nixbitcoin
f1064761d7
nixops: remove libvirtd plugin
...
Fix "Package 'libvirt-5.9.0' is marked as insecure, refusing to
evaluate."
2021-02-23 10:36:30 +00:00
Jonas Nick
e160e17dca
Merge #325 : bitcoind: enable cookie-based authentication
...
4e9059dc07
bitcoind: rename group bitcoinrpc -> bitcoinrpc-public (nixbitcoin)
19e401b028
bitcoind: enable cookie-based authentication (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 4e9059dc07
Tree-SHA512: 9795a0fe7fdd84bc3ae94b882b106f7169205e3196ecdfc6dad01c4f2d62380711b6504f221a90f21e8cc34cda2e12df05a245d5c54f9ed7846d74835cac5e19
2021-02-18 12:08:44 +00:00
nixbitcoin
4e9059dc07
bitcoind: rename group bitcoinrpc -> bitcoinrpc-public
...
This makes it clear that services with this group can only use
public RPC calls.
2021-02-18 10:42:21 +00:00
nixbitcoin
19e401b028
bitcoind: enable cookie-based authentication
2021-02-18 10:40:09 +00:00
Jonas Nick
bcad047757
Merge #324 : Fix lnd onion
...
ecc601a6d6
onion-addresses: mirror nix-bitcoin.onionAddresses.access behavior (nixbitcoin)
e873326bfe
modules: use user & group options (nixbitcoin)
ccef870b74
spark-wallet: add user & group options (nixbitcoin)
85a1722545
lnd: add user & group options (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK ecc601a6d6
Tree-SHA512: 39da5f8e01b98a676af8a073c11df64df487b5c3ab01327a227d16f215826f5bf15ca9ac21b59934edc5e2bbb87e397c53fcbf7130bd10b00f1df359ab3328ba
2021-02-17 19:08:06 +00:00
nixbitcoin
ecc601a6d6
onion-addresses: mirror nix-bitcoin.onionAddresses.access behavior
...
This commit fixes an issue with LND, in which if both
nix-bitcoin.onionServices.lnd.public &
services.lnd.restOnionService.enable were enabled, one would try to
create a file named `lnd` and the other would try to create a directory
named `lnd` with a file named `lnd-rest` inside it. This would obiously
cause an error and fail the LND service.
2021-02-17 11:50:47 +00:00
nixbitcoin
e873326bfe
modules: use user & group options
...
I've tried my best to locate all uses of hardcoded usernames, but its
not guaranteed that all have been found/fixed.
2021-02-17 11:50:25 +00:00
nixbitcoin
ccef870b74
spark-wallet: add user & group options
2021-02-17 11:50:07 +00:00
nixbitcoin
85a1722545
lnd: add user & group options
2021-02-17 11:49:51 +00:00
Jonas Nick
eddc48ee62
Merge #322 : run-tests: Fix interrupt handling for --copy-src
...
8e3feece67
run-tests: fix interrupt handling for --copy-src (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 8e3feece67
Tree-SHA512: ec4916facedb1f5988dccd0e80e08fcf1788a8425320676e6c48350aa69f29d302bb102408c52c748ac5a794735c0c00d7a95dbea91d735add40b5690817d272
2021-02-14 19:48:09 +00:00
Jonas Nick
14f81b403a
Merge #319 : joinmarket: 0.8.0-a5e8879 -> 0.8.1
...
42f7e9f874
joinmarket: 0.8.0-a5e8879 -> 0.8.1 (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 42f7e9f874
Tree-SHA512: 92dc19d0147a2a9fdcdaa20a78b7168e503149c1ca4bde084240628f6e09bf59f728232072eabdc8cd14146724e4b5bbf3ee2a668f27154a7169e7a9e53b94c4
2021-02-14 19:44:05 +00:00
nixbitcoin
42f7e9f874
joinmarket: 0.8.0-a5e8879 -> 0.8.1
...
- Update joinmarket package
- Revert unofficial release settings
- Move Yield Generator config to configFile
- Add new config option max_sweep_fee_change
2021-02-14 16:23:53 +00:00
Jonas Nick
1302f87c70
Merge #321 : Update nixpkgs
...
