Erik Arvstedt
2dd1a741f7
modules: group imports
2020-10-16 16:46:55 +02:00
Erik Arvstedt
36358066e4
spark-wallet: don't disable tor when onion-service is disabled
...
This fixes modules-only usage.
We can leave enabling tor and tor.client to secure-node.nix, on which
spark-wallet has a strict dependency.
2020-10-16 15:53:33 +02:00
Erik Arvstedt
24069aa2c6
electrs: add option 'monitoringPort'
2020-09-30 11:26:41 +02:00
Erik Arvstedt
611cfe5a28
electrs: remove redundant daemonrpc option
2020-09-30 11:26:41 +02:00
Erik Arvstedt
a19d3b07c2
electrs: add variable 'bitcoind'
2020-09-30 11:26:41 +02:00
Erik Arvstedt
a6dde36b87
electrs: use consistent args formatting
...
One line per arg.
2020-09-30 11:26:40 +02:00
Jonas Nick
c051544d46
Merge #234 : loop: v0.8.1 -> v0.9.0
...
a89a3e934f
test: increase diskSize (nixbitcoin)
24b506ff8a
tests: simplify lightning-loop test (nixbitcoin)
e7c5f956ea
lightning-loop: update module (nixbitcoin)
4a503f57bd
lightning-loop: v0.8.1 -> v0.9.0 (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
reACK a89a3e934f
erikarvstedt:
I think it's okay if you would just merge 24b506ff8a
, which is the direct parent of the ACK'd a89a3e934f
, and removing a89a3e934f
itself is totally uncontroversial.
Tree-SHA512: cee2a2714c714a22c35cea0fa829b42a371540983609cda6609f4d063d849f2e725643bd77cfe78eb71665725164d63f83b6c2589be9e72ba30aaecd7c8dee6c
2020-09-29 17:53:09 +00:00
nixbitcoin
73f4275d2a
backups: add btcpayserver database
2020-09-24 17:12:08 +00:00
nixbitcoin
e7c5f956ea
lightning-loop: update module
...
* commandlineArgs -> configFile
* introduce tls certs
* loop dataDir
* fix formatting and descriptions
Warning: Manual migration of existing loop data directory necessary
2020-09-24 16:40:11 +00:00
Jonas Nick
4cf31f8612
Merge #164 : Add JoinMarket Clientserver
...
dd882753e6
joinmarket: add usage documentation (nixbitcoin)
d0701f518c
joinmarket: automatically generate wallet (nixbitcoin)
d6d3e8ff62
joinmarket: add tests (nixbitcoin)
cce27da2ec
backups: add joinmarket datadir to includelist (nixbitcoin)
173891fa5b
joinmarket: add module (nixbitcoin)
263525d724
nix-bitcoin-services: add nb-services.privileged helper (nixbitcoin)
f00d1d24c5
joinmarket: add pkg and local dependencies (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK dd882753e6
Tree-SHA512: ad7bf56314877045bc8dc6037f966535dc3607d9e941cd03d19b610ee789307eac07447df7f93569dfa3e7553e8fc6d9757bdf8542fb123c5a2e2adec8f907a2
2020-09-22 17:16:08 +00:00
Jonas Nick
36c9c39d80
Deprecate lightning-charge and nanopos
...
Because we have btcpayserver now, nanopos is not really needed any more. Nanopos
was meant to be just a PoC. Lightning charge can be removed because nanopos is
the only module that depends on it.
2020-09-22 14:05:51 +00:00
nixbitcoin
d0701f518c
joinmarket: automatically generate wallet
2020-09-22 13:50:49 +00:00
nixbitcoin
cce27da2ec
backups: add joinmarket datadir to includelist
2020-09-22 13:50:43 +00:00
nixbitcoin
173891fa5b
joinmarket: add module
2020-09-22 13:50:37 +00:00
nixbitcoin
263525d724
nix-bitcoin-services: add nb-services.privileged helper
2020-09-22 13:43:15 +00:00
nixbitcoin
3cfb9d074b
btcpayserver: sqlite -> postgresql
2020-09-17 10:17:33 +00:00
nixbitcoin
f93c3c8405
backups: add nbxplorer and btcpayserver datadir to includelist
2020-09-15 12:09:33 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion
2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module
2020-09-15 12:09:12 +00:00
nixbitcoin
46d681a17e
lnd: generate custom macaroons
...
Create new `macaroon` option that allows any module to place its own
custom macaroon in the lnd RuntimeDirectory `/run/lnd`.
2020-09-15 12:09:02 +00:00
Erik Arvstedt
6f032e3c40
lnd: fix mnemonic file access vulnerability
...
Previously, the file was readable by 'other' for a short time after
creation.
2020-09-15 12:09:00 +00:00
nixbitcoin
b97584f5cb
netns: allow return traffic to outgoing connections
2020-09-15 12:08:58 +00:00
Erik Arvstedt
9d610991be
bitcoind: remove custom rpc user names
...
Simpler.
We've just removed option 'bitcoind.rpcuser', so we can also remove the
old name 'bitcoinrpc'.
2020-08-27 11:39:26 +02:00
Erik Arvstedt
1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled
...
It's not immediately clear why rpcuser/rpcpassword are needed in addition to the rpcauth
config entries.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
...
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
...
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
59434e79f0
bitcoind: simplify default rpc user name config
2020-08-26 21:16:32 +02:00
Erik Arvstedt
205829b91f
bitcoind: remove whitespace
2020-08-26 21:16:32 +02:00
Erik Arvstedt
91ebc2d517
netns-exec: simplify installation
2020-08-25 14:53:12 +02:00
Erik Arvstedt
809e754851
netns: improve bridge setup
...
- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
This yields no noticable functional changes for now, but it's
conceptually cleaner to finish the network setup before network.target
becomes active.
- Add 'nb-' prefix to service name
2020-08-25 14:53:12 +02:00
Erik Arvstedt
b7450877a0
netns: rename bridge peer devices br-nb-veth* -> nb-veth-br*
...
This ensures a consistent 'nb-' namespace and simplifies the
dhcpcd.denyInterfaces rules.
Also rename vethName -> veth.
2020-08-25 14:53:12 +02:00
Erik Arvstedt
8bfb7bb2f8
netns: rename bridge br0 -> nb-br
...
br0 has a high risk of name clashes when nix-bitcoin used as part of a
larger config.
Use a more specific name.
2020-08-25 14:53:08 +02:00
Erik Arvstedt
32e70a7516
netns: move webindex config for modules-only usage
...
webindex is only available in secure-node.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
...
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions
...
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
e385c73256
netns: separate implementation and service configs
...
This greatly improves clarity.
Especially the bitcoind-import-banlist.serviceConfig definition was out
of place.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
...
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).
To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
0f0f6ddbb9
netns: add comment about undesirable algorithmic complexity
...
We don't want to be Accidentally Quadratic™
2020-08-25 11:40:26 +02:00
Erik Arvstedt
a3ae8668e6
netns: use map instead of concatMap
2020-08-25 11:40:26 +02:00
Erik Arvstedt
b7fc819be5
netns: consistent var naming
...
n is used elsewhere in similar contexts.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
5a81693ef3
netns: add range check for netns ids
2020-08-25 11:40:26 +02:00
Erik Arvstedt
74f1610668
netns: clarify addressblock description
2020-08-25 11:40:26 +02:00
Erik Arvstedt
4eb92df08c
netns: remove redundant filter
...
The 'availableNetns' connection matrix only consists of enabled entries,
so no extra filtering is needed.
Reason: availableNetns starts with the filtered 'base' and is then symmetrised.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
50de54aef1
netns: remove empty connections defs
...
Like in the netns defintion for bitcoind.
2020-08-25 11:40:26 +02:00
Jonas Nick
0f1f105948
Merge #225 : Fix process info restriction
...
44de5064cd
security: don't restrict process info by default for module users (Erik Arvstedt)
a36789b468
test: move security tests to separate function (Erik Arvstedt)
588a0b2405
security: enable full systemd-status for group 'proc' (Erik Arvstedt)
96ea2e671c
security: simplify and fix dbus configuration (Erik Arvstedt)
343e026030
rename dbus.nix -> security.nix (Erik Arvstedt)
7367446761
test: rename assert_matches_exactly -> assert_full_match (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 44de5064cd
Tree-SHA512: f782cfdc81b5d6b3da968d0221bd54420791a9f5cd89cde9e62d6d04882d921b5efe9046d975133587b5c2d711c47133b3a5a2351940899a90a28bf16218a7ad
2020-08-24 14:56:05 +00:00
Jonas Nick
322ba5bfff
Add nix-bitcoin.lib for utility functions and types
2020-08-20 21:31:24 +00:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users
2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
...
Previously, systemd-status was broken for all users except root.
Use a 'default' deny policy, which is overridden for group 'proc'.
Add operator to group 'proc'.
Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
96ea2e671c
security: simplify and fix dbus configuration
...
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.
Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.
Also, add some comments.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
343e026030
rename dbus.nix -> security.nix
...
This file has a broader scope than just configuring dbus.
2020-08-20 13:12:06 +02:00