Compare commits
108 Commits
master
...
moneta-ove
@ -27,7 +27,6 @@ task:
|
|||||||
- scenario: default
|
- scenario: default
|
||||||
- scenario: netns
|
- scenario: netns
|
||||||
- scenario: netnsRegtest
|
- scenario: netnsRegtest
|
||||||
- scenario: trustedcoin
|
|
||||||
# This script is run as root
|
# This script is run as root
|
||||||
build_script:
|
build_script:
|
||||||
- echo "sandbox = true" >> /etc/nix/nix.conf
|
- echo "sandbox = true" >> /etc/nix/nix.conf
|
||||||
|
19
README.md
19
README.md
@ -79,22 +79,19 @@ NixOS modules ([src](modules/modules.nix))
|
|||||||
* [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
|
* [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
|
||||||
* [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
|
* [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
|
||||||
* [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
|
* [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
|
||||||
* [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
|
|
||||||
* [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
|
* [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
|
||||||
* [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
|
* [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
|
||||||
* [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
|
* [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
|
||||||
* [Lightning Loop](https://github.com/lightninglabs/loop)
|
* [Lightning Loop](https://github.com/lightninglabs/loop)
|
||||||
* [Lightning Pool](https://github.com/lightninglabs/pool)
|
* [Lightning Pool](https://github.com/lightninglabs/pool)
|
||||||
* [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
|
* [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
|
||||||
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or
|
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or clightning via a REST onion service
|
||||||
clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
|
|
||||||
[Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
|
|
||||||
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
|
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
|
||||||
* [spark-wallet](https://github.com/shesek/spark-wallet)
|
* [spark-wallet](https://github.com/shesek/spark-wallet)
|
||||||
* [electrs](https://github.com/romanz/electrs): Electrum server
|
* [electrs](https://github.com/romanz/electrs)
|
||||||
* [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
|
* [fulcrum](https://github.com/cculianu/Fulcrum) (see [the module](modules/fulcrum.nix) for a comparison to electrs)
|
||||||
* [btcpayserver](https://github.com/btcpayserver/btcpayserver)
|
* [btcpayserver](https://github.com/btcpayserver/btcpayserver)
|
||||||
* [liquid](https://github.com/elementsproject/elements): federated sidechain
|
* [liquid](https://github.com/elementsproject/elements)
|
||||||
* [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
|
* [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
|
||||||
* [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
|
* [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
|
||||||
* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
|
* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
|
||||||
@ -102,13 +99,7 @@ NixOS modules ([src](modules/modules.nix))
|
|||||||
* [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
|
* [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
|
||||||
* [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
|
* [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
|
||||||
* [backups](modules/backups.nix): duplicity backups of all your node's important files
|
* [backups](modules/backups.nix): duplicity backups of all your node's important files
|
||||||
* [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
|
* [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
|
||||||
|
|
||||||
### Extension modules
|
|
||||||
Extension modules are maintained in separate repositories and have their own review
|
|
||||||
and release process.
|
|
||||||
|
|
||||||
* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
|
|
||||||
|
|
||||||
Security
|
Security
|
||||||
---
|
---
|
||||||
|
@ -56,10 +56,9 @@ ls -al /var/lib/containers/nb-test
|
|||||||
# Start a shell in the context of a service process.
|
# Start a shell in the context of a service process.
|
||||||
# Must be run inside the container (enter with cmd `c`).
|
# Must be run inside the container (enter with cmd `c`).
|
||||||
enter_service() {
|
enter_service() {
|
||||||
name=$1
|
local name=$1
|
||||||
pid=$(systemctl show -p MainPID --value "$name")
|
nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
|
||||||
IFS=- read -r uid gid < <(stat -c "%u-%g" "/proc/$pid")
|
--setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
|
||||||
nsenter --all -t "$pid" --setuid "$uid" --setgid "$gid" bash
|
|
||||||
}
|
}
|
||||||
enter_service clightning
|
enter_service clightning
|
||||||
|
|
||||||
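Review bot: The new `nsenter` line takes the target uid and gid from `id -u "$name"` / `id -g "$name"`, which assumes the unit's account is named exactly like the unit; for a service that runs under a different user the shell is entered with the wrong identity (or `id` fails), whereas the ids read from the live process cannot drift. It also passes MainPID straight to `nsenter -t`, so a stopped unit yields `-t 0` and an unhelpful error. A short guard keeps the identity explicit and fails early: `local pid; pid=$(systemctl show -p MainPID --value "$name")` / `[[ $pid -gt 0 ]] || { echo "$name is not running" >&2; return 1; }` and then take uid/gid from `stat -c '%u %g' "/proc/$pid"` rather than from the account name. The function body is fully inside the hunk.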
|
@ -9,9 +9,6 @@ with lib;
|
|||||||
services.btcpayserver.enable = true;
|
services.btcpayserver.enable = true;
|
||||||
test.container.exposeLocalhost = true;
|
test.container.exposeLocalhost = true;
|
||||||
# services.btcpayserver.lbtc = false;
|
# services.btcpayserver.lbtc = false;
|
||||||
|
|
||||||
# Required for testing interactive plugin installation
|
|
||||||
test.container.enableWAN = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# A node with internet access to test joinmarket-ob-watcher
|
# A node with internet access to test joinmarket-ob-watcher
|
||||||
@ -45,34 +42,4 @@ with lib;
|
|||||||
nix-bitcoin.nodeinfo.enable = true;
|
nix-bitcoin.nodeinfo.enable = true;
|
||||||
# test.container.enableWAN = true;
|
# test.container.enableWAN = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
wireguard-lndconnect-online = { config, pkgs, lib, ... }: {
|
|
||||||
imports = [
|
|
||||||
../modules/presets/wireguard.nix
|
|
||||||
scenarios.regtestBase
|
|
||||||
];
|
|
||||||
|
|
||||||
# 51820 (default wg port) + 1
|
|
||||||
networking.wireguard.interfaces.wg-nb.listenPort = 51821;
|
|
||||||
test.container.enableWAN = true;
|
|
||||||
# test.container.exposeLocalhost = true;
|
|
||||||
|
|
||||||
services.clightning.extraConfig = "disable-dns";
|
|
||||||
|
|
||||||
services.lnd = {
|
|
||||||
enable = true;
|
|
||||||
lndconnect = {
|
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.clightning-rest = {
|
|
||||||
enable = true;
|
|
||||||
lndconnect = {
|
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
nix-bitcoin.nodeinfo.enable = true;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
@ -1,64 +0,0 @@
|
|||||||
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
|
|
||||||
# Test Tor and WireGuard connections on a mobile device
|
|
||||||
|
|
||||||
# 1. Run container
|
|
||||||
run-tests.sh -s wireguard-lndconnect-online container
|
|
||||||
|
|
||||||
# 2. Test connecting via Tor
|
|
||||||
# Print QR codes for lnd, clightning-rest connections via Tor
|
|
||||||
c lndconnect
|
|
||||||
c lndconnect-clightning
|
|
||||||
# Add these to Zeus >= 0.7.1.
|
|
||||||
# To explicitly check if the connection is successful, press the node logo in the top
|
|
||||||
# left corner, and then "Node Info".
|
|
||||||
|
|
||||||
# Debug
|
|
||||||
c lndconnect --url
|
|
||||||
c lndconnect-clightning --url
|
|
||||||
|
|
||||||
# 3. Test connecting via WireGuard
|
|
||||||
|
|
||||||
# 3.1 Forward WireGuard port from the container host to the container
|
|
||||||
iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
|
|
||||||
|
|
||||||
# 3.2. Optional: When your container host has an external firewall,
|
|
||||||
# forward the WireGuard port to the container host:
|
|
||||||
# - Port: 51821
|
|
||||||
# - Protocol: UDP
|
|
||||||
# - Destination: IPv4 of the container host
|
|
||||||
|
|
||||||
# 3.2 Print QR code and setup wireguard on the mobile device
|
|
||||||
c nix-bitcoin-wg-connect
|
|
||||||
c nix-bitcoin-wg-connect --text
|
|
||||||
|
|
||||||
# Print QR codes for lnd, clightning-rest connections via WireGuard
|
|
||||||
c lndconnect-wg
|
|
||||||
c lndconnect-clightning-wg
|
|
||||||
# Add these to Zeus >= 0.7.1.
|
|
||||||
# To explicitly check if the connection is successful, press the node logo in the top
|
|
||||||
# left corner, and then "Node Info".
|
|
||||||
|
|
||||||
# Debug
|
|
||||||
c lndconnect-wg --url
|
|
||||||
c lndconnect-clightning-wg --url
|
|
||||||
|
|
||||||
# 3.3.remove external firewall port forward, remove local port forward:
|
|
||||||
iptables -t nat -D PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
|
|
||||||
# Now exit the container shell
|
|
||||||
|
|
||||||
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
|
|
||||||
# Debug lndconnect
|
|
||||||
|
|
||||||
run-tests.sh -s wireguard-lndconnect-online container
|
|
||||||
|
|
||||||
c nodeinfo
|
|
||||||
|
|
||||||
c lndconnect --url
|
|
||||||
c lndconnect-wg --url
|
|
||||||
c lndconnect-clightning --url
|
|
||||||
c lndconnect-clightning-wg --url
|
|
||||||
|
|
||||||
c lndconnect
|
|
||||||
c lndconnect-wg
|
|
||||||
c lndconnect-clightning
|
|
||||||
c lndconnect-clightning-wg
|
|
160
docs/services.md
160
docs/services.md
@ -142,154 +142,60 @@ You can find the `<onion-address>` with command `nodeinfo`.
|
|||||||
The default password location is `$secretsDir/rtl-password`.
|
The default password location is `$secretsDir/rtl-password`.
|
||||||
See: [Secrets dir](./configuration.md#secrets-dir)
|
See: [Secrets dir](./configuration.md#secrets-dir)
|
||||||
|
|
||||||
# Use Zeus (mobile lightning wallet) via Tor
|
# Use LND or clightning with Zeus (mobile wallet) via Tor
|
||||||
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1)
|
1. Install [Zeus](https://zeusln.app)
|
||||||
|
|
||||||
2. Edit your `configuration.nix`
|
2. Edit your `configuration.nix`
|
||||||
|
|
||||||
##### For lnd
|
##### For lnd
|
||||||
|
|
||||||
Add the following config:
|
Add the following config:
|
||||||
```nix
|
```
|
||||||
services.lnd.lndconnect = {
|
services.lnd.lndconnectOnion.enable = true;
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
};
|
|
||||||
```
|
```
|
||||||
|
|
||||||
##### For clightning
|
##### For clightning
|
||||||
|
|
||||||
Add the following config:
|
Add the following config:
|
||||||
```nix
|
```
|
||||||
services.clightning-rest = {
|
services.clightning-rest = {
|
||||||
enable = true;
|
enable = true;
|
||||||
lndconnect = {
|
lndconnectOnion.enable = true;
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Deploy your configuration
|
3. Deploy your configuration
|
||||||
|
|
||||||
4. Run the following command on your node (as user `operator`) to create a QR code
|
3. Run the following command on your node (as user `operator`) to create a QR code
|
||||||
with address and authentication information:
|
with address and authentication information:
|
||||||
|
|
||||||
##### For lnd
|
##### For lnd
|
||||||
```
|
```
|
||||||
lndconnect
|
lndconnect-onion
|
||||||
```
|
```
|
||||||
|
|
||||||
##### For clightning
|
##### For clightning
|
||||||
```
|
```
|
||||||
lndconnect-clightning
|
lndconnect-onion-clightning
|
||||||
```
|
```
|
||||||
|
|
||||||
5. Configure Zeus
|
4. Configure Zeus
|
||||||
- Add a new node and scan the QR code
|
- Add a new node
|
||||||
|
- Select `Scan lndconnect config` (at the bottom) and scan the QR code
|
||||||
|
- For clightning: Set `Node interface` to `c-lightning-REST`
|
||||||
- Click `Save node config`
|
- Click `Save node config`
|
||||||
- Start sending and stacking sats privately
|
- Start sending and stacking sats privately
|
||||||
|
|
||||||
### Additional lndconnect features
|
### Additional lndconnect features
|
||||||
- Create a plain text URL:
|
Create plain text URLs or QR code images:
|
||||||
```bash
|
```
|
||||||
lndconnect --url
|
lndconnect-onion --url
|
||||||
```
|
lndconnect-onion --image
|
||||||
- Set a custom host. By default, `lndconnect` detects the system's external IP and uses it as the host.
|
|
||||||
```bash
|
|
||||||
lndconnect --host myhost
|
|
||||||
```
|
|
||||||
|
|
||||||
# Use Zeus (mobile lightning wallet) via WireGuard
|
|
||||||
|
|
||||||
Connecting Zeus directly to your node is much faster than using Tor, but a bit more complex to setup.
|
|
||||||
|
|
||||||
There are two ways to establish a secure, direct connection:
|
|
||||||
|
|
||||||
- Connecting via TLS. This requires installing your lightning app's
|
|
||||||
TLS Certificate on your mobile device.
|
|
||||||
|
|
||||||
- Connecting via WireGuard. This approach is simpler and more versatile, and is
|
|
||||||
described in this guide.
|
|
||||||
|
|
||||||
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) and
|
|
||||||
[WireGuard](https://www.wireguard.com/install/) on your mobile device.
|
|
||||||
|
|
||||||
2. Add the following to your `configuration.nix`:
|
|
||||||
```nix
|
|
||||||
imports = [
|
|
||||||
# Use this line when using the default deployment method
|
|
||||||
<nix-bitcoin/modules/presets/wireguard.nix>
|
|
||||||
|
|
||||||
# Use this line when using Flakes
|
|
||||||
(nix-bitcoin + /modules/presets/wireguard.nix)
|
|
||||||
]
|
|
||||||
|
|
||||||
# For lnd
|
|
||||||
services.lnd.lndconnect.enable = true;
|
|
||||||
|
|
||||||
# For clightning
|
|
||||||
services.clightning-rest = {
|
|
||||||
enable = true;
|
|
||||||
lndconnect.enable = true;
|
|
||||||
};
|
|
||||||
```
|
|
||||||
3. Deploy your configuration.
|
|
||||||
|
|
||||||
4. If your node is behind an external firewall or NAT, add the following port forwarding
|
|
||||||
rule to the external device:
|
|
||||||
- Port: 51820 (the default value of option `networking.wireguard.interfaces.wg-nb.listenPort`)
|
|
||||||
- Protocol: UDP
|
|
||||||
- Destination: IP of your node
|
|
||||||
|
|
||||||
5. Setup WireGuard on your mobile device.
|
|
||||||
|
|
||||||
Run the following command on your node (as user `operator`) to create a QR code
|
|
||||||
for WireGuard:
|
|
||||||
```bash
|
|
||||||
nix-bitcoin-wg-connect
|
|
||||||
|
|
||||||
# For debugging: Show the WireGuard config as text
|
|
||||||
nix-bitcoin-wg-connect --text
|
|
||||||
```
|
|
||||||
The above commands automatically detect your node's external IP.\
|
|
||||||
To set a custom IP or hostname, run the following:
|
|
||||||
```
|
|
||||||
nix-bitcoin-wg-connect 93.184.216.34
|
|
||||||
nix-bitcoin-wg-connect mynode.org
|
|
||||||
```
|
|
||||||
|
|
||||||
Configure WireGuard:
|
|
||||||
- Press the `+` button in the bottom right corner
|
|
||||||
- Scan the QR code
|
|
||||||
- Add the tunnel
|
|
||||||
|
|
||||||
6. Setup Zeus
|
|
||||||
|
|
||||||
Run the following command on your node (as user `operator`) to create a QR code for Zeus:
|
|
||||||
|
|
||||||
##### For lnd
|
|
||||||
```
|
|
||||||
lndconnect-wg
|
|
||||||
```
|
|
||||||
|
|
||||||
##### For clightning
|
|
||||||
```
|
|
||||||
lndconnect-clightning-wg
|
|
||||||
```
|
|
||||||
|
|
||||||
Configure Zeus:
|
|
||||||
- Add a new node and scan the QR code
|
|
||||||
- Click `Save node config`
|
|
||||||
- On the certificate warning screen, click `I understand, save node config`.\
|
|
||||||
Certificates are not needed when connecting via WireGuard.
|
|
||||||
- Start sending and stacking sats privately
|
|
||||||
|
|
||||||
### Additional lndconnect features
|
|
||||||
Create a plain text URL:
|
|
||||||
```bash
|
|
||||||
lndconnect-wg --url
|
|
||||||
``````
|
``````
|
||||||
|
Create a QR code for a custom hostname:
|
||||||
|
```
|
||||||
|
lndconnect-onion --host=mynode.org
|
||||||
|
```
|
||||||
|
|
||||||
# Connect to spark-wallet
|
# Connect to spark-wallet
|
||||||
### Requirements
|
### Requirements
|
||||||
@ -621,27 +527,3 @@ services.clightning = {
|
|||||||
```
|
```
|
||||||
|
|
||||||
Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
|
Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
|
||||||
|
|
||||||
### Trustedcoin hints
|
|
||||||
The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
|
|
||||||
proxy for all of its external connections by default. That's why you can
|
|
||||||
sometimes face issues with your connections to esploras getting blocked.
|
|
||||||
|
|
||||||
An example of clightning log error output in a case your connections are getting blocked:
|
|
||||||
|
|
||||||
```
|
|
||||||
lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
|
|
||||||
lightningd[4933]: <meta http-equiv="content-type" content="text/html;
|
|
||||||
```
|
|
||||||
|
|
||||||
If you face these issues and you still need to use trustedcoin, use can disable
|
|
||||||
clightning's tor hardening by setting this option in your `configuration.nix`
|
|
||||||
file:
|
|
||||||
|
|
||||||
```
|
|
||||||
services.clightning.tor.enforce = false;
|
|
||||||
```
|
|
||||||
|
@ -56,18 +56,13 @@
|
|||||||
#
|
#
|
||||||
# == REST server
|
# == REST server
|
||||||
# Set this to create a clightning REST onion service.
|
# Set this to create a clightning REST onion service.
|
||||||
# This also adds binary `lndconnect-clightning` to the system environment.
|
# This also adds binary `lndconnect-onion-clightning` to the system environment.
|
||||||
# This binary creates QR codes or URLs for connecting applications to clightning
|
# This binary creates QR codes or URLs for connecting applications to clightning
|
||||||
# via the REST onion service.
|
# via the REST onion service (see ../docs/services.md).
|
||||||
# You can also connect via WireGuard instead of Tor.
|
|
||||||
# See ../docs/services.md for details.
|
|
||||||
#
|
#
|
||||||
# services.clightning-rest = {
|
# services.clightning-rest = {
|
||||||
# enable = true;
|
# enable = true;
|
||||||
# lndconnect = {
|
# lndconnectOnion.enable = true;
|
||||||
# enable = true;
|
|
||||||
# onion = true;
|
|
||||||
# };
|
|
||||||
# };
|
# };
|
||||||
|
|
||||||
### LND
|
### LND
|
||||||
@ -83,17 +78,11 @@
|
|||||||
# The onion service is automatically announced to peers.
|
# The onion service is automatically announced to peers.
|
||||||
# nix-bitcoin.onionServices.lnd.public = true;
|
# nix-bitcoin.onionServices.lnd.public = true;
|
||||||
#
|
#
|
||||||
# Set this to create a lnd REST onion service.
|
# Set this to create an lnd REST onion service.
|
||||||
# This also adds binary `lndconnect` to the system environment.
|
# This also adds binary `lndconnect-onion` to the system environment.
|
||||||
# This binary generates QR codes or URLs for connecting applications to lnd via the
|
# This binary generates QR codes or URLs for connecting applications to lnd via the
|
||||||
# REST onion service.
|
# REST onion service (see ../docs/services.md).
|
||||||
# You can also connect via WireGuard instead of Tor.
|
# services.lnd.lndconnectOnion.enable = true;
|
||||||
# See ../docs/services.md for details.
|
|
||||||
#
|
|
||||||
# services.lnd.lndconnect = {
|
|
||||||
# enable = true;
|
|
||||||
# onion = true;
|
|
||||||
# };
|
|
||||||
#
|
#
|
||||||
## WARNING
|
## WARNING
|
||||||
# If you use lnd, you should manually backup your wallet mnemonic
|
# If you use lnd, you should manually backup your wallet mnemonic
|
||||||
|
42
flake.lock
42
flake.lock
@ -10,11 +10,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1679648217,
|
"lastModified": 1671802034,
|
||||||
"narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=",
|
"narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
|
||||||
"owner": "erikarvstedt",
|
"owner": "erikarvstedt",
|
||||||
"repo": "extra-container",
|
"repo": "extra-container",
|
||||||
"rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb",
|
"rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -24,15 +24,12 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"inputs": {
|
|
||||||
"systems": "systems"
|
|
||||||
},
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681202837,
|
"lastModified": 1667395993,
|
||||||
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
|
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
|
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -43,11 +40,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1683207485,
|
"lastModified": 1674407282,
|
||||||
"narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
|
"narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
|
"rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -59,11 +56,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1683353485,
|
"lastModified": 1674487464,
|
||||||
"narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=",
|
"narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75",
|
"rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -80,21 +77,6 @@
|
|||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||||
}
|
}
|
||||||
},
|
|
||||||
"systems": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1681028828,
|
|
||||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-systems",
|
|
||||||
"repo": "default",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
Binary file not shown.
@ -427,8 +427,7 @@ in {
|
|||||||
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
||||||
#ReadWritePaths = [ cfg.dataDir ];
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
ReadWritePaths = [ "/dummy" ];
|
|
||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
||||||
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
||||||
};
|
};
|
||||||
|
@ -236,16 +236,11 @@ in {
|
|||||||
--datadir='${cfg.btcpayserver.dataDir}'
|
--datadir='${cfg.btcpayserver.dataDir}'
|
||||||
'';
|
'';
|
||||||
User = cfg.btcpayserver.user;
|
User = cfg.btcpayserver.user;
|
||||||
# Also restart after the program has exited successfully.
|
Restart = "on-failure";
|
||||||
# This is required to support restarting from the web interface after
|
RestartSec = "10s";
|
||||||
# interactive plugin installation.
|
|
||||||
# Restart rate limiting is implemented via the `startLimit*` options below.
|
|
||||||
Restart = "always";
|
|
||||||
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
||||||
MemoryDenyWriteExecute = false;
|
MemoryDenyWriteExecute = false;
|
||||||
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
||||||
startLimitIntervalSec = 30;
|
|
||||||
startLimitBurst = 10;
|
|
||||||
}; in self;
|
}; in self;
|
||||||
|
|
||||||
users.users.${cfg.nbxplorer.user} = {
|
users.users.${cfg.nbxplorer.user} = {
|
||||||
|
@ -17,7 +17,6 @@ in {
|
|||||||
./feeadjuster.nix
|
./feeadjuster.nix
|
||||||
./prometheus.nix
|
./prometheus.nix
|
||||||
./summary.nix
|
./summary.nix
|
||||||
./trustedcoin.nix
|
|
||||||
./zmq.nix
|
./zmq.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -1,28 +0,0 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
let cfg = config.services.clightning.plugins.trustedcoin; in
|
|
||||||
{
|
|
||||||
options.services.clightning.plugins.trustedcoin = {
|
|
||||||
enable = mkEnableOption "Trustedcoin (clightning plugin)";
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = config.nix-bitcoin.pkgs.trustedcoin;
|
|
||||||
defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
|
|
||||||
description = mdDoc "The package providing trustedcoin binaries.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
services.clightning.extraConfig = ''
|
|
||||||
plugin=${cfg.package}/bin/trustedcoin
|
|
||||||
disable-plugin=bcli
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Trustedcoin does not honor the clightning's proxy configuration.
|
|
||||||
# Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
|
|
||||||
systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
|
|
||||||
HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -107,15 +107,13 @@ let
|
|||||||
network = bitcoind.makeNetworkName "bitcoin" "regtest";
|
network = bitcoind.makeNetworkName "bitcoin" "regtest";
|
||||||
configFile = pkgs.writeText "config" ''
|
configFile = pkgs.writeText "config" ''
|
||||||
network=${network}
|
network=${network}
|
||||||
${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"}
|
bitcoin-datadir=${bitcoind.dataDir}
|
||||||
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
||||||
always-use-proxy=${boolToString cfg.always-use-proxy}
|
always-use-proxy=${boolToString cfg.always-use-proxy}
|
||||||
bind-addr=${cfg.address}:${toString cfg.port}
|
bind-addr=${cfg.address}:${toString cfg.port}
|
||||||
|
|
||||||
bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
|
bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
|
||||||
bitcoin-rpcport=${toString bitcoind.rpc.port}
|
bitcoin-rpcport=${toString bitcoind.rpc.port}
|
||||||
bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
|
bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
|
||||||
|
|
||||||
rpc-file-mode=0660
|
rpc-file-mode=0660
|
||||||
log-timestamps=false
|
log-timestamps=false
|
||||||
${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
|
${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
|
||||||
@ -163,7 +161,6 @@ in {
|
|||||||
{
|
{
|
||||||
cat ${configFile}
|
cat ${configFile}
|
||||||
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
|
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
|
||||||
|
|
||||||
${optionalString (cfg.getPublicAddressCmd != "") ''
|
${optionalString (cfg.getPublicAddressCmd != "") ''
|
||||||
echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
|
echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
|
||||||
''}
|
''}
|
||||||
|
@ -61,9 +61,10 @@ in {
|
|||||||
listenWhitelisted = true;
|
listenWhitelisted = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
# Commented out to allow nfs mounts
|
||||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
# systemd.tmpfiles.rules = [
|
||||||
];
|
# "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||||
|
# ];
|
||||||
|
|
||||||
systemd.services.electrs = {
|
systemd.services.electrs = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
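Review bot: Commenting out `systemd.tmpfiles.rules` leaves dead configuration in the module and silently drops the only place that sets owner `${cfg.user}`/`${cfg.group}` and mode 0770 on `cfg.dataDir`; on an NFS-backed data directory the permissions are now whatever the export provides, and nothing in this module checks them. Rather than deleting the rule for every deployment, gate it: keep the original three lines and wrap them as `systemd.tmpfiles.rules = mkIf <dataDir-is-local-option> [ … ];` (option name to be chosen), so local installs keep the hardened directory and NFS users opt out explicitly. The `# Commented out to allow nfs mounts` comment should then state which mount scenario the option covers. The `systemd.services.electrs` block that begins at the end of this hunk continues outside it.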
@ -158,7 +158,7 @@ let
|
|||||||
onion_serving_host = ${cfg.messagingAddress}
|
onion_serving_host = ${cfg.messagingAddress}
|
||||||
onion_serving_port = ${toString cfg.messagingPort}
|
onion_serving_port = ${toString cfg.messagingPort}
|
||||||
hidden_service_dir =
|
hidden_service_dir =
|
||||||
directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
|
directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
|
||||||
|
|
||||||
# irc.darkscience.net
|
# irc.darkscience.net
|
||||||
[MESSAGING:server1]
|
[MESSAGING:server1]
|
||||||
|
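Review bot: The `directory_nodes` line replaces one of the three hard-coded directory-node onion addresses without any comment recording where the new entry comes from. Directory nodes are the peers through which joinmarket offers are discovered, so which ones a node pins is a trust decision that should be traceable; add a `# Ref.: <upstream joinmarket default>` comment above the line, or expose the list as an option with this value as its default so operators can override it without editing the module. The `[MESSAGING:server1]` block that follows continues outside the hunk.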
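--- a/modules/lndconnect-onion.nix
+++ b/modules/lndconnect-onion.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+options = {
+services.lnd.lndconnectOnion.enable = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc ''
+Create an onion service for the lnd REST server.
+Add a `lndconnect-onion` binary to the system environment.
+See: https://github.com/LN-Zap/lndconnect
+
+Usage:
+```bash
+# Print QR code
+lndconnect-onion
+
+# Print URL
+lndconnect-onion --url
+```
+'';
+};
+
+services.clightning-rest.lndconnectOnion.enable = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc ''
+Create an onion service for clightning-rest.
+Add a `lndconnect-onion-clightning` binary to the system environment.
+See: https://github.com/LN-Zap/lndconnect
+
+Usage:
+```bash
+# Print QR code
+lndconnect-onion-clightning
+
+# Print URL
+lndconnect-onion-clightning --url
+```
+'';
+};
+};
+
+nbLib = config.nix-bitcoin.lib;
+runAsUser = config.nix-bitcoin.runAsUserCmd;
+
+inherit (config.services)
+lnd
+clightning
+clightning-rest;
+
+mkLndconnect = {
+name,
+shebang ? "#!${pkgs.stdenv.shell} -e",
+onionService,
+port,
+certPath,
+macaroonPath
+}:
+# TODO-EXTERNAL:
+# lndconnect requires a --configfile argument, although it's unused
+# https://github.com/LN-Zap/lndconnect/issues/25
+pkgs.writeScriptBin name ''
+${shebang}
+exec ${config.nix-bitcoin.pkgs.lndconnect}/bin/lndconnect \
+--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService}) \
+--port=${toString port} \
+--tlscertpath='${certPath}' \
+--adminmacaroonpath='${macaroonPath}' \
+--configfile=/dev/null "$@"
+'';
+
+operatorName = config.nix-bitcoin.operator.name;
+in {
+inherit options;
+
+config = mkMerge [
+(mkIf (lnd.enable && lnd.lndconnectOnion.enable) {
+services.tor = {
+enable = true;
+relay.onionServices.lnd-rest = nbLib.mkOnionService {
+target.addr = nbLib.address lnd.restAddress;
+target.port = lnd.restPort;
+port = lnd.restPort;
+};
+};
+nix-bitcoin.onionAddresses.access.${lnd.user} = [ "lnd-rest" ];
+
+environment.systemPackages = [(
+mkLndconnect {
+name = "lndconnect-onion";
+# Run as lnd user because the macaroon and cert are not group-readable
+shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
+onionService = "${lnd.user}/lnd-rest";
+port = lnd.restPort;
+certPath = lnd.certPath;
+macaroonPath = "${lnd.networkDir}/admin.macaroon";
+}
+)];
+})
+
+(mkIf (clightning-rest.enable && clightning-rest.lndconnectOnion.enable) {
+services.tor = {
+enable = true;
+relay.onionServices.clightning-rest = nbLib.mkOnionService {
+target.addr = nbLib.address clightning-rest.address;
+target.port = clightning-rest.port;
+port = clightning-rest.port;
+};
+};
+# This also allows nodeinfo to show the clightning-rest onion address
+nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
+
+environment.systemPackages = [(
+mkLndconnect {
+name = "lndconnect-onion-clightning";
+onionService = "${operatorName}/clightning-rest";
+port = clightning-rest.port;
+certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
+macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
+}
+)];
+})
+];
+}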
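Review bot: `mkLndconnect` leaves error handling to the shebang: the default is `#!${pkgs.stdenv.shell} -e`, but the lnd variant overrides it with `#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash`, which has no `-e`, so when `cat` of the onion hostname file fails (tor not yet up, or the `onionAddresses.access` entry missing) that script presumably goes on to exec lndconnect with an empty `--host=`. Put the failure mode in the template instead of the shebang: add `set -e` on the line after `${shebang}`, and quote the substitution as `--host="$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})" \`. Since the printed URL/QR code embeds the admin macaroon and the TLS cert, a one-line comment above `pkgs.writeScriptBin name ''` saying that the script's output is a full-access credential and should not be logged or left in shell history would help operators handle it correctly. This section is a complete new file.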
@ -1,205 +0,0 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
options = {
|
|
||||||
services.lnd.lndconnect = {
|
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = mdDoc ''
|
|
||||||
Add a `lndconnect` binary to the system environment which prints
|
|
||||||
connection info for lnd clients.
|
|
||||||
See: https://github.com/LN-Zap/lndconnect
|
|
||||||
|
|
||||||
Usage:
|
|
||||||
```bash
|
|
||||||
# Print QR code
|
|
||||||
lndconnect
|
|
||||||
|
|
||||||
# Print URL
|
|
||||||
lndconnect --url
|
|
||||||
```
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
onion = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = mdDoc ''
|
|
||||||
Create an onion service for the lnd REST server,
|
|
||||||
which is used by lndconnect.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
services.clightning-rest.lndconnect = {
|
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = mdDoc ''
|
|
||||||
Add a `lndconnect-clightning` binary to the system environment which prints
|
|
||||||
connection info for clightning clients.
|
|
||||||
See: https://github.com/LN-Zap/lndconnect
|
|
||||||
|
|
||||||
Usage:
|
|
||||||
```bash
|
|
||||||
# Print QR code
|
|
||||||
lndconnect-clightning
|
|
||||||
|
|
||||||
# Print URL
|
|
||||||
lndconnect-clightning --url
|
|
||||||
```
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
onion = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = mdDoc ''
|
|
||||||
Create an onion service for the clightning REST server,
|
|
||||||
which is used by lndconnect.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
nix-bitcoin.mkLndconnect = mkOption {
|
|
||||||
readOnly = true;
|
|
||||||
default = mkLndconnect;
|
|
||||||
description = mdDoc ''
|
|
||||||
A function to create a lndconnect binary.
|
|
||||||
See the source for further details.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
nbLib = config.nix-bitcoin.lib;
|
|
||||||
runAsUser = config.nix-bitcoin.runAsUserCmd;
|
|
||||||
|
|
||||||
inherit (config.services)
|
|
||||||
lnd
|
|
||||||
clightning-rest;
|
|
||||||
|
|
||||||
mkLndconnect = {
|
|
||||||
name,
|
|
||||||
shebang ? "#!${pkgs.stdenv.shell} -e",
|
|
||||||
isClightning ? false,
|
|
||||||
port,
|
|
||||||
macaroonPath,
|
|
||||||
enableOnion,
|
|
||||||
onionService ? null,
|
|
||||||
certPath ? null
|
|
||||||
}:
|
|
||||||
# TODO-EXTERNAL:
|
|
||||||
# lndconnect requires a --configfile argument, although it's unused
|
|
||||||
# https://github.com/LN-Zap/lndconnect/issues/25
|
|
||||||
pkgs.hiPrio (pkgs.writeScriptBin name ''
|
|
||||||
${shebang}
|
|
||||||
url=$(
|
|
||||||
${getExe config.nix-bitcoin.pkgs.lndconnect} --url \
|
|
||||||
${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
|
|
||||||
--port=${toString port} \
|
|
||||||
${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
|
|
||||||
--adminmacaroonpath='${macaroonPath}' \
|
|
||||||
--configfile=/dev/null "$@"
|
|
||||||
)
|
|
||||||
|
|
||||||
${optionalString isClightning
|
|
||||||
# - Change URL procotcol to c-lightning-rest
|
|
||||||
# - Encode macaroon as hex (in uppercase) instead of base 64.
|
|
||||||
# Because `macaroon` is always the last URL fragment, the
|
|
||||||
# sed replacement below works correctly.
|
|
||||||
''
|
|
||||||
macaroonHex=$(${getExe pkgs.xxd} -p -u -c 99999 '${macaroonPath}')
|
|
||||||
url=$(
|
|
||||||
echo "$url" | ${getExe pkgs.gnused} "
|
|
||||||
s|^lndconnect|c-lightning-rest|
|
|
||||||
s|macaroon=.*|macaroon=$macaroonHex|
|
|
||||||
";
|
|
||||||
)
|
|
||||||
''
|
|
||||||
}
|
|
||||||
|
|
||||||
# If --url is in args
|
|
||||||
if [[ " $* " =~ " --url " ]]; then
|
|
||||||
echo "$url"
|
|
||||||
else
|
|
||||||
# This UTF-8 encoding yields a smaller, more convenient output format
|
|
||||||
# compared to the native lndconnect output
|
|
||||||
echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
|
|
||||||
fi
|
|
||||||
'');
|
|
||||||
|
|
||||||
operatorName = config.nix-bitcoin.operator.name;
|
|
||||||
in {
|
|
||||||
inherit options;
|
|
||||||
|
|
||||||
config = mkMerge [
|
|
||||||
(mkIf (lnd.enable && lnd.lndconnect.enable)
|
|
||||||
(mkMerge [
|
|
||||||
{
|
|
||||||
environment.systemPackages = [(
|
|
||||||
mkLndconnect {
|
|
||||||
name = "lndconnect";
|
|
||||||
# Run as lnd user because the macaroon and cert are not group-readable
|
|
||||||
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
|
|
||||||
enableOnion = lnd.lndconnect.onion;
|
|
||||||
onionService = "${lnd.user}/lnd-rest";
|
|
||||||
port = lnd.restPort;
|
|
||||||
certPath = lnd.certPath;
|
|
||||||
macaroonPath = "${lnd.networkDir}/admin.macaroon";
|
|
||||||
}
|
|
||||||
)];
|
|
||||||
|
|
||||||
services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";
|
|
||||||
}
|
|
||||||
|
|
||||||
(mkIf lnd.lndconnect.onion {
|
|
||||||
services.tor = {
|
|
||||||
enable = true;
|
|
||||||
relay.onionServices.lnd-rest = nbLib.mkOnionService {
|
|
||||||
target.addr = nbLib.address lnd.restAddress;
|
|
||||||
target.port = lnd.restPort;
|
|
||||||
port = lnd.restPort;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
nix-bitcoin.onionAddresses.access = {
|
|
||||||
${lnd.user} = [ "lnd-rest" ];
|
|
||||||
${operatorName} = [ "lnd-rest" ];
|
|
||||||
};
|
|
||||||
})
|
|
||||||
]))
|
|
||||||
|
|
||||||
(mkIf (clightning-rest.enable && clightning-rest.lndconnect.enable)
|
|
||||||
(mkMerge [
|
|
||||||
{
|
|
||||||
environment.systemPackages = [(
|
|
||||||
mkLndconnect {
|
|
||||||
name = "lndconnect-clightning";
|
|
||||||
isClightning = true;
|
|
||||||
enableOnion = clightning-rest.lndconnect.onion;
|
|
||||||
onionService = "${operatorName}/clightning-rest";
|
|
||||||
port = clightning-rest.port;
|
|
||||||
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
|
|
||||||
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
|
|
||||||
}
|
|
||||||
)];
|
|
||||||
|
|
||||||
# clightning-rest always binds to all interfaces
|
|
||||||
}
|
|
||||||
|
|
||||||
(mkIf clightning-rest.lndconnect.onion {
|
|
||||||
services.tor = {
|
|
||||||
enable = true;
|
|
||||||
relay.onionServices.clightning-rest = nbLib.mkOnionService {
|
|
||||||
target.addr = nbLib.address clightning-rest.address;
|
|
||||||
target.port = clightning-rest.port;
|
|
||||||
port = clightning-rest.port;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
# This also allows nodeinfo to show the clightning-rest onion address
|
|
||||||
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
|
|
||||||
})
|
|
||||||
])
|
|
||||||
)
|
|
||||||
];
|
|
||||||
}
|
|
@ -19,7 +19,7 @@
|
|||||||
./lightning-loop.nix
|
./lightning-loop.nix
|
||||||
./lightning-pool.nix
|
./lightning-pool.nix
|
||||||
./charge-lnd.nix
|
./charge-lnd.nix
|
||||||
./lndconnect.nix # Requires onion-addresses.nix
|
./lndconnect-onion.nix # Requires onion-addresses.nix
|
||||||
./rtl.nix
|
./rtl.nix
|
||||||
./electrs.nix
|
./electrs.nix
|
||||||
./fulcrum.nix
|
./fulcrum.nix
|
||||||
|
@ -63,7 +63,7 @@ let
|
|||||||
infos = OrderedDict()
|
infos = OrderedDict()
|
||||||
operator = "${config.nix-bitcoin.operator.name}"
|
operator = "${config.nix-bitcoin.operator.name}"
|
||||||
|
|
||||||
def get_onion_address(name, port):
|
def set_onion_address(info, name, port):
|
||||||
path = f"/var/lib/onion-addresses/{operator}/{name}"
|
path = f"/var/lib/onion-addresses/{operator}/{name}"
|
||||||
try:
|
try:
|
||||||
with open(path, "r") as f:
|
with open(path, "r") as f:
|
||||||
@ -71,7 +71,7 @@ let
|
|||||||
except OSError:
|
except OSError:
|
||||||
print(f"error reading file {path}", file=sys.stderr)
|
print(f"error reading file {path}", file=sys.stderr)
|
||||||
return
|
return
|
||||||
return f"{onion_address}:{port}"
|
info["onion_address"] = f"{onion_address}:{port}"
|
||||||
|
|
||||||
def add_service(service, make_info, systemd_service = None):
|
def add_service(service, make_info, systemd_service = None):
|
||||||
systemd_service = systemd_service or service
|
systemd_service = systemd_service or service
|
||||||
@ -106,7 +106,7 @@ let
|
|||||||
add_service("${name}", """
|
add_service("${name}", """
|
||||||
info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
|
info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
|
||||||
'' + mkIfOnionPort name (onionPort: ''
|
'' + mkIfOnionPort name (onionPort: ''
|
||||||
info["onion_address"] = get_onion_address("${name}", ${onionPort})
|
set_onion_address(info, "${name}", ${onionPort})
|
||||||
'') + extraCode + ''
|
'') + extraCode + ''
|
||||||
|
|
||||||
""", "${systemdServiceName}")
|
""", "${systemdServiceName}")
|
||||||
@ -123,10 +123,8 @@ let
|
|||||||
in {
|
in {
|
||||||
inherit options;
|
inherit options;
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = {
|
||||||
environment.systemPackages = [ script ];
|
environment.systemPackages = optional cfg.enable script;
|
||||||
|
|
||||||
nix-bitcoin.operator.enable = true;
|
|
||||||
|
|
||||||
nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
|
nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
|
||||||
bitcoind = mkInfo "";
|
bitcoind = mkInfo "";
|
||||||
@ -135,13 +133,9 @@ in {
|
|||||||
if 'onion_address' in info:
|
if 'onion_address' in info:
|
||||||
info["id"] = f"{info['nodeid']}@{info['onion_address']}"
|
info["id"] = f"{info['nodeid']}@{info['onion_address']}"
|
||||||
'';
|
'';
|
||||||
lnd = name: cfg: mkInfo (''
|
lnd = mkInfo ''
|
||||||
info["rest_address"] = "${nbLib.addressWithPort cfg.restAddress cfg.restPort}"
|
|
||||||
'' + mkIfOnionPort "lnd-rest" (onionPort: ''
|
|
||||||
info["onion_rest_address"] = get_onion_address("lnd-rest", ${onionPort})
|
|
||||||
'') + ''
|
|
||||||
info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
|
info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
|
||||||
'') name cfg;
|
'';
|
||||||
clightning-rest = mkInfo "";
|
clightning-rest = mkInfo "";
|
||||||
electrs = mkInfo "";
|
electrs = mkInfo "";
|
||||||
fulcrum = mkInfo "";
|
fulcrum = mkInfo "";
|
||||||
@ -152,7 +146,7 @@ in {
|
|||||||
rtl = mkInfo "";
|
rtl = mkInfo "";
|
||||||
# Only add sshd when it has an onion service
|
# Only add sshd when it has an onion service
|
||||||
sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
|
sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
|
||||||
add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""")
|
add_service("sshd", """set_onion_address(info, "sshd", ${onionPort})""")
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
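Review bot: The `config = {` hunk drops `nix-bitcoin.operator.enable = true;` while the generated script still reads onion addresses from `/var/lib/onion-addresses/{operator}/{name}` with `operator` taken from `config.nix-bitcoin.operator.name` (the `@ -63,7` hunk above). If nothing else enables the operator user, those `set_onion_address` lookups presumably fail at runtime with only the stderr message; since `config` is no longer wrapped in `mkIf cfg.enable`, the equivalent is `nix-bitcoin.operator.enable = mkIf cfg.enable true;`. In the `@ -71,7` hunk, `except OSError:` reports only the path and discards the exception, so a permission error and a missing file look the same — use `except OSError as e:` and `print(f"error reading file {path}: {e}", file=sys.stderr)`. `set_onion_address` now mutates `info` and returns nothing; a one-line docstring stating that it sets `info["onion_address"]` only when the address file is readable would make that silent-return contract explicit. The function's body between the first two hunks is not visible here.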
@ -33,6 +33,7 @@ in {
|
|||||||
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
|
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
|
||||||
# 0.0.70
|
# 0.0.70
|
||||||
(mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
|
(mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
|
||||||
|
(mkRenamedOptionModule [ "services" "lnd" "restOnionService" "enable" ] [ "services" "lnd" "lndconnectOnion" "enable" ])
|
||||||
|
|
||||||
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
|
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
|
||||||
|
|
||||||
@ -45,28 +46,6 @@ in {
|
|||||||
bitcoin peer connections for syncing blocks. This performs well on low and high
|
bitcoin peer connections for syncing blocks. This performs well on low and high
|
||||||
memory systems.
|
memory systems.
|
||||||
'')
|
'')
|
||||||
# 0.0.86
|
|
||||||
(mkRemovedOptionModule [ "services" "lnd" "restOnionService" "enable" ] ''
|
|
||||||
Set the following options instead:
|
|
||||||
services.lnd.lndconnect = {
|
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
}
|
|
||||||
'')
|
|
||||||
(mkRemovedOptionModule [ "services" "lnd" "lndconnectOnion" ] ''
|
|
||||||
Set the following options instead:
|
|
||||||
services.lnd.lndconnect = {
|
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
}
|
|
||||||
'')
|
|
||||||
(mkRemovedOptionModule [ "services" "clightning-rest" "lndconnectOnion" ] ''
|
|
||||||
Set the following options instead:
|
|
||||||
services.clightning-rest.lndconnect = {
|
|
||||||
enable = true;
|
|
||||||
onion = true;
|
|
||||||
}
|
|
||||||
'')
|
|
||||||
] ++
|
] ++
|
||||||
# 0.0.59
|
# 0.0.59
|
||||||
(map mkSplitEnforceTorOption [
|
(map mkSplitEnforceTorOption [
|
||||||
|
@ -1,214 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
# Create a WireGuard server with a single peer.
|
|
||||||
# Private/public keys are created via the secrets system.
|
|
||||||
# Add helper binaries `nix-bitcoin-wg-connect` and optionally `lndconnect-wg`, `lndconnect-clightning-wg`.
|
|
||||||
|
|
||||||
# See ../../docs/services.md ("Use Zeus (mobile lightning wallet) via WireGuard")
|
|
||||||
# for usage instructions.
|
|
||||||
|
|
||||||
# This is a rather opinionated implementation that lacks the flexibility offered by
|
|
||||||
# other nix-bitcoin modules, so ship this as a `preset`.
|
|
||||||
# Some users will prefer to use `lndconnect` with their existing WireGuard or Tailscale setup.
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
options.nix-bitcoin.wireguard = {
|
|
||||||
subnet = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "10.10.0";
|
|
||||||
description = mdDoc "The /24 subnet of the wireguard network.";
|
|
||||||
};
|
|
||||||
restrictPeer = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = mdDoc ''
|
|
||||||
Prevent the peer from connecting to any addresses except for the WireGuard server address.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
cfg = config.nix-bitcoin.wireguard;
|
|
||||||
wgSubnet = cfg.subnet;
|
|
||||||
inherit (config.networking.wireguard.interfaces) wg-nb;
|
|
||||||
inherit (config.services)
|
|
||||||
lnd
|
|
||||||
clightning-rest;
|
|
||||||
|
|
||||||
lndconnect = lnd.enable && lnd.lndconnect.enable;
|
|
||||||
lndconnect-clightning = clightning-rest.enable && clightning-rest.lndconnect.enable;
|
|
||||||
|
|
||||||
serverAddress = "${wgSubnet}.1";
|
|
||||||
peerAddress = "${wgSubnet}.2";
|
|
||||||
|
|
||||||
secretsDir = config.nix-bitcoin.secretsDir;
|
|
||||||
|
|
||||||
wgConnectUser = if config.nix-bitcoin.operator.enable
|
|
||||||
then config.nix-bitcoin.operator.name
|
|
||||||
else "root";
|
|
||||||
|
|
||||||
# A script that prints a QR code to connect a peer to the server.
|
|
||||||
# The QR code encodes a wg-quick config that can be imported by the wireguard
|
|
||||||
# mobile app.
|
|
||||||
wgConnect = pkgs.writers.writeBashBin "nix-bitcoin-wg-connect" ''
|
|
||||||
set -euo pipefail
|
|
||||||
text=
|
|
||||||
host=
|
|
||||||
for arg in "$@"; do
|
|
||||||
case $arg in
|
|
||||||
--text)
|
|
||||||
text=1
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
host=$arg
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ ! $host ]]; then
|
|
||||||
# Use lndconnect to fetch the external ip.
|
|
||||||
# This internally uses https://github.com/GlenDC/go-external-ip, which
|
|
||||||
# queries a set of external ip providers.
|
|
||||||
host=$(
|
|
||||||
${getExe config.nix-bitcoin.pkgs.lndconnect} --url --nocert \
|
|
||||||
--configfile=/dev/null --adminmacaroonpath=/dev/null \
|
|
||||||
| sed -nE 's|.*?/(.*?):.*|\1|p'
|
|
||||||
)
|
|
||||||
fi
|
|
||||||
|
|
||||||
config="[Interface]
|
|
||||||
PrivateKey = $(cat ${secretsDir}/wg-peer-private-key)
|
|
||||||
Address = ${peerAddress}/24
|
|
||||||
|
|
||||||
[Peer]
|
|
||||||
PublicKey = $(cat ${secretsDir}/wg-server-public-key)
|
|
||||||
AllowedIPs = ${wgSubnet}.0/24
|
|
||||||
Endpoint = $host:${toString wg-nb.listenPort}
|
|
||||||
PersistentKeepalive = 25
|
|
||||||
"
|
|
||||||
|
|
||||||
if [[ $text ]]; then
|
|
||||||
echo "$config"
|
|
||||||
else
|
|
||||||
echo "$config" | ${getExe pkgs.qrencode} -t UTF8 -o -
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
in {
|
|
||||||
inherit options;
|
|
||||||
|
|
||||||
config = {
|
|
||||||
assertions = [
|
|
||||||
{
|
|
||||||
# Don't support `netns-isolation` for now to keep things simple
|
|
||||||
assertion = !(config.nix-bitcoin.netns-isolation.enable or false);
|
|
||||||
message = "`nix-bitcoin.wireguard` is not compatible with `netns-isolation`.";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.wireguard.interfaces.wg-nb = {
|
|
||||||
ips = [ "${serverAddress}/24" ];
|
|
||||||
listenPort = mkDefault 51820;
|
|
||||||
privateKeyFile = "${secretsDir}/wg-server-private-key";
|
|
||||||
allowedIPsAsRoutes = false;
|
|
||||||
peers = [
|
|
||||||
{
|
|
||||||
# To use the actual public key from the secrets file, use dummy pubkey
|
|
||||||
# `peer0` and replace it via `getPubkeyFromFile` (see further below)
|
|
||||||
# at peer service runtime.
|
|
||||||
publicKey = "peer0";
|
|
||||||
allowedIPs = [ "${peerAddress}/32" ];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services = {
|
|
||||||
wireguard-wg-nb = rec {
|
|
||||||
wants = [ "nix-bitcoin-secrets.target" ];
|
|
||||||
after = wants;
|
|
||||||
};
|
|
||||||
|
|
||||||
# HACK: Modify start/stop scripts of the peer setup service to read
|
|
||||||
# the pubkey from a secrets file.
|
|
||||||
wireguard-wg-nb-peer-peer0 = let
|
|
||||||
getPubkeyFromFile = mkBefore ''
|
|
||||||
if [[ ! -v inPatchedSrc ]]; then
|
|
||||||
export inPatchedSrc=1
|
|
||||||
publicKey=$(cat "${secretsDir}/wg-peer-public-key")
|
|
||||||
<"''${BASH_SOURCE[0]}" sed "s|\bpeer0\b|$publicKey|g" | ${pkgs.bash}/bin/bash -s
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
in {
|
|
||||||
script = getPubkeyFromFile;
|
|
||||||
postStop = getPubkeyFromFile;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = [
|
|
||||||
wgConnect
|
|
||||||
] ++ (optional lndconnect
|
|
||||||
(pkgs.writers.writeBashBin "lndconnect-wg" ''
|
|
||||||
exec lndconnect --host "${serverAddress}" --nocert "$@"
|
|
||||||
'')
|
|
||||||
) ++ (optional lndconnect-clightning
|
|
||||||
(pkgs.writers.writeBashBin "lndconnect-clightning-wg" ''
|
|
||||||
exec lndconnect-clightning --host "${serverAddress}" --nocert "$@"
|
|
||||||
'')
|
|
||||||
);
|
|
||||||
|
|
||||||
networking.firewall = let
|
|
||||||
restrictPeerRule = "-s ${peerAddress} ! -d ${serverAddress} -j REJECT";
|
|
||||||
in {
|
|
||||||
allowedUDPPorts = [ wg-nb.listenPort ];
|
|
||||||
|
|
||||||
extraCommands =
|
|
||||||
optionalString lndconnect ''
|
|
||||||
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept
|
|
||||||
''
|
|
||||||
+ optionalString lndconnect-clightning ''
|
|
||||||
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString clightning-rest.port} -j nixos-fw-accept
|
|
||||||
''
|
|
||||||
+ optionalString cfg.restrictPeer ''
|
|
||||||
iptables -w -A nixos-fw ${restrictPeerRule}
|
|
||||||
iptables -w -A FORWARD ${restrictPeerRule}
|
|
||||||
'';
|
|
||||||
|
|
||||||
extraStopCommands =
|
|
||||||
# Rules added to chain `nixos-fw` are automatically removed when restarting
|
|
||||||
# the NixOS firewall service.
|
|
||||||
mkIf cfg.restrictPeer ''
|
|
||||||
iptables -w -D FORWARD ${restrictPeerRule} || :
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# Listen on all addresses, including `serverAddress`.
|
|
||||||
# This is safe because the listen ports are secured by the firewall.
|
|
||||||
services.lnd.restAddress = mkIf lndconnect "0.0.0.0";
|
|
||||||
# clightning-rest always listens on "0.0.0.0"
|
|
||||||
|
|
||||||
nix-bitcoin.secrets = {
|
|
||||||
wg-server-private-key = {};
|
|
||||||
wg-server-public-key = { user = wgConnectUser; group = "root"; };
|
|
||||||
wg-peer-private-key = { user = wgConnectUser; group = "root"; };
|
|
||||||
wg-peer-public-key = {};
|
|
||||||
};
|
|
||||||
|
|
||||||
nix-bitcoin.generateSecretsCmds.wireguard = let
|
|
||||||
wg = "${pkgs.wireguard-tools}/bin/wg";
|
|
||||||
in ''
|
|
||||||
makeWireguardKey() {
|
|
||||||
local name=$1
|
|
||||||
local priv=wg-$name-private-key
|
|
||||||
local pub=wg-$name-public-key
|
|
||||||
if [[ ! -e $priv ]]; then
|
|
||||||
${wg} genkey > $priv
|
|
||||||
fi
|
|
||||||
if [[ $priv -nt $pub ]]; then
|
|
||||||
${wg} pubkey < $priv > $pub
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
makeWireguardKey server
|
|
||||||
makeWireguardKey peer
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
@ -191,7 +191,6 @@ in {
|
|||||||
optional cfg.nodes.lnd.enable "lnd.service";
|
optional cfg.nodes.lnd.enable "lnd.service";
|
||||||
after = requires;
|
after = requires;
|
||||||
environment.RTL_CONFIG_PATH = cfg.dataDir;
|
environment.RTL_CONFIG_PATH = cfg.dataDir;
|
||||||
environment.DB_DIRECTORY_PATH = cfg.dataDir;
|
|
||||||
serviceConfig = nbLib.defaultHardening // {
|
serviceConfig = nbLib.defaultHardening // {
|
||||||
ExecStartPre = [
|
ExecStartPre = [
|
||||||
(nbLib.script "rtl-setup-config" ''
|
(nbLib.script "rtl-setup-config" ''
|
||||||
|
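Review bot: Dropping `environment.DB_DIRECTORY_PATH = cfg.dataDir;` means RTL falls back to its built-in database location; because the unit runs under `nbLib.defaultHardening` (the `serviceConfig` line that follows), a default outside `cfg.dataDir` may not be writable, so confirm against the pinned RTL version where it now persists its database, or keep the variable with a comment explaining why it must point into `cfg.dataDir`. The systemd unit and its `ExecStartPre` script continue outside the hunk.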
@ -228,7 +228,7 @@ let
|
|||||||
version = "0.0.70";
|
version = "0.0.70";
|
||||||
condition = config.services.lnd.lndconnectOnion.enable;
|
condition = config.services.lnd.lndconnectOnion.enable;
|
||||||
message = ''
|
message = ''
|
||||||
The `lndconnect-rest-onion` binary has been renamed to `lndconnect`.
|
The `lndconnect-rest-onion` binary has been renamed to `lndconnect-onion`.
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -32,7 +32,7 @@ let
|
|||||||
extraPkgs = [ prometheus_client ];
|
extraPkgs = [ prometheus_client ];
|
||||||
patchRequirements =
|
patchRequirements =
|
||||||
"--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
|
"--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
|
||||||
+ " --replace pyln-client~=0.9.3 pyln-client~=23.02";
|
+ " --replace pyln-client~=0.9.3 pyln-client~=22.11rc1";
|
||||||
};
|
};
|
||||||
rebalance = {
|
rebalance = {
|
||||||
description = "Keeps your channels balanced";
|
description = "Keeps your channels balanced";
|
||||||
|
@ -20,12 +20,6 @@ let self = {
|
|||||||
# The secp256k1 version used by joinmarket
|
# The secp256k1 version used by joinmarket
|
||||||
secp256k1 = pkgs.callPackage ./secp256k1 { };
|
secp256k1 = pkgs.callPackage ./secp256k1 { };
|
||||||
spark-wallet = pkgs.callPackage ./spark-wallet { };
|
spark-wallet = pkgs.callPackage ./spark-wallet { };
|
||||||
trustedcoin = pkgs.callPackage ./trustedcoin { };
|
|
||||||
|
|
||||||
# TODO-EXTERNAL:
|
|
||||||
# Remove this when https://github.com/lightningnetwork/lnd/pull/7672
|
|
||||||
# has been resolved
|
|
||||||
lnd = pkgsUnstable.callPackage ./lnd { };
|
|
||||||
|
|
||||||
pyPkgs = import ./python-packages self pkgs.python3;
|
pyPkgs = import ./python-packages self pkgs.python3;
|
||||||
inherit (self.pyPkgs)
|
inherit (self.pyPkgs)
|
||||||
|
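Review bot: Removing `lnd = pkgsUnstable.callPackage ./lnd { };` also drops the override that applied lightningnetwork/lnd PR 7672 (`fix-PKCS8-cert-key-support`, visible in the deleted `{ lnd, fetchpatch }:` expression further down this page), so unless the pinned `pkgsUnstable.lnd` already contains that commit this reverts the fix. The `# TODO-EXTERNAL:` comment stated the condition for removal; if the pin has the fix, say so in the commit message, otherwise keep the override. The surrounding `let self = {` attribute set continues outside the hunk.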
@ -1,12 +1,10 @@
|
|||||||
{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
|
{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
|
||||||
|
|
||||||
let
|
let
|
||||||
version = "0.9.9";
|
version = "0.9.8";
|
||||||
src = fetchFromGitHub {
|
src = fetchurl {
|
||||||
owner = "joinmarket-org";
|
url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
|
||||||
repo = "joinmarket-clientserver";
|
sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
|
||||||
rev = "v${version}";
|
|
||||||
sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
runtimePackages = with nbPython3PackagesJoinmarket; [
|
runtimePackages = with nbPython3PackagesJoinmarket; [
|
||||||
|
@ -1,23 +1,25 @@
|
|||||||
#!/usr/bin/env nix-shell
|
#!/usr/bin/env bash
|
||||||
#!nix-shell -i bash -p git gnupg jq
|
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
|
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
|
||||||
|
|
||||||
# Fetch release and GPG-verify the content hash
|
TMPDIR="$(mktemp -d -p /tmp)"
|
||||||
tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
|
trap 'rm -rf $TMPDIR' EXIT
|
||||||
repo=$tmpdir/repo
|
cd "$TMPDIR"
|
||||||
git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
|
|
||||||
export GNUPGHOME=$tmpdir
|
echo "Fetching latest release"
|
||||||
|
git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
|
||||||
|
cd joinmarket-clientserver
|
||||||
|
latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
|
||||||
|
echo "Latest release is $latest"
|
||||||
|
|
||||||
|
# GPG verification
|
||||||
|
export GNUPGHOME=$TMPDIR
|
||||||
echo "Fetching Adam Gibson's key"
|
echo "Fetching Adam Gibson's key"
|
||||||
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
|
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
|
||||||
echo
|
echo "Verifying latest release"
|
||||||
echo "Verifying commit"
|
git verify-tag "$latest"
|
||||||
git -C "$repo" verify-commit HEAD
|
|
||||||
rm -rf "$repo"/.git
|
|
||||||
newHash=$(nix hash path "$repo")
|
|
||||||
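Review bot: `meta` in the new file records `description`, `homepage` and `maintainers` but no `license`, so a new runtime dependency enters the joinmarket package set's closure with its license unrecorded; add `license = licenses.<CONFIRM-FROM-UPSTREAM>;` after checking the repository named in `homepage`. The derivation also declares no check inputs and no `pythonImportsCheck`, so a broken install would presumably only surface when joinmarketbitcoin, which lists it in `propagatedBuildInputs` elsewhere in this compare, uses it at runtime; `pythonImportsCheck = [ "urldecode" ];` (module name to be confirmed against the PyPI sdist) is a cheap guard.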
rm -rf "$tmpdir"
|
|
||||||
echo
|
|
||||||
|
|
||||||
echo "tag: $newVersion"
|
echo "tag: $latest"
|
||||||
echo "hash: $newHash"
|
# The prefix option is necessary because GitHub prefixes the archive contents in this format
|
||||||
|
echo "sha256: $(nix-hash --type sha256 --flat --base32 \
|
||||||
|
<(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
|
||||||
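Review bot: The `sha256:` printed on the last line is computed over a tarball produced locally by `git archive --format tar.gz`, which is not guaranteed to be byte-identical to the archive GitHub serves for the same tag, so the value may fail in `fetchurl` even though the tag passed `git verify-tag`; hashing the downloaded tarball instead would pin bytes that never went through the GPG check. Hashing the verified tree itself (remove `.git` from the clone and run `nix hash path` on it, consumed by a content-addressed fetcher) ties the pinned hash to exactly what was verified. Separately, `trap 'rm -rf $TMPDIR' EXIT` expands unquoted at trap time; `trap 'rm -rf "$TMPDIR"' EXIT` is the safe form. The `2> /dev/null` on the `gpg --recv-keys` line hides the reason when the key fetch fails — `set -e` still aborts the script, but without a diagnostic.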
|
@ -1,12 +0,0 @@
|
|||||||
{ lnd, fetchpatch }:
|
|
||||||
|
|
||||||
lnd.overrideAttrs (_: {
|
|
||||||
patches = [
|
|
||||||
(fetchpatch {
|
|
||||||
# https://github.com/lightningnetwork/lnd/pull/7672
|
|
||||||
name = "fix-PKCS8-cert-key-support";
|
|
||||||
url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
|
|
||||||
hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
|
|
||||||
})
|
|
||||||
];
|
|
||||||
})
|
|
@ -4,20 +4,21 @@ pkgs: pkgsUnstable:
|
|||||||
inherit (pkgs)
|
inherit (pkgs)
|
||||||
bitcoin
|
bitcoin
|
||||||
bitcoind
|
bitcoind
|
||||||
|
elementsd
|
||||||
extra-container
|
extra-container
|
||||||
|
lightning-loop
|
||||||
lightning-pool
|
lightning-pool
|
||||||
lndconnect;
|
lndconnect
|
||||||
|
nbxplorer;
|
||||||
|
|
||||||
inherit (pkgsUnstable)
|
inherit (pkgsUnstable)
|
||||||
btcpayserver
|
btcpayserver
|
||||||
charge-lnd
|
charge-lnd
|
||||||
clightning
|
clightning
|
||||||
electrs
|
electrs
|
||||||
elementsd
|
|
||||||
fulcrum
|
fulcrum
|
||||||
hwi
|
hwi
|
||||||
lightning-loop
|
lnd;
|
||||||
nbxplorer;
|
|
||||||
|
|
||||||
inherit pkgs pkgsUnstable;
|
inherit pkgs pkgsUnstable;
|
||||||
}
|
}
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "bencoder.pyx";
|
pname = "bencoder.pyx";
|
||||||
version = "3.0.1";
|
version = "2.0.1";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
|
url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
|
||||||
sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
|
sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
|
||||||
};
|
};
|
||||||
|
|
||||||
nativeBuildInputs = [ cython ];
|
nativeBuildInputs = [ cython ];
|
||||||
|
@ -22,6 +22,7 @@ rec {
|
|||||||
};
|
};
|
||||||
runes = callPackage ./runes {};
|
runes = callPackage ./runes {};
|
||||||
sha256 = callPackage ./sha256 {};
|
sha256 = callPackage ./sha256 {};
|
||||||
|
urldecode = callPackage ./urldecode {};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Joinmarket requires a custom package set because it uses older versions of Python pkgs
|
# Joinmarket requires a custom package set because it uses older versions of Python pkgs
|
||||||
@ -46,10 +47,12 @@ rec {
|
|||||||
# autobahn 20.12.3, required by joinmarketclient
|
# autobahn 20.12.3, required by joinmarketclient
|
||||||
autobahn = callPackage ./specific-versions/autobahn.nix {};
|
autobahn = callPackage ./specific-versions/autobahn.nix {};
|
||||||
|
|
||||||
# pyopenssl 21.0.0, required by joinmarketdaemon
|
# pyopenssl 20.0.1, required by joinmarketdaemon
|
||||||
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
|
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
|
||||||
|
openssl = super.pkgs.openssl_1_1;
|
||||||
|
};
|
||||||
|
|
||||||
# twisted 22.4.0, required by joinmarketbase
|
# twisted 22.4.0, compatible with pyopenssl 20.0.1
|
||||||
twisted = callPackage ./specific-versions/twisted.nix {};
|
twisted = callPackage ./specific-versions/twisted.nix {};
|
||||||
};
|
};
|
||||||
|
|
||||||
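Review bot: `openssl = super.pkgs.openssl_1_1;` ties the `pyopenssl` override to the OpenSSL 1.1 series, which is end-of-life upstream (1.1.1 stopped receiving security fixes in September 2023), and the comment above states that joinmarketdaemon requires this package, so the pin sits on a TLS path. The line carries no reason or exit condition; a marker in the file's existing style, `# TODO-EXTERNAL: openssl 1.1 is EOL; drop this override once pyopenssl can move past 20.0.1`, would make the debt visible. The twisted comment below was also changed from "required by joinmarketbase" to "compatible with pyopenssl 20.0.1", so the pin now constrains two packages and that dependency should be stated there too.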
|
@ -1,4 +1,4 @@
|
|||||||
{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }:
|
{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
|
||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "joinmarketbitcoin";
|
pname = "joinmarketbitcoin";
|
||||||
@ -6,7 +6,7 @@ buildPythonPackage rec {
|
|||||||
|
|
||||||
postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
|
postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
|
||||||
|
|
||||||
propagatedBuildInputs = [ pyaes python-bitcointx ];
|
propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
|
||||||
|
|
||||||
checkInputs = [ joinmarketbase ];
|
checkInputs = [ joinmarketbase ];
|
||||||
|
|
||||||
|
@ -8,12 +8,6 @@ buildPythonPackage rec {
|
|||||||
|
|
||||||
propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
|
propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
|
||||||
|
|
||||||
# libnacl 1.8.0 is not on github
|
|
||||||
patchPhase = ''
|
|
||||||
substituteInPlace setup.py \
|
|
||||||
--replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
description = "Client library for Bitcoin coinjoins";
|
description = "Client library for Bitcoin coinjoins";
|
||||||
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
|
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
|
||||||
|
@ -6,50 +6,17 @@
|
|||||||
, cryptography
|
, cryptography
|
||||||
, pyasn1
|
, pyasn1
|
||||||
, idna
|
, idna
|
||||||
, pytestCheckHook
|
, pytest
|
||||||
, pretend
|
, pretend
|
||||||
, flaky
|
, flaky
|
||||||
, glibcLocales
|
, glibcLocales
|
||||||
, six
|
, six
|
||||||
}:
|
}:
|
||||||
|
|
||||||
buildPythonPackage rec {
|
let
|
||||||
pname = "pyopenssl";
|
|
||||||
version = "21.0.0";
|
|
||||||
|
|
||||||
src = fetchPypi {
|
|
||||||
pname = "pyOpenSSL";
|
|
||||||
inherit version;
|
|
||||||
sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
|
|
||||||
};
|
|
||||||
|
|
||||||
outputs = [ "out" "dev" ];
|
|
||||||
|
|
||||||
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
|
|
||||||
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
|
|
||||||
doCheck = !stdenv.isDarwin;
|
|
||||||
|
|
||||||
nativeBuildInputs = [ openssl ];
|
|
||||||
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
|
|
||||||
|
|
||||||
checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
|
|
||||||
|
|
||||||
preCheck = ''
|
|
||||||
export LANG="en_US.UTF-8"
|
|
||||||
'';
|
|
||||||
|
|
||||||
disabledTests = [
|
|
||||||
# https://github.com/pyca/pyopenssl/issues/692
|
|
||||||
# These tests, we disable always.
|
|
||||||
"test_set_default_verify_paths"
|
|
||||||
"test_fallback_default_verify_paths"
|
|
||||||
# https://github.com/pyca/pyopenssl/issues/768
|
|
||||||
"test_wantWriteError"
|
|
||||||
# https://github.com/pyca/pyopenssl/issues/1043
|
|
||||||
"test_alpn_call_failure"
|
|
||||||
] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
|
|
||||||
# https://github.com/pyca/pyopenssl/issues/791
|
# https://github.com/pyca/pyopenssl/issues/791
|
||||||
# These tests, we disable in the case that libressl is passed in as openssl.
|
# These tests, we disable in the case that libressl is passed in as openssl.
|
||||||
|
failingLibresslTests = [
|
||||||
"test_op_no_compression"
|
"test_op_no_compression"
|
||||||
"test_npn_advertise_error"
|
"test_npn_advertise_error"
|
||||||
"test_npn_select_error"
|
"test_npn_select_error"
|
||||||
@ -62,21 +29,64 @@ buildPythonPackage rec {
|
|||||||
"test_verify_with_revoked"
|
"test_verify_with_revoked"
|
||||||
"test_set_notAfter"
|
"test_set_notAfter"
|
||||||
"test_set_notBefore"
|
"test_set_notBefore"
|
||||||
] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [
|
];
|
||||||
# these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
|
|
||||||
|
# these tests are extremely tightly wed to the exact output of the openssl cli tool,
|
||||||
|
# including exact punctuation.
|
||||||
|
failingOpenSSL_1_1Tests = [
|
||||||
"test_dump_certificate"
|
"test_dump_certificate"
|
||||||
"test_dump_privatekey_text"
|
"test_dump_privatekey_text"
|
||||||
"test_dump_certificate_request"
|
"test_dump_certificate_request"
|
||||||
"test_export_text"
|
"test_export_text"
|
||||||
] ++ lib.optionals stdenv.is32bit [
|
|
||||||
# https://github.com/pyca/pyopenssl/issues/974
|
|
||||||
"test_verify_with_time"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
meta = with lib; {
|
disabledTests = [
|
||||||
description = "Python wrapper around the OpenSSL library";
|
# https://github.com/pyca/pyopenssl/issues/692
|
||||||
homepage = "https://github.com/pyca/pyopenssl";
|
# These tests, we disable always.
|
||||||
license = licenses.asl20;
|
"test_set_default_verify_paths"
|
||||||
maintainers = with maintainers; [ SuperSandro2000 ];
|
"test_fallback_default_verify_paths"
|
||||||
|
# https://github.com/pyca/pyopenssl/issues/768
|
||||||
|
"test_wantWriteError"
|
||||||
|
] ++ (
|
||||||
|
lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
|
||||||
|
) ++ (
|
||||||
|
lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
|
||||||
|
) ++ (
|
||||||
|
# https://github.com/pyca/pyopenssl/issues/974
|
||||||
|
lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
|
||||||
|
);
|
||||||
|
|
||||||
|
# Compose the final string expression, including the "-k" and the single quotes.
|
||||||
|
testExpression = lib.optionalString (disabledTests != [])
|
||||||
|
"-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
|
||||||
|
|
||||||
|
in
|
||||||
|
|
||||||
|
buildPythonPackage rec {
|
||||||
|
pname = "pyopenssl";
|
||||||
|
version = "20.0.1";
|
||||||
|
|
||||||
|
src = fetchPypi {
|
||||||
|
pname = "pyOpenSSL";
|
||||||
|
inherit version;
|
||||||
|
sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
outputs = [ "out" "dev" ];
|
||||||
|
|
||||||
|
checkPhase = ''
|
||||||
|
runHook preCheck
|
||||||
|
export LANG="en_US.UTF-8"
|
||||||
|
py.test tests ${testExpression}
|
||||||
|
runHook postCheck
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
|
||||||
|
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
|
||||||
|
doCheck = !stdenv.isDarwin;
|
||||||
|
|
||||||
|
nativeBuildInputs = [ openssl ];
|
||||||
|
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
|
||||||
|
|
||||||
|
checkInputs = [ pytest pretend flaky glibcLocales ];
|
||||||
}
|
}
|
||||||
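Review bot: The hand-written `checkPhase` calls `py.test tests ${testExpression}`; `py.test` is the legacy alias of the `pytest` entry point, and since `checkInputs` was switched from `pytestCheckHook` to plain `pytest`, this expression is now the only thing that applies `disabledTests`. `-k` matches by substring, so every name in the list also deselects any test whose id merely contains it (`test_dump_certificate` already covers `test_dump_certificate_request`); that matches what the hook did, but it deserves a comment next to `testExpression`, e.g. `# -k matches substrings: each name also deselects tests whose ids contain it`. The `lib.optionalString (disabledTests != [])` guard can never be false here because three names are unconditional, so it is dead but harmless. The `let` block that defines these bindings opens in the file's first hunk, above this one.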
|
16
pkgs/python-packages/urldecode/default.nix
Normal file
16
pkgs/python-packages/urldecode/default.nix
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
{ lib, buildPythonPackage, fetchPypi }:
|
||||||
|
buildPythonPackage rec {
|
||||||
|
pname = "urldecode";
|
||||||
|
version = "0.1";
|
||||||
|
|
||||||
|
src = fetchPypi {
|
||||||
|
inherit pname version;
|
||||||
|
sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
|
||||||
|
};
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "A simple function to decode an encoded url";
|
||||||
|
homepage = "https://github.com/jennyq/urldecode";
|
||||||
|
maintainers = with maintainers; [ nixbitcoin ];
|
||||||
|
};
|
||||||
|
}
|
@ -10,11 +10,11 @@
|
|||||||
}:
|
}:
|
||||||
let self = stdenvNoCC.mkDerivation {
|
let self = stdenvNoCC.mkDerivation {
|
||||||
pname = "rtl";
|
pname = "rtl";
|
||||||
version = "0.13.6";
|
version = "0.13.4";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
|
url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
|
||||||
hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4=";
|
hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
|
||||||
};
|
};
|
||||||
|
|
||||||
passthru = {
|
passthru = {
|
||||||
@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
|
|||||||
# TODO-EXTERNAL: Remove `npmFlags` when no longer required
|
# TODO-EXTERNAL: Remove `npmFlags` when no longer required
|
||||||
# See: https://github.com/Ride-The-Lightning/RTL/issues/1182
|
# See: https://github.com/Ride-The-Lightning/RTL/issues/1182
|
||||||
npmFlags = "--legacy-peer-deps";
|
npmFlags = "--legacy-peer-deps";
|
||||||
hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k=";
|
hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
|
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
|
||||||
|
|
||||||
version="0.13.6"
|
version="0.13.4"
|
||||||
repo=https://github.com/Ride-The-Lightning/RTL
|
repo=https://github.com/Ride-The-Lightning/RTL
|
||||||
|
|
||||||
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
||||||
|
@ -1,23 +0,0 @@
|
|||||||
{ lib, buildGoModule, fetchFromGitHub }:
|
|
||||||
|
|
||||||
buildGoModule rec {
|
|
||||||
pname = "trustedcoin";
|
|
||||||
version = "0.6.1";
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "nbd-wtf";
|
|
||||||
repo = pname;
|
|
||||||
rev = "v${version}";
|
|
||||||
sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
|
|
||||||
};
|
|
||||||
|
|
||||||
vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
|
|
||||||
|
|
||||||
subPackages = [ "." ];
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "Light bitcoin node implementation";
|
|
||||||
homepage = "https://github.com/nbd-wtf/trustedcoin";
|
|
||||||
maintainers = with maintainers; [ seberm fort-nix ];
|
|
||||||
platforms = platforms.linux;
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,20 +0,0 @@
|
|||||||
#! /usr/bin/env nix-shell
|
|
||||||
#! nix-shell -i bash -p git gnupg curl jq
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
|
|
||||||
TMPDIR="$(mktemp -d -p /tmp)"
|
|
||||||
trap 'rm -rf $TMPDIR' EXIT
|
|
||||||
cd "$TMPDIR"
|
|
||||||
|
|
||||||
echo "Fetching latest release"
|
|
||||||
repo='nbd-wtf/trustedcoin'
|
|
||||||
latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
|
|
||||||
echo "Latest release is $latest"
|
|
||||||
git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
|
|
||||||
cd trustedcoin
|
|
||||||
|
|
||||||
echo "tag: $latest"
|
|
||||||
git checkout -q "tags/$latest"
|
|
||||||
rm -rf .git
|
|
||||||
nix --extra-experimental-features nix-command hash path .
|
|
@ -20,4 +20,4 @@ if [[ ${CACHIX_SIGNING_KEY:-} ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Running flake-info (nixos-search)"
|
echo "Running flake-info (nixos-search)"
|
||||||
flake-info --json flake ../.. >/dev/null
|
flake-info flake ../..
|
||||||
|
@ -41,4 +41,4 @@ bwrap \
|
|||||||
--ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
|
--ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
|
||||||
--ro-bind /usr /usr \
|
--ro-bind /usr /usr \
|
||||||
--ro-bind-try /run /run \
|
--ro-bind-try /run /run \
|
||||||
-- flake-info --json flake "$nbFlake" >/dev/null
|
-- flake-info flake "$nbFlake"
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
"nodes": {
|
"nodes": {
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1678901627,
|
"lastModified": 1667395993,
|
||||||
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
|
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
|
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -18,11 +18,11 @@
|
|||||||
"nixos-org-configurations": {
|
"nixos-org-configurations": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1679995724,
|
"lastModified": 1674564797,
|
||||||
"narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=",
|
"narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-org-configurations",
|
"repo": "nixos-org-configurations",
|
||||||
"rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49",
|
"rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -39,11 +39,11 @@
|
|||||||
"npmlock2nix": "npmlock2nix"
|
"npmlock2nix": "npmlock2nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1683204679,
|
"lastModified": 1674593115,
|
||||||
"narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=",
|
"narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixos-search",
|
"repo": "nixos-search",
|
||||||
"rev": "0498effc4137095938f16fd752cc81a96901554f",
|
"rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -54,11 +54,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1680213900,
|
"lastModified": 1667629849,
|
||||||
"narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
|
"narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
|
"rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -70,11 +70,11 @@
|
|||||||
"npmlock2nix": {
|
"npmlock2nix": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1673447413,
|
"lastModified": 1666460237,
|
||||||
"narHash": "sha256-sJM82Sj8yfQYs9axEmGZ9Evzdv/kDcI9sddqJ45frrU=",
|
"narHash": "sha256-HME6rnysvCwUVtH+BDWDGahmweMaLgD2wqHeRuGp6QI=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "npmlock2nix",
|
"repo": "npmlock2nix",
|
||||||
"rev": "9197bbf397d76059a76310523d45df10d2e4ca81",
|
"rev": "eeed152290ec2425f96c5e74e469c40b621e1468",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -274,7 +274,6 @@ buildable=(
|
|||||||
hardened
|
hardened
|
||||||
clightning-replication
|
clightning-replication
|
||||||
lndPruned
|
lndPruned
|
||||||
wireguard-lndconnect
|
|
||||||
)
|
)
|
||||||
buildable() { buildTests buildable "$@"; }
|
buildable() { buildTests buildable "$@"; }
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ let
|
|||||||
services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
|
services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
|
||||||
test.data.clightning-plugins = let
|
test.data.clightning-plugins = let
|
||||||
plugins = config.services.clightning.plugins;
|
plugins = config.services.clightning.plugins;
|
||||||
removed = [ "commando" "trustedcoin" ];
|
removed = [ "commando" ];
|
||||||
enabled = builtins.filter (plugin: plugins.${plugin}.enable)
|
enabled = builtins.filter (plugin: plugins.${plugin}.enable)
|
||||||
(subtractLists removed (builtins.attrNames plugins));
|
(subtractLists removed (builtins.attrNames plugins));
|
||||||
nbPkgs = config.nix-bitcoin.pkgs;
|
nbPkgs = config.nix-bitcoin.pkgs;
|
||||||
@ -86,8 +86,8 @@ let
|
|||||||
|
|
||||||
nix-bitcoin.onionServices.lnd.public = true;
|
nix-bitcoin.onionServices.lnd.public = true;
|
||||||
|
|
||||||
tests.lndconnect-onion-lnd = with cfg.lnd.lndconnect; enable && onion;
|
tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
|
||||||
tests.lndconnect-onion-clightning = with cfg.clightning-rest.lndconnect; enable && onion;
|
tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
|
||||||
|
|
||||||
tests.lightning-loop = cfg.lightning-loop.enable;
|
tests.lightning-loop = cfg.lightning-loop.enable;
|
||||||
services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
|
services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
|
||||||
@ -187,9 +187,9 @@ let
|
|||||||
services.rtl.enable = true;
|
services.rtl.enable = true;
|
||||||
services.spark-wallet.enable = true;
|
services.spark-wallet.enable = true;
|
||||||
services.clightning-rest.enable = true;
|
services.clightning-rest.enable = true;
|
||||||
services.clightning-rest.lndconnect = { enable = true; onion = true; };
|
services.clightning-rest.lndconnectOnion.enable = true;
|
||||||
services.lnd.enable = true;
|
services.lnd.enable = true;
|
||||||
services.lnd.lndconnect = { enable = true; onion = true; };
|
services.lnd.lndconnectOnion.enable = true;
|
||||||
services.lightning-loop.enable = true;
|
services.lightning-loop.enable = true;
|
||||||
services.lightning-pool.enable = true;
|
services.lightning-pool.enable = true;
|
||||||
services.charge-lnd.enable = true;
|
services.charge-lnd.enable = true;
|
||||||
@ -315,15 +315,6 @@ let
|
|||||||
services.lnd.enable = true;
|
services.lnd.enable = true;
|
||||||
services.bitcoind.prune = 1000;
|
services.bitcoind.prune = 1000;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Test the special clightning setup where trustedcoin plugin is used
|
|
||||||
trustedcoin = {
|
|
||||||
tests.trustedcoin = true;
|
|
||||||
services.clightning = {
|
|
||||||
enable = true;
|
|
||||||
plugins.trustedcoin.enable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
} // (import ../dev/dev-scenarios.nix {
|
} // (import ../dev/dev-scenarios.nix {
|
||||||
inherit lib scenarios;
|
inherit lib scenarios;
|
||||||
});
|
});
|
||||||
@ -414,7 +405,6 @@ in {
|
|||||||
in
|
in
|
||||||
{
|
{
|
||||||
clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
|
clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
|
||||||
wireguard-lndconnect = import ./wireguard-lndconnect.nix makeTestVM pkgs;
|
|
||||||
} // mainTests;
|
} // mainTests;
|
||||||
|
|
||||||
tests = makeTests scenarios;
|
tests = makeTests scenarios;
|
||||||
|
@ -177,12 +177,12 @@ def _():
|
|||||||
@test("lndconnect-onion-lnd")
|
@test("lndconnect-onion-lnd")
|
||||||
def _():
|
def _():
|
||||||
assert_running("lnd")
|
assert_running("lnd")
|
||||||
assert_matches("runuser -u operator -- lndconnect --url", ".onion")
|
assert_matches("runuser -u operator -- lndconnect-onion --url", ".onion")
|
||||||
|
|
||||||
@test("lndconnect-onion-clightning")
|
@test("lndconnect-onion-clightning")
|
||||||
def _():
|
def _():
|
||||||
assert_running("clightning-rest")
|
assert_running("clightning-rest")
|
||||||
assert_matches("runuser -u operator -- lndconnect-clightning --url", ".onion")
|
assert_matches("runuser -u operator -- lndconnect-onion-clightning --url", ".onion")
|
||||||
|
|
||||||
@test("lightning-loop")
|
@test("lightning-loop")
|
||||||
def _():
|
def _():
|
||||||
@ -433,18 +433,6 @@ def _():
|
|||||||
if enabled("btcpayserver"):
|
if enabled("btcpayserver"):
|
||||||
machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
|
machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
|
||||||
|
|
||||||
@test("trustedcoin")
|
|
||||||
def _():
|
|
||||||
machine.wait_for_unit("bitcoind")
|
|
||||||
machine.wait_for_unit("clightning")
|
|
||||||
|
|
||||||
# Let's check the trustedcoin plugin was correctly initialized
|
|
||||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
|
|
||||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
|
|
||||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
|
|
||||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
|
|
||||||
|
|
||||||
|
|
||||||
if "netns-isolation" in enabled_tests:
|
if "netns-isolation" in enabled_tests:
|
||||||
def ip(name):
|
def ip(name):
|
||||||
return test_data["netns"][name]["address"]
|
return test_data["netns"][name]["address"]
|
||||||
|
@ -1,103 +0,0 @@
|
|||||||
# You can run this test via `run-tests.sh -s wireguard-lndconnect`
|
|
||||||
|
|
||||||
makeTestVM: pkgs:
|
|
||||||
with pkgs.lib;
|
|
||||||
|
|
||||||
makeTestVM {
|
|
||||||
name = "wireguard-lndconnect";
|
|
||||||
|
|
||||||
nodes = {
|
|
||||||
server = {
|
|
||||||
imports = [
|
|
||||||
../modules/modules.nix
|
|
||||||
../modules/presets/wireguard.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
nixpkgs.pkgs = pkgs;
|
|
||||||
|
|
||||||
nix-bitcoin.generateSecrets = true;
|
|
||||||
nix-bitcoin.operator.enable = true;
|
|
||||||
|
|
||||||
services.clightning-rest = {
|
|
||||||
enable = true;
|
|
||||||
lndconnect.enable = true;
|
|
||||||
};
|
|
||||||
# TODO-EXTERNAL:
|
|
||||||
# When WAN is disabled, DNS bootstrapping slows down service startup by ~15 s.
|
|
||||||
services.clightning.extraConfig = "disable-dns";
|
|
||||||
|
|
||||||
services.lnd = {
|
|
||||||
enable = true;
|
|
||||||
lndconnect.enable = true;
|
|
||||||
port = 9736;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
client = {
|
|
||||||
nixpkgs.pkgs = pkgs;
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
wireguard-tools
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
testScript = ''
|
|
||||||
import base64
|
|
||||||
import urllib.parse as Url
|
|
||||||
from types import SimpleNamespace
|
|
||||||
|
|
||||||
def parse_lndconnect_url(url):
|
|
||||||
u = Url.urlparse(url)
|
|
||||||
queries = Url.parse_qs(u.query)
|
|
||||||
macaroon = queries['macaroon'][0]
|
|
||||||
is_clightning = url.startswith("c-lightning-rest")
|
|
||||||
|
|
||||||
return SimpleNamespace(
|
|
||||||
host = u.hostname,
|
|
||||||
port = u.port,
|
|
||||||
macaroon_hex =
|
|
||||||
macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper()
|
|
||||||
)
|
|
||||||
|
|
||||||
client.start()
|
|
||||||
server.connect()
|
|
||||||
|
|
||||||
if not "is_interactive" in vars():
|
|
||||||
|
|
||||||
with subtest("connect client to server via WireGuard"):
|
|
||||||
server.wait_for_unit("wireguard-wg-nb-peer-peer0.service")
|
|
||||||
|
|
||||||
# Get WireGuard config from server and save it to `/tmp/wireguard.conf` on the client
|
|
||||||
wg_config = server.succeed("runuser -u operator -- nix-bitcoin-wg-connect server --text")
|
|
||||||
# Encode to base64
|
|
||||||
b64 = base64.b64encode(wg_config.encode('utf-8')).decode()
|
|
||||||
client.succeed(f"install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf")
|
|
||||||
|
|
||||||
# Connect to server via WireGuard
|
|
||||||
client.succeed("wg-quick up /tmp/wireguard.conf")
|
|
||||||
|
|
||||||
# Ping server from client
|
|
||||||
print(client.succeed("ping -c 1 -W 0.5 10.10.0.1"))
|
|
||||||
|
|
||||||
with subtest("lndconnect-wg"):
|
|
||||||
server.wait_for_unit("lnd.service")
|
|
||||||
lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
|
|
||||||
api = parse_lndconnect_url(lndconnect_url)
|
|
||||||
# Make lnd REST API call
|
|
||||||
client.succeed(
|
|
||||||
f"curl -fsS --max-time 3 --insecure --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
|
|
||||||
f"-X GET https://{api.host}:{api.port}/v1/getinfo"
|
|
||||||
)
|
|
||||||
|
|
||||||
with subtest("lndconnect-clightning-wg"):
|
|
||||||
server.wait_for_unit("clightning-rest.service")
|
|
||||||
lndconnect_url = server.succeed("runuser -u operator -- lndconnect-clightning-wg --url")
|
|
||||||
api = parse_lndconnect_url(lndconnect_url)
|
|
||||||
# Make clightning-rest API call
|
|
||||||
client.succeed(
|
|
||||||
f"curl -fsS --max-time 3 --insecure --header 'macaroon: {api.macaroon_hex}' "
|
|
||||||
f"--header 'encodingtype: hex' -X GET https://{api.host}:{api.port}/v1/getinfo"
|
|
||||||
)
|
|
||||||
'';
|
|
||||||
}
|
|