47e5442910
Update nixpkgs (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 47e5442910
Tree-SHA512: 4bbcd7711ca3fdf3b8cca36c22b60ceed79a965b3d844dffd44299357ddedd0522c1b5835c53ac0d07b8c0c9456b390d3414017b6d98c8eff469c0039114b471
2021-02-12 22:24:39 +00:00
Jonas Nick
fbcf367c3d
Merge #320 : lightning-loop: 0.11.2-beta -> 0.11.3-beta
...
b6f6b5e372
lightning-loop: 0.11.2-beta -> 0.11.3-beta (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK b6f6b5e372
Tree-SHA512: 1f0b83032f021af12223edb7487f1bebd4555f73223a567c09c6a0f50bcaae3b1fdf12c5dc10dd81292dfe7c0c3d9d8c2066918017ab3aaa691bc39269f2ea6a
2021-02-12 22:20:53 +00:00
Erik Arvstedt
8e3feece67
run-tests: fix interrupt handling for --copy-src
...
Previously, `run-tests.sh --copy-src ...` exited with status 0 (success) when interrupted (SIGINT).
It now exits with an error status.
2021-02-12 21:39:46 +01:00
nixbitcoin
47e5442910
Update nixpkgs
...
Includes CVE-2019-25016 patch
2021-02-12 09:59:55 +00:00
Jonas Nick
81503ebc83
Merge #315 : Use doas instead of sudo
...
47d257ad3a
docs: add rationale for doas to README and FAQ (nixbitcoin)
b0039d68a0
docs: discourage users from ssh'ing into the root user (nixbitcoin)
2ca92a34a5
services: use doas if enabled (nixbitcoin)
ce2b445777
treewide: use runuser for dropping privileges (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 47d257ad3a
Tree-SHA512: 84bab7de1cc6fb3d405a4fc4589f2be825275f69e48dede6ff62d1a27e3a386fea530c91a234d006ec6305a46d0ec54ca836f52f197541a3df215369c9b7c1e2
2021-02-11 21:28:59 +00:00
nixbitcoin
b6f6b5e372
lightning-loop: 0.11.2-beta -> 0.11.3-beta
2021-02-10 15:37:29 +00:00
nixbitcoin
47d257ad3a
docs: add rationale for doas to README and FAQ
2021-02-09 12:44:08 +00:00
nixbitcoin
b0039d68a0
docs: discourage users from ssh'ing into the root user
...
Instead recommend using the operator user for all normal system
management tasks.
2021-02-09 12:44:06 +00:00
nixbitcoin
2ca92a34a5
services: use doas if enabled
...
- Remove sudo from recurring-donations path because it's not used by
the service
- Use doas instead of sudo in secure-node.nix
2021-02-09 12:44:04 +00:00
Erik Arvstedt
ce2b445777
treewide: use runuser for dropping privileges
...
When running as root, use runuser instead of sudo.
As opposed to sudo or doas, runuser is a standalone
binary that needs no external configuration.
Also, it's a bit faster.
2021-02-09 12:44:01 +00:00
Jonas Nick
f9683889d9
Merge #312 : Refactorings, cleanups
...
