Commit Graph

219 Commits

Author SHA1 Message Date
Erik Arvstedt
d60a5aa4db
define rpc.users submodule inline
Improves readability.
2020-04-12 22:32:37 +02:00
Erik Arvstedt
1a2271fb14
remove unused variable 'hexStr' 2020-04-12 22:32:36 +02:00
Erik Arvstedt
4e92b1c818
remove redundant hardening options
These are already defined in nix-bitcoin-services.defaultHardening.
2020-04-12 22:32:36 +02:00
Erik Arvstedt
47fd6cd0f3
simplify ExecStart 2020-04-12 22:32:36 +02:00
Erik Arvstedt
64fc63cc40
remove pidFile
- service type "simple" is the default
- pidFile is not needed for service type "simple"
2020-04-12 22:32:36 +02:00
Erik Arvstedt
bceaa361ca
operator: allow reading systemd journal 2020-04-09 11:02:06 +02:00
Erik Arvstedt
145961c2de
fix operator authorized keys setup
This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, operator's authorized_keys
  file is always appended to, growing the file indefinitely.
- Service is always added and not restricted to nixops-vbox deployments.
2020-04-09 11:02:06 +02:00
Erik Arvstedt
37b2faf63c
move systemPackages definitions to services
These are generally useful and shouldn't be limited to secure-node.nix.

Also, only add the hardware-wallets group when hardware wallets are enabled.
2020-04-08 17:35:14 +02:00
Erik Arvstedt
6c22e13b7f
copy-root-authorized-keys: use inline script definition 2020-04-08 17:35:14 +02:00
Erik Arvstedt
63c6fe3213
fixup! use '' for multi-line string 2020-04-08 17:35:14 +02:00
Erik Arvstedt
ab617946a9
extract variable 'cfg' 2020-04-08 17:35:13 +02:00
Erik Arvstedt
36c84d8360
add option clightning.onionport
Analogous to electrs.onionport
2020-04-08 17:35:13 +02:00
Erik Arvstedt
681dbaf328
move electrs.onionport option
Only used in secure-node.nix
2020-04-08 17:35:13 +02:00
Erik Arvstedt
74fbfa3a5d
use lib.optionals 2020-04-08 17:35:13 +02:00
Erik Arvstedt
ec6d33fbb6
rearrange code sections
Move services to the top, operator account setup to the bottom.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
e16ddc9c77
extract 'mkHiddenService'
toPort equals port by default.
2020-04-08 17:35:13 +02:00
Erik Arvstedt
89d3d58850
use mkIf 2020-04-08 17:35:13 +02:00
Erik Arvstedt
85e52a06cb
improve grouping of suboptions 2020-04-08 17:35:12 +02:00
Erik Arvstedt
1a63f0ca6a
remove option 'services.nix-bitcoin.enable'
Users can enable the node config just by importing secure-node.nix
2020-04-08 17:35:12 +02:00
Erik Arvstedt
0f8b2e91fd
add nix-bitcoin.nix for backwards compatibility 2020-04-08 17:35:12 +02:00
Erik Arvstedt
28792f79dc
rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-08 17:35:12 +02:00
Jonas Nick
9239268ab6
Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module
b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:08 +00:00
Erik Arvstedt
b07c77f4a4
secrets.nix: remove obsolete comment 2020-03-29 18:51:34 +02:00
Erik Arvstedt
0c0978c007
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-03-24 21:43:21 +00:00
Jonas Nick
106dcacb61
lnd: add package option 2020-03-09 08:22:00 +00:00
Erik Arvstedt
5596bcf4fb
bitcoind: set default rpcuser
We're already setting a default rpcpassword, so we should set an
accompanying rpcuser so that rpc clients like electrs work out of the box.
2020-03-04 18:09:52 +01:00
Erik Arvstedt
c4cf323873
electrs: add option 'extraArgs'
Electrs allows defining settings multiple times via cmdline args, but
not via config files.
So 'extraArgs' is the only way to implement overridable settings,
'extraOptions' wouldn't work.
2020-03-04 18:09:52 +01:00
Erik Arvstedt
e731d71232
electrs: add option 'address' 2020-03-04 18:09:52 +01:00
Erik Arvstedt
0be67c325e
electrs: use cfg.user, cfg.group 2020-03-04 18:09:51 +01:00
Erik Arvstedt
48be5a79fa
electrs.enable: use mkEnableOption 2020-03-04 18:09:51 +01:00
Erik Arvstedt
b75b2a1626
electrs: improve description 2020-03-04 18:09:51 +01:00
Erik Arvstedt
fa3455d01f
electrs: don't leak bitcoinrpc secret through process ARGV
Supply secret via private config file instead.
2020-03-04 18:09:51 +01:00
Erik Arvstedt
47481b2642
electrs: quote dataDir in shell cmd 2020-03-04 18:09:50 +01:00
Erik Arvstedt
8fb33d1099
electrs: use bitcoind.dataDir option 2020-03-04 18:09:50 +01:00
Erik Arvstedt
45ba1f1fb3
electrs: don't print timestamps to log
Already provided by journald.
2020-03-04 18:09:49 +01:00
Erik Arvstedt
88080a58bf
electrs: wrap long lines in preStart 2020-03-04 18:09:49 +01:00
Erik Arvstedt
301bb91ae5
simplify setting high-memory options 2020-03-04 18:09:49 +01:00
Erik Arvstedt
93fd2329b8
electrs: make nginx TLS proxy optional
Electrs users shouldn't be forced to run a TLS proxy.
2020-03-04 18:09:48 +01:00
Erik Arvstedt
acde24ce43
electrs: move user/group definitions to bottom
Consistent with other service defs.
2020-03-04 18:09:48 +01:00
Erik Arvstedt
148327326b
electrs: formatting 2020-03-04 18:09:48 +01:00
Erik Arvstedt
cce9932b62
make pinned pkgs accessible through pkgs/default.nix
Useful for developing and for importing pinned pkgs via config.nix.
2020-03-04 18:09:48 +01:00
Jonas Nick
ea8d29d96f
Merge #141: Fix secrets setup
ad23b508e3 {generate,setup}-secrets: remove process hardening (Erik Arvstedt)
89f9bedb9d generate-secrets.nix: fix indentation (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ad23b508e3

