Erik Arvstedt
b4b607dfa5
netns: simplify firewall setup
2020-10-29 22:36:20 +01:00
Erik Arvstedt
25639cec42
netns: fix error msg when starting netns
...
Previously, the failing initial `netns delete` resulted in a
"Cannot remove namespace file ..." error visible in the journal
and status output.
2020-10-29 21:21:30 +01:00
Erik Arvstedt
67068afd6b
netns: fix error when stopping netns
...
A short time after `netns delete` finishes, the peer link in the main
netns is automatically removed.
When `link del` is run before that, it fails with
`Cannot find device "nb-veth-br-*"` and the netns service enters a failed state.
2020-10-29 21:21:30 +01:00
Erik Arvstedt
8da01fe8a6
lightning-loop: allow RPC access from main netns
...
Note that this also exposes the REST server, which is secured by
macaroon auth like the RPC server.
2020-10-29 21:21:29 +01:00
Erik Arvstedt
d76b080b74
lightning-loop: add RPC and REST server options
2020-10-29 21:21:29 +01:00
Erik Arvstedt
e66636ef0e
liquidd: use type str for rpcbind
2020-10-29 21:21:29 +01:00
Erik Arvstedt
de23fdd377
lnd: use type str for rpclisten, restlisten
2020-10-29 21:21:28 +01:00
Erik Arvstedt
8b053326cc
bitcoind: use type str for rpcbind
...
Extra RPC bind addresses can still be added via extraConfig.
2020-10-29 21:21:28 +01:00
Erik Arvstedt
6903e8afcc
netns-liquidd: allow RPC access from main netns
2020-10-29 21:21:28 +01:00
Erik Arvstedt
82f4901880
netns-lnd: allow RPC access from main netns
2020-10-29 21:21:27 +01:00
Erik Arvstedt
58d24e735d
netns-bitcoind: allow RPC access from main netns
2020-10-29 21:21:27 +01:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
...
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
0cc8caa737
lnd: only set tor.active on enforceTor
...
This also enables the test scenario 'netnsRegtest' introduced in a
later commit by fixing the following bug:
For unknown reasons, when tor.active=true and tor is not running, lnd
fails with a tor connection error on netns-isolation, but runs fine
without netns-isolation.
2020-10-29 21:21:26 +01:00
Erik Arvstedt
5e0e16529c
netns: fix default addressblock value type
...
Also remove redundant definition in secure-node.nix
2020-10-20 18:21:37 +02:00
Jonas Nick
6933b0ef47
Merge #251 : Services: Auto-enable dependencies
...
67e49fe415
services: auto-enable dependencies (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 67e49fe415
Tree-SHA512: 6e0f2e2ca4acdb7c5edd41eb3b56a9e95fc6d2ea9cfd08c1142429f88455c9d771f2f2be6339336448a289632f9768c4ae8f6c307038c5aa69c48b303043dda0
2020-10-20 11:17:10 +00:00
Erik Arvstedt
67e49fe415
services: auto-enable dependencies
2020-10-19 14:55:59 +02:00
nixbitcoin
486f385fdd
lightning-loop: 0.9.0 -> 0.10.0
...
Includes macaroon authentication
2020-10-19 08:59:14 +00:00
Jonas Nick
06cba7b519
Merge #249 : Add regtest support
...
9951f10e74
test: add scenario 'regtest' (Erik Arvstedt)
1f96ca67c5
electrs test: make service shutdown optional (Erik Arvstedt)
eb42fc8e06
test: extract test 'joinmarket-yieldgenerator' (Erik Arvstedt)
06b2ec5b02
joinmarket: add regtest support (Erik Arvstedt)
975b30c90e
joinmarket: don't hardcode bitcoind rpc port (Erik Arvstedt)
031df4231f
joinmarket: move comment out of config file (Erik Arvstedt)
848c4c6eda
joinmarket: add variable 'bitcoind' (Erik Arvstedt)
96b08f5d60
btcpayserver: add regtest support (Erik Arvstedt)
bd2145dc77
btcpayserver: add 'port' option (Erik Arvstedt)
001f8fe8d3
btcpayserver: use option bitcoind.rpc.port (Erik Arvstedt)
6f4715ac2a
electrs: add regtest support (Erik Arvstedt)
46efd141a1
lightning-loop: add regtest support (Erik Arvstedt)
75ec85bea2
lnd: add regtest support (Erik Arvstedt)
1935c252ec
lnd: remove redundant option 'bitcoind-host' (Erik Arvstedt)
b1a8629223
lnd: add variable 'bitcoind' (Erik Arvstedt)
937aee0062
spark-wallet: add regtest support (Erik Arvstedt)
47d611b5ef
spark-wallet: use tor rate provider only when enforceTor (Erik Arvstedt)
127b186c3c
spark-wallet: simplify start script (Erik Arvstedt)
0f32f3c99e
clightning: add regtest support (Erik Arvstedt)
c24ac5d363
clightning: remove redundant option 'bitcoin-rpcconnect' (Erik Arvstedt)
abd32cde30
clightning: enable config file read access for group (Erik Arvstedt)
ddadaed3da
clightning: always use bind-addr in config (Erik Arvstedt)
9e928e2097
bitcoind: add regtest support (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 9951f10e74
Tree-SHA512: 42e2d95755a16b59044e400bc4c9d891bfc22eb73b920fdcf29e607f7df88de599bec99677cf49be7c275c0113a2224a45b1f47f40c029878421eae1a44f3254
2020-10-17 13:04:27 +00:00
Erik Arvstedt
d3ece59919
add module 'versioning'
2020-10-16 23:23:00 +02:00
Erik Arvstedt
06b2ec5b02
joinmarket: add regtest support
2020-10-16 18:01:52 +02:00
Erik Arvstedt
975b30c90e
joinmarket: don't hardcode bitcoind rpc port
2020-10-16 18:01:52 +02:00
Erik Arvstedt
031df4231f
joinmarket: move comment out of config file
2020-10-16 18:01:52 +02:00
Erik Arvstedt
848c4c6eda
joinmarket: add variable 'bitcoind'
2020-10-16 18:01:52 +02:00
Erik Arvstedt
96b08f5d60
btcpayserver: add regtest support
2020-10-16 18:01:52 +02:00
Erik Arvstedt
bd2145dc77
btcpayserver: add 'port' option
2020-10-16 18:01:51 +02:00
Erik Arvstedt
001f8fe8d3
btcpayserver: use option bitcoind.rpc.port
2020-10-16 18:01:51 +02:00
Erik Arvstedt
6f4715ac2a
electrs: add regtest support
2020-10-16 18:01:51 +02:00
Erik Arvstedt
46efd141a1
lightning-loop: add regtest support
2020-10-16 18:01:51 +02:00
Erik Arvstedt
75ec85bea2
lnd: add regtest support
2020-10-16 18:01:51 +02:00
Erik Arvstedt
1935c252ec
lnd: remove redundant option 'bitcoind-host'
...
Also set bitcoind rpc port.
2020-10-16 18:01:51 +02:00
Erik Arvstedt
b1a8629223
lnd: add variable 'bitcoind'
2020-10-16 18:01:51 +02:00
Erik Arvstedt
937aee0062
spark-wallet: add regtest support
2020-10-16 18:01:50 +02:00
Erik Arvstedt
47d611b5ef
spark-wallet: use tor rate provider only when enforceTor
2020-10-16 18:01:50 +02:00
Erik Arvstedt
127b186c3c
spark-wallet: simplify start script
...
Also:
- quote paths
- use long form args
2020-10-16 18:01:50 +02:00
Erik Arvstedt
0f32f3c99e
clightning: add regtest support
2020-10-16 18:01:50 +02:00
Erik Arvstedt
c24ac5d363
clightning: remove redundant option 'bitcoin-rpcconnect'
2020-10-16 18:01:50 +02:00
Erik Arvstedt
abd32cde30
clightning: enable config file read access for group
...
Enables lightning-cli group access when nonstandard config options are set.
2020-10-16 18:01:50 +02:00
Erik Arvstedt
ddadaed3da
clightning: always use bind-addr in config
...
bind-addr can't be null.
2020-10-16 18:01:50 +02:00
Erik Arvstedt
9e928e2097
bitcoind: add regtest support
...
Remove unsupported option 'testnet'.
2020-10-16 18:01:49 +02:00
Erik Arvstedt
7d1797cec7
clightning: add option 'extraConfig'
2020-10-16 16:46:56 +02:00
Erik Arvstedt
e0117d56d1
spark-wallet: fix always-on onion-chef setting
...
Previously, the service failed when onion-service was disabled.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
480d0d3959
liquid: fix bitcoin rpc settings
...
- Remove redundant option mainchainrpchost.
This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
Enables use without secure-node.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module
2020-10-16 16:46:55 +02:00
Erik Arvstedt
2dd1a741f7
modules: group imports
2020-10-16 16:46:55 +02:00
Erik Arvstedt
36358066e4
spark-wallet: don't disable tor when onion-service is disabled
...