0a2c8e4864
run-tests: add option --copy-src (Erik Arvstedt)
803584a288
backups: don't use hardcoded secrets dir (Erik Arvstedt)
c29d44b49a
ci: use 'cachix watch-exec' (Erik Arvstedt)
6a32812412
services: add names for systemd helper scripts (Erik Arvstedt)
6982699613
services: use consistent layout (Erik Arvstedt)
a43534dda0
services: improve config file setup (Erik Arvstedt)
18f2002cf0
joinmarket-yieldgenerator: improve systemd journal output (Erik Arvstedt)
9d0b8c8f6f
joinmarket-ob-watcher: use DynamicUser (Erik Arvstedt)
e9c98f415c
joinmarket: explain need for tor control socket (Erik Arvstedt)
d9c87b6a8f
joinmarket: fix wallet creation (Erik Arvstedt)
7458350108
treewide: remove deprecated types.loaOf (Erik Arvstedt)
9cf038939c
treewide: use mkEnableOption (Erik Arvstedt)
7a97304f13
treewide: remove unit descriptions (Erik Arvstedt)
a942177ecf
treewide: remove user descriptions (Erik Arvstedt)
4f6ff408ef
treewide: remove unneeded string literals (Erik Arvstedt)
e6a6c721c1
treewide: streamline 'extraConfig' descriptions (Erik Arvstedt)
e774c045de
treewide: fix formatting (Erik Arvstedt)
0b5b29a2a3
netns-isolation: simplify permission definition for netns-exec (Erik Arvstedt)
a587a2b02a
defaultHardening: explain where @system-service is defined (Erik Arvstedt)
bb3a69797e
README: minor improvements (Erik Arvstedt)
13fc9dfabf
examples: improve introductory comments (Erik Arvstedt)
af2040f4c4
netns-isolation: use 'true' for systemd option (Erik Arvstedt)
c246bbb36e
bitcoind, clightning, lnd: improve descriptions (Erik Arvstedt)
7533f12ef1
bitcoind, clightning, run-tests: minor refactoring (Erik Arvstedt)
41fe9b0c1d
elementsd: minor refactoring (Erik Arvstedt)
f0850d3f23
btcpayserver: reorder config settings (Erik Arvstedt)
d1c0ea9f85
btcpayserver: add missing systemd postgresql dependency (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 0a2c8e4864
Tree-SHA512: 5c81b36042fbb2f016c8e58ba9e05ef3389d5376b8df713d3258d2cd0b6a9239904531171aca8e49bea7039341d5fa91aa9474c6d98de849c25ede52deccc5a3
2021-02-08 20:32:03 +00:00
Erik Arvstedt
0a2c8e4864
run-tests: add option --copy-src
2021-02-08 12:20:20 +01:00
Erik Arvstedt
803584a288
backups: don't use hardcoded secrets dir
2021-02-07 22:45:38 +01:00
Erik Arvstedt
c29d44b49a
ci: use 'cachix watch-exec'
...
Simplifies the build script.
This feature appeared in a recent cachix update.
2021-02-07 22:45:37 +01:00
Erik Arvstedt
6a32812412
services: add names for systemd helper scripts
...
The systemd journal now shows a specific script name instead of
the generic name "script" before script output.
2021-02-07 22:45:36 +01:00
Jonas Nick
2ebd1129a5
Merge #317 : Pkg updates
...
a0f48c9de9
examples: fix deploy-container interactive flag (nixbitcoin)
a2f265cd35
secp256k1: move to top-level packages (Erik Arvstedt)
d41a843167
jmbitcoin: remove secp256k1 from propagatedBuildInputs (Erik Arvstedt)
c22adb03af
extra-container: 0.5 -> 0.6 (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK a0f48c9de9
jonasnick:
ACK a0f48c9de9
Tree-SHA512: 29fa58a960673df407831dd41594c66b26dad1de1e792f4fcc8e35641f39dd873d77b725651be5e01c875bf42284fa78903bab0ea677ec5a0e7eccf98816845d
2021-02-07 21:44:10 +00:00
Erik Arvstedt
6982699613
services: use consistent layout
...
Use the following order of definitions for all services:
- assertions
- configuration of other services
- environment.systemPackages
- tmpfiles
- own service
- users
- secrets
2021-02-07 22:42:23 +01:00
Erik Arvstedt
a43534dda0
services: improve config file setup
...
- btcpayserver, nbxplorer: Add quotes to the
dataDir arg. (dataDir can contain spaces.)
- clightning, liquidd: use 'install'
2021-02-07 22:42:22 +01:00
Erik Arvstedt
18f2002cf0
joinmarket-yieldgenerator: improve systemd journal output
...
Journal entries now look like
`joinmarket-yieldgenerator[9795]: User data location: /var/lib/joinmarket`
instead of
`bash[9795]: User data location: /var/lib/joinmarket`
2021-02-07 22:41:46 +01:00
Erik Arvstedt
9d0b8c8f6f
joinmarket-ob-watcher: use DynamicUser
...
