Commit Graph

133 Commits

Author SHA1 Message Date
Erik Arvstedt
bbebd0b383
treewide: remove invalid docbook XML from option descriptions
NixOS will soon use CommonMark Markdown for option descriptions.
We can then switch back the old, slightly clearer bracket syntax.
2021-12-12 16:20:40 +01:00
Erik Arvstedt
3681f118f7
nix-bitcoin.nix: add defaultText (automatic)
This enables generating module option documentation.

This commit was genereated by running the following script inside the
repo root dir:

def add_default_text(file)
  src = File.read(file)
  src2 = src.gsub(/( = mkOption\s+\{[^{]*?)(\n\s+default = )(.*?);$(.*?\})/m) do |str|
    pre, defaultVar, default, post = Regexp.last_match.captures
    replacement =
      if !post.include?('defaultText =')
        if default =~ /\bpkgs\b/
          defaultText = default.lines.length == 1 ? default : "(See source)"
          "#{pre}#{defaultVar}#{default};#{defaultVar.sub('default', 'defaultText')}#{defaultText.inspect};#{post}"
        end
      end
    replacement or str
  end
  File.write(file, src2) if src2 != src
end

Dir["modules/**/*.nix"].each do |f|
  next if File.basename(f) == "nix-bitcoin.nix"
  add_default_text f
end
2021-12-12 16:20:39 +01:00
Erik Arvstedt
1596b3a5d2
minor fixes
- README: fix uppercase

- bitcoind: add whitespace

- hardware-wallets: remove unused variables
2021-12-07 15:35:33 +01:00
Erik Arvstedt
9e4f4d6b0f
bitcoind: add option txindex 2021-11-29 13:22:44 +01:00
Erik Arvstedt
9bda7305fd
services: add tor.* options
Split `enforceTor` into `tor.proxy` and `tor.enforce`.
By enabling `tor.proxy` without `tor.enforce`, a service can accept
incoming clearnet connections.
E.g., this allows setting up a Tor-proxied bitcoind node that accepts
RPC connections from LAN.
2021-11-29 13:22:43 +01:00
Erik Arvstedt
1da23cd933
bitcoind, liquidd: add whitelisted socket
This allows whitelisting local services without implicitly
whitelisting all inbound onion connections, which would happen when
setting bitcoind/liquidd option `whitelist=localhost`.

Used by electrs and nbxplorer, which requires the unsafe `mempool`
permission.
2021-10-29 18:28:31 +02:00
Erik Arvstedt
cc3d43f4e9
bitcoind: set onionPort in bitcoind module
This removes the module-level dependency from onion-services to
bitcoind.
Due to the `or false` fallback, there's no dependency added in
the reverse direction.

In particular, this allows us to not add a dependency on liquidd in
the following commit.
2021-10-28 22:24:24 +02:00
Jonas Nick
bfe8ac972c
Merge fort-nix/nix-bitcoin#405: bitcoind: add separate p2p socket for tor connections
ec4a4dbe41 btcpayserver: fix whitelist security issue (Erik Arvstedt)
df2070b44a bitcoind: add separate p2p socket for tor connections (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ec4a4dbe41

Tree-SHA512: 457bfb5806dca65507261c1868ca89c86a39f63bd10833b7531fd74dd779816083270c8ccc95ad08a5306e9b31c440904e3cba35464d47c0d87418d0be3e732d
2021-10-21 12:17:17 +00:00
Erik Arvstedt
df2070b44a
bitcoind: add separate p2p socket for tor connections
This re-enables onion tagging while still supporting untagged connections.