This fixes modules-only usage.
We can leave enabling tor and tor.client to secure-node.nix, on which
spark-wallet has a strict dependency.
2020-10-16 15:53:33 +02:00
Erik Arvstedt
24069aa2c6
electrs: add option 'monitoringPort'
2020-09-30 11:26:41 +02:00
Erik Arvstedt
611cfe5a28
electrs: remove redundant daemonrpc option
2020-09-30 11:26:41 +02:00
Erik Arvstedt
a19d3b07c2
electrs: add variable 'bitcoind'
2020-09-30 11:26:41 +02:00
Erik Arvstedt
a6dde36b87
electrs: use consistent args formatting
...
One line per arg.
2020-09-30 11:26:40 +02:00
Jonas Nick
c051544d46
Merge #234 : loop: v0.8.1 -> v0.9.0
...
a89a3e934f
test: increase diskSize (nixbitcoin)
24b506ff8a
tests: simplify lightning-loop test (nixbitcoin)
e7c5f956ea
lightning-loop: update module (nixbitcoin)
4a503f57bd
lightning-loop: v0.8.1 -> v0.9.0 (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
reACK a89a3e934f
erikarvstedt:
I think it's okay if you would just merge 24b506ff8a
, which is the direct parent of the ACK'd a89a3e934f
, and removing a89a3e934f
itself is totally uncontroversial.
Tree-SHA512: cee2a2714c714a22c35cea0fa829b42a371540983609cda6609f4d063d849f2e725643bd77cfe78eb71665725164d63f83b6c2589be9e72ba30aaecd7c8dee6c
2020-09-29 17:53:09 +00:00
nixbitcoin
73f4275d2a
backups: add btcpayserver database
2020-09-24 17:12:08 +00:00
nixbitcoin
e7c5f956ea
lightning-loop: update module
...
* commandlineArgs -> configFile
* introduce tls certs
* loop dataDir
* fix formatting and descriptions
Warning: Manual migration of existing loop data directory necessary
2020-09-24 16:40:11 +00:00
Jonas Nick
4cf31f8612
Merge #164 : Add JoinMarket Clientserver
...
dd882753e6
joinmarket: add usage documentation (nixbitcoin)
d0701f518c
joinmarket: automatically generate wallet (nixbitcoin)
d6d3e8ff62
joinmarket: add tests (nixbitcoin)
cce27da2ec
backups: add joinmarket datadir to includelist (nixbitcoin)
173891fa5b
joinmarket: add module (nixbitcoin)
263525d724
nix-bitcoin-services: add nb-services.privileged helper (nixbitcoin)
f00d1d24c5
joinmarket: add pkg and local dependencies (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK dd882753e6
Tree-SHA512: ad7bf56314877045bc8dc6037f966535dc3607d9e941cd03d19b610ee789307eac07447df7f93569dfa3e7553e8fc6d9757bdf8542fb123c5a2e2adec8f907a2
2020-09-22 17:16:08 +00:00
Jonas Nick
36c9c39d80
Deprecate lightning-charge and nanopos
...
Because we have btcpayserver now, nanopos is not really needed any more. Nanopos
was meant to be just a PoC. Lightning charge can be removed because nanopos is
the only module that depends on it.
2020-09-22 14:05:51 +00:00
nixbitcoin
d0701f518c
joinmarket: automatically generate wallet
2020-09-22 13:50:49 +00:00
nixbitcoin
cce27da2ec
backups: add joinmarket datadir to includelist
2020-09-22 13:50:43 +00:00
nixbitcoin
173891fa5b
joinmarket: add module
2020-09-22 13:50:37 +00:00
nixbitcoin
263525d724
nix-bitcoin-services: add nb-services.privileged helper
2020-09-22 13:43:15 +00:00
nixbitcoin
3cfb9d074b
btcpayserver: sqlite -> postgresql
2020-09-17 10:17:33 +00:00
nixbitcoin
f93c3c8405
backups: add nbxplorer and btcpayserver datadir to includelist
2020-09-15 12:09:33 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion
2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module
2020-09-15 12:09:12 +00:00
nixbitcoin
46d681a17e
lnd: generate custom macaroons
...
Create new `macaroon` option that allows any module to place its own
custom macaroon in the lnd RuntimeDirectory `/run/lnd`.
2020-09-15 12:09:02 +00:00
Erik Arvstedt
6f032e3c40
lnd: fix mnemonic file access vulnerability
...
Previously, the file was readable by 'other' for a short time after
creation.
