Commit Graph

79 Commits

Author SHA1 Message Date
Erik Arvstedt
f6b883a9ac
remove webindex
This module is outdated and incomplete. We can readd an improved version in
the future.

Move nanopos nginx proxy tests to the nanopos test.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
2a240d6f4a
enable-tor: disable default onion services for clightning, lnd, btcpayserver
In case of btcpayserver the default onion service is a security risk
because any visitor can register an admin account on a freshly setup node.
2021-01-14 13:25:09 +01:00
Erik Arvstedt
bd2a46cb73
spark-wallet: use onionServices
Also remove the unneeded definition of ReadWritePaths because the
service doesn't need write access to onion files.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
87fb9f246b
add 'enable-tor' preset
Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.

Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
93562f76dd
onionAddresses: remove redundant option 'enable'
The service can be disabled via `onion-addresses.access = mkForce {};`

Also remove redundant description.
2021-01-14 13:25:06 +01:00
Erik Arvstedt
5c6977b006
rename onion-chef -> nix-bitcoin.onionAddresses
This clarifies its function.
2021-01-14 13:25:05 +01:00
Erik Arvstedt
39f16c0b4a
liquidd: add consistent address options 2021-01-14 13:25:05 +01:00
Erik Arvstedt
b5d76ba1b3
electrs: add consistent address options 2021-01-14 13:25:04 +01:00
Erik Arvstedt
8fa32b7f91
btcpayserver: add consistent address options 2021-01-14 13:25:04 +01:00
Erik Arvstedt
e78a609687
clightning: add consistent address options
Also remove option 'autolisten'. This option has no effect because
option 'bind-addr' is always set.
2021-01-14 13:25:04 +01:00
Erik Arvstedt
b41a720c28
lnd: add consistent address options
Also fix btcpayserver by connecting to the lnd restAddress instead of the p2p address.
2021-01-14 13:25:03 +01:00
Erik Arvstedt
dd4a0238f9
bitcoind: group rpc options under parent option 'rpc' 2021-01-14 13:25:03 +01:00
Erik Arvstedt
5b7e0d09b2
bitcoind: add consistent address options 2021-01-14 13:25:03 +01:00
Jonas Nick
79f4723cda
lightning-charge: remove package and module 2021-01-01 19:16:46 +00:00
Jonas Nick
58de79d401
nanopos: remove package and module 2021-01-01 17:37:30 +00:00
Erik Arvstedt
c8e73c959e
fix 'hardened' profile for NixOS 20.09
The 'scudo' memory allocator set by the 'hardened' profile breaks some
services on 20.09.
The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052)
is ineffective on 20.09.

As a workaround, add a custom 'hardened' preset that uses the default allocator.
2020-12-18 19:56:56 +01:00
nixbitcoin
f29f04c0c4
secure-node: LND no longer requires ControlPort
Onion service is now generated through mkHiddenService function.
2020-11-06 08:51:23 +00:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
5e0e16529c
netns: fix default addressblock value type
Also remove redundant definition in secure-node.nix
2020-10-20 18:21:37 +02:00
Erik Arvstedt
480d0d3959
liquid: fix bitcoin rpc settings
- Remove redundant option mainchainrpchost.
  This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
  Enables use without secure-node.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module 2020-10-16 16:46:55 +02:00
nixbitcoin
173891fa5b
joinmarket: add module 2020-09-22 13:50:37 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion 2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module 2020-09-15 12:09:12 +00:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).

To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users 2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
Previously, systemd-status was broken for all users except root.

Use a 'default' deny policy, which is overridden for group 'proc'.

Add operator to group 'proc'.

Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
nixbitcoin
e4fb7a52de
backups: add module 2020-08-04 15:25:37 +00:00
nixbitcoin
e650df30d5
bitcoind: bump rpcthread count 2020-08-04 14:46:57 +00:00
nixbitcoin
716e98789c
lnd: add listenPort option 2020-08-04 14:07:06 +00:00
nixbitcoin
43da15557d
clightning: refactor bind-addr to be IP address only
With typecheck
2020-08-04 14:07:02 +00:00
nixbitcoin
d99ccc8445
clightning: add bindport option 2020-08-04 12:42:57 +00:00
Jonas Nick
0baeb2acce
Merge #209: Lightning loop
e9204946d4 lightning-loop: add tests (nixbitcoin)
491d83a658 lightning-loop: add module (nixbitcoin)
8f3588b13f lnd: higher attempt limit for less-powerful machines (nixbitcoin)
1bb801ad7b lightning-loop: add pkg (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e9204946d4

Tree-SHA512: cc8bb85978350dd530c3c8d2c9aca5ddc4ab1f72cdd27d031bb303eca1d9473f18e45bc119c62bb2991faa32b3e1d42e4439f02a56ab3a6b975b0bd491195604
2020-07-28 20:02:12 +00:00
nixbitcoin
491d83a658
lightning-loop: add module 2020-07-28 15:55:52 +00:00
nixbitcoin
1bf45a9547
bitcoind: add rpcwhitelist feature
Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
2020-07-28 14:32:50 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
nixbitcoin
0248e6493f
systemd: lock down systemctl status
Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
2020-07-28 11:28:09 +00:00
nixbitcoin
4dbc348921
electrs: remove TLSProxy
https://github.com/spesmilo/electrum/issues/5278 was resolved
2020-07-21 13:41:03 +00:00
nixbitcoin
25adce29e5
secure-node: only mkHiddenServices if services are enabled 2020-07-21 09:38:55 +00:00
nixbitcoin
ef89607704
recurring-donations: add netns
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
  services
- Removes torsocks dependency in favor of `curl --socks-hostname`
2020-07-21 09:38:51 +00:00
nixbitcoin
582cb86d74
nanopos: add netns
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
  services
- Adds charged-url option to allow using nanopos with network
  namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
2020-07-21 09:38:49 +00:00
nixbitcoin
7369f0a7ec
lightning-charge: add netns
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
  services
- Adds extraArgs option to allow using lightning-charge with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:47 +00:00
nixbitcoin
c4ab73d51f
spark-wallet: add netns
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
2020-07-21 09:38:45 +00:00
nixbitcoin
d6296acaba
electrs: add netns
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
  electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:43 +00:00
nixbitcoin
672a416ede
liquidd: add netns
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
  liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
2020-07-21 09:38:39 +00:00
nixbitcoin
c55296433d
lnd: add netns
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
  hiddenService.
- Amends hardcoded lnd ip to lnd-cert

WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
2020-07-21 09:38:35 +00:00
nixbitcoin
f3d2aaa5d4
lnd: prepare for netns and bring in line with clightning
- Adds bitcoind-host, and tor-socks options to allow using with
  network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
  to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
  instead of lnd to bring in line with clightning.

WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
2020-07-21 09:38:32 +00:00