Onion sockets are not yet supported in the latest liquidd/elements
version 0.18.1.12 available on nixpkgs.
2021-10-21 11:40:40 +02:00
nixbitcoin
63836127c9
bitcoind: one-option i2p support 2021-10-12 10:22:09 +00:00
Erik Arvstedt
8938eadf0c
bitcoind: don't tag all incoming connections as 'Tor'
We're also accepting local, non-Tor connections.
2021-10-06 16:55:41 +02:00
Erik Arvstedt
e561637600
minor fixes
- bitcoind: Remove obsolete defaultText
- clightning: Fix description
  Option `address` can't be used to specify a socket path because it's
  used explicitly as an IP address in many places.
- lnd: Break up overlong line
  This is required by commit `services: support 0.0.0.0/:: in `address` options`
- nix-bitcoin.nix: Formatting
- secrets: Improve descriptions
2021-10-01 11:52:56 +02:00
Erik Arvstedt
ad97c268c6
modules: move user/group options to bottom
These are insignificant, generic options; place them above readonly options.
We already do this in other services.

Also move user/group config to bottom in spark-wallet.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
27c45b82cc
modules: move options to the top
This greatly improves readability and makes it easier to discover options.

This commit was genereated by running the following script inside the
repo root dir:

#!/usr/bin/env ruby

def transform(src)
  return false if src.include?('inherit options;')

  success = false

  options = nil
  src.sub!(/^  options.*?^  }.*?;/m) do |match|
    options = match
    "  inherit options;"
  end
  return false if !options

  src.sub!(/^with lib;\s*let\n+/m) do |match|
    success = true
    <<~EOF
      with lib;
      let
      #{options}

    EOF
  end

  success
end

Dir['modules/**/*.nix'].each do |f|
  src = File.read(f)
  if transform(src)
    puts "Changed file #{f}"
    File.write(f, src)
  end
end
2021-09-13 13:41:47 +02:00
Erik Arvstedt
a2466b1127
secrets: allow extending generate-secrets
`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependant on the node configuration.
2021-09-12 11:29:54 +02:00
Erik Arvstedt
b8043d3db5
treewide: use consistent bash script indentation
Always use two spaces.
2021-08-15 11:29:34 +02:00
Erik Arvstedt
178a0dcf8f
services: use new 'tor' options 2021-08-14 10:46:41 +02:00
Erik Arvstedt
e44f78ebb8
services: set isSystemUser for service users
'isSystemUser' has to be explicitly set in NixOS 21.05.
Previously, it was the implicit default.
2021-08-14 10:46:40 +02:00
Erik Arvstedt
08fe9ba84a
services: add finer-grained address family restrictions
Due to a possible NixOS bug, this commit has no effect on NixOS 20.09
where `RestrictAddressFamilies` is a no-op.
It's only relevant for NixOS unstable with cgroups v2.

bitcoind+zmq: instead of allowing all address families, only add the required
AF_NETLINK family.

lnd: lnd only runs a zmq client, not a server, therefore it requires
no additional address families.

lightning-pool, clightning-plugin-zmq: add AF_NETLINK.
2021-03-22 14:35:29 +01:00
Erik Arvstedt
020433cec6
services: add helper fn setAllowedIPAddresses
Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist
which doesn't use Tor.
2021-03-22 13:20:45 +01:00
Erik Arvstedt
cdf27d9d0c
bitcoind: improve service timeouts
- Improve readability by using minutes
- set `TimeoutStopSec` like in bitcoin/contrib/init/bitcoind.service.
  Stopping bitcoind can exceed the default timeout during IBD.
2021-03-16 12:46:19 +01:00
Erik Arvstedt
b0c223e716
secrets: don't stop services when the secrets target stops
With krops or nixops the secrets target is always restarted during
the deployment process.
This previously caused unnecessary restarts of all nix-bitcoin services.
2021-03-15 12:42:52 +00:00
nixbitcoin
4e9059dc07
bitcoind: rename group bitcoinrpc -> bitcoinrpc-public
This makes it clear that services with this group can only use
public RPC calls.
2021-02-18 10:42:21 +00:00
nixbitcoin
19e401b028
bitcoind: enable cookie-based authentication 2021-02-18 10:40:09 +00:00
nixbitcoin
e873326bfe
modules: use user & group options
I've tried my best to locate all uses of hardcoded usernames, but its
not guaranteed that all have been found/fixed.
2021-02-17 11:50:25 +00:00
Erik Arvstedt
7458350108
treewide: remove deprecated types.loaOf 2021-02-07 22:41:31 +01:00
Erik Arvstedt
7a97304f13
treewide: remove unit descriptions
Systemd's `Description` option is a misnomer (as confessed by `man systemd.unit`):
Its value is used by user-facing tools in place of the unit file name, so this option
could have been more aptly named `label` or `name`.
`Description` should only be set if the unit file name is not sufficient for naming a unit.
This is not the case for our services, except for `systemd.services.nb-netns-bridge`
whose description has been kept.

