Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.
Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
The 'scudo' memory allocator set by the 'hardened' profile breaks some
services on 20.09.
The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052)
is ineffective on 20.09.
As a workaround, add a custom 'hardened' preset that uses the default allocator.
- Remove redundant option mainchainrpchost.
This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
Enables use without secure-node.
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).
To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
Previously, systemd-status was broken for all users except root.
Use a 'default' deny policy, which is overridden for group 'proc'.
Add operator to group 'proc'.
Also, remove redundant XML boilerplate.
Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
services
- Removes torsocks dependency in favor of `curl --socks-hostname`
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
services
- Adds charged-url option to allow using nanopos with network
namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
services
- Adds extraArgs option to allow using lightning-charge with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
hiddenService.
- Amends hardcoded lnd ip to lnd-cert
WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
- Adds bitcoind-host, and tor-socks options to allow using with
network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
instead of lnd to bring in line with clightning.
WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
Erik Arvstedt
Jonas Nick
nixbitcoin