2020-09-15 12:09:00 +00:00
nixbitcoin
b97584f5cb
netns: allow return traffic to outgoing connections
2020-09-15 12:08:58 +00:00
Erik Arvstedt
9d610991be
bitcoind: remove custom rpc user names
...
Simpler.
We've just removed option 'bitcoind.rpcuser', so we can also remove the
old name 'bitcoinrpc'.
2020-08-27 11:39:26 +02:00
Erik Arvstedt
1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled
...
It's not immediately clear why rpcuser/rpcpassword are needed in addition to the rpcauth
config entries.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
...
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
...
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
59434e79f0
bitcoind: simplify default rpc user name config
2020-08-26 21:16:32 +02:00
Erik Arvstedt
205829b91f
bitcoind: remove whitespace
2020-08-26 21:16:32 +02:00
Erik Arvstedt
91ebc2d517
netns-exec: simplify installation
2020-08-25 14:53:12 +02:00
Erik Arvstedt
809e754851
netns: improve bridge setup
...
- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
This yields no noticable functional changes for now, but it's
conceptually cleaner to finish the network setup before network.target
becomes active.
- Add 'nb-' prefix to service name
2020-08-25 14:53:12 +02:00
Erik Arvstedt
b7450877a0
netns: rename bridge peer devices br-nb-veth* -> nb-veth-br*
...
This ensures a consistent 'nb-' namespace and simplifies the
dhcpcd.denyInterfaces rules.
Also rename vethName -> veth.
2020-08-25 14:53:12 +02:00
Erik Arvstedt
8bfb7bb2f8
netns: rename bridge br0 -> nb-br
...
br0 has a high risk of name clashes when nix-bitcoin used as part of a
larger config.
Use a more specific name.
2020-08-25 14:53:08 +02:00
Erik Arvstedt
32e70a7516
netns: move webindex config for modules-only usage
...
webindex is only available in secure-node.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
...
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions
...
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
e385c73256
netns: separate implementation and service configs
...
This greatly improves clarity.
Especially the bitcoind-import-banlist.serviceConfig definition was out
of place.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
...
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).
To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
0f0f6ddbb9
netns: add comment about undesirable algorithmic complexity
...
We don't want to be Accidentally Quadratic™
2020-08-25 11:40:26 +02:00
Erik Arvstedt
a3ae8668e6
netns: use map instead of concatMap
2020-08-25 11:40:26 +02:00
Erik Arvstedt
b7fc819be5
netns: consistent var naming
...
n is used elsewhere in similar contexts.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
5a81693ef3
netns: add range check for netns ids
2020-08-25 11:40:26 +02:00
Erik Arvstedt
74f1610668
netns: clarify addressblock description
2020-08-25 11:40:26 +02:00
Erik Arvstedt
4eb92df08c
netns: remove redundant filter
...
The 'availableNetns' connection matrix only consists of enabled entries,
so no extra filtering is needed.
Reason: availableNetns starts with the filtered 'base' and is then symmetrised.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
50de54aef1
netns: remove empty connections defs
...
Like in the netns defintion for bitcoind.
2020-08-25 11:40:26 +02:00
Jonas Nick
0f1f105948
Merge #225 : Fix process info restriction
...
44de5064cd
security: don't restrict process info by default for module users (Erik Arvstedt)
a36789b468
test: move security tests to separate function (Erik Arvstedt)
588a0b2405
security: enable full systemd-status for group 'proc' (Erik Arvstedt)
96ea2e671c
security: simplify and fix dbus configuration (Erik Arvstedt)
343e026030
rename dbus.nix -> security.nix (Erik Arvstedt)
7367446761
test: rename assert_matches_exactly -> assert_full_match (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 44de5064cd
Tree-SHA512: f782cfdc81b5d6b3da968d0221bd54420791a9f5cd89cde9e62d6d04882d921b5efe9046d975133587b5c2d711c47133b3a5a2351940899a90a28bf16218a7ad
2020-08-24 14:56:05 +00:00
Jonas Nick
322ba5bfff
Add nix-bitcoin.lib for utility functions and types
2020-08-20 21:31:24 +00:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users
2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
...
Previously, systemd-status was broken for all users except root.
Use a 'default' deny policy, which is overridden for group 'proc'.
Add operator to group 'proc'.
Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
96ea2e671c
security: simplify and fix dbus configuration
...
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.
Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.
Also, add some comments.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
343e026030
rename dbus.nix -> security.nix
...
This file has a broader scope than just configuring dbus.