Tree-SHA512: 1cb031f9dbfd3150316e4d4f365d37cb7f591910412ee3c70e01beda3498dbf514d4b620f257f32f64c6dcc4845659f45f69f5839e0b7401997320140530d2a0
2020-02-26 21:40:14 +00:00
Jonas Nick
323b2a7f17
Allow adding multiple nodes to bitcoind with the addnodes option and improve bitcoin module option descriptions 2020-02-26 21:34:18 +00:00
Erik Arvstedt
ad23b508e3
{generate,setup}-secrets: remove process hardening
ProtectSystem=full disables writing to /etc which is the default
secrets location.

Besides that, hardening is pointless for {generate,setup}-secrets which
don't read external input and are fully under our control.
2020-02-26 20:38:46 +01:00
Erik Arvstedt
89f9bedb9d
generate-secrets.nix: fix indentation 2020-02-26 20:38:46 +01:00
Jonas Nick
9d3588e1de
Convert nix-bitcoin extraConfig options to regular options 2020-02-23 19:22:07 +00:00
Erik Arvstedt
6fe647ecc4
spark-wallet, lightning-charge: specify mainchain network in clightning data dir
This fixes warnings in each service.
2020-01-15 23:13:48 +00:00
Erik Arvstedt
eaaa6b8701
clightning: update to v0.8.0
To continue using inotify would be too complicated because we would also need to
monitor the creation of the 'bitcoin' subdirectory.
2020-01-15 23:13:19 +00:00
Jonas Nick
a985abcd21
Merge #133: Improve modularity, remove dependency on nixops, add modules test
187ff884db add modules test (Erik Arvstedt)
826245484e make secrets dir location configurable (Erik Arvstedt)
b1e13e9415 simplify secrets file format (Erik Arvstedt)
314272a228 lnd, nanopos: move user and group definitions to the bottom (Erik Arvstedt)
766fa4f300 travis: cache all build outputs with cachix (Erik Arvstedt)
b0e759160d travis: set NIX_PATH as early as possible (Erik Arvstedt)
c51bbcf104 travis: move comment (Erik Arvstedt)
7092dce0c7 travis: remove use of deprecated statements (Erik Arvstedt)
190a92507c travis: split up scripts into statements (Erik Arvstedt)
10d6b04ac8 support enabling clightning and lnd simultaneously (Erik Arvstedt)
ad7a519284 bitcoind: wait until RPC port is open (Erik Arvstedt)
5536b64fb3 lnd: wait until wallet is created (Erik Arvstedt)
6f2a55d63c lnd: wait until RPC port is open (Erik Arvstedt)
1868bef462 lnd: add option 'rpcPort' (Erik Arvstedt)
120e3e8cfe lnd postStart: suppress curl response output (Erik Arvstedt)
3e86637327 lnd postStart: poll for REST service availability (Erik Arvstedt)
795c51dc01 lnd postStart: make more idiomatic (Erik Arvstedt)
6e58beae8a lnd: use postStart option for script (Erik Arvstedt)
86167c6e6d clightning: wait until the RPC socket appears (Erik Arvstedt)
60c732a6a1 onion-chef: set RemainAfterExit, fix tor dependency (Erik Arvstedt)
2b9b3ba1c5 systemPackages: improve readability with shorter service references (Erik Arvstedt)
14ecb5511a liquid: add cli option (Erik Arvstedt)
cd5ed39b9c lnd: add cli option (Erik Arvstedt)
1833b15888 clightning: add cli option (Erik Arvstedt)
b90bf6691b add generate-secrets.service (Erik Arvstedt)
6447694214 add generate-secrets pkg (Erik Arvstedt)
e34093a8ac generate_secrets.sh: add opensslConf option (Erik Arvstedt)
9d14d5ba64 generate_secrets.sh: write secrets to working directory (Erik Arvstedt)
51fb054001 generate_secrets.sh: extract makepw command (Erik Arvstedt)
e3b47ce18a add setup-secrets.service (Erik Arvstedt)
437b268433 extract make-secrets.nix (Erik Arvstedt)
f9c29b9318 simplify secret definitions (Erik Arvstedt)
cd0fd6926b don't copy secret files to store during nixops deployment (Erik Arvstedt)
f0a36fe0c7 add 'nix-bitcoin-services' option (Erik Arvstedt)
7aaf30501c nix-bitcoin-services: simplify formatting (Erik Arvstedt)
760da232e0 add nix-bitcoin pkgs namespace (Erik Arvstedt)
6def181dbc add modules.nix (Erik Arvstedt)
3b842e5fe7 add nix-bitcoin-secrets.target (Erik Arvstedt)
bbf2bbc04a network.nix: simplify import of main config (Erik Arvstedt)
7e021a2629 simplify overlay.nix (Erik Arvstedt)
07dc3e04ac move bitcoinrpc group definition to bitcoind (Erik Arvstedt)
d61b185c3a simplify user and group definitions (Erik Arvstedt)

