Commit Graph

770 Commits

Author SHA1 Message Date
Jonas Nick
a03597ae8e
Merge #189: Update configuration.nix
f280d54bb8 add module assertions (nixbitcoin)
23cd323ad1 assertions: add lnd, clightning exclusivity (nixbitcoin)
0ad524ca2d example config: clarify nix-bitcoin will auto-detect invalid settings (nixbitcoin)
c16924b850 example config: change hwi excluding dependency to high-memory (nixbitcoin)
0fd99c4cc0 bitcoind: simplify pruning (nixbitcoin)
b9a7a71873 example config: document enabling pruning (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK f280d54bb8

Tree-SHA512: a900dc2b95cdc01b457c65853930cb1c31b5288fab06d665207ffb2bcd1d54d75add73113ccaacd98e882d4e6674eb8393fec1ae0a01688de1b56250d5d3d3d6
2020-06-17 09:27:46 +00:00
nixbitcoin
f280d54bb8
add module assertions 2020-06-17 09:23:17 +00:00
nixbitcoin
23cd323ad1
assertions: add lnd, clightning exclusivity 2020-06-15 13:02:58 +00:00
nixbitcoin
0ad524ca2d
example config: clarify nix-bitcoin will auto-detect invalid settings 2020-06-15 10:56:01 +00:00
nixbitcoin
c16924b850
example config: change hwi excluding dependency to high-memory
HWI can be enabled if electrs is enabled as long as electrs.high-memory
is disabled.
2020-06-15 10:55:59 +00:00
nixbitcoin
0fd99c4cc0
bitcoind: simplify pruning
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
2020-06-15 10:55:57 +00:00
nixbitcoin
b9a7a71873
example config: document enabling pruning 2020-06-15 10:55:55 +00:00
Jonas Nick
919ea334a3
Merge #199: banlist: update to newest version
12adabe407 banlist: update to newest version (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 12adabe407.
  jonasnick:
    ACK 12adabe407

Tree-SHA512: 9dc7816817f524d06f40f16fb73253d2623e32eee48f7d296fb3d0682c0f0c8fd166d7d818298ffbb87004a4ee06a314282a8cff21cd451e38267c1eb97e990e
2020-06-12 20:58:35 +00:00
nixbitcoin
12adabe407
banlist: update to newest version
Received by E-Mail from gmaxwell
2020-06-11 09:23:26 +00:00
Jonas Nick
94672e8f34
Merge #188: lnd: add option for configuring REST port
03a627a06f lnd: add option for configuring REST port (Martin Milata)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 03a627a06f

Tree-SHA512: b184d5ee825382d1f104e17a091ff49fa170230e4e690323cdfd570a0c7f0bf11e57da84f39fda9169fcbead75f0c0597268f728665135e743fa7fee73a1b66c
2020-06-07 14:40:54 +00:00
Jonas Nick
16e602e2b5
Merge #190: services: use 'port' option type
db48ab9b69 services: use 'port' option type (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK db48ab9b69

Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
2020-06-05 20:40:57 +00:00
Martin Milata
03a627a06f lnd: add option for configuring REST port 2020-06-03 12:07:04 +02:00
Erik Arvstedt
db48ab9b69
services: use 'port' option type 2020-06-02 17:31:28 +02:00
Jonas Nick
8cc0b30902
Merge #174: Hardening systemd
ccc3a70344 service hardening: add more restrictions (nixbitcoin)
3fbfa98635 service hardening: replace obtuse SystemCallFilter with @system-service (nixbitcoin)
e34d1c884e service hardening: Add PrivateUsers (nixbitcoin)
1c75543f2f clightning: add user and group options (nixbitcoin)
5f3f362451 lnd: add strict hardening (Erik Arvstedt)
a040e52854 All modules: ProtectSystem = strict (nixbitcoin)
adc71b892e Remove PermissionStartOnly where possible and replace with bitcoinrpc (nixbitcoin)
91b6b2c370 All modules with preStart: Use systemd.tmpfiles.rules (nixbitcoin)
423ebf862b lnd: only enable bitcoind zmqpub if lnd.enable (nixbitcoin)
81a1c3f908 service hardening: Add CapabilityBoundingSets (nixbitcoin)
3cd61506e0 webindex & onion-chef: Run non-network-facing services in PrivateNetwork (nixbitcoin)
7c70dd43ac All modules: Give service config precedence over defaultHardening (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK ccc3a70344
  jonasnick:
    ACK ccc3a70344 very nice

