Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
db48ab9b6946c0222810e7e516c2271803a0c5ab services: use 'port' option type (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK db48ab9b6946c0222810e7e516c2271803a0c5ab
Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
ccc3a70344d6beb6eba5b9e13efcda721f244f7c service hardening: add more restrictions (nixbitcoin)
3fbfa986354054493a0770f25cd3792b83031edd service hardening: replace obtuse SystemCallFilter with @system-service (nixbitcoin)
e34d1c884ed6a26ffbab523087ad57f59688b9c8 service hardening: Add PrivateUsers (nixbitcoin)
1c75543f2f6683f72c550d09bb81418be124c73e clightning: add user and group options (nixbitcoin)
5f3f36245150ad0cb79c2ed3858d13839c7037dd lnd: add strict hardening (Erik Arvstedt)
a040e5285432452af613b4b72a65e852e63c31b6 All modules: ProtectSystem = strict (nixbitcoin)
adc71b892e07ee71cece4205068d8fedbc1e4612 Remove PermissionStartOnly where possible and replace with bitcoinrpc (nixbitcoin)
91b6b2c370f5a5c4ff711b345447decb7c5e3333 All modules with preStart: Use systemd.tmpfiles.rules (nixbitcoin)
423ebf862b2cf0731ee7602fe8a26697e06fbdb4 lnd: only enable bitcoind zmqpub if lnd.enable (nixbitcoin)
81a1c3f9088f57ae9125fa6e32a04240cafb9dd3 service hardening: Add CapabilityBoundingSets (nixbitcoin)
3cd61506e021df2df3f1a170724c6f11f0d54a88 webindex & onion-chef: Run non-network-facing services in PrivateNetwork (nixbitcoin)
7c70dd43acb1fdb75d43d0bcef570e3daffeb1e4 All modules: Give service config precedence over defaultHardening (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK ccc3a70344d6beb6eba5b9e13efcda721f244f7c
jonasnick:
ACK ccc3a70344d6beb6eba5b9e13efcda721f244f7c very nice
Tree-SHA512: 069f74b11b46b17fd180e9da5328a3b9952aa90100b5077251d1e56a4d64f03ba64587adf153ddc6cf42f750c13a168f9f0fe43bc379bcd4a9f6709e635e512a
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to set up service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this change's scope.
In conjunction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
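The commit messages above describe the hardening directives as individual changes; the following NixOS module sketch shows them combined on one service. It is an added illustration, not code from the nix-bitcoin repository: the `defaultHardening` attribute set, the `example-node` user and service, and its `ExecStart` are assumptions.

```nix
# Added example (not nix-bitcoin's own code). Shows a per-service hardening
# baseline, service-specific overrides taking precedence via `//`, and the
# data directory created by systemd.tmpfiles.rules instead of a root preStart.
{ config, lib, pkgs, ... }:
let
  dataDir = "/var/lib/example-node";   # assumed path for the illustration
  # Baseline applied to every service. Attributes set later with `//`
  # replace these, so each service keeps precedence over the defaults.
  defaultHardening = {
    ProtectSystem = "strict";          # whole FS read-only except ReadWritePaths
    ProtectHome = true;
    PrivateTmp = true;
    PrivateDevices = true;
    PrivateUsers = true;               # private user namespace, no real root
    NoNewPrivileges = true;
    CapabilityBoundingSet = "";        # drop every capability
    SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
  };
in {
  users.users.example-node = { isSystemUser = true; group = "example-node"; };
  users.groups.example-node = {};

  # Let systemd create and own the data directory; no PermissionsStartOnly
  # or root-privileged preStart needed for this step.
  systemd.tmpfiles.rules = [
    "d '${dataDir}' 0770 example-node example-node - -"
  ];

  systemd.services.example-node = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = defaultHardening // {
      User = "example-node";
      Group = "example-node";
      ExecStart = "${pkgs.hello}/bin/hello";   # placeholder daemon
      ReadWritePaths = [ dataDir ];            # only writable path under strict
      # A service that never talks to the network gets no network at all,
      # and its address-family override replaces the baseline entry.
      PrivateNetwork = true;
      RestrictAddressFamilies = [ "AF_UNIX" ];
    };
  };
}
```

`systemd-analyze security example-node` reports which of these directives are in effect once the service is built.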
b8e10afe1846548075136d953b7f01cf1fb0a45b recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101a94a4ceb8bdcaabe60f66652253a5a nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6a64b27fa834748b6fc695b7e8f4cec Remove bitcoinrpc group remnants (nixbitcoin)
563b2108356323e99d757a95ce50aca5fa2f45af spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca357677c3b186658379618c9eb2655f6167 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef14f27f196d519ff482f0d6a225f02b0 lightning-charge: add dedicated user (nixbitcoin)
e67a81829722bd6c16b1450371d13b681f6de532 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8027da906f84a1330bd11fc3ae1f0f0 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba6a128c21ebba20d83298c2c9cecbc8 clightning: remove config group read access (nixbitcoin)
04c6936ce9030e7e99aa9bfedf0a73810f550ac1 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c160adfdf64786d5e9e360967dfb678 electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db491b8eb2f128b85f69ede64bcb1531e electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d7778abf0957cbcaca443bdddb42dcce7 electrs: Make TLSProxy truly optional (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK b8e10afe1846548075136d953b7f01cf1fb0a45b
Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
Currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option,
and nix-bitcoin-webindex.nix has nodeinfo as a dependency.
So don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
Previously, the sessions contained only explicitly exported variables
and functions.
This was fragile and in part buggy due to lacking exports.
Interactive features like user-defined aliases and functions are still
working as before.
Download shesek's github spark-npm.tgz, verify signature, unpack
spark-npm.tgz, patch package.json to include qrcode-terminal in
dependencies, run node2nix with tmpdir as local source, replace tmpdir
spark-wallet source with shesek's github spark-npm.tgz in
node-packages.nix.
spark-wallet: erikarvstedt fixups