DynamicUser simplifies services that don't need a persistent uid/gid,
like joinmarket-ob-watcher.
For existing installations the data dir migration to dynamic users
is automatically handled by systemd.
2021-02-07 22:41:44 +01:00
Erik Arvstedt
e9c98f415c
joinmarket: explain need for tor control socket
2021-02-07 22:41:31 +01:00
Erik Arvstedt
d9c87b6a8f
joinmarket: fix wallet creation
...
- Fix jm-wallet-seed being globally readable.
- Handle seed extraction failures.
If seed extraction fails, remove the newly created wallet.
This guarantees that wallets always have an accompanying seed.
2021-02-07 22:41:31 +01:00
Erik Arvstedt
7458350108
treewide: remove deprecated types.loaOf
2021-02-07 22:41:31 +01:00
Erik Arvstedt
9cf038939c
treewide: use mkEnableOption
2021-02-07 22:41:31 +01:00
Erik Arvstedt
7a97304f13
treewide: remove unit descriptions
...
Systemd's `Description` option is a misnomer (as confessed by `man systemd.unit`):
Its value is used by user-facing tools in place of the unit file name, so this option
could have been more aptly named `label` or `name`.
`Description` should only be set if the unit file name is not sufficient for naming a unit.
This is not the case for our services, except for `systemd.services.nb-netns-bridge`
whose description has been kept.
As an example how this affects users, weird journal lines like
```
nb-test systemd[1]: Starting Run clightningd...
```
are now replaced by
```
nb-test systemd[1]: Starting clightning.service...
```
2021-02-07 22:41:31 +01:00
Erik Arvstedt
a942177ecf
treewide: remove user descriptions
...
User descriptions are stored in the `comment` field in /etc/passwd.
In our case, these are completely redundant and don't add any useful information.
2021-02-07 22:41:30 +01:00
Erik Arvstedt
4f6ff408ef
treewide: remove unneeded string literals
2021-02-07 22:41:29 +01:00
Erik Arvstedt
e6a6c721c1
treewide: streamline 'extraConfig' descriptions
2021-02-07 22:40:11 +01:00
Erik Arvstedt
e774c045de
treewide: fix formatting
2021-02-07 22:40:10 +01:00
Erik Arvstedt
0b5b29a2a3
netns-isolation: simplify permission definition for netns-exec
...
The new definition is equivalent to the old one.
2021-02-07 22:39:06 +01:00
Erik Arvstedt
a587a2b02a
defaultHardening: explain where @system-service is defined
2021-02-07 22:39:06 +01:00
Erik Arvstedt
bb3a69797e
README: minor improvements
...
- Simplify examples link text.
That the examples README is located in a subdirectory is not relevant here.
- The backup frequency is freely configurable.
It's set to 'daily' only by secure-node.nix.
2021-02-07 22:39:06 +01:00
Erik Arvstedt
13fc9dfabf
examples: improve introductory comments
2021-02-07 22:39:05 +01:00
Erik Arvstedt
af2040f4c4
netns-isolation: use 'true' for systemd option
2021-02-07 22:39:05 +01:00
Erik Arvstedt
c246bbb36e
bitcoind, clightning, lnd: improve descriptions
...
bitcoind: The previous description of 'prune' didn't match the int-only
values supported by our option.
2021-02-07 22:39:05 +01:00
Erik Arvstedt
7533f12ef1
bitcoind, clightning, run-tests: minor refactoring
...
bitcoind: use builtins.toFile
clightning: use boolToString
run-tests: remove leftover var
2021-02-07 22:39:05 +01:00
Erik Arvstedt
41fe9b0c1d
elementsd: minor refactoring
...
- Use pname
- urls -> url
2021-02-07 22:39:05 +01:00
Erik Arvstedt
f0850d3f23
btcpayserver: reorder config settings
...
Move 'bind' and 'port' next to each other and to the top.
2021-02-07 22:39:05 +01:00