Tree-SHA512: 069f74b11b46b17fd180e9da5328a3b9952aa90100b5077251d1e56a4d64f03ba64587adf153ddc6cf42f750c13a168f9f0fe43bc379bcd4a9f6709e635e512a
2020-05-26 11:17:50 +00:00
nixbitcoin
ccc3a70344
service hardening: add more restrictions
Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
2020-05-24 11:14:45 +00:00
nixbitcoin
3fbfa98635
service hardening: replace obtuse SystemCallFilter with @system-service
@system-service whitelist and additional
https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
blacklist.
2020-05-24 11:14:37 +00:00
nixbitcoin
e34d1c884e
service hardening: Add PrivateUsers
Exceptions in webindex & onion-chef
2020-05-22 16:16:19 +00:00
nixbitcoin
1c75543f2f
clightning: add user and group options 2020-05-22 16:16:17 +00:00
Erik Arvstedt
5f3f362451
lnd: add strict hardening
Add ProtectSystem=strict, remove PermissionStartOnly.

Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.

Simplify preStart and fix dataDir quoting.
2020-05-22 16:13:58 +00:00
nixbitcoin
a040e52854
All modules: ProtectSystem = strict
Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
2020-05-22 15:47:01 +00:00
nixbitcoin
adc71b892e
Remove PermissionStartOnly where possible and replace with bitcoinrpc
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)

Give reason for PermissionsStartOnly in lightning-charge

Replace PermissionsStartOnly in clightning, electrs and liquid
2020-05-22 15:04:49 +00:00
nixbitcoin
91b6b2c370
All modules with preStart: Use systemd.tmpfiles.rules
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.
2020-05-22 14:54:39 +00:00
nixbitcoin
423ebf862b
lnd: only enable bitcoind zmqpub if lnd.enable
In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.

However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
2020-05-22 14:53:33 +00:00
nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets
Whitelist with exceptions in webindex and onion-chef
2020-05-22 11:29:54 +00:00
nixbitcoin
3cd61506e0
webindex & onion-chef: Run non-network-facing services in PrivateNetwork 2020-05-22 11:29:07 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
Jonas Nick
0ac1e496b2
Merge #171: Hardening DAC
b8e10afe18 recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101 nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6 Remove bitcoinrpc group remnants (nixbitcoin)
563b210835 spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca3576 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef1 lightning-charge: add dedicated user (nixbitcoin)
e67a818297 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba clightning: remove config group read access (nixbitcoin)
04c6936ce9 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db4 electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d77 electrs: Make TLSProxy truly optional (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b8e10afe18

Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
2020-05-19 12:25:00 +00:00
nixbitcoin
b8e10afe18
recurring-donations: Run under recurring-donations user 2020-05-19 11:13:26 +00:00
nixbitcoin
5d01ea7101
nodeinfo: Convert to module and allow alternative operator username
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.

so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-19 11:13:24 +00:00
nixbitcoin
95d230d1d6
Remove bitcoinrpc group remnants 2020-05-19 11:13:22 +00:00
nixbitcoin
563b210835
spark-wallet: Run under spark-wallet user 2020-05-19 11:13:20 +00:00
nixbitcoin
205fca3576
bitcoind: only make blocksdir group-readable when dataDirReadableByGroup 2020-05-19 11:13:18 +00:00
nixbitcoin
81a04a4ef1
lightning-charge: add dedicated user 2020-05-19 11:13:16 +00:00
nixbitcoin
e67a818297
lightning-charge: 0.4.14 -> 0.4.19 2020-05-19 11:13:13 +00:00
nixbitcoin
0ba55757f8
clightning: allow group access to RPC socket 2020-05-19 11:13:12 +00:00
nixbitcoin
304dd297ba
clightning: remove config group read access 2020-05-19 11:13:05 +00:00
nixbitcoin
04c6936ce9
clightning: Remove clightning "bitcoinrpc" membership
Secrets are written to clightning config file during preStart with root
permissions because of PermissionsStartOnly.
2020-05-19 11:09:13 +00:00
nixbitcoin
393ab0fb3c
electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
2020-05-19 11:08:59 +00:00
nixbitcoin
7cfae66db4
electrs: Drop insecure TLS ciphers 2020-05-19 11:08:52 +00:00
nixbitcoin
4c139a6d77
electrs: Make TLSProxy truly optional
If TLSProxy is disabled, bypass nginx by forwarding Tor HS traffic
directly to electrs.
2020-05-19 11:08:48 +00:00
Jonas Nick
ca7f287f6d
Merge #178: examples: execute bash sessions in script environment
0f1ee5f533 examples: improve shell session usability (Erik Arvstedt)
719dcd77bb examples: execute bash sessions in script environment (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 0f1ee5f533

