aef1
netns: remove empty connections defs
Like in the netns defintion for bitcoind.
2020-08-25 11:40:26 +02:00
Jonas Nick
0f1f105948
Merge #225: Fix process info restriction
44de5064cd security: don't restrict process info by default for module users (Erik Arvstedt)
a36789b468 test: move security tests to separate function (Erik Arvstedt)
588a0b2405 security: enable full systemd-status for group 'proc' (Erik Arvstedt)
96ea2e671c security: simplify and fix dbus configuration (Erik Arvstedt)
343e026030 rename dbus.nix -> security.nix (Erik Arvstedt)
7367446761 test: rename assert_matches_exactly -> assert_full_match (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 44de5064cd

Tree-SHA512: f782cfdc81b5d6b3da968d0221bd54420791a9f5cd89cde9e62d6d04882d921b5efe9046d975133587b5c2d711c47133b3a5a2351940899a90a28bf16218a7ad
2020-08-24 14:56:05 +00:00
Jonas Nick
322ba5bfff
Add nix-bitcoin.lib for utility functions and types 2020-08-20 21:31:24 +00:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users 2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
Previously, systemd-status was broken for all users except root.

Use a 'default' deny policy, which is overridden for group 'proc'.

Add operator to group 'proc'.

Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
96ea2e671c
security: simplify and fix dbus configuration
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.

Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.

Also, add some comments.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
343e026030
rename dbus.nix -> security.nix
This file has a broader scope than just configuring dbus.
2020-08-20 13:12:06 +02:00