Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
services
- Removes torsocks dependency in favor of `curl --socks-hostname`
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
services
- Adds charged-url option to allow using nanopos with network
namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
services
- Adds extraArgs option to allow using lightning-charge with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
hiddenService.
- Amends hardcoded lnd ip to lnd-cert
WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
- Adds bitcoind-host, and tor-socks options to allow using with
network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
instead of lnd to bring in line with clightning.
WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
enabled or not.
From the clightning manpage:
autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or announce-addr options are
specified. Setting this to false disables that.
We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.
For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
systems.
- Adds security wrapper for netns-exec which allows operator to exec
with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
addresses
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
db48ab9b69 services: use 'port' option type (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK db48ab9b69
Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.