Commit Graph

991 Commits

Author SHA1 Message Date
nixbitcoin
4b8ca52647
lnd: add netns cli script 2020-07-21 09:38:37 +00:00
nixbitcoin
c55296433d
lnd: add netns
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
  hiddenService.
- Amends hardcoded lnd ip to lnd-cert

WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
2020-07-21 09:38:35 +00:00
nixbitcoin
f3d2aaa5d4
lnd: prepare for netns and bring in line with clightning
- Adds bitcoind-host, and tor-socks options to allow using with
  network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
  to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
  instead of lnd to bring in line with clightning.

WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
2020-07-21 09:38:32 +00:00
nixbitcoin
3c0c446547
clightning: add netns
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
  namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
  enabled or not.
2020-07-21 09:38:30 +00:00
nixbitcoin
ae1230e13b
clightning: remove bitcoin-rpcuser option
Simplifies the clightning module.
2020-07-21 09:38:28 +00:00
nixbitcoin
65b5dab3d4
clightning: add announce-tor
From the clightning manpage:

autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or  announce-addr options  are
specified. Setting this to false disables that.

We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.

For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
2020-07-21 09:38:26 +00:00
nixbitcoin
515aae2825
bitcoind: add netns and nonetns cli scripts
nonetns script needed for bitcoind-import-banlist
2020-07-21 09:38:24 +00:00
nixbitcoin
75ca6f186c
bitcoind: add netns
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
  network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
2020-07-21 09:38:22 +00:00
nixbitcoin
e5e07b91f7
netns-isolation: netns architecture
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
  configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
  systems.
- Adds security wrapper for netns-exec which allows operator to exec
  with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
  addresses
2020-07-21 09:38:20 +00:00
Jonas Nick
4a7199a3da
netns-exec: add c program to execute commands in netns
c program allows executing commands in nb-bitcoind, nb-lnd, nb-liquidd
(the netns's needed for operator cli scripts).
2020-07-21 09:38:16 +00:00
Jonas Nick
5bb9aa5d6d
Merge #201: Update: nixpkgs and elementsd
ae364a68ad hwi: 1.0.3 -> 1.1.2 (nixbitcoin)
fe6e118bb3 elementsd: 0.18.1.3 -> 0.18.1.8 (nixbitcoin)
5ca58a2a26 nixpkgs: update stable and unstable (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ae364a68ad

Tree-SHA512: b8eb4be1ae6496586acb3d0635d6dea676f029a85f17512dccab280aaf3135fccf0455feaf17517e54af85aa5bf92d13df3194ba8893d7c7631d089b9b208b8d
2020-07-19 19:27:11 +00:00
nixbitcoin
ae364a68ad
hwi: 1.0.3 -> 1.1.2
hidapi needed to be added as a custom dependency to be able to build
from unstable.
2020-07-19 13:52:46 +00:00
nixbitcoin
fe6e118bb3
elementsd: 0.18.1.3 -> 0.18.1.8
Also includes `get-sha256.sh` to easily determine verified sha256's
2020-07-19 12:15:39 +00:00
nixbitcoin
5ca58a2a26
nixpkgs: update stable and unstable
Includes bitcoin 0.20.0 and lnd 0.10.3
2020-07-19 12:15:33 +00:00
Jonas Nick
b2d6f0929b
Merge #208: Missing folder added to path in example
56b6ce00af Missing folder added to path in example (Candle)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 56b6ce00af

Tree-SHA512: 1f32f7b528f63218e47285cfb0b899c935312d35bb0c01e6edac0820e2324eb05f1c6803a43692fde30310c8f31e56a39d7c9dddc6ef8014817606205f34c18c
2020-07-10 07:03:49 +00:00
Candle
56b6ce00af
Missing folder added to path in example 2020-07-09 14:51:16 +00:00
Jonas Nick
5563a9e10b
Merge #205: Update jonasnick's gpg key
d63bbd07b7 Update jonasnick's gpg key (Jonas Nick)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK d63bbd07b7