2020-08-20 13:12:06 +02:00
nixbitcoin
e4fb7a52de
backups: add module
2020-08-04 15:25:37 +00:00
Jonas Nick
62f83a71b8
Merge #218 : Fix typos
...
df89ceed39
Fix typos (practicalswift)
Pull request description:
ACKs for top commit:
jonasnick:
ACK df89ceed39
Tree-SHA512: 8cd04469dd0c46259790f00f380a840c22f10424c2504a7667e70cfdb03f30801e34f3c53aeffc9259a971484d4a12f1dbe5ceade493c8559e8c00ec011e7c73
2020-08-04 15:13:09 +00:00
nixbitcoin
e650df30d5
bitcoind: bump rpcthread count
2020-08-04 14:46:57 +00:00
nixbitcoin
ac96fd59db
assertions: make lnd.enable depend on !clightning.enable or port != 9735
2020-08-04 14:07:10 +00:00
nixbitcoin
3ed564ea06
lnd: make listen IP address only
2020-08-04 14:07:08 +00:00
nixbitcoin
716e98789c
lnd: add listenPort option
2020-08-04 14:07:06 +00:00
nixbitcoin
43da15557d
clightning: refactor bind-addr to be IP address only
...
With typecheck
2020-08-04 14:07:02 +00:00
practicalswift
df89ceed39
Fix typos
2020-08-04 13:32:06 +00:00
nixbitcoin
d99ccc8445
clightning: add bindport option
2020-08-04 12:42:57 +00:00
Jonas Nick
0baeb2acce
Merge #209 : Lightning loop
...
e9204946d4
lightning-loop: add tests (nixbitcoin)
491d83a658
lightning-loop: add module (nixbitcoin)
8f3588b13f
lnd: higher attempt limit for less-powerful machines (nixbitcoin)
1bb801ad7b
lightning-loop: add pkg (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK e9204946d4
Tree-SHA512: cc8bb85978350dd530c3c8d2c9aca5ddc4ab1f72cdd27d031bb303eca1d9473f18e45bc119c62bb2991faa32b3e1d42e4439f02a56ab3a6b975b0bd491195604
2020-07-28 20:02:12 +00:00
nixbitcoin
491d83a658
lightning-loop: add module
2020-07-28 15:55:52 +00:00
nixbitcoin
8f3588b13f
lnd: higher attempt limit for less-powerful machines
...
Opening main database sometimes takes longer than 50 ExecStartPost
restPort connection attempts.
2020-07-28 15:55:50 +00:00
nixbitcoin
5086fc3234
bitcoin: drive-by prune fix
2020-07-28 14:32:54 +00:00
nixbitcoin
1bf45a9547
bitcoind: add rpcwhitelist feature
...
Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
2020-07-28 14:32:50 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
...
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
nixbitcoin
0248e6493f
systemd: lock down systemctl status
...
Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
2020-07-28 11:28:09 +00:00
nixbitcoin
4dbc348921
electrs: remove TLSProxy
...
https://github.com/spesmilo/electrum/issues/5278 was resolved
2020-07-21 13:41:03 +00:00
nixbitcoin
02853067a1
bitcoind: postStart wait until bitcoind can receive rpc calls
2020-07-21 13:23:07 +00:00
nixbitcoin
25adce29e5
secure-node: only mkHiddenServices if services are enabled
2020-07-21 09:38:55 +00:00
nixbitcoin
c542b92e55
nginx: add netns
...
- Adds nginx to netns-isolation.services
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:53 +00:00
nixbitcoin
ef89607704
recurring-donations: add netns
...
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
services
- Removes torsocks dependency in favor of `curl --socks-hostname`
2020-07-21 09:38:51 +00:00
nixbitcoin
582cb86d74
nanopos: add netns
...
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
services
- Adds charged-url option to allow using nanopos with network
namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
2020-07-21 09:38:49 +00:00
nixbitcoin
7369f0a7ec
lightning-charge: add netns
...
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
services
- Adds extraArgs option to allow using lightning-charge with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:47 +00:00
nixbitcoin
c4ab73d51f
spark-wallet: add netns
...
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
2020-07-21 09:38:45 +00:00
nixbitcoin
d6296acaba
electrs: add netns
...
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:43 +00:00
nixbitcoin
c0b02ac93a
liquid: add netns cli script
2020-07-21 09:38:41 +00:00
nixbitcoin
672a416ede
liquidd: add netns
...
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
2020-07-21 09:38:39 +00:00
nixbitcoin
4b8ca52647
lnd: add netns cli script
2020-07-21 09:38:37 +00:00
nixbitcoin
c55296433d
lnd: add netns
...