Pull request description:

  The nix-bitcoin modules consist of three fundamental components:
  1. a set of bitcoin-related modules for general use.
  2. an opinionated configuration of these modules (`nix-bitcoin.nix`), to be deployed on a
     dedicated machine.
  3. machinery for nixops deployment.

  This PR removes dependencies that reach from top to bottom in the list.
  This means that 1. is now usable on its own and that 2. can be used without 3.

  Besides improving nix-bitcoin's general usefulness, this
  - simplifies testing. This PR includes a Travis-enabled modules test using the NixOS testing framework.
  - paves the way for krops deployment.
  - unlocks direct deployment in NixOS containers which allows for super fast experimentation.

  ### Details
  Here are the unnecessary inter-component dependencies and how they're resolved by the commits. I'm using the numbering from the list above.

  - `1. -> 3.` The modules (1.) use the nixops-specific (3.) `keys` group.
    Resolved by `add nix-bitcoin-secrets.target`.

  - `1. -> 3.` 1. requires nixops-specific key services.
    Resolved by `add nix-bitcoin-secrets.target`.

  - `1. -> 2.` bitcoind needs the bitcoinrpc group which is defined in `nix-bitcoin.nix` (2.).
    Resolved by `move bitcoinrpc group definition to bitcoind`.

  Further obstacles for standalone usage of 1.:

  - We can't easily import 1. as a standalone module set.
    Resolved by `add modules.nix`.

  - Users of 1. shouldn't be forced to import nix-bitcoin's packages as top-level items in the pkgs namespace.
    Resolved by `add nix-bitcoin pkgs namespace`.

  ### Non-nixops deployments
  Commit `add setup-secrets.service` simplifies non-nixops deployment methods like containers, NixOS VMs or krops.

  Secrets can now deployed as follows:
  1. create local secrets.
  2. transfer secrets to machine.
  3. on the machine, `setup-secrets.service` creates extra secrets from `secrets.nix` and sets owner and
     permissions for all secrets.

  As krops integrates step 2. we now have all ingredients for automatic krops deployment.

  The service is complicated by the creation of secrets like `bitcoin-rpcpassword` that are composed of attrs from `secrets.nix` instead of being simply backed by a file like `lnd_key`. We could simplify this by creating all secret files locally.

  Running nix-bitcoin in NixOS containers gives you faster rebuild cycles when developing. [Here's](https://gist.github.com/5db4fa7dd3f1137920b58e39647116f6) an example.

  ### Test
  The last commits starting with `clightning: add cli option` are testing-related and mostly fix non-critical bugs that were exposed by the test.

  All `STABLE=1` builds from the Travis build matrix are implicit in the modules test.
  Should we remove these individual builds?

  Regarding commit `travis: cache all build outputs with cachix`:
  To replace my cache with a cache that's owned by you (maybe named `nix-bitcoin-ci`), run
  ```
  nix-shell -p travis --run 'travis encrypt CACHIX_SIGNING_KEY=... -r fort-nix/nix-bitcoin'
  ```
  where `...` is the value of `secretKey` in `~/.config/cachix/cachix.dhall`. Let me know the travis secret and I'll fixup the commit.

  ### Docs
  If you like the proposed changes, I'll add another PR with updates to the docs regarding the project layout, non-nixops deployment, and how to use nix-bitcoin within a larger NixOS config.

ACKs for top commit:
  jonasnick:
    ACK 187ff884db

Tree-SHA512: f4be65215c592a4f41bb7fa991a6d8d7c463cf631b88bf53051ca57ba280e7a60b8b09d0d1521345d5b656f844daa2166fff5d00a3105077c9e263465eacfb0a
2020-01-13 08:22:17 +00:00
Erik Arvstedt
826245484e
make secrets dir location configurable
Users of the nix-bitcoin modules shouldn't be forced to add an extra
dir under root.
The secrets location is unchanged for the default node config.
2020-01-13 00:25:12 +01:00