Tree-SHA512: 67f8b8ce434cadb760745266b41eb1441487f4176b9d6b3f98ecfc3e2d059ffe709cc1c3c07a0641448c3c2faaf813352abcc35cd831f95abbf5899a92ee772d
2020-07-08 12:16:55 +00:00
Jonas Nick
d63bbd07b7
Update jonasnick's gpg key
The subkey used for signing releases recently expired (which is ignored when
verifying with gpg). The primary key would expire soon. Therefore this commit
adds a key with extended expiry date of both primary key and subkey.
2020-07-08 12:03:57 +00:00
Jonas Nick
c93d326cfc
Merge #204: electrs: 0.8.3 -> 0.8.5
a20807b8a3 travis: fix (nixbitcoin)
e81ccb6596 electrs: 0.8.3 -> 0.8.5 (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK a20807b8a3

Tree-SHA512: 0be617a32e7daf28c9cd14e7827f13fff0176edd2dd5da210533b5758610ed66ec58acbfb5f632fb72168cdc02c2cb57565038e643ae4c0169b4752d92520bfa
2020-07-08 10:17:04 +00:00
nixbitcoin
a20807b8a3
travis: fix
Simplify installing nix package manager. Issue 2733 is fixed in nix
2.3.3 and travis installs 2.3.6.
2020-07-08 09:26:33 +00:00
nixbitcoin
e81ccb6596
electrs: 0.8.3 -> 0.8.5 2020-07-07 10:54:40 +00:00
Jonas Nick
a03597ae8e
Merge #189: Update configuration.nix
f280d54bb8 add module assertions (nixbitcoin)
23cd323ad1 assertions: add lnd, clightning exclusivity (nixbitcoin)
0ad524ca2d example config: clarify nix-bitcoin will auto-detect invalid settings (nixbitcoin)
c16924b850 example config: change hwi excluding dependency to high-memory (nixbitcoin)
0fd99c4cc0 bitcoind: simplify pruning (nixbitcoin)
b9a7a71873 example config: document enabling pruning (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK f280d54bb8

Tree-SHA512: a900dc2b95cdc01b457c65853930cb1c31b5288fab06d665207ffb2bcd1d54d75add73113ccaacd98e882d4e6674eb8393fec1ae0a01688de1b56250d5d3d3d6
2020-06-17 09:27:46 +00:00
nixbitcoin
f280d54bb8
add module assertions 2020-06-17 09:23:17 +00:00
nixbitcoin
23cd323ad1
assertions: add lnd, clightning exclusivity 2020-06-15 13:02:58 +00:00
nixbitcoin
0ad524ca2d
example config: clarify nix-bitcoin will auto-detect invalid settings 2020-06-15 10:56:01 +00:00
nixbitcoin
c16924b850
example config: change hwi excluding dependency to high-memory
HWI can be enabled if electrs is enabled as long as electrs.high-memory
is disabled.
2020-06-15 10:55:59 +00:00
nixbitcoin
0fd99c4cc0
bitcoind: simplify pruning
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
2020-06-15 10:55:57 +00:00
nixbitcoin
b9a7a71873
example config: document enabling pruning 2020-06-15 10:55:55 +00:00
Jonas Nick
919ea334a3
Merge #199: banlist: update to newest version
12adabe407 banlist: update to newest version (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 12adabe407.
  jonasnick:
    ACK 12adabe407

Tree-SHA512: 9dc7816817f524d06f40f16fb73253d2623e32eee48f7d296fb3d0682c0f0c8fd166d7d818298ffbb87004a4ee06a314282a8cff21cd451e38267c1eb97e990e
2020-06-12 20:58:35 +00:00
nixbitcoin
12adabe407
banlist: update to newest version
Received by E-Mail from gmaxwell
2020-06-11 09:23:26 +00:00
Jonas Nick
94672e8f34
Merge #188: lnd: add option for configuring REST port
03a627a06f lnd: add option for configuring REST port (Martin Milata)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 03a627a06f

Tree-SHA512: b184d5ee825382d1f104e17a091ff49fa170230e4e690323cdfd570a0c7f0bf11e57da84f39fda9169fcbead75f0c0597268f728665135e743fa7fee73a1b66c
2020-06-07 14:40:54 +00:00
Jonas Nick
16e602e2b5
Merge #190: services: use 'port' option type
db48ab9b69 services: use 'port' option type (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK db48ab9b69

Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
2020-06-05 20:40:57 +00:00
Martin Milata
03a627a06f lnd: add option for configuring REST port 2020-06-03 12:07:04 +02:00
Erik Arvstedt
db48ab9b69
services: use 'port' option type 2020-06-02 17:31:28 +02:00
Jonas Nick
8cc0b30902
Merge #174: Hardening systemd
ccc3a70344 service hardening: add more restrictions (nixbitcoin)
3fbfa98635 service hardening: replace obtuse SystemCallFilter with @system-service (nixbitcoin)
e34d1c884e service hardening: Add PrivateUsers (nixbitcoin)
1c75543f2f clightning: add user and group options (nixbitcoin)
5f3f362451 lnd: add strict hardening (Erik Arvstedt)
a040e52854 All modules: ProtectSystem = strict (nixbitcoin)
adc71b892e Remove PermissionStartOnly where possible and replace with bitcoinrpc (nixbitcoin)
91b6b2c370 All modules with preStart: Use systemd.tmpfiles.rules (nixbitcoin)
423ebf862b lnd: only enable bitcoind zmqpub if lnd.enable (nixbitcoin)
81a1c3f908 service hardening: Add CapabilityBoundingSets (nixbitcoin)
3cd61506e0 webindex & onion-chef: Run non-network-facing services in PrivateNetwork (nixbitcoin)
7c70dd43ac All modules: Give service config precedence over defaultHardening (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK ccc3a70344
  jonasnick:
    ACK ccc3a70344 very nice

Tree-SHA512: 069f74b11b46b17fd180e9da5328a3b9952aa90100b5077251d1e56a4d64f03ba64587adf153ddc6cf42f750c13a168f9f0fe43bc379bcd4a9f6709e635e512a
2020-05-26 11:17:50 +00:00
nixbitcoin
ccc3a70344
service hardening: add more restrictions
Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
2020-05-24 11:14:45 +00:00
nixbitcoin
3fbfa98635
service hardening: replace obtuse SystemCallFilter with @system-service
@system-service whitelist and additional
https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
blacklist.
2020-05-24 11:14:37 +00:00
nixbitcoin
e34d1c884e
service hardening: Add PrivateUsers
Exceptions in webindex & onion-chef
2020-05-22 16:16:19 +00:00
nixbitcoin
1c75543f2f
clightning: add user and group options 2020-05-22 16:16:17 +00:00
Erik Arvstedt
5f3f362451
lnd: add strict hardening
Add ProtectSystem=strict, remove PermissionStartOnly.

Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.

Simplify preStart and fix dataDir quoting.
2020-05-22 16:13:58 +00:00
nixbitcoin
a040e52854
All modules: ProtectSystem = strict
Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
2020-05-22 15:47:01 +00:00
nixbitcoin
adc71b892e
Remove PermissionStartOnly where possible and replace with bitcoinrpc
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)

Give reason for PermissionsStartOnly in lightning-charge

Replace PermissionsStartOnly in clightning, electrs and liquid
2020-05-22 15:04:49 +00:00
nixbitcoin
91b6b2c370
All modules with preStart: Use systemd.tmpfiles.rules
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.
2020-05-22 14:54:39 +00:00
nixbitcoin
423ebf862b
lnd: only enable bitcoind zmqpub if lnd.enable
In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.

However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
2020-05-22 14:53:33 +00:00
nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets
Whitelist with exceptions in webindex and onion-chef
2020-05-22 11:29:54 +00:00
nixbitcoin
3cd61506e0
webindex & onion-chef: Run non-network-facing services in PrivateNetwork 2020-05-22 11:29:07 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
Jonas Nick
0ac1e496b2
Merge #171: Hardening DAC
b8e10afe18 recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101 nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6 Remove bitcoinrpc group remnants (nixbitcoin)
563b210835 spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca3576 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef1 lightning-charge: add dedicated user (nixbitcoin)
e67a818297 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba clightning: remove config group read access (nixbitcoin)
04c6936ce9 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db4 electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d77 electrs: Make TLSProxy truly optional (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b8e10afe18

Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
2020-05-19 12:25:00 +00:00
nixbitcoin
b8e10afe18
recurring-donations: Run under recurring-donations user 2020-05-19 11:13:26 +00:00
nixbitcoin
5d01ea7101
nodeinfo: Convert to module and allow alternative operator username
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.

so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-19 11:13:24 +00:00