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
hiddenService.
- Amends hardcoded lnd ip to lnd-cert
WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
2020-07-21 09:38:35 +00:00
nixbitcoin
f3d2aaa5d4
lnd: prepare for netns and bring in line with clightning
...
- Adds bitcoind-host, and tor-socks options to allow using with
network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
instead of lnd to bring in line with clightning.
WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
2020-07-21 09:38:32 +00:00
nixbitcoin
3c0c446547
clightning: add netns
...
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
enabled or not.
2020-07-21 09:38:30 +00:00
nixbitcoin
ae1230e13b
clightning: remove bitcoin-rpcuser option
...
Simplifies the clightning module.
2020-07-21 09:38:28 +00:00
nixbitcoin
65b5dab3d4
clightning: add announce-tor
...
From the clightning manpage:
autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or announce-addr options are
specified. Setting this to false disables that.
We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.
For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
2020-07-21 09:38:26 +00:00
nixbitcoin
515aae2825
bitcoind: add netns and nonetns cli scripts
...
nonetns script needed for bitcoind-import-banlist
2020-07-21 09:38:24 +00:00
nixbitcoin
75ca6f186c
bitcoind: add netns
...
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
2020-07-21 09:38:22 +00:00
nixbitcoin
e5e07b91f7
netns-isolation: netns architecture
...
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
systems.
- Adds security wrapper for netns-exec which allows operator to exec
with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
addresses
2020-07-21 09:38:20 +00:00
Jonas Nick
a03597ae8e
Merge #189 : Update configuration.nix
...
f280d54bb8
add module assertions (nixbitcoin)
23cd323ad1
assertions: add lnd, clightning exclusivity (nixbitcoin)
0ad524ca2d
example config: clarify nix-bitcoin will auto-detect invalid settings (nixbitcoin)
c16924b850
example config: change hwi excluding dependency to high-memory (nixbitcoin)
0fd99c4cc0
bitcoind: simplify pruning (nixbitcoin)
b9a7a71873
example config: document enabling pruning (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK f280d54bb8
Tree-SHA512: a900dc2b95cdc01b457c65853930cb1c31b5288fab06d665207ffb2bcd1d54d75add73113ccaacd98e882d4e6674eb8393fec1ae0a01688de1b56250d5d3d3d6
2020-06-17 09:27:46 +00:00
nixbitcoin
f280d54bb8
add module assertions
2020-06-17 09:23:17 +00:00
nixbitcoin
23cd323ad1
assertions: add lnd, clightning exclusivity
2020-06-15 13:02:58 +00:00
nixbitcoin
0fd99c4cc0
bitcoind: simplify pruning
...
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
2020-06-15 10:55:57 +00:00
nixbitcoin
12adabe407
banlist: update to newest version
...
Received by E-Mail from gmaxwell
2020-06-11 09:23:26 +00:00
Jonas Nick
94672e8f34
Merge #188 : lnd: add option for configuring REST port
...
03a627a06f
lnd: add option for configuring REST port (Martin Milata)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 03a627a06f
Tree-SHA512: b184d5ee825382d1f104e17a091ff49fa170230e4e690323cdfd570a0c7f0bf11e57da84f39fda9169fcbead75f0c0597268f728665135e743fa7fee73a1b66c
2020-06-07 14:40:54 +00:00
Jonas Nick
16e602e2b5
Merge #190 : services: use 'port' option type
...
db48ab9b69
services: use 'port' option type (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK db48ab9b69
Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
2020-06-05 20:40:57 +00:00
Martin Milata
03a627a06f
lnd: add option for configuring REST port
2020-06-03 12:07:04 +02:00
Erik Arvstedt
db48ab9b69
services: use 'port' option type
2020-06-02 17:31:28 +02:00
nixbitcoin
ccc3a70344
service hardening: add more restrictions
...
Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
2020-05-24 11:14:45 +00:00
nixbitcoin
3fbfa98635
service hardening: replace obtuse SystemCallFilter with @system-service
...
@system-service whitelist and additional
https://docs-stage.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
blacklist.
2020-05-24 11:14:37 +00:00
nixbitcoin
e34d1c884e
service hardening: Add PrivateUsers
...
Exceptions in webindex & onion-chef
2020-05-22 16:16:19 +00:00
nixbitcoin
1c75543f2f
clightning: add user and group options
2020-05-22 16:16:17 +00:00
Erik Arvstedt
5f3f362451
lnd: add strict hardening
...
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
2020-05-22 16:13:58 +00:00
nixbitcoin
a040e52854
All modules: ProtectSystem = strict
...
Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
2020-05-22 15:47:01 +00:00
nixbitcoin
adc71b892e
Remove PermissionStartOnly where possible and replace with bitcoinrpc
...
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
2020-05-22 15:04:49 +00:00
nixbitcoin
91b6b2c370
All modules with preStart: Use systemd.tmpfiles.rules
...
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265 . This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.
2020-05-22 14:54:39 +00:00
nixbitcoin
423ebf862b
lnd: only enable bitcoind zmqpub if lnd.enable
...
In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
2020-05-22 14:53:33 +00:00
nixbitcoin
81a1c3f908
service hardening: Add CapabilityBoundingSets
...
Whitelist with exceptions in webindex and onion-chef
2020-05-22 11:29:54 +00:00
nixbitcoin
3cd61506e0
webindex & onion-chef: Run non-network-facing services in PrivateNetwork
2020-05-22 11:29:07 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
...
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
nixbitcoin
b8e10afe18
recurring-donations: Run under recurring-donations user
2020-05-19 11:13:26 +00:00
nixbitcoin
5d01ea7101
nodeinfo: Convert to module and allow alternative operator username
...
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.
so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
2020-05-19 11:13:24 +00:00
nixbitcoin
95d230d1d6
Remove bitcoinrpc group remnants
2020-05-19 11:13:22 +00:00
nixbitcoin
563b210835
spark-wallet: Run under spark-wallet user
2020-05-19 11:13:20 +00:00
nixbitcoin
205fca3576
bitcoind: only make blocksdir group-readable when dataDirReadableByGroup
2020-05-19 11:13:18 +00:00
nixbitcoin
81a04a4ef1
lightning-charge: add dedicated user
2020-05-19 11:13:16 +00:00
nixbitcoin
0ba55757f8
clightning: allow group access to RPC socket
2020-05-19 11:13:12 +00:00
nixbitcoin
304dd297ba
clightning: remove config group read access
2020-05-19 11:13:05 +00:00
nixbitcoin
04c6936ce9
clightning: Remove clightning "bitcoinrpc" membership
...
Secrets are written to clightning config file during preStart with root
permissions because of PermissionsStartOnly.
2020-05-19 11:09:13 +00:00
nixbitcoin
393ab0fb3c
electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes
...
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
2020-05-19 11:08:59 +00:00
nixbitcoin
7cfae66db4
electrs: Drop insecure TLS ciphers
2020-05-19 11:08:52 +00:00
nixbitcoin
4c139a6d77
electrs: Make TLSProxy truly optional
...
If TLSProxy is disabled, bypass nginx by forwarding Tor HS traffic
directly to electrs.
2020-05-19 11:08:48 +00:00
Erik Arvstedt
509fca5328
fix syntax error
...
Fixes #172
2020-05-06 12:13:32 +02:00
nixbitcoin
159f551b93
Remove bitcoin, clightning, electrs, liquid user home directory
2020-04-26 14:08:08 +02:00
nixbitcoin
742aef1e0f
Only set dataDirReadableByGroup if cfg.high-memory is enabled
2020-04-24 16:21:12 +02:00
Erik Arvstedt
4dc6c3ba5d
add option 'dataDirReadableByGroup'
...
These settings are now more accessible for users that don't use
nix-bitcoin's default node config.
Additionally, remove 'other' permissions via umask.
2020-04-16 15:55:34 +02:00
Erik Arvstedt
3e188238d0
only update bitcoin.conf when changed
2020-04-12 22:32:37 +02:00
Erik Arvstedt
08322eed9b
use [[ test
2020-04-12 22:32:37 +02:00
Erik Arvstedt
201fc33782
move line to relevant code section (blocks dir setup)
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1f8fe310d0
remove option 'configFileOption'
...
It doesn't make sense for bitcoind users to completely redefine their
config file. Also, it's poorly named and the description is faulty.
This is a breaking change, but this option has probably no actual users.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
4e5c1d7551
disable redundant logfile
2020-04-12 22:32:37 +02:00
Erik Arvstedt
a05551fd1c
improve config file formatting
2020-04-12 22:32:37 +02:00
Erik Arvstedt
5e81d60d63
improve formatting
2020-04-12 22:32:37 +02:00
Erik Arvstedt
d60a5aa4db
define rpc.users submodule inline
...
Improves readability.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1a2271fb14
remove unused variable 'hexStr'
2020-04-12 22:32:36 +02:00
Erik Arvstedt
4e92b1c818
remove redundant hardening options
...
These are already defined in nix-bitcoin-services.defaultHardening.
2020-04-12 22:32:36 +02:00
Erik Arvstedt
47fd6cd0f3
simplify ExecStart
2020-04-12 22:32:36 +02:00
Erik Arvstedt
64fc63cc40
remove pidFile
...
- service type "simple" is the default
- pidFile is not needed for service type "simple"
2020-04-12 22:32:36 +02:00
Erik Arvstedt
bceaa361ca
operator: allow reading systemd journal
2020-04-09 11:02:06 +02:00
Erik Arvstedt
145961c2de
fix operator authorized keys setup
...
This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, operator's authorized_keys
file is always appended to, growing the file indefinitely.
- Service is always added and not restricted to nixops-vbox deployments.
2020-04-09 11:02:06 +02:00
Erik Arvstedt
37b2faf63c
move systemPackages definitions to services
...
These are generally useful and shouldn't be limited to secure-node.nix.
Also, only add the hardware-wallets group when hardware wallets are enabled.
2020-04-08 17:35:14 +02:00
Erik Arvstedt
6c22e13b7f
copy-root-authorized-keys: use inline script definition
2020-04-08 17:35:14 +02:00
Erik Arvstedt
63c6fe3213
fixup! use '' for multi-line string
2020-04-08 17:35:14 +02:00
Erik Arvstedt
ab617946a9
extract variable 'cfg'
2020-04-08 17:35:13 +02:00
Erik Arvstedt
36c84d8360
add option clightning.onionport
...
Analogous to electrs.onionport
2020-04-08 17:35:13 +02:00
Erik Arvstedt
681dbaf328
move electrs.onionport option
...
Only used in secure-node.nix
2020-04-08 17:35:13 +02:00
Erik Arvstedt
74fbfa3a5d
use lib.optionals
2020-04-08 17:35:13 +02:00
Erik Arvstedt
ec6d33fbb6
rearrange code sections
...
Move services to the top, operator account setup to the bottom.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
e16ddc9c77
extract 'mkHiddenService'
...
toPort equals port by default.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
89d3d58850
use mkIf
2020-04-08 17:35:13 +02:00
Erik Arvstedt
85e52a06cb
improve grouping of suboptions
2020-04-08 17:35:12 +02:00
Erik Arvstedt
1a63f0ca6a
remove option 'services.nix-bitcoin.enable'
...
Users can enable the node config just by importing secure-node.nix
2020-04-08 17:35:12 +02:00
Erik Arvstedt
0f8b2e91fd
add nix-bitcoin.nix for backwards compatibility
2020-04-08 17:35:12 +02:00
Erik Arvstedt
28792f79dc
rename nix-bitcoin.nix -> presets/secure-node.nix
2020-04-08 17:35:12 +02:00
Jonas Nick
9239268ab6
Merge #136 : Change the nix-bitcoin deployment from forking this repo to importing the module
...
b2e15c17b8
docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9
Add fetch-release script (Jonas Nick)
c303cd47e4
Add push-release.sh helper (Jonas Nick)
705d187a35
examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656
docs: Remove duplicate instructions (Jonas Nick)
455c5664c9
docs: Replace tabs with spaces (Jonas Nick)
8aa4714979
docs: Update NixOS version (Jonas Nick)
9df22a2764
add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994
README: Add Example section (Jonas Nick)
44ccbb91d0
Clean up development shell.nix (Jonas Nick)
abcee651d3
add deploy-container.sh (Erik Arvstedt)
5dadea310c
add deploy-nixops.sh (Erik Arvstedt)
0c74c365de
mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef
move main module import to configuration.nix (Erik Arvstedt)
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498
Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)
Pull request description:
Top commit has no ACKs.
Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:08 +00:00
Erik Arvstedt
b07c77f4a4
secrets.nix: remove obsolete comment
2020-03-29 18:51:34 +02:00
Erik Arvstedt
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir'
2020-03-24 21:43:21 +00:00
Jonas Nick
106dcacb61
lnd: add package option
2020-03-09 08:22:00 +00:00
Erik Arvstedt
5596bcf4fb
bitcoind: set default rpcuser
...
We're already setting a default rpcpassword, so we should set an
accompanying rpcuser so that rpc clients like electrs work out of the box.
2020-03-04 18:09:52 +01:00
Erik Arvstedt
c4cf323873
electrs: add option 'extraArgs'
...
Electrs allows defining settings multiple times via cmdline args, but
not via config files.
So 'extraArgs' is the only way to implement overridable settings,
'extraOptions' wouldn't work.
2020-03-04 18:09:52 +01:00