There is no security reason why pruning should be enabled and therefore it
surprises users. Turning on pruning in the first place was simply a mistake.
- README: add matrix room
- examples/configuration.nix: explain why bitcoind is enabled by default
- btcpayserver: group lnd service settings
- clightning:
Use public onion port only when the onion service is public
This allows users to enable the onion service while announcing a
non-onion public address.
- netns-isolation: move `readOnly` attr to the top
- tests: use mkDefault to allow for easier overriding
- tests/btcpayserver: test web server response
This allows whitelisting local services without implicitly
whitelisting all inbound onion connections, which would happen when
setting bitcoind/liquidd option `whitelist=localhost`.
Used by electrs and nbxplorer, which requires the unsafe `mempool`
permission.
This removes the module-level dependency from onion-services to
bitcoind.
Due to the `or false` fallback, there's no dependency added in
the reverse direction.
In particular, this allows us to not add a dependency on liquidd in
the following commit.
Whitelisting localhost implicitly whitelists all inbound onion
connections. This prevents banning misbehaving inbound onion peers
and enables message `mempool` which can cause privacy leaks.
Instead, grant `download` as the single bitcoind whitelist permission, which
should be safe for onion peers.
Remove liquidd whitelisting because it doesn't support fine-grained permissions.
After a cursory glance at the nbxplorer code I think that nbxplorer
requires none of the other default whitelist permissions (noban, mempool,
relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
This re-enables onion tagging while still supporting untagged connections.
Onion sockets are not yet supported in the latest liquidd/elements
version 0.18.1.12 available on nixpkgs.
3781a85c9b joinmarket: enable Agora as a third IRC server (nixbitcoin)
ced1637d07 joinmarket: share IRC server definitions between jm and ob-watcher (Erik Arvstedt)
59fc003ebd joinmarket: 0.9.1 -> 0.9.2 (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 3781a85c9b
Tree-SHA512: 5ec919d2291ecf96fb4ca880f3dbeabff13f2bab71822db893ebbaba1b95463666b098ccc1412a1b56f327a231e10c1f2d47feb0f520fce349ab243d398bf7b4
- `waitfornewblock` was previously not included in the public RPC
whitelist because it's reserved for testing and marked as hidden
in bitcoind.
- electrs changed its verbosity settings. `-vv` is now the best choice
for normal usage.
- bitcoind option `dataDirReadableByGroup` is now unused.
Because it can be valuable for other use cases and implementing
it is intricate, we're keeping it for now.
- test: keep `nc` connection open because otherwise the electrs
RPC server would now close the connection before sending a response.
Previously, Tor was always enabled because `cfg` was always nonempty
(via definitions at `Set sensible defaults for some services`).
Now only enable Tor if there are active onion services.
Also rename var `services` -> `onionServices` to improve readability in
section `Set getPublicAddressCmd ...` where the same name is also used for
option `config.services`.
Previously, the glob (*) returned '*' when no files existed in the
secrets dir, leading to error `chown: cannot access '*'`.
Now `unprocessedFiles` is empty when there are no secrets.
Also remove the unneeded sorting of `unprocessedFiles` and
remove redundant leading zero in the default mode.
- `packages and dependencies are pinned`
Reworded and moved to `Integrity`
- `most packages are built from the NixOS stable channel...`
Removed because this is false
- `builds happen in a sandboxed environment`
Removed because this depends on the user's local nix configuration
and cannot be enforced by nix-bitcoin
- `discover` is automatically disabled by bitcoind because we're
setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype