Under normal circumstances, service-specific netns should never exist
before the netns setup service starts.
An existing netns is a genuine error that should not be silently ignored.
A short time after `netns delete` finishes, the peer link in the main
netns is automatically removed.
When `link del` is run before that, it fails with
`Cannot find device "nb-veth-br-*"` and the netns service enters a failed state.
This also enables the test scenario 'netnsRegtest' introduced in a
later commit by fixing the following bug:
For unknown reasons, when tor.active=true and tor is not running, lnd
fails with a tor connection error on netns-isolation, but runs fine
without netns-isolation.
- Remove redundant option mainchainrpchost.
This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
Enables use without secure-node.
a89a3e934f test: increase diskSize (nixbitcoin)
24b506ff8a tests: simplify lightning-loop test (nixbitcoin)
e7c5f956ea lightning-loop: update module (nixbitcoin)
4a503f57bd lightning-loop: v0.8.1 -> v0.9.0 (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
reACK a89a3e934f
erikarvstedt:
I think it's okay if you would just merge 24b506ff8a, which is the direct parent of the ACK'd a89a3e934f, and removing a89a3e934f itself is totally uncontroversial.
Tree-SHA512: cee2a2714c714a22c35cea0fa829b42a371540983609cda6609f4d063d849f2e725643bd77cfe78eb71665725164d63f83b6c2589be9e72ba30aaecd7c8dee6c
Because we have btcpayserver now, nanopos is not really needed any more. Nanopos
was meant to be just a PoC. Lightning charge can be removed because nanopos is
the only module that depends on it.
- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
This yields no noticable functional changes for now, but it's
conceptually cleaner to finish the network setup before network.target
becomes active.
- Add 'nb-' prefix to service name
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).
To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
The 'availableNetns' connection matrix only consists of enabled entries,
so no extra filtering is needed.
Reason: availableNetns starts with the filtered 'base' and is then symmetrised.
Previously, systemd-status was broken for all users except root.
Use a 'default' deny policy, which is overridden for group 'proc'.
Add operator to group 'proc'.
Also, remove redundant XML boilerplate.
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.
Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.
Also, add some comments.
Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
services
- Removes torsocks dependency in favor of `curl --socks-hostname`
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
services
- Adds charged-url option to allow using nanopos with network
namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
services
- Adds extraArgs option to allow using lightning-charge with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
hiddenService.
- Amends hardcoded lnd ip to lnd-cert
WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
- Adds bitcoind-host, and tor-socks options to allow using with
network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
instead of lnd to bring in line with clightning.
WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
enabled or not.
From the clightning manpage:
autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or announce-addr options are
specified. Setting this to false disables that.
We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.
For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
systems.
- Adds security wrapper for netns-exec which allows operator to exec
with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
addresses
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
db48ab9b69 services: use 'port' option type (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK db48ab9b69
Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.