Tree-SHA512: efaa79b345628026543d3cd7c5449390707a189849d9b375604e319beaf8cd656e554e6097a5a317713713ebfae85464d05a469f12d9aa23d79c685232f1c5c9
2020-05-18 06:44:06 +00:00
Erik Arvstedt
0f1ee5f533
examples: improve shell session usability
- Add usage prompt when starting shell sessions

- Give all examples an uniform interface ("c") for running commands
  or starting a shell on the node.
2020-05-17 23:53:32 +02:00
Erik Arvstedt
719dcd77bb
examples: execute bash sessions in script environment
Previously, the sessions contained only explicitly exported variables
and functions.
This was fragile and in part buggy due to lacking exports.

Interactive features like user-defined aliases and functions are still
working as before.
2020-05-17 14:30:39 +02:00
Jonas Nick
e3a6ca3bb1
Merge #176: Update nixpkgs (lnd 0.10, clightning 0.8.2)
041af87ec1 Update nixpkgs (lnd 0.10, clightning 0.8.2) (Jonas Nick)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 041af87ec1

Tree-SHA512: 8f3c98090d10cfe4b496cf92bd27d8aa32542d2b7599b8bedb57dd5fd7fcc6cda35a354aee6c151bebce0ae132df6e68d49d544f3349d9ba4fd778501d992e4e
2020-05-15 16:20:25 +00:00
Jonas Nick
041af87ec1
Update nixpkgs (lnd 0.10, clightning 0.8.2) 2020-05-14 22:16:41 +00:00
Jonas Nick
93ac1ac323
Merge #169: Update spark-wallet 0.2.13 -> 0.2.14
8b2ae9c1b7 spark-wallet: update 0.2.13 -> 0.2.14 (nixbitcoin)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 3f9189d20f21f9fb569d0819102817899436877a1291d69339604a098f15ef836a5072b0054960ec2cd6dfe35732f5f9fbe490c512dfa6266a65698fc5987f91
2020-05-11 07:55:25 +00:00
nixbitcoin
8b2ae9c1b7
spark-wallet: update 0.2.13 -> 0.2.14
Download shesek's github spark-npm.tgz, verify signature, unpack
spark-npm.tgz, patch package.json to include qrcode-terminal in
dependencies, run node2nix with tmpdir as local source, replace tmpdir
spark-wallet source with shesek's github spark-npm.tgz in
node-packages.nix.

spark-wallet: erikarvstedt fixups
2020-05-10 17:12:45 +02:00
Jonas Nick
7c35b93d53
Merge #173: fix syntax error
509fca5328 fix syntax error (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 509fca5328

Tree-SHA512: 924677137216e842b65f4b7c80339ffded03e9a40678856a7372f8711b7e1c9103cde3ebd7ec57e11a2149541974cf83fa3d9458519c5b531acb6a310d9a23f3
2020-05-06 14:01:21 +00:00
Erik Arvstedt
509fca5328
fix syntax error
Fixes #172
2020-05-06 12:13:32 +02:00
Jonas Nick
ca2834a6a2
Merge #166: Update nixpkgs (stable 19.09 -> 20.03)
b9f07bf706 test: use older qemu version for travis compatibility (Erik Arvstedt)
026a22fcee use python testing from stable nixpkgs (Erik Arvstedt)
45de0d427d Travis: test electrs with unstable nixpkgs as well (Jonas Nick)
2d3a1e839e electrs: fix conditional cargoSha256 (Erik Arvstedt)
f5dbac318d nixops: fix format exception from upstream nixops (Jonas Nick)
c03ad1ccfa Update nixpkgs (stable 19.09 -> 20.03) (Jonas Nick)
b7047c7286 HWI: allow building with unstable nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK b9f07bf706

Tree-SHA512: 20766cdbe465d01b4d503e76741307a7fba403db575869c1f9cf401941b05d5afa7db735772ac235cf88a35b8e4ce49f888adfa5ee9891d4264b5ed570baaca9
2020-05-04 14:59:32 +00:00