As an example how this affects users, weird journal lines like
```
nb-test systemd[1]: Starting Run clightningd...
```
are now replaced by
```
nb-test systemd[1]: Starting clightning.service...
```
2021-02-07 22:41:31 +01:00
Erik Arvstedt
a942177ecf
treewide: remove user descriptions
User descriptions are stored in the `comment` field in /etc/passwd.
In our case, these are completely redundant and don't add any useful information.
2021-02-07 22:41:30 +01:00
Erik Arvstedt
4f6ff408ef
treewide: remove unneeded string literals 2021-02-07 22:41:29 +01:00
Erik Arvstedt
e6a6c721c1
treewide: streamline 'extraConfig' descriptions 2021-02-07 22:40:11 +01:00
Erik Arvstedt
e774c045de
treewide: fix formatting 2021-02-07 22:40:10 +01:00
Erik Arvstedt
c246bbb36e
bitcoind, clightning, lnd: improve descriptions
bitcoind: The previous description of 'prune' didn't match the int-only
values supported by our option.
2021-02-07 22:39:05 +01:00
Erik Arvstedt
7533f12ef1
bitcoind, clightning, run-tests: minor refactoring
bitcoind: use builtins.toFile
clightning: use boolToString
run-tests: remove leftover var
2021-02-07 22:39:05 +01:00
Erik Arvstedt
a26ed03d77
rename nix-bitcoin-services.nix -> lib.nix 2021-02-04 12:39:48 +00:00
Erik Arvstedt
b114d0c3b1
bitcoind: use systemd startup notification 2021-01-31 22:26:49 +01:00
Erik Arvstedt
332d0e70c8
bitcoind: support onion address announcing 2021-01-31 22:26:49 +01:00
Erik Arvstedt
5c09845e6f
bitcoind: tag incoming connections as onion on enforceTor 2021-01-31 22:26:49 +01:00
Erik Arvstedt
dd4a0238f9
bitcoind: group rpc options under parent option 'rpc' 2021-01-14 13:25:03 +01:00
Erik Arvstedt
5b7e0d09b2
bitcoind: add consistent address options 2021-01-14 13:25:03 +01:00
Erik Arvstedt
f1681f5b45
add option nix-bitcoin.pkgs, remove overlay
This works around a nixpkgs bug where overlays are ignored in containers.
2020-11-09 22:10:07 +01:00
Erik Arvstedt
8b053326cc
bitcoind: use type str for rpcbind
Extra RPC bind addresses can still be added via extraConfig.
2020-10-29 21:21:28 +01:00
Erik Arvstedt
58d24e735d
netns-bitcoind: allow RPC access from main netns 2020-10-29 21:21:27 +01:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
9e928e2097
bitcoind: add regtest support
Remove unsupported option 'testnet'.
2020-10-16 18:01:49 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module 2020-10-16 16:46:55 +02:00
Erik Arvstedt
9d610991be
bitcoind: remove custom rpc user names
Simpler.
We've just removed option 'bitcoind.rpcuser', so we can also remove the
old name 'bitcoinrpc'.
2020-08-27 11:39:26 +02:00
Erik Arvstedt
1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled
It's not immediately clear why rpcuser/rpcpassword are needed in addition to the rpcauth
config entries.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
59434e79f0
bitcoind: simplify default rpc user name config 2020-08-26 21:16:32 +02:00