Commit Graph

220 Commits

Author SHA1 Message Date
Erik Arvstedt
826245484e
make secrets dir location configurable
Users of the nix-bitcoin modules shouldn't be forced to add an extra
dir under root.
The secrets location is unchanged for the default node config.
2020-01-13 00:25:12 +01:00
Erik Arvstedt
b1e13e9415
simplify secrets file format
Each secret file to be deployed is now backed by one local file.
This simplifies 'setup-secrets' and the secret definitions.
Also, with the old format it was not possible to add new secrets
to secrets.nix in a simple way.

Old secrets are automatically converted to the new format when running
nix-shell.

Using the new option 'nix-bitcoin.secrets', secrets are now directly
defined by the services that use them.
2020-01-13 00:25:11 +01:00
Erik Arvstedt
314272a228
lnd, nanopos: move user and group definitions to the bottom
This is the default service formatting style in nixpkgs.
2020-01-13 00:25:11 +01:00
Erik Arvstedt
10d6b04ac8
support enabling clightning and lnd simultaneously
Needed for testing.
2020-01-12 20:02:04 +01:00
Erik Arvstedt
ad7a519284
bitcoind: wait until RPC port is open
This fixes rare failures in clightning which requires an open bitcoind
RPC port
2020-01-12 20:02:04 +01:00
Erik Arvstedt
5536b64fb3
lnd: wait until wallet is created 2020-01-12 20:02:04 +01:00
Erik Arvstedt
6f2a55d63c
lnd: wait until RPC port is open 2020-01-12 20:02:03 +01:00
Erik Arvstedt
1868bef462
lnd: add option 'rpcPort'
10009 is lnd's default port.
Needed for the following commit.
2020-01-12 20:02:03 +01:00
Erik Arvstedt
120e3e8cfe
lnd postStart: suppress curl response output
Errors are still shown
2020-01-12 20:02:03 +01:00
Erik Arvstedt
3e86637327
lnd postStart: poll for REST service availability
Improves service startup time compared to just sleeping
2020-01-12 20:02:03 +01:00
Erik Arvstedt
795c51dc01
lnd postStart: make more idiomatic
- [[]]-style tests
- indent all multi-line statements the same way
2020-01-12 20:02:03 +01:00
Erik Arvstedt
6e58beae8a
lnd: use postStart option for script
- set -e is implicit
- coreutils are in PATH and don't have to be explicitly referenced (echo is a shell builtin anyways)
- exit 0 is unneeded ('if' statements never fail)
2020-01-12 20:02:03 +01:00
Erik Arvstedt
86167c6e6d
clightning: wait until the RPC socket appears
This fixes failures with spark-wallet which requires clightning RPC
2020-01-12 20:02:02 +01:00
Erik Arvstedt
60c732a6a1
onion-chef: set RemainAfterExit, fix tor dependency
This better fits the semantics of this unit and allows for easier
automated testing whether the service is active.

wantedBy = bindsTo = after = tor.service is the simplest way to ensure
that this unit is always running/restarted in lockstep with tor.
Previously, onion-chef would have stayed inactive in the case
that tor was stopped and then later restarted.
2020-01-12 20:02:02 +01:00
Erik Arvstedt
2b9b3ba1c5
systemPackages: improve readability with shorter service references 2020-01-12 20:02:02 +01:00
Erik Arvstedt
14ecb5511a
liquid: add cli option 2020-01-12 20:02:02 +01:00
Erik Arvstedt
cd5ed39b9c
lnd: add cli option 2020-01-12 20:02:02 +01:00
Erik Arvstedt
1833b15888
clightning: add cli option
An executable is more robust to use than shell aliases.

This is also a preparation for commit 'add module test' because the
NixOS testing framework makes interactive aliases hard to use: It
unsets 'PS1' which is used by programs/bash/bash.nix to detect
interactive shells.
2020-01-12 20:02:02 +01:00
Erik Arvstedt
b90bf6691b
add generate-secrets.service 2020-01-12 20:02:01 +01:00
Erik Arvstedt
e3b47ce18a
add setup-secrets.service 2020-01-12 20:02:01 +01:00
Erik Arvstedt
437b268433
extract make-secrets.nix
Needed by the next commit.
2020-01-12 20:02:00 +01:00
Erik Arvstedt
f0a36fe0c7
add 'nix-bitcoin-services' option
1. Makes the content easily accessible for module users
2. Avoids needlessly recalculating the attrset in every client module
2020-01-12 20:02:00 +01:00
Erik Arvstedt
7aaf30501c
nix-bitcoin-services: simplify formatting 2020-01-09 10:43:30 +01:00
Erik Arvstedt
760da232e0
add nix-bitcoin pkgs namespace
Not polluting the main pkgs namespace with internal pkgs makes it
easier to integrate the nix-bitcoin modules into a larger config.

Also, by overriding the nix-bitcoin namespace, users can now easily set the
packages used by services that offer no explicit `package` option, like `clightning`.
2020-01-09 10:43:30 +01:00
Erik Arvstedt
6def181dbc
add modules.nix
Importing modules.nix enables the stand-alone use of the modules, without the
config presets of nix-bitcoin.nix.
2020-01-09 10:43:29 +01:00
Erik Arvstedt
3b842e5fe7
add nix-bitcoin-secrets.target
Remove use of nixops-specific 'keys' group and key services.
Instead:
- Add nix-bitcoin-secrets.target, which should be required by all
  units that depend on secrets. (To keep it simple, it's okay to meet
  the secrets dependency indirectly by e.g. depending on bitcoind.)

  Various secret deployment methods can use this target by
  setting up the secrets before activating the target.
  In case of nixops we just specify that nixops' keys.target comes
  before nix-bitcoin-secrets.target.

  If the target is left undefined in the case of manual secrets
  deployment, systemd will simply ignore unit dependencies on
  the target.

- Allow all users to access the secrets dir.
  The access protection for the individual secret files is unchanged.
  This allows us to drop the unit dependency on the nixops 'keys' group.
2020-01-09 10:43:29 +01:00
Erik Arvstedt
07dc3e04ac
move bitcoinrpc group definition to bitcoind
services.bitcoind has a strict dependency on the 'bitcoinrpc' group
via the 'bitcoin-rpcpassword' secret.
2019-11-27 14:05:19 +01:00
Erik Arvstedt
d61b185c3a
simplify user and group definitions 2019-11-27 14:05:19 +01:00
Jonas Nick
43507a7ce5
Update assumevalid to block 605181 2019-11-24 05:19:19 +00:00
Erik Arvstedt
c36c496507
banlist: fail on unexpected errors
Also, don't output the 'already banned' error message
2019-11-14 13:06:21 +01:00
Erik Arvstedt
e0276503ed
fixup! ignore banlist errors (like in master) 2019-11-14 13:04:42 +01:00
Erik Arvstedt
d64156e485
banlist: don't wait in preStart until bitcoind is ready
preStart is meant for short-run scripts, but bitcoind can take a long
time until it accepts commands, especially on low-powered systems.

Fixes #122
2019-11-12 19:59:06 +01:00
Erik Arvstedt
d87c50a305
banlist: simplify unit, bind to bitcoind, fix wantedBy
Type = "simple" is the default unit type.

Being wanted by bitcoind instead of a system target is more appropriate.

By binding to bitcoind, the service is automatically stopped when
bitcoind exits. This eliminates the bitcoind liveness check in preStart.
2019-11-12 19:44:44 +01:00
Erik Arvstedt
39885d37c1
banlist: simplify script, remove package
We're now directly using Greg's unmodified banlist which
simplifies the update process.

The banlist package with its dependency on the bitcoin datadir path is only
relevant for internal use within nix-bitcoin, so we can safely remove
it.

We're now using the bitcoin-cli from `services.bitcoind.package`.

Fixes #129
2019-11-12 19:42:33 +01:00
Erik Arvstedt
55e73f32e3
bitcoind: add cli option 2019-11-12 19:41:29 +01:00
Erik Arvstedt
8807b9f6b2
bitcoind: remove 'StateDirectory'
This option is useless because we're doing our own state dir management
via 'dataDir'.
2019-11-12 19:41:29 +01:00
Jonas Nick
6157a79956
Merge #118: Move zmq options from nix-bitcoin.nix to bitcoind module
0c22af03b7 Allow AnyProtocol for bitcoin if zmq options are set (and not if lnd is enabled) (Jonas Nick)
cf39d88c63 Move zmq options from nix-bitcoin.nix to bitcoind module (Jonas Nick)

Pull request description:

  ... which is a better place for this. CC @cypherpunk2140

Top commit has no ACKs.

Tree-SHA512: 47d1b95fef78ee31711b5ad5a59000adfb0fcd3bbfe82c7321d87f5a6d7c998646d3428a1c86ff9b0103b167501c8cf3b16e00d4e2b5c09425ab09f732f75a57
2019-11-09 19:47:47 +00:00
Jonas Nick
0c22af03b7
Allow AnyProtocol for bitcoin if zmq options are set (and not if lnd is enabled) 2019-11-09 19:44:06 +00:00
Jonas Nick
664c5c6762
Switch from python 3.5 to python 3.x for trezor 2019-10-28 20:59:15 +00:00
Jonas Nick
8dd27b6334
Use types.str instead of types.string to avoid warning 2019-10-28 20:59:15 +00:00
Jonas Nick
09d2df1a81
Use stable tor module instead of unstable which we had to use because stable didn't support v3 onion services 2019-10-28 20:59:15 +00:00
Jonas Nick
b2fb83c910
Use our own bitcoind module instead of nixpkgs' 2019-10-28 20:59:07 +00:00
Jonas Nick
c1d67c4cee
Update nixpkgs 2019-10-07 11:53:05 +00:00
Jonas Nick
cf39d88c63
Move zmq options from nix-bitcoin.nix to bitcoind module 2019-09-30 07:18:02 +00:00
Jonas Nick
e4d2aab561
Merge #107: Add LND support
9d029fd1af Remove lnd explicit tor onion service config (Ștefan D. Mihăilă)
1f407ef22c Remove lnd user from onion-chef (Ștefan D. Mihăilă)
5880023158 Increase xxd column size (Ștefan D. Mihăilă)
101ae3c370 Instruct user to backup channel.backup (Ștefan D. Mihăilă)
fccd91972a Fix "value is a list [...]" error when lnd is not enabled (Ștefan D. Mihăilă)
700fdf6feb Add logdir and tor.privatekeypath to lnd.conf (Ștefan D. Mihăilă)
5a2517b926 Check for existing secrets and create them  more granularly (Ștefan D. Mihăilă)
d6f961db89 Reuse lnd seed (Ștefan D. Mihăilă)
9b0753135c Add LND support (Ștefan D. Mihăilă)
4acf5cd32c Remove unused nginx.csr file (Ștefan D. Mihăilă)
19b971f21f Rename nginx certificate files (Ștefan D. Mihăilă)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 9d029fd1af

Tree-SHA512: 58ee80bcab6c3a1c4642a5d40b94e10d28311557ae7c69539fee90d6f252a6afc70b8066cc7d7ddc0a45e2675978718a369b0341c518f8ce7590cbde1403eaeb
2019-08-31 15:21:38 +00:00
Ștefan D. Mihăilă
9d029fd1af
Remove lnd explicit tor onion service config 2019-08-25 02:25:35 +02:00
Ștefan D. Mihăilă
1f407ef22c
Remove lnd user from onion-chef 2019-08-25 02:11:45 +02:00
Ștefan D. Mihăilă
5880023158
Increase xxd column size 2019-08-25 02:01:05 +02:00
Ștefan D. Mihăilă
fccd91972a
Fix "value is a list [...]" error when lnd is not enabled 2019-08-24 22:05:41 +02:00
Ștefan D. Mihăilă
700fdf6feb
Add logdir and tor.privatekeypath to lnd.conf
This will put the logs dir and tor priv keys directly in the
datadir of lnd. Before this commit, they were stored in a .lnd
dir inside the datadir.
2019-08-23 03:45:32 +02:00
Ștefan D. Mihăilă
d6f961db89
Reuse lnd seed 2019-08-22 17:03:39 +02:00
Jonas Nick
5f567ee1ed
Merge #113: Simplify clightning preStart
67a464d097 Mention problems with hardened kernel and NUCs in README (Jonas Nick)
7771a4c931 Refer to systemd man pages for hardening options (Jonas Nick)
a5e10a82d8 Simplify clightning preStart (Jonas Nick)

Pull request description:

  CC @cypherpunk2140

Top commit has no ACKs.

Tree-SHA512: aa726f29e499cc268b21cac8cd07617be591cfdaa89dd0495cb979ebd3e49cc01164af25924c554429a1d35d14167dea276f7d61877452b69f027143cc3eee97
2019-08-21 14:58:22 +00:00
Ștefan D. Mihăilă
9b0753135c
Add LND support 2019-08-20 23:54:47 +02:00
Ștefan D. Mihăilă
19b971f21f
Rename nginx certificate files 2019-08-20 16:26:35 +02:00
Jonas Nick
1c8dadd876
Add allowAnyProtocol option to nix-bitcoin-services 2019-08-19 21:11:08 +00:00
Jonas Nick
7771a4c931
Refer to systemd man pages for hardening options 2019-08-19 20:44:10 +00:00
Jonas Nick
a5e10a82d8
Simplify clightning preStart 2019-08-19 20:39:13 +00:00
Ștefan D. Mihăilă
161ee02550
style: remove extra space 2019-08-18 12:53:09 +02:00
Ștefan D. Mihăilă
4e6e05a4a8
Improve electrs ports descriptions 2019-08-18 12:53:08 +02:00
Ștefan D. Mihăilă
cd722cac1a
Fix identation 2019-08-18 12:53:08 +02:00
Ștefan D. Mihăilă
df784b341e
Expose electrs high-memory option in configuration.nix 2019-08-18 12:53:08 +02:00
Jonas Nick
b9f51e3f70
Add liquid-swap tool 2019-08-07 14:51:15 +00:00
Jonas Nick
923939fe57
Clarify liquid/elements relation 2019-08-05 20:37:29 +00:00
Jonas Nick
5edf0d7240
Replace liquidd with elementsd package 2019-08-03 14:26:31 +00:00
Jonas Nick
f58a2e62e3
Fix liquid data directory permission 2019-08-01 15:19:02 +00:00
Jonas Nick
30b04d075f
Merge remote-tracking branch 'upstream-pull/99/head' 2019-08-01 12:53:51 +00:00
nixbitcoin
8f9082f893
Enable validatepegin for Liquid 2019-08-01 10:38:05 +02:00
Jonas Nick
684a57211c
Merge remote-tracking branch 'upstream-pull/96/head' 2019-07-29 09:52:05 +00:00
nixbitcoin
d9fbb9aff2
Move electrs startscript to tempdir and fix nits 2019-07-28 17:29:52 +02:00
Jonas Nick
f707d970ae
Always chown bitcoin/liquid data directories 2019-07-12 15:32:34 +00:00
Jonas Nick
5fd3875646
Fix spark-wallet rate lookup 2019-06-16 22:27:31 +00:00
Jonas Nick
0cca1d4df8
Merge branch 'hwi-better' 2019-05-21 22:59:33 +00:00
Jonas Nick
9e913263df
Merge branch 'fix-packages' 2019-05-21 22:55:28 +00:00
Jonas Nick
2554cde92a
Add qrencode package 2019-05-18 00:00:35 +00:00
Jonas Nick
7b4cf2c450
bech32 by default 2019-05-17 23:59:15 +00:00
Jonas Nick
4ecb77250f
Merge remote-tracking branch 'upstream-pull/59/head' 2019-05-17 23:09:29 +00:00
Jonas Nick
f1445c396e
Use bitcoind consistently without GUI. The 'bitcoin' package includes the GUI. 2019-05-17 22:39:00 +00:00
Jonas Nick
3f9a2aec68
Disable miniupnpc. It's only useful for introducing vulnerabilities. 2019-05-17 22:30:16 +00:00
Jonas Nick
2a4e5fb16f
Merge branch 'hwi' 2019-05-12 18:09:17 +00:00
nixbitcoin
48f6bc5f81
Fix clightning port typo (9375 instead of 9735) 2019-05-12 18:29:22 +02:00
nixbitcoin
7416ec4a29
Limit syscalls with Docker whitelist 2019-05-10 12:42:06 +02:00
Jonas Nick
c2f8bf8067
Add support for ledger and trezor with bitcoin-core/HWI 2019-05-05 20:49:31 +00:00
Jonas Nick
54a6a3363e
Merge branch 'service-hardening' 2019-05-03 15:51:38 +00:00
Jonas Nick
e1ee5023e2
Rename service settings for 'node' to 'nodejs' to avoid confusion 2019-05-03 10:44:16 +00:00
Jonas Nick
469c1de6a9
Fix electrum after disallowing anything but localhost by adding ipv6 local address 2019-04-28 18:54:13 +00:00
Jonas Nick
7fb1cc1e93
Add security section to README 2019-04-28 13:15:17 +00:00
Jonas Nick
6f8dac6e07
Restrict namespaces for systemd services by default 2019-04-28 13:15:17 +00:00
Jonas Nick
eaaf8e9aab
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-28 13:15:17 +00:00
Jonas Nick
d9533edad1
Fix memory deny write execute for nodejs services 2019-04-28 13:15:16 +00:00
Jonas Nick
a089d65d25
Move service hardening flags into separate file 2019-04-28 13:15:12 +00:00
0xB10C
a79c4db7a9
added missing semicolon to recurring-donations 2019-04-28 12:30:59 +02:00
nixbitcoin
37b71d87b8
electrs ssl 2019-04-26 23:41:55 +02:00
Jonas Nick
bb9aa8fb29
Fix invoice amount check in recurring-donations 2019-04-22 00:37:45 +00:00
Jonas Nick
492eab0e26
Add recurring donations module 2019-04-17 22:11:55 +00:00
Jonas Nick
c9e6397763
Merge branch 'user-config' of https://github.com/nixbitcoin/nix-bitcoin into nixbitcoin-user-config 2019-04-12 09:03:59 +00:00
Jonas Nick
58ba467ffd
Stop assuming that clightning is always enabled 2019-04-10 15:48:55 +00:00
nixbitcoin
6d723e896f
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-10 11:13:39 +02:00
Jonas Nick
0b364718d3
Make deployment faster by importing banlist in background instead of waiting for it to finish 2019-04-08 08:36:28 +00:00
nixbitcoin
8b9972f078
Fix typo "ngninx" in nix-bitcoin.nix services.onion-chef.access.operator 2019-04-06 18:56:58 +02:00
Jonas Nick
c440dfba9f
Merge branch 'electrum-server' of https://github.com/nixbitcoin/nix-bitcoin into nixbitcoin-electrum-server 2019-04-02 15:35:09 +00:00