moneta-ove
...
master
Author | SHA1 | Date | |
---|---|---|---|
|
f2529154d4 | ||
|
376b344b90 | ||
|
d04549c0dc | ||
|
de4bd2fb6f | ||
|
82b2a95ccb | ||
|
a0f2839817 | ||
|
fd000e7a14 | ||
|
bf6f9f8fae | ||
|
e99937991c | ||
|
60bf5fb8de | ||
|
925492fc70 | ||
|
0c4ec63231 | ||
|
cf10fbb74f | ||
|
fbe8f7c6cb | ||
|
356c5df9de | ||
|
f6708ca2d7 | ||
|
4a28d53bcb | ||
|
c2d87b0b68 | ||
|
0daf52bd3f | ||
|
52810e6c88 | ||
|
5b6cd9fd49 | ||
|
5f1e747270 | ||
|
05310fc02b | ||
|
64304b6d66 | ||
|
992946f20e | ||
|
22de1a5353 | ||
|
d04cad8ed1 | ||
|
ce332177be | ||
|
560efcb7f1 | ||
|
2344acbf42 | ||
|
f26216b624 | ||
|
5b672fe82a | ||
|
7489c10999 | ||
|
6244e3a6ed | ||
|
a71c60bfe4 | ||
|
e9b6b3123d | ||
|
b5293b7e53 | ||
|
72f09458b6 | ||
|
2a073a1d64 | ||
|
3550ed1e32 | ||
|
336a3fccf1 | ||
|
c8f9e167c1 | ||
|
9cb5a7295a | ||
|
11f91f83e6 | ||
|
1645451275 | ||
|
a7bc488b17 | ||
|
9184db69dd | ||
|
0c354ee9eb | ||
|
c9cfcf695f | ||
|
f0ca489867 | ||
|
de49082f2a | ||
|
22e41d5c06 | ||
|
740dd666ad | ||
|
1e21feb257 | ||
|
e7407d9efe | ||
|
cfeddd44aa | ||
|
49229a3e2d | ||
|
c237f1302f | ||
|
d119c207b9 | ||
|
4d637adf57 | ||
|
94659f3326 | ||
|
0e35b8a79a | ||
|
e6ce10a478 | ||
|
d6cb65fbde | ||
|
2737e8374c | ||
|
c3d2072b58 | ||
|
f603cb6101 | ||
|
e96ff7075e | ||
|
ba54d3d699 | ||
|
2e5b287bc8 | ||
|
7a2c1efd5d | ||
|
2156b4410d | ||
|
bf7dc0f27a | ||
|
85aa6f8ede | ||
|
f3fdab1d76 | ||
|
de4dccb006 | ||
|
bc72ad94b3 | ||
|
6b7b23cd6e | ||
|
de4797be1f | ||
|
761898f380 | ||
|
206deaf2b3 | ||
|
c263aec335 | ||
|
9c61850621 | ||
|
45bfc181fc | ||
|
4bb95d1e29 | ||
|
a1a27857e7 | ||
|
6dd365e719 | ||
|
e68cb010ba | ||
|
f4f4808d59 | ||
|
32db35d1bf | ||
|
bd5d70813f | ||
|
d70fc7d71b | ||
|
820a71f34f | ||
|
ab23466fb7 | ||
|
365068d763 | ||
|
e2d653e7cb | ||
|
f405a2ceda | ||
|
6a2d4ab1d7 | ||
|
ada564c1ea | ||
|
514c05ee47 | ||
|
c12489d838 | ||
|
d5e50191d6 | ||
|
b2bae90584 | ||
|
f874c3b563 | ||
|
b3c134c01d | ||
|
29d1a6b8a8 | ||
|
425a411e2b | ||
|
5e6b560fcf | ||
|
bdb4ee0e0b | ||
|
d96c0a628a | ||
|
589860b842 | ||
|
ac4c01c374 | ||
|
effc1ce0a7 | ||
|
48170b241c | ||
|
5a063aff00 | ||
|
b25bccbdc6 | ||
|
9a7e5e1921 |
@ -27,6 +27,7 @@ task:
|
||||
- scenario: default
|
||||
- scenario: netns
|
||||
- scenario: netnsRegtest
|
||||
- scenario: trustedcoin
|
||||
# This script is run as root
|
||||
build_script:
|
||||
- echo "sandbox = true" >> /etc/nix/nix.conf
|
||||
|
19
README.md
19
README.md
@ -79,19 +79,22 @@ NixOS modules ([src](modules/modules.nix))
|
||||
* [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
|
||||
* [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
|
||||
* [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
|
||||
* [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
|
||||
* [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
|
||||
* [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
|
||||
* [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
|
||||
* [Lightning Loop](https://github.com/lightninglabs/loop)
|
||||
* [Lightning Pool](https://github.com/lightninglabs/pool)
|
||||
* [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
|
||||
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or clightning via a REST onion service
|
||||
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or
|
||||
clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
|
||||
[Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
|
||||
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
|
||||
* [spark-wallet](https://github.com/shesek/spark-wallet)
|
||||
* [electrs](https://github.com/romanz/electrs)
|
||||
* [fulcrum](https://github.com/cculianu/Fulcrum) (see [the module](modules/fulcrum.nix) for a comparison to electrs)
|
||||
* [electrs](https://github.com/romanz/electrs): Electrum server
|
||||
* [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
|
||||
* [btcpayserver](https://github.com/btcpayserver/btcpayserver)
|
||||
* [liquid](https://github.com/elementsproject/elements)
|
||||
* [liquid](https://github.com/elementsproject/elements): federated sidechain
|
||||
* [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
|
||||
* [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
|
||||
* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
|
||||
@ -99,7 +102,13 @@ NixOS modules ([src](modules/modules.nix))
|
||||
* [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
|
||||
* [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
|
||||
* [backups](modules/backups.nix): duplicity backups of all your node's important files
|
||||
* [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
|
||||
* [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
|
||||
|
||||
### Extension modules
|
||||
Extension modules are maintained in separate repositories and have their own review
|
||||
and release process.
|
||||
|
||||
* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
|
||||
|
||||
Security
|
||||
---
|
||||
|
@ -56,9 +56,10 @@ ls -al /var/lib/containers/nb-test
|
||||
# Start a shell in the context of a service process.
|
||||
# Must be run inside the container (enter with cmd `c`).
|
||||
enter_service() {
|
||||
local name=$1
|
||||
nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
|
||||
--setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
|
||||
name=$1
|
||||
pid=$(systemctl show -p MainPID --value "$name")
|
||||
IFS=- read -r uid gid < <(stat -c "%u-%g" "/proc/$pid")
|
||||
nsenter --all -t "$pid" --setuid "$uid" --setgid "$gid" bash
|
||||
}
|
||||
enter_service clightning
|
||||
|
||||
|
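Review bot: The rewritten enter_service no longer copes with a service that is not running: when `systemctl show -p MainPID --value` prints 0, the `stat` on `/proc/$pid` fails, `uid` and `gid` stay empty, and `nsenter --all -t 0` is attempted with empty `--setuid`/`--setgid` arguments, so the failure presumably surfaces as an nsenter error rather than a clear message. Dropping `local` also leaks `name`, `pid`, `uid` and `gid` into the interactive shell this snippet is pasted into. I would keep `local name=$1 pid uid gid` as the first line and add `[[ $pid != 0 ]] || { echo "$name is not running" >&2; return 1; }` right after the `pid=` assignment.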
@ -9,6 +9,9 @@ with lib;
|
||||
services.btcpayserver.enable = true;
|
||||
test.container.exposeLocalhost = true;
|
||||
# services.btcpayserver.lbtc = false;
|
||||
|
||||
# Required for testing interactive plugin installation
|
||||
test.container.enableWAN = true;
|
||||
};
|
||||
|
||||
# A node with internet access to test joinmarket-ob-watcher
|
||||
@ -42,4 +45,34 @@ with lib;
|
||||
nix-bitcoin.nodeinfo.enable = true;
|
||||
# test.container.enableWAN = true;
|
||||
};
|
||||
|
||||
wireguard-lndconnect-online = { config, pkgs, lib, ... }: {
|
||||
imports = [
|
||||
../modules/presets/wireguard.nix
|
||||
scenarios.regtestBase
|
||||
];
|
||||
|
||||
# 51820 (default wg port) + 1
|
||||
networking.wireguard.interfaces.wg-nb.listenPort = 51821;
|
||||
test.container.enableWAN = true;
|
||||
# test.container.exposeLocalhost = true;
|
||||
|
||||
services.clightning.extraConfig = "disable-dns";
|
||||
|
||||
services.lnd = {
|
||||
enable = true;
|
||||
lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
};
|
||||
};
|
||||
services.clightning-rest = {
|
||||
enable = true;
|
||||
lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
};
|
||||
};
|
||||
nix-bitcoin.nodeinfo.enable = true;
|
||||
};
|
||||
}
|
||||
|
64
dev/topics/lndconnect-and-wireguard.sh
Normal file
64
dev/topics/lndconnect-and-wireguard.sh
Normal file
@ -0,0 +1,64 @@
|
||||
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
|
||||
# Test Tor and WireGuard connections on a mobile device
|
||||
|
||||
# 1. Run container
|
||||
run-tests.sh -s wireguard-lndconnect-online container
|
||||
|
||||
# 2. Test connecting via Tor
|
||||
# Print QR codes for lnd, clightning-rest connections via Tor
|
||||
c lndconnect
|
||||
c lndconnect-clightning
|
||||
# Add these to Zeus >= 0.7.1.
|
||||
# To explicitly check if the connection is successful, press the node logo in the top
|
||||
# left corner, and then "Node Info".
|
||||
|
||||
# Debug
|
||||
c lndconnect --url
|
||||
c lndconnect-clightning --url
|
||||
|
||||
# 3. Test connecting via WireGuard
|
||||
|
||||
# 3.1 Forward WireGuard port from the container host to the container
|
||||
iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
|
||||
|
||||
# 3.2. Optional: When your container host has an external firewall,
|
||||
# forward the WireGuard port to the container host:
|
||||
# - Port: 51821
|
||||
# - Protocol: UDP
|
||||
# - Destination: IPv4 of the container host
|
||||
|
||||
# 3.2 Print QR code and setup wireguard on the mobile device
|
||||
c nix-bitcoin-wg-connect
|
||||
c nix-bitcoin-wg-connect --text
|
||||
|
||||
# Print QR codes for lnd, clightning-rest connections via WireGuard
|
||||
c lndconnect-wg
|
||||
c lndconnect-clightning-wg
|
||||
# Add these to Zeus >= 0.7.1.
|
||||
# To explicitly check if the connection is successful, press the node logo in the top
|
||||
# left corner, and then "Node Info".
|
||||
|
||||
# Debug
|
||||
c lndconnect-wg --url
|
||||
c lndconnect-clightning-wg --url
|
||||
|
||||
# 3.3.remove external firewall port forward, remove local port forward:
|
||||
iptables -t nat -D PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
|
||||
# Now exit the container shell
|
||||
|
||||
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
|
||||
# Debug lndconnect
|
||||
|
||||
run-tests.sh -s wireguard-lndconnect-online container
|
||||
|
||||
c nodeinfo
|
||||
|
||||
c lndconnect --url
|
||||
c lndconnect-wg --url
|
||||
c lndconnect-clightning --url
|
||||
c lndconnect-clightning-wg --url
|
||||
|
||||
c lndconnect
|
||||
c lndconnect-wg
|
||||
c lndconnect-clightning
|
||||
c lndconnect-clightning-wg
|
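Review bot: The `iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2` line in step 3.1 modifies the container host's NAT table and is only undone by the matching `-D` in step 3.3, so a session abandoned between the two leaves the host forwarding UDP 51821 into the container network until the rule is removed or the host reboots. Since this file is meant to be executed line by line rather than as a script, a reminder next to the `-A` line would help, e.g. `# Temporary host rule: remove it in step 3.3; check with: iptables -t nat -S PREROUTING`. The step numbering is also inconsistent: two headings are labelled 3.2 and the last one reads `3.3.remove`.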
158
docs/services.md
158
docs/services.md
@ -142,60 +142,154 @@ You can find the `<onion-address>` with command `nodeinfo`.
|
||||
The default password location is `$secretsDir/rtl-password`.
|
||||
See: [Secrets dir](./configuration.md#secrets-dir)
|
||||
|
||||
# Use LND or clightning with Zeus (mobile wallet) via Tor
|
||||
1. Install [Zeus](https://zeusln.app)
|
||||
# Use Zeus (mobile lightning wallet) via Tor
|
||||
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1)
|
||||
|
||||
2. Edit your `configuration.nix`
|
||||
|
||||
##### For lnd
|
||||
|
||||
Add the following config:
|
||||
```
|
||||
services.lnd.lndconnectOnion.enable = true;
|
||||
```nix
|
||||
services.lnd.lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
};
|
||||
```
|
||||
|
||||
##### For clightning
|
||||
|
||||
Add the following config:
|
||||
```
|
||||
```nix
|
||||
services.clightning-rest = {
|
||||
enable = true;
|
||||
lndconnectOnion.enable = true;
|
||||
lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
3. Deploy your configuration
|
||||
|
||||
3. Run the following command on your node (as user `operator`) to create a QR code
|
||||
4. Run the following command on your node (as user `operator`) to create a QR code
|
||||
with address and authentication information:
|
||||
|
||||
##### For lnd
|
||||
```
|
||||
lndconnect-onion
|
||||
lndconnect
|
||||
```
|
||||
|
||||
##### For clightning
|
||||
```
|
||||
lndconnect-onion-clightning
|
||||
lndconnect-clightning
|
||||
```
|
||||
|
||||
4. Configure Zeus
|
||||
- Add a new node
|
||||
- Select `Scan lndconnect config` (at the bottom) and scan the QR code
|
||||
- For clightning: Set `Node interface` to `c-lightning-REST`
|
||||
5. Configure Zeus
|
||||
- Add a new node and scan the QR code
|
||||
- Click `Save node config`
|
||||
- Start sending and stacking sats privately
|
||||
|
||||
### Additional lndconnect features
|
||||
Create plain text URLs or QR code images:
|
||||
- Create a plain text URL:
|
||||
```bash
|
||||
lndconnect --url
|
||||
```
|
||||
lndconnect-onion --url
|
||||
lndconnect-onion --image
|
||||
- Set a custom host. By default, `lndconnect` detects the system's external IP and uses it as the host.
|
||||
```bash
|
||||
lndconnect --host myhost
|
||||
```
|
||||
|
||||
# Use Zeus (mobile lightning wallet) via WireGuard
|
||||
|
||||
Connecting Zeus directly to your node is much faster than using Tor, but a bit more complex to setup.
|
||||
|
||||
There are two ways to establish a secure, direct connection:
|
||||
|
||||
- Connecting via TLS. This requires installing your lightning app's
|
||||
TLS Certificate on your mobile device.
|
||||
|
||||
- Connecting via WireGuard. This approach is simpler and more versatile, and is
|
||||
described in this guide.
|
||||
|
||||
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) and
|
||||
[WireGuard](https://www.wireguard.com/install/) on your mobile device.
|
||||
|
||||
2. Add the following to your `configuration.nix`:
|
||||
```nix
|
||||
imports = [
|
||||
# Use this line when using the default deployment method
|
||||
<nix-bitcoin/modules/presets/wireguard.nix>
|
||||
|
||||
# Use this line when using Flakes
|
||||
(nix-bitcoin + /modules/presets/wireguard.nix)
|
||||
]
|
||||
|
||||
# For lnd
|
||||
services.lnd.lndconnect.enable = true;
|
||||
|
||||
# For clightning
|
||||
services.clightning-rest = {
|
||||
enable = true;
|
||||
lndconnect.enable = true;
|
||||
};
|
||||
```
|
||||
3. Deploy your configuration.
|
||||
|
||||
4. If your node is behind an external firewall or NAT, add the following port forwarding
|
||||
rule to the external device:
|
||||
- Port: 51820 (the default value of option `networking.wireguard.interfaces.wg-nb.listenPort`)
|
||||
- Protocol: UDP
|
||||
- Destination: IP of your node
|
||||
|
||||
5. Setup WireGuard on your mobile device.
|
||||
|
||||
Run the following command on your node (as user `operator`) to create a QR code
|
||||
for WireGuard:
|
||||
```bash
|
||||
nix-bitcoin-wg-connect
|
||||
|
||||
# For debugging: Show the WireGuard config as text
|
||||
nix-bitcoin-wg-connect --text
|
||||
```
|
||||
The above commands automatically detect your node's external IP.\
|
||||
To set a custom IP or hostname, run the following:
|
||||
```
|
||||
nix-bitcoin-wg-connect 93.184.216.34
|
||||
nix-bitcoin-wg-connect mynode.org
|
||||
```
|
||||
|
||||
Configure WireGuard:
|
||||
- Press the `+` button in the bottom right corner
|
||||
- Scan the QR code
|
||||
- Add the tunnel
|
||||
|
||||
6. Setup Zeus
|
||||
|
||||
Run the following command on your node (as user `operator`) to create a QR code for Zeus:
|
||||
|
||||
##### For lnd
|
||||
```
|
||||
lndconnect-wg
|
||||
```
|
||||
|
||||
##### For clightning
|
||||
```
|
||||
lndconnect-clightning-wg
|
||||
```
|
||||
|
||||
Configure Zeus:
|
||||
- Add a new node and scan the QR code
|
||||
- Click `Save node config`
|
||||
- On the certificate warning screen, click `I understand, save node config`.\
|
||||
Certificates are not needed when connecting via WireGuard.
|
||||
- Start sending and stacking sats privately
|
||||
|
||||
### Additional lndconnect features
|
||||
Create a plain text URL:
|
||||
```bash
|
||||
lndconnect-wg --url
|
||||
``````
|
||||
Create a QR code for a custom hostname:
|
||||
```
|
||||
lndconnect-onion --host=mynode.org
|
||||
```
|
||||
|
||||
# Connect to spark-wallet
|
||||
### Requirements
|
||||
@ -527,3 +621,27 @@ services.clightning = {
|
||||
```
|
||||
|
||||
Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
|
||||
|
||||
### Trustedcoin hints
|
||||
The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
|
||||
proxy for all of its external connections by default. That's why you can
|
||||
sometimes face issues with your connections to esploras getting blocked.
|
||||
|
||||
An example of clightning log error output in a case your connections are getting blocked:
|
||||
|
||||
```
|
||||
lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
|
||||
```
|
||||
|
||||
```
|
||||
lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
|
||||
lightningd[4933]: <meta http-equiv="content-type" content="text/html;
|
||||
```
|
||||
|
||||
If you face these issues and you still need to use trustedcoin, use can disable
|
||||
clightning's tor hardening by setting this option in your `configuration.nix`
|
||||
file:
|
||||
|
||||
```
|
||||
services.clightning.tor.enforce = false;
|
||||
```
|
||||
|
@ -56,13 +56,18 @@
|
||||
#
|
||||
# == REST server
|
||||
# Set this to create a clightning REST onion service.
|
||||
# This also adds binary `lndconnect-onion-clightning` to the system environment.
|
||||
# This also adds binary `lndconnect-clightning` to the system environment.
|
||||
# This binary creates QR codes or URLs for connecting applications to clightning
|
||||
# via the REST onion service (see ../docs/services.md).
|
||||
# via the REST onion service.
|
||||
# You can also connect via WireGuard instead of Tor.
|
||||
# See ../docs/services.md for details.
|
||||
#
|
||||
# services.clightning-rest = {
|
||||
# enable = true;
|
||||
# lndconnectOnion.enable = true;
|
||||
# lndconnect = {
|
||||
# enable = true;
|
||||
# onion = true;
|
||||
# };
|
||||
# };
|
||||
|
||||
### LND
|
||||
@ -78,11 +83,17 @@
|
||||
# The onion service is automatically announced to peers.
|
||||
# nix-bitcoin.onionServices.lnd.public = true;
|
||||
#
|
||||
# Set this to create an lnd REST onion service.
|
||||
# This also adds binary `lndconnect-onion` to the system environment.
|
||||
# Set this to create a lnd REST onion service.
|
||||
# This also adds binary `lndconnect` to the system environment.
|
||||
# This binary generates QR codes or URLs for connecting applications to lnd via the
|
||||
# REST onion service (see ../docs/services.md).
|
||||
# services.lnd.lndconnectOnion.enable = true;
|
||||
# REST onion service.
|
||||
# You can also connect via WireGuard instead of Tor.
|
||||
# See ../docs/services.md for details.
|
||||
#
|
||||
# services.lnd.lndconnect = {
|
||||
# enable = true;
|
||||
# onion = true;
|
||||
# };
|
||||
#
|
||||
## WARNING
|
||||
# If you use lnd, you should manually backup your wallet mnemonic
|
||||
|
42
flake.lock
42
flake.lock
@ -10,11 +10,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1671802034,
|
||||
"narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
|
||||
"lastModified": 1679648217,
|
||||
"narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=",
|
||||
"owner": "erikarvstedt",
|
||||
"repo": "extra-container",
|
||||
"rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
|
||||
"rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -24,12 +24,15 @@
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1667395993,
|
||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||
"lastModified": 1681202837,
|
||||
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -40,11 +43,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1674407282,
|
||||
"narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
|
||||
"lastModified": 1683207485,
|
||||
"narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
|
||||
"rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -56,11 +59,11 @@
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1674487464,
|
||||
"narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
|
||||
"lastModified": 1683353485,
|
||||
"narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
|
||||
"rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -77,6 +80,21 @@
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
Binary file not shown.
@ -427,7 +427,8 @@ in {
|
||||
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
|
||||
Restart = "on-failure";
|
||||
UMask = mkIf cfg.dataDirReadableByGroup "0027";
|
||||
ReadWritePaths = [ cfg.dataDir ];
|
||||
#ReadWritePaths = [ cfg.dataDir ];
|
||||
ReadWritePaths = [ "/dummy" ];
|
||||
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
||||
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
||||
};
|
||||
|
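Review bot: The new side of this hunk replaces `ReadWritePaths = [ cfg.dataDir ];` with `ReadWritePaths = [ "/dummy" ];` and keeps the original as the commented-out `#ReadWritePaths = [ cfg.dataDir ];`, which reads like a local debugging leftover rather than an intended change. If the service's hardening makes the filesystem read-only outside ReadWritePaths (the hardening options are not in this hunk, so I cannot confirm), bitcoind loses write access to its own data directory, and `/dummy` is not a path anything in this hunk creates. I would restore `ReadWritePaths = [ cfg.dataDir ];` and drop the commented-out line; if the write scope is deliberately being changed, the reason belongs in a comment on that line.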
@ -236,11 +236,16 @@ in {
|
||||
--datadir='${cfg.btcpayserver.dataDir}'
|
||||
'';
|
||||
User = cfg.btcpayserver.user;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
# Also restart after the program has exited successfully.
|
||||
# This is required to support restarting from the web interface after
|
||||
# interactive plugin installation.
|
||||
# Restart rate limiting is implemented via the `startLimit*` options below.
|
||||
Restart = "always";
|
||||
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
||||
MemoryDenyWriteExecute = false;
|
||||
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
||||
startLimitIntervalSec = 30;
|
||||
startLimitBurst = 10;
|
||||
}; in self;
|
||||
|
||||
users.users.${cfg.nbxplorer.user} = {
|
||||
|
@ -17,6 +17,7 @@ in {
|
||||
./feeadjuster.nix
|
||||
./prometheus.nix
|
||||
./summary.nix
|
||||
./trustedcoin.nix
|
||||
./zmq.nix
|
||||
];
|
||||
|
||||
|
28
modules/clightning-plugins/trustedcoin.nix
Normal file
28
modules/clightning-plugins/trustedcoin.nix
Normal file
@ -0,0 +1,28 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let cfg = config.services.clightning.plugins.trustedcoin; in
|
||||
{
|
||||
options.services.clightning.plugins.trustedcoin = {
|
||||
enable = mkEnableOption "Trustedcoin (clightning plugin)";
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = config.nix-bitcoin.pkgs.trustedcoin;
|
||||
defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
|
||||
description = mdDoc "The package providing trustedcoin binaries.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.clightning.extraConfig = ''
|
||||
plugin=${cfg.package}/bin/trustedcoin
|
||||
disable-plugin=bcli
|
||||
'';
|
||||
|
||||
# Trustedcoin does not honor the clightning's proxy configuration.
|
||||
# Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
|
||||
systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
|
||||
HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
|
||||
};
|
||||
};
|
||||
}
|
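Review bot: `enable = mkEnableOption "Trustedcoin (clightning plugin)";` does not tell the reader what enabling it changes: the config below disables bcli (`disable-plugin=bcli`) so block data comes from public explorers instead of the local bitcoind, and `HTTPS_PROXY` is only set when `services.clightning.proxy` is non-null, so with no proxy configured the explorer requests presumably leave the node directly. Both facts matter on a privacy-focused node and should be stated in the option description rather than only in the README's experimental tag. I would switch `enable` to a `mkOption` with `type = types.bool; default = false;` (the pattern already used in modules/lndconnect.nix) and a description along the lines of: Use public block explorers (trusted third parties) instead of bitcoind as clightning's block source; explorer requests go through services.clightning.proxy when it is set.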
@ -107,13 +107,15 @@ let
|
||||
network = bitcoind.makeNetworkName "bitcoin" "regtest";
|
||||
configFile = pkgs.writeText "config" ''
|
||||
network=${network}
|
||||
bitcoin-datadir=${bitcoind.dataDir}
|
||||
${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"}
|
||||
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
||||
always-use-proxy=${boolToString cfg.always-use-proxy}
|
||||
bind-addr=${cfg.address}:${toString cfg.port}
|
||||
|
||||
bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
|
||||
bitcoin-rpcport=${toString bitcoind.rpc.port}
|
||||
bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
|
||||
|
||||
rpc-file-mode=0660
|
||||
log-timestamps=false
|
||||
${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
|
||||
@ -161,6 +163,7 @@ in {
|
||||
{
|
||||
cat ${configFile}
|
||||
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
|
||||
|
||||
${optionalString (cfg.getPublicAddressCmd != "") ''
|
||||
echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
|
||||
''}
|
||||
|
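Review bot: Guarding only `bitcoin-datadir` with `optionalString (!cfg.plugins.trustedcoin.enable)` leaves the other bcli settings in place when trustedcoin disables bcli: `bitcoin-rpcconnect`, `bitcoin-rpcport`, `bitcoin-rpcuser` and, in the second hunk, the `bitcoin-rpcpassword=$(cat .../bitcoin-rpcpassword-public)` line are still written into the generated config. If nothing else reads them once bcli is disabled (I cannot see other consumers from here), it would be tighter to wrap those lines in the same condition so the RPC credential is not emitted into clightning's config for a plugin that is not loaded. A short comment on the guard, e.g. `# bcli is disabled when the trustedcoin plugin is enabled (see clightning-plugins/trustedcoin.nix)`, would also explain why only this line is conditional.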
@ -61,10 +61,9 @@ in {
|
||||
listenWhitelisted = true;
|
||||
};
|
||||
|
||||
# Commented out to allow nfs mounts
|
||||
# systemd.tmpfiles.rules = [
|
||||
# "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
# ];
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
systemd.services.electrs = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -158,7 +158,7 @@ let
|
||||
onion_serving_host = ${cfg.messagingAddress}
|
||||
onion_serving_port = ${toString cfg.messagingPort}
|
||||
hidden_service_dir =
|
||||
directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
|
||||
directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
|
||||
|
||||
# irc.darkscience.net
|
||||
[MESSAGING:server1]
|
||||
|
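Review bot: The new `directory_nodes` line swaps one hardcoded onion address for another with nothing in the hunk saying where the new list comes from. These directory servers are third parties every JoinMarket session on the node talks to, so a reviewer needs to be able to check the change against the upstream joinmarket-clientserver defaults rather than take the addresses on trust. I would add a comment above the line naming the source and the version it was taken from, e.g. `# Default directory nodes of joinmarket-clientserver <upstream version placeholder>; keep in sync with upstream`.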
@ -1,126 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
options = {
|
||||
services.lnd.lndconnectOnion.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = mdDoc ''
|
||||
Create an onion service for the lnd REST server.
|
||||
Add a `lndconnect-onion` binary to the system environment.
|
||||
See: https://github.com/LN-Zap/lndconnect
|
||||
|
||||
Usage:
|
||||
```bash
|
||||
# Print QR code
|
||||
lndconnect-onion
|
||||
|
||||
# Print URL
|
||||
lndconnect-onion --url
|
||||
```
|
||||
'';
|
||||
};
|
||||
|
||||
services.clightning-rest.lndconnectOnion.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = mdDoc ''
|
||||
Create an onion service for clightning-rest.
|
||||
Add a `lndconnect-onion-clightning` binary to the system environment.
|
||||
See: https://github.com/LN-Zap/lndconnect
|
||||
|
||||
Usage:
|
||||
```bash
|
||||
# Print QR code
|
||||
lndconnect-onion-clightning
|
||||
|
||||
# Print URL
|
||||
lndconnect-onion-clightning --url
|
||||
```
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
nbLib = config.nix-bitcoin.lib;
|
||||
runAsUser = config.nix-bitcoin.runAsUserCmd;
|
||||
|
||||
inherit (config.services)
|
||||
lnd
|
||||
clightning
|
||||
clightning-rest;
|
||||
|
||||
mkLndconnect = {
|
||||
name,
|
||||
shebang ? "#!${pkgs.stdenv.shell} -e",
|
||||
onionService,
|
||||
port,
|
||||
certPath,
|
||||
macaroonPath
|
||||
}:
|
||||
# TODO-EXTERNAL:
|
||||
# lndconnect requires a --configfile argument, although it's unused
|
||||
# https://github.com/LN-Zap/lndconnect/issues/25
|
||||
pkgs.writeScriptBin name ''
|
||||
${shebang}
|
||||
exec ${config.nix-bitcoin.pkgs.lndconnect}/bin/lndconnect \
|
||||
--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService}) \
|
||||
--port=${toString port} \
|
||||
--tlscertpath='${certPath}' \
|
||||
--adminmacaroonpath='${macaroonPath}' \
|
||||
--configfile=/dev/null "$@"
|
||||
'';
|
||||
|
||||
operatorName = config.nix-bitcoin.operator.name;
|
||||
in {
|
||||
inherit options;
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf (lnd.enable && lnd.lndconnectOnion.enable) {
|
||||
services.tor = {
|
||||
enable = true;
|
||||
relay.onionServices.lnd-rest = nbLib.mkOnionService {
|
||||
target.addr = nbLib.address lnd.restAddress;
|
||||
target.port = lnd.restPort;
|
||||
port = lnd.restPort;
|
||||
};
|
||||
};
|
||||
nix-bitcoin.onionAddresses.access.${lnd.user} = [ "lnd-rest" ];
|
||||
|
||||
environment.systemPackages = [(
|
||||
mkLndconnect {
|
||||
name = "lndconnect-onion";
|
||||
# Run as lnd user because the macaroon and cert are not group-readable
|
||||
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
|
||||
onionService = "${lnd.user}/lnd-rest";
|
||||
port = lnd.restPort;
|
||||
certPath = lnd.certPath;
|
||||
macaroonPath = "${lnd.networkDir}/admin.macaroon";
|
||||
}
|
||||
)];
|
||||
})
|
||||
|
||||
(mkIf (clightning-rest.enable && clightning-rest.lndconnectOnion.enable) {
|
||||
services.tor = {
|
||||
enable = true;
|
||||
relay.onionServices.clightning-rest = nbLib.mkOnionService {
|
||||
target.addr = nbLib.address clightning-rest.address;
|
||||
target.port = clightning-rest.port;
|
||||
port = clightning-rest.port;
|
||||
};
|
||||
};
|
||||
# This also allows nodeinfo to show the clightning-rest onion address
|
||||
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
|
||||
|
||||
environment.systemPackages = [(
|
||||
mkLndconnect {
|
||||
name = "lndconnect-onion-clightning";
|
||||
onionService = "${operatorName}/clightning-rest";
|
||||
port = clightning-rest.port;
|
||||
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
|
||||
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
|
||||
}
|
||||
)];
|
||||
})
|
||||
];
|
||||
}
|
205
modules/lndconnect.nix
Normal file
205
modules/lndconnect.nix
Normal file
@ -0,0 +1,205 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
options = {
|
||||
services.lnd.lndconnect = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = mdDoc ''
|
||||
Add a `lndconnect` binary to the system environment which prints
|
||||
connection info for lnd clients.
|
||||
See: https://github.com/LN-Zap/lndconnect
|
||||
|
||||
Usage:
|
||||
```bash
|
||||
# Print QR code
|
||||
lndconnect
|
||||
|
||||
# Print URL
|
||||
lndconnect --url
|
||||
```
|
||||
'';
|
||||
};
|
||||
onion = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = mdDoc ''
|
||||
Create an onion service for the lnd REST server,
|
||||
which is used by lndconnect.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
services.clightning-rest.lndconnect = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = mdDoc ''
|
||||
Add a `lndconnect-clightning` binary to the system environment which prints
|
||||
connection info for clightning clients.
|
||||
See: https://github.com/LN-Zap/lndconnect
|
||||
|
||||
Usage:
|
||||
```bash
|
||||
# Print QR code
|
||||
lndconnect-clightning
|
||||
|
||||
# Print URL
|
||||
lndconnect-clightning --url
|
||||
```
|
||||
'';
|
||||
};
|
||||
onion = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = mdDoc ''
|
||||
Create an onion service for the clightning REST server,
|
||||
which is used by lndconnect.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
nix-bitcoin.mkLndconnect = mkOption {
|
||||
readOnly = true;
|
||||
default = mkLndconnect;
|
||||
description = mdDoc ''
|
||||
A function to create a lndconnect binary.
|
||||
See the source for further details.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
nbLib = config.nix-bitcoin.lib;
|
||||
runAsUser = config.nix-bitcoin.runAsUserCmd;
|
||||
|
||||
inherit (config.services)
|
||||
lnd
|
||||
clightning-rest;
|
||||
|
||||
mkLndconnect = {
|
||||
name,
|
||||
shebang ? "#!${pkgs.stdenv.shell} -e",
|
||||
isClightning ? false,
|
||||
port,
|
||||
macaroonPath,
|
||||
enableOnion,
|
||||
onionService ? null,
|
||||
certPath ? null
|
||||
}:
|
||||
# TODO-EXTERNAL:
|
||||
# lndconnect requires a --configfile argument, although it's unused
|
||||
# https://github.com/LN-Zap/lndconnect/issues/25
|
||||
pkgs.hiPrio (pkgs.writeScriptBin name ''
|
||||
${shebang}
|
||||
url=$(
|
||||
${getExe config.nix-bitcoin.pkgs.lndconnect} --url \
|
||||
${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
|
||||
--port=${toString port} \
|
||||
${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
|
||||
--adminmacaroonpath='${macaroonPath}' \
|
||||
--configfile=/dev/null "$@"
|
||||
)
|
||||
|
||||
${optionalString isClightning
|
||||
# - Change URL procotcol to c-lightning-rest
|
||||
# - Encode macaroon as hex (in uppercase) instead of base 64.
|
||||
# Because `macaroon` is always the last URL fragment, the
|
||||
# sed replacement below works correctly.
|
||||
''
|
||||
macaroonHex=$(${getExe pkgs.xxd} -p -u -c 99999 '${macaroonPath}')
|
||||
url=$(
|
||||
echo "$url" | ${getExe pkgs.gnused} "
|
||||
s|^lndconnect|c-lightning-rest|
|
||||
s|macaroon=.*|macaroon=$macaroonHex|
|
||||
";
|
||||
)
|
||||
''
|
||||
}
|
||||
|
||||
# If --url is in args
|
||||
if [[ " $* " =~ " --url " ]]; then
|
||||
echo "$url"
|
||||
else
|
||||
# This UTF-8 encoding yields a smaller, more convenient output format
|
||||
# compared to the native lndconnect output
|
||||
echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
|
||||
fi
|
||||
'');
|
||||
|
||||
operatorName = config.nix-bitcoin.operator.name;
|
||||
in {
|
||||
inherit options;
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf (lnd.enable && lnd.lndconnect.enable)
|
||||
(mkMerge [
|
||||
{
|
||||
environment.systemPackages = [(
|
||||
mkLndconnect {
|
||||
name = "lndconnect";
|
||||
# Run as lnd user because the macaroon and cert are not group-readable
|
||||
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
|
||||
enableOnion = lnd.lndconnect.onion;
|
||||
onionService = "${lnd.user}/lnd-rest";
|
||||
port = lnd.restPort;
|
||||
certPath = lnd.certPath;
|
||||
macaroonPath = "${lnd.networkDir}/admin.macaroon";
|
||||
}
|
||||
)];
|
||||
|
||||
services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";
|
||||
}
|
||||
|
||||
(mkIf lnd.lndconnect.onion {
|
||||
services.tor = {
|
||||
enable = true;
|
||||
relay.onionServices.lnd-rest = nbLib.mkOnionService {
|
||||
target.addr = nbLib.address lnd.restAddress;
|
||||
target.port = lnd.restPort;
|
||||
port = lnd.restPort;
|
||||
};
|
||||
};
|
||||
nix-bitcoin.onionAddresses.access = {
|
||||
${lnd.user} = [ "lnd-rest" ];
|
||||
${operatorName} = [ "lnd-rest" ];
|
||||
};
|
||||
})
|
||||
]))
|
||||
|
||||
(mkIf (clightning-rest.enable && clightning-rest.lndconnect.enable)
|
||||
(mkMerge [
|
||||
{
|
||||
environment.systemPackages = [(
|
||||
mkLndconnect {
|
||||
name = "lndconnect-clightning";
|
||||
isClightning = true;
|
||||
enableOnion = clightning-rest.lndconnect.onion;
|
||||
onionService = "${operatorName}/clightning-rest";
|
||||
port = clightning-rest.port;
|
||||
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
|
||||
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
|
||||
}
|
||||
)];
|
||||
|
||||
# clightning-rest always binds to all interfaces
|
||||
}
|
||||
|
||||
(mkIf clightning-rest.lndconnect.onion {
|
||||
services.tor = {
|
||||
enable = true;
|
||||
relay.onionServices.clightning-rest = nbLib.mkOnionService {
|
||||
target.addr = nbLib.address clightning-rest.address;
|
||||
target.port = clightning-rest.port;
|
||||
port = clightning-rest.port;
|
||||
};
|
||||
};
|
||||
# This also allows nodeinfo to show the clightning-rest onion address
|
||||
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
|
||||
})
|
||||
])
|
||||
)
|
||||
];
|
||||
}
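Review bot: Enabling `services.lnd.lndconnect.enable` without `onion` rebinds lnd's REST server to every interface (`services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";`), and neither this module nor the option description says so; the wireguard preset pairs the same rebind with explicit firewall rules, but a user who sets only this option gets the wider listen address and has to know to open or restrict `restPort` themselves (presumably the NixOS firewall still blocks it by default, which is worth stating rather than assuming). Suggested addition to the `enable` description: `When \`onion\` is disabled, lnd's REST server is bound to 0.0.0.0 so that clients can reach it; open or restrict \`services.lnd.restPort\` in your firewall accordingly.` The same description should warn that the printed URL and QR code embed `admin.macaroon` (`--adminmacaroonpath`), i.e. full control of the node, and land in terminal scrollback. The clightning variant has no `shebang` override, so it reads `access.macaroon` with `xxd` as the calling user and relies on that user having read access to `clightning-rest.dataDir`; I cannot confirm from this file that the operator does.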
|
@ -19,7 +19,7 @@
|
||||
./lightning-loop.nix
|
||||
./lightning-pool.nix
|
||||
./charge-lnd.nix
|
||||
./lndconnect-onion.nix # Requires onion-addresses.nix
|
||||
./lndconnect.nix # Requires onion-addresses.nix
|
||||
./rtl.nix
|
||||
./electrs.nix
|
||||
./fulcrum.nix
|
||||
|
@ -63,7 +63,7 @@ let
|
||||
infos = OrderedDict()
|
||||
operator = "${config.nix-bitcoin.operator.name}"
|
||||
|
||||
def set_onion_address(info, name, port):
|
||||
def get_onion_address(name, port):
|
||||
path = f"/var/lib/onion-addresses/{operator}/{name}"
|
||||
try:
|
||||
with open(path, "r") as f:
|
||||
@ -71,7 +71,7 @@ let
|
||||
except OSError:
|
||||
print(f"error reading file {path}", file=sys.stderr)
|
||||
return
|
||||
info["onion_address"] = f"{onion_address}:{port}"
|
||||
return f"{onion_address}:{port}"
|
||||
|
||||
def add_service(service, make_info, systemd_service = None):
|
||||
systemd_service = systemd_service or service
|
||||
@ -106,7 +106,7 @@ let
|
||||
add_service("${name}", """
|
||||
info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
|
||||
'' + mkIfOnionPort name (onionPort: ''
|
||||
set_onion_address(info, "${name}", ${onionPort})
|
||||
info["onion_address"] = get_onion_address("${name}", ${onionPort})
|
||||
'') + extraCode + ''
|
||||
|
||||
""", "${systemdServiceName}")
|
||||
@ -123,8 +123,10 @@ let
|
||||
in {
|
||||
inherit options;
|
||||
|
||||
config = {
|
||||
environment.systemPackages = optional cfg.enable script;
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ script ];
|
||||
|
||||
nix-bitcoin.operator.enable = true;
|
||||
|
||||
nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
|
||||
bitcoind = mkInfo "";
|
||||
@ -133,9 +135,13 @@ in {
|
||||
if 'onion_address' in info:
|
||||
info["id"] = f"{info['nodeid']}@{info['onion_address']}"
|
||||
'';
|
||||
lnd = mkInfo ''
|
||||
lnd = name: cfg: mkInfo (''
|
||||
info["rest_address"] = "${nbLib.addressWithPort cfg.restAddress cfg.restPort}"
|
||||
'' + mkIfOnionPort "lnd-rest" (onionPort: ''
|
||||
info["onion_rest_address"] = get_onion_address("lnd-rest", ${onionPort})
|
||||
'') + ''
|
||||
info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
|
||||
'';
|
||||
'') name cfg;
|
||||
clightning-rest = mkInfo "";
|
||||
electrs = mkInfo "";
|
||||
fulcrum = mkInfo "";
|
||||
@ -146,7 +152,7 @@ in {
|
||||
rtl = mkInfo "";
|
||||
# Only add sshd when it has an onion service
|
||||
sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
|
||||
add_service("sshd", """set_onion_address(info, "sshd", ${onionPort})""")
|
||||
add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""")
|
||||
'');
|
||||
};
|
||||
};
|
||||
|
@ -33,7 +33,6 @@ in {
|
||||
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
|
||||
# 0.0.70
|
||||
(mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
|
||||
(mkRenamedOptionModule [ "services" "lnd" "restOnionService" "enable" ] [ "services" "lnd" "lndconnectOnion" "enable" ])
|
||||
|
||||
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
|
||||
|
||||
@ -46,6 +45,28 @@ in {
|
||||
bitcoin peer connections for syncing blocks. This performs well on low and high
|
||||
memory systems.
|
||||
'')
|
||||
# 0.0.86
|
||||
(mkRemovedOptionModule [ "services" "lnd" "restOnionService" "enable" ] ''
|
||||
Set the following options instead:
|
||||
services.lnd.lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
}
|
||||
'')
|
||||
(mkRemovedOptionModule [ "services" "lnd" "lndconnectOnion" ] ''
|
||||
Set the following options instead:
|
||||
services.lnd.lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
}
|
||||
'')
|
||||
(mkRemovedOptionModule [ "services" "clightning-rest" "lndconnectOnion" ] ''
|
||||
Set the following options instead:
|
||||
services.clightning-rest.lndconnect = {
|
||||
enable = true;
|
||||
onion = true;
|
||||
}
|
||||
'')
|
||||
] ++
|
||||
# 0.0.59
|
||||
(map mkSplitEnforceTorOption [
|
||||
|
214
modules/presets/wireguard.nix
@ -0,0 +1,214 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
# Create a WireGuard server with a single peer.
|
||||
# Private/public keys are created via the secrets system.
|
||||
# Add helper binaries `nix-bitcoin-wg-connect` and optionally `lndconnect-wg`, `lndconnect-clightning-wg`.
|
||||
|
||||
# See ../../docs/services.md ("Use Zeus (mobile lightning wallet) via WireGuard")
|
||||
# for usage instructions.
|
||||
|
||||
# This is a rather opinionated implementation that lacks the flexibility offered by
|
||||
# other nix-bitcoin modules, so ship this as a `preset`.
|
||||
# Some users will prefer to use `lndconnect` with their existing WireGuard or Tailscale setup.
|
||||
|
||||
with lib;
|
||||
let
|
||||
options.nix-bitcoin.wireguard = {
|
||||
subnet = mkOption {
|
||||
type = types.str;
|
||||
default = "10.10.0";
|
||||
description = mdDoc "The /24 subnet of the wireguard network.";
|
||||
};
|
||||
restrictPeer = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = mdDoc ''
|
||||
Prevent the peer from connecting to any addresses except for the WireGuard server address.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
cfg = config.nix-bitcoin.wireguard;
|
||||
wgSubnet = cfg.subnet;
|
||||
inherit (config.networking.wireguard.interfaces) wg-nb;
|
||||
inherit (config.services)
|
||||
lnd
|
||||
clightning-rest;
|
||||
|
||||
lndconnect = lnd.enable && lnd.lndconnect.enable;
|
||||
lndconnect-clightning = clightning-rest.enable && clightning-rest.lndconnect.enable;
|
||||
|
||||
serverAddress = "${wgSubnet}.1";
|
||||
peerAddress = "${wgSubnet}.2";
|
||||
|
||||
secretsDir = config.nix-bitcoin.secretsDir;
|
||||
|
||||
wgConnectUser = if config.nix-bitcoin.operator.enable
|
||||
then config.nix-bitcoin.operator.name
|
||||
else "root";
|
||||
|
||||
# A script that prints a QR code to connect a peer to the server.
|
||||
# The QR code encodes a wg-quick config that can be imported by the wireguard
|
||||
# mobile app.
|
||||
wgConnect = pkgs.writers.writeBashBin "nix-bitcoin-wg-connect" ''
|
||||
set -euo pipefail
|
||||
text=
|
||||
host=
|
||||
for arg in "$@"; do
|
||||
case $arg in
|
||||
--text)
|
||||
text=1
|
||||
;;
|
||||
*)
|
||||
host=$arg
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ ! $host ]]; then
|
||||
# Use lndconnect to fetch the external ip.
|
||||
# This internally uses https://github.com/GlenDC/go-external-ip, which
|
||||
# queries a set of external ip providers.
|
||||
host=$(
|
||||
${getExe config.nix-bitcoin.pkgs.lndconnect} --url --nocert \
|
||||
--configfile=/dev/null --adminmacaroonpath=/dev/null \
|
||||
| sed -nE 's|.*?/(.*?):.*|\1|p'
|
||||
)
|
||||
fi
|
||||
|
||||
config="[Interface]
|
||||
PrivateKey = $(cat ${secretsDir}/wg-peer-private-key)
|
||||
Address = ${peerAddress}/24
|
||||
|
||||
[Peer]
|
||||
PublicKey = $(cat ${secretsDir}/wg-server-public-key)
|
||||
AllowedIPs = ${wgSubnet}.0/24
|
||||
Endpoint = $host:${toString wg-nb.listenPort}
|
||||
PersistentKeepalive = 25
|
||||
"
|
||||
|
||||
if [[ $text ]]; then
|
||||
echo "$config"
|
||||
else
|
||||
echo "$config" | ${getExe pkgs.qrencode} -t UTF8 -o -
|
||||
fi
|
||||
'';
|
||||
in {
|
||||
inherit options;
|
||||
|
||||
config = {
|
||||
assertions = [
|
||||
{
|
||||
# Don't support `netns-isolation` for now to keep things simple
|
||||
assertion = !(config.nix-bitcoin.netns-isolation.enable or false);
|
||||
message = "`nix-bitcoin.wireguard` is not compatible with `netns-isolation`.";
|
||||
}
|
||||
];
|
||||
|
||||
networking.wireguard.interfaces.wg-nb = {
|
||||
ips = [ "${serverAddress}/24" ];
|
||||
listenPort = mkDefault 51820;
|
||||
privateKeyFile = "${secretsDir}/wg-server-private-key";
|
||||
allowedIPsAsRoutes = false;
|
||||
peers = [
|
||||
{
|
||||
# To use the actual public key from the secrets file, use dummy pubkey
|
||||
# `peer0` and replace it via `getPubkeyFromFile` (see further below)
|
||||
# at peer service runtime.
|
||||
publicKey = "peer0";
|
||||
allowedIPs = [ "${peerAddress}/32" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
wireguard-wg-nb = rec {
|
||||
wants = [ "nix-bitcoin-secrets.target" ];
|
||||
after = wants;
|
||||
};
|
||||
|
||||
# HACK: Modify start/stop scripts of the peer setup service to read
|
||||
# the pubkey from a secrets file.
|
||||
wireguard-wg-nb-peer-peer0 = let
|
||||
getPubkeyFromFile = mkBefore ''
|
||||
if [[ ! -v inPatchedSrc ]]; then
|
||||
export inPatchedSrc=1
|
||||
publicKey=$(cat "${secretsDir}/wg-peer-public-key")
|
||||
<"''${BASH_SOURCE[0]}" sed "s|\bpeer0\b|$publicKey|g" | ${pkgs.bash}/bin/bash -s
|
||||
exit
|
||||
fi
|
||||
'';
|
||||
in {
|
||||
script = getPubkeyFromFile;
|
||||
postStop = getPubkeyFromFile;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
wgConnect
|
||||
] ++ (optional lndconnect
|
||||
(pkgs.writers.writeBashBin "lndconnect-wg" ''
|
||||
exec lndconnect --host "${serverAddress}" --nocert "$@"
|
||||
'')
|
||||
) ++ (optional lndconnect-clightning
|
||||
(pkgs.writers.writeBashBin "lndconnect-clightning-wg" ''
|
||||
exec lndconnect-clightning --host "${serverAddress}" --nocert "$@"
|
||||
'')
|
||||
);
|
||||
|
||||
networking.firewall = let
|
||||
restrictPeerRule = "-s ${peerAddress} ! -d ${serverAddress} -j REJECT";
|
||||
in {
|
||||
allowedUDPPorts = [ wg-nb.listenPort ];
|
||||
|
||||
extraCommands =
|
||||
optionalString lndconnect ''
|
||||
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept
|
||||
''
|
||||
+ optionalString lndconnect-clightning ''
|
||||
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString clightning-rest.port} -j nixos-fw-accept
|
||||
''
|
||||
+ optionalString cfg.restrictPeer ''
|
||||
iptables -w -A nixos-fw ${restrictPeerRule}
|
||||
iptables -w -A FORWARD ${restrictPeerRule}
|
||||
'';
|
||||
|
||||
extraStopCommands =
|
||||
# Rules added to chain `nixos-fw` are automatically removed when restarting
|
||||
# the NixOS firewall service.
|
||||
mkIf cfg.restrictPeer ''
|
||||
iptables -w -D FORWARD ${restrictPeerRule} || :
|
||||
'';
|
||||
};
|
||||
|
||||
# Listen on all addresses, including `serverAddress`.
|
||||
# This is safe because the listen ports are secured by the firewall.
|
||||
services.lnd.restAddress = mkIf lndconnect "0.0.0.0";
|
||||
# clightning-rest always listens on "0.0.0.0"
|
||||
|
||||
nix-bitcoin.secrets = {
|
||||
wg-server-private-key = {};
|
||||
wg-server-public-key = { user = wgConnectUser; group = "root"; };
|
||||
wg-peer-private-key = { user = wgConnectUser; group = "root"; };
|
||||
wg-peer-public-key = {};
|
||||
};
|
||||
|
||||
nix-bitcoin.generateSecretsCmds.wireguard = let
|
||||
wg = "${pkgs.wireguard-tools}/bin/wg";
|
||||
in ''
|
||||
makeWireguardKey() {
|
||||
local name=$1
|
||||
local priv=wg-$name-private-key
|
||||
local pub=wg-$name-public-key
|
||||
if [[ ! -e $priv ]]; then
|
||||
${wg} genkey > $priv
|
||||
fi
|
||||
if [[ $priv -nt $pub ]]; then
|
||||
${wg} pubkey < $priv > $pub
|
||||
fi
|
||||
}
|
||||
makeWireguardKey server
|
||||
makeWireguardKey peer
|
||||
'';
|
||||
};
|
||||
}
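Review bot: The two accept rules in `networking.firewall.extraCommands` match only on source address (`-s ${wgSubnet}.0/24`), while the same file binds lnd's REST server to `0.0.0.0` and the comment above it says the ports are "secured by the firewall"; a packet arriving on the public interface with a spoofed 10.10.0.x source is therefore accepted by the firewall, and only reverse-path filtering (not configured here) or lnd's own TLS and macaroon check stands in the way. Matching on the tunnel interface is exact and cheap: `iptables -w -A nixos-fw -i wg-nb -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept`, and the same `-i wg-nb` on the clightning-rest rule. Separately, when no host argument is given, `nix-bitcoin-wg-connect` learns the endpoint by querying third-party external-IP services through lndconnect; a wrong answer only produces an unusable peer config (the handshake still requires the server key), but it is a network dependency and a small information leak that the script comment should state so operators know to pass the host explicitly.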
|
@ -191,6 +191,7 @@ in {
|
||||
optional cfg.nodes.lnd.enable "lnd.service";
|
||||
after = requires;
|
||||
environment.RTL_CONFIG_PATH = cfg.dataDir;
|
||||
environment.DB_DIRECTORY_PATH = cfg.dataDir;
|
||||
serviceConfig = nbLib.defaultHardening // {
|
||||
ExecStartPre = [
|
||||
(nbLib.script "rtl-setup-config" ''
|
||||
|
@ -228,7 +228,7 @@ let
|
||||
version = "0.0.70";
|
||||
condition = config.services.lnd.lndconnectOnion.enable;
|
||||
message = ''
|
||||
The `lndconnect-rest-onion` binary has been renamed to `lndconnect-onion`.
|
||||
The `lndconnect-rest-onion` binary has been renamed to `lndconnect`.
|
||||
'';
|
||||
}
|
||||
{
|
||||
|
@ -32,7 +32,7 @@ let
|
||||
extraPkgs = [ prometheus_client ];
|
||||
patchRequirements =
|
||||
"--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
|
||||
+ " --replace pyln-client~=0.9.3 pyln-client~=22.11rc1";
|
||||
+ " --replace pyln-client~=0.9.3 pyln-client~=23.02";
|
||||
};
|
||||
rebalance = {
|
||||
description = "Keeps your channels balanced";
|
||||
|
@ -20,6 +20,12 @@ let self = {
|
||||
# The secp256k1 version used by joinmarket
|
||||
secp256k1 = pkgs.callPackage ./secp256k1 { };
|
||||
spark-wallet = pkgs.callPackage ./spark-wallet { };
|
||||
trustedcoin = pkgs.callPackage ./trustedcoin { };
|
||||
|
||||
# TODO-EXTERNAL:
|
||||
# Remove this when https://github.com/lightningnetwork/lnd/pull/7672
|
||||
# has been resolved
|
||||
lnd = pkgsUnstable.callPackage ./lnd { };
|
||||
|
||||
pyPkgs = import ./python-packages self pkgs.python3;
|
||||
inherit (self.pyPkgs)
|
||||
|
@ -1,10 +1,12 @@
|
||||
{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
|
||||
{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
|
||||
|
||||
let
|
||||
version = "0.9.8";
|
||||
src = fetchurl {
|
||||
url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
|
||||
sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
|
||||
version = "0.9.9";
|
||||
src = fetchFromGitHub {
|
||||
owner = "joinmarket-org";
|
||||
repo = "joinmarket-clientserver";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
|
||||
};
|
||||
|
||||
runtimePackages = with nbPython3PackagesJoinmarket; [
|
||||
|
@ -1,25 +1,23 @@
|
||||
#!/usr/bin/env bash
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p git gnupg jq
|
||||
|
||||
set -euo pipefail
|
||||
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
|
||||
newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
|
||||
|
||||
TMPDIR="$(mktemp -d -p /tmp)"
|
||||
trap 'rm -rf $TMPDIR' EXIT
|
||||
cd "$TMPDIR"
|
||||
|
||||
echo "Fetching latest release"
|
||||
git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
|
||||
cd joinmarket-clientserver
|
||||
latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
|
||||
echo "Latest release is $latest"
|
||||
|
||||
# GPG verification
|
||||
export GNUPGHOME=$TMPDIR
|
||||
# Fetch release and GPG-verify the content hash
|
||||
tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
|
||||
repo=$tmpdir/repo
|
||||
git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
|
||||
export GNUPGHOME=$tmpdir
|
||||
echo "Fetching Adam Gibson's key"
|
||||
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
|
||||
echo "Verifying latest release"
|
||||
git verify-tag "$latest"
|
||||
echo
|
||||
echo "Verifying commit"
|
||||
git -C "$repo" verify-commit HEAD
|
||||
rm -rf "$repo"/.git
|
||||
newHash=$(nix hash path "$repo")
|
||||
rm -rf "$tmpdir"
|
||||
echo
|
||||
|
||||
echo "tag: $latest"
|
||||
# The prefix option is necessary because GitHub prefixes the archive contents in this format
|
||||
echo "sha256: $(nix-hash --type sha256 --flat --base32 \
|
||||
<(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
|
||||
echo "tag: $newVersion"
|
||||
echo "hash: $newHash"
|
||||
|
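--- a/pkgs/lnd/default.nix
+++ b/pkgs/lnd/default.nix
@@ -0,0 +1,12 @@
+{ lnd, fetchpatch }:
+
+lnd.overrideAttrs (_: {
+  patches = [
+    (fetchpatch {
+      # https://github.com/lightningnetwork/lnd/pull/7672
+      name = "fix-PKCS8-cert-key-support";
+      url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
+      hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
+    })
+  ];
+})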
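Review bot: `overrideAttrs (_: { patches = [ ... ]; })` replaces the upstream derivation's `patches` attribute outright, so any patches the nixpkgs `lnd` package already carries are silently dropped instead of extended. Append to the existing list instead: `lnd.overrideAttrs (prev: { patches = (prev.patches or []) ++ [ (fetchpatch { ... }) ]; })`. A short comment stating that this is a backport pending the linked PR, and that the file should go away once `pkgsUnstable.lnd` contains it, would make the removal condition visible here and not only in pkgs/default.nix.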
|
@ -4,21 +4,20 @@ pkgs: pkgsUnstable:
|
||||
inherit (pkgs)
|
||||
bitcoin
|
||||
bitcoind
|
||||
elementsd
|
||||
extra-container
|
||||
lightning-loop
|
||||
lightning-pool
|
||||
lndconnect
|
||||
nbxplorer;
|
||||
lndconnect;
|
||||
|
||||
inherit (pkgsUnstable)
|
||||
btcpayserver
|
||||
charge-lnd
|
||||
clightning
|
||||
electrs
|
||||
elementsd
|
||||
fulcrum
|
||||
hwi
|
||||
lnd;
|
||||
lightning-loop
|
||||
nbxplorer;
|
||||
|
||||
inherit pkgs pkgsUnstable;
|
||||
}
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "bencoder.pyx";
|
||||
version = "2.0.1";
|
||||
version = "3.0.1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
|
||||
sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
|
||||
url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
|
||||
sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ cython ];
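Review bot: `version` is bumped to `3.0.1`, but `src.url` now fetches commit `9a47768f…` rather than a `v${version}` archive, so the version string no longer describes what is built and nothing records why a commit was pinned; either keep `archive/v${version}.tar.gz` or add `# pinned to <commit> because …` next to the url. Hashing a GitHub `archive/<commit>.tar.gz` also pins the generated tarball bytes, which GitHub has changed before (the compression change that invalidated many `fetchurl` hashes); `fetchFromGitHub { owner = "whtsky"; repo = "bencoder.pyx"; rev = "9a47768f3ceba9df9e6fbaa7c445f59960889009"; hash = "..."; }` hashes the unpacked tree instead, as the joinmarket package in this same compare already does.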
|
||||
|
@ -22,7 +22,6 @@ rec {
|
||||
};
|
||||
runes = callPackage ./runes {};
|
||||
sha256 = callPackage ./sha256 {};
|
||||
urldecode = callPackage ./urldecode {};
|
||||
};
|
||||
|
||||
# Joinmarket requires a custom package set because it uses older versions of Python pkgs
|
||||
@ -47,12 +46,10 @@ rec {
|
||||
# autobahn 20.12.3, required by joinmarketclient
|
||||
autobahn = callPackage ./specific-versions/autobahn.nix {};
|
||||
|
||||
# pyopenssl 20.0.1, required by joinmarketdaemon
|
||||
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
|
||||
openssl = super.pkgs.openssl_1_1;
|
||||
};
|
||||
# pyopenssl 21.0.0, required by joinmarketdaemon
|
||||
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
|
||||
|
||||
# twisted 22.4.0, compatible with pyopenssl 20.0.1
|
||||
# twisted 22.4.0, required by joinmarketbase
|
||||
twisted = callPackage ./specific-versions/twisted.nix {};
|
||||
};
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
|
||||
{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }:
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "joinmarketbitcoin";
|
||||
@ -6,7 +6,7 @@ buildPythonPackage rec {
|
||||
|
||||
postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
|
||||
|
||||
propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
|
||||
propagatedBuildInputs = [ pyaes python-bitcointx ];
|
||||
|
||||
checkInputs = [ joinmarketbase ];
|
||||
|
||||
|
@ -8,6 +8,12 @@ buildPythonPackage rec {
|
||||
|
||||
propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
|
||||
|
||||
# libnacl 1.8.0 is not on github
|
||||
patchPhase = ''
|
||||
substituteInPlace setup.py \
|
||||
--replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Client library for Bitcoin coinjoins";
|
||||
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
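Review bot: Setting `patchPhase = ''…''` overrides the entire patch phase, so the standard `patches` handling and the `prePatch`/`postPatch` hooks are skipped for this derivation; the idiomatic place for a `substituteInPlace` is `postPatch = ''…''`, which keeps the default phase intact. The comment `# libnacl 1.8.0 is not on github` explains why the pin cannot be satisfied but not why 1.7.2 is acceptable: this changes the crypto binding `setup.py` asked for, so a sentence on API compatibility or a link to the upstream issue would help whoever does the next bump.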
|
||||
|
@ -6,17 +6,50 @@
|
||||
, cryptography
|
||||
, pyasn1
|
||||
, idna
|
||||
, pytest
|
||||
, pytestCheckHook
|
||||
, pretend
|
||||
, flaky
|
||||
, glibcLocales
|
||||
, six
|
||||
}:
|
||||
|
||||
let
|
||||
buildPythonPackage rec {
|
||||
pname = "pyopenssl";
|
||||
version = "21.0.0";
|
||||
|
||||
src = fetchPypi {
|
||||
pname = "pyOpenSSL";
|
||||
inherit version;
|
||||
sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
|
||||
};
|
||||
|
||||
outputs = [ "out" "dev" ];
|
||||
|
||||
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
|
||||
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
|
||||
doCheck = !stdenv.isDarwin;
|
||||
|
||||
nativeBuildInputs = [ openssl ];
|
||||
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
|
||||
|
||||
checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
|
||||
|
||||
preCheck = ''
|
||||
export LANG="en_US.UTF-8"
|
||||
'';
|
||||
|
||||
disabledTests = [
|
||||
# https://github.com/pyca/pyopenssl/issues/692
|
||||
# These tests, we disable always.
|
||||
"test_set_default_verify_paths"
|
||||
"test_fallback_default_verify_paths"
|
||||
# https://github.com/pyca/pyopenssl/issues/768
|
||||
"test_wantWriteError"
|
||||
# https://github.com/pyca/pyopenssl/issues/1043
|
||||
"test_alpn_call_failure"
|
||||
] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
|
||||
# https://github.com/pyca/pyopenssl/issues/791
|
||||
# These tests, we disable in the case that libressl is passed in as openssl.
|
||||
failingLibresslTests = [
|
||||
"test_op_no_compression"
|
||||
"test_npn_advertise_error"
|
||||
"test_npn_select_error"
|
||||
@ -29,64 +62,21 @@ let
|
||||
"test_verify_with_revoked"
|
||||
"test_set_notAfter"
|
||||
"test_set_notBefore"
|
||||
];
|
||||
|
||||
# these tests are extremely tightly wed to the exact output of the openssl cli tool,
|
||||
# including exact punctuation.
|
||||
failingOpenSSL_1_1Tests = [
|
||||
] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [
|
||||
# these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
|
||||
"test_dump_certificate"
|
||||
"test_dump_privatekey_text"
|
||||
"test_dump_certificate_request"
|
||||
"test_export_text"
|
||||
] ++ lib.optionals stdenv.is32bit [
|
||||
# https://github.com/pyca/pyopenssl/issues/974
|
||||
"test_verify_with_time"
|
||||
];
|
||||
|
||||
disabledTests = [
|
||||
# https://github.com/pyca/pyopenssl/issues/692
|
||||
# These tests, we disable always.
|
||||
"test_set_default_verify_paths"
|
||||
"test_fallback_default_verify_paths"
|
||||
# https://github.com/pyca/pyopenssl/issues/768
|
||||
"test_wantWriteError"
|
||||
] ++ (
|
||||
lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
|
||||
) ++ (
|
||||
lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
|
||||
) ++ (
|
||||
# https://github.com/pyca/pyopenssl/issues/974
|
||||
lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
|
||||
);
|
||||
|
||||
# Compose the final string expression, including the "-k" and the single quotes.
|
||||
testExpression = lib.optionalString (disabledTests != [])
|
||||
"-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
|
||||
|
||||
in
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "pyopenssl";
|
||||
version = "20.0.1";
|
||||
|
||||
src = fetchPypi {
|
||||
pname = "pyOpenSSL";
|
||||
inherit version;
|
||||
sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
|
||||
meta = with lib; {
|
||||
description = "Python wrapper around the OpenSSL library";
|
||||
homepage = "https://github.com/pyca/pyopenssl";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ SuperSandro2000 ];
|
||||
};
|
||||
|
||||
outputs = [ "out" "dev" ];
|
||||
|
||||
checkPhase = ''
|
||||
runHook preCheck
|
||||
export LANG="en_US.UTF-8"
|
||||
py.test tests ${testExpression}
|
||||
runHook postCheck
|
||||
'';
|
||||
|
||||
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
|
||||
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
|
||||
doCheck = !stdenv.isDarwin;
|
||||
|
||||
nativeBuildInputs = [ openssl ];
|
||||
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
|
||||
|
||||
checkInputs = [ pytest pretend flaky glibcLocales ];
|
||||
}
|
||||
|
@ -1,16 +0,0 @@
|
||||
{ lib, buildPythonPackage, fetchPypi }:
|
||||
buildPythonPackage rec {
|
||||
pname = "urldecode";
|
||||
version = "0.1";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description = "A simple function to decode an encoded url";
|
||||
homepage = "https://github.com/jennyq/urldecode";
|
||||
maintainers = with maintainers; [ nixbitcoin ];
|
||||
};
|
||||
}
|
@ -10,11 +10,11 @@
|
||||
}:
|
||||
let self = stdenvNoCC.mkDerivation {
|
||||
pname = "rtl";
|
||||
version = "0.13.4";
|
||||
version = "0.13.6";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
|
||||
hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
|
||||
hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4=";
|
||||
};
|
||||
|
||||
passthru = {
|
||||
@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
|
||||
# TODO-EXTERNAL: Remove `npmFlags` when no longer required
|
||||
# See: https://github.com/Ride-The-Lightning/RTL/issues/1182
|
||||
npmFlags = "--legacy-peer-deps";
|
||||
hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
|
||||
hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k=";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
set -euo pipefail
|
||||
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
|
||||
|
||||
version="0.13.4"
|
||||
version="0.13.6"
|
||||
repo=https://github.com/Ride-The-Lightning/RTL
|
||||
|
||||
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
||||
|
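--- a/pkgs/trustedcoin/default.nix
+++ b/pkgs/trustedcoin/default.nix
@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "trustedcoin";
+  version = "0.6.1";
+  src = fetchFromGitHub {
+    owner = "nbd-wtf";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
+  };
+
+  vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
+
+  subPackages = [ "." ];
+
+  meta = with lib; {
+    description = "Light bitcoin node implementation";
+    homepage = "https://github.com/nbd-wtf/trustedcoin";
+    maintainers = with maintainers; [ seberm fort-nix ];
+    platforms = platforms.linux;
+  };
+}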
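Review bot: `meta.description = "Light bitcoin node implementation"` does not convey the trust model the package name implies; if trustedcoin serves chain data obtained from external block explorers (I cannot confirm that from this file), say so, e.g. `description = "clightning backend that fetches block data from external block explorers instead of a local bitcoind";`, so operators picking it over bitcoind see the trade-off where they choose the package. `vendorSha256` is the older spelling of `vendorHash`, which newer nixpkgs prefer.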
|
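--- a/pkgs/trustedcoin/get-sha256.sh
+++ b/pkgs/trustedcoin/get-sha256.sh
@@ -0,0 +1,20 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p git gnupg curl jq
+set -euo pipefail
+
+
+TMPDIR="$(mktemp -d -p /tmp)"
+trap 'rm -rf $TMPDIR' EXIT
+cd "$TMPDIR"
+
+echo "Fetching latest release"
+repo='nbd-wtf/trustedcoin'
+latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
+echo "Latest release is $latest"
+git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
+cd trustedcoin
+
+echo "tag: $latest"
+git checkout -q "tags/$latest"
+rm -rf .git
+nix --extra-experimental-features nix-command hash path .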
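Review bot: `gnupg` is listed in the nix-shell dependencies but the script never verifies anything: the printed hash is whatever GitHub served for the tag over HTTPS, with no signature check on the tag or commit, unlike the joinmarket helper in this same compare which imports a maintainer key and runs `git verify-commit`. Either import the upstream signing key and run `git verify-tag "$latest"` (or `git verify-commit HEAD`) before `rm -rf .git`, or drop `gnupg` from `-p` so the shebang does not suggest a verification that does not happen. `git checkout -q "tags/$latest"` is also redundant after `git clone --depth 1 --branch "$latest"` has already checked out that ref.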
|
@ -20,4 +20,4 @@ if [[ ${CACHIX_SIGNING_KEY:-} ]]; then
|
||||
fi
|
||||
|
||||
echo "Running flake-info (nixos-search)"
|
||||
flake-info flake ../..
|
||||
flake-info --json flake ../.. >/dev/null
|
||||
|
@ -41,4 +41,4 @@ bwrap \
|
||||
--ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
|
||||
--ro-bind /usr /usr \
|
||||
--ro-bind-try /run /run \
|
||||
-- flake-info flake "$nbFlake"
|
||||
-- flake-info --json flake "$nbFlake" >/dev/null
|
||||
|
@ -2,11 +2,11 @@
|
||||
"nodes": {
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1667395993,
|
||||
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
|
||||
"lastModified": 1678901627,
|
||||
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
|
||||
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -18,11 +18,11 @@
|
||||
"nixos-org-configurations": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1674564797,
|
||||
"narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
|
||||
"lastModified": 1679995724,
|
||||
"narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-org-configurations",
|
||||
"rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
|
||||
"rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -39,11 +39,11 @@
|
||||
"npmlock2nix": "npmlock2nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1674593115,
|
||||
"narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
|
||||
"lastModified": 1683204679,
|
||||
"narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-search",
|
||||
"rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
|
||||
"rev": "0498effc4137095938f16fd752cc81a96901554f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -54,11 +54,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1667629849,
|
||||
"narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
|
||||
"lastModified": 1680213900,
|
||||
"narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
|
||||
"rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -70,11 +70,11 @@
|
||||
"npmlock2nix": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1666460237,
|
||||
"narHash": "sha256-HME6rnysvCwUVtH+BDWDGahmweMaLgD2wqHeRuGp6QI=",
|
||||
"lastModified": 1673447413,
|
||||
"narHash": "sha256-sJM82Sj8yfQYs9axEmGZ9Evzdv/kDcI9sddqJ45frrU=",
|
||||
"owner": "nix-community",
|
||||
"repo": "npmlock2nix",
|
||||
"rev": "eeed152290ec2425f96c5e74e469c40b621e1468",
|
||||
"rev": "9197bbf397d76059a76310523d45df10d2e4ca81",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -274,6 +274,7 @@ buildable=(
|
||||
hardened
|
||||
clightning-replication
|
||||
lndPruned
|
||||
wireguard-lndconnect
|
||||
)
|
||||
buildable() { buildTests buildable "$@"; }
|
||||
|
||||
|
@ -45,7 +45,7 @@ let
|
||||
services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
|
||||
test.data.clightning-plugins = let
|
||||
plugins = config.services.clightning.plugins;
|
||||
removed = [ "commando" ];
|
||||
removed = [ "commando" "trustedcoin" ];
|
||||
enabled = builtins.filter (plugin: plugins.${plugin}.enable)
|
||||
(subtractLists removed (builtins.attrNames plugins));
|
||||
nbPkgs = config.nix-bitcoin.pkgs;
|
||||
@ -86,8 +86,8 @@ let
|
||||
|
||||
nix-bitcoin.onionServices.lnd.public = true;
|
||||
|
||||
tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
|
||||
tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
|
||||
tests.lndconnect-onion-lnd = with cfg.lnd.lndconnect; enable && onion;
|
||||
tests.lndconnect-onion-clightning = with cfg.clightning-rest.lndconnect; enable && onion;
|
||||
|
||||
tests.lightning-loop = cfg.lightning-loop.enable;
|
||||
services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
|
||||
@ -187,9 +187,9 @@ let
|
||||
services.rtl.enable = true;
|
||||
services.spark-wallet.enable = true;
|
||||
services.clightning-rest.enable = true;
|
||||
services.clightning-rest.lndconnectOnion.enable = true;
|
||||
services.clightning-rest.lndconnect = { enable = true; onion = true; };
|
||||
services.lnd.enable = true;
|
||||
services.lnd.lndconnectOnion.enable = true;
|
||||
services.lnd.lndconnect = { enable = true; onion = true; };
|
||||
services.lightning-loop.enable = true;
|
||||
services.lightning-pool.enable = true;
|
||||
services.charge-lnd.enable = true;
|
||||
@ -315,6 +315,15 @@ let
|
||||
services.lnd.enable = true;
|
||||
services.bitcoind.prune = 1000;
|
||||
};
|
||||
|
||||
# Test the special clightning setup where trustedcoin plugin is used
|
||||
trustedcoin = {
|
||||
tests.trustedcoin = true;
|
||||
services.clightning = {
|
||||
enable = true;
|
||||
plugins.trustedcoin.enable = true;
|
||||
};
|
||||
};
|
||||
} // (import ../dev/dev-scenarios.nix {
|
||||
inherit lib scenarios;
|
||||
});
|
||||
@ -405,6 +414,7 @@ in {
|
||||
in
|
||||
{
|
||||
clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
|
||||
wireguard-lndconnect = import ./wireguard-lndconnect.nix makeTestVM pkgs;
|
||||
} // mainTests;
|
||||
|
||||
tests = makeTests scenarios;
|
||||
|
@ -177,12 +177,12 @@ def _():
|
||||
@test("lndconnect-onion-lnd")
|
||||
def _():
|
||||
assert_running("lnd")
|
||||
assert_matches("runuser -u operator -- lndconnect-onion --url", ".onion")
|
||||
assert_matches("runuser -u operator -- lndconnect --url", ".onion")
|
||||
|
||||
@test("lndconnect-onion-clightning")
|
||||
def _():
|
||||
assert_running("clightning-rest")
|
||||
assert_matches("runuser -u operator -- lndconnect-onion-clightning --url", ".onion")
|
||||
assert_matches("runuser -u operator -- lndconnect-clightning --url", ".onion")
|
||||
|
||||
@test("lightning-loop")
|
||||
def _():
|
||||
@ -433,6 +433,18 @@ def _():
|
||||
if enabled("btcpayserver"):
|
||||
machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
|
||||
|
||||
@test("trustedcoin")
|
||||
def _():
|
||||
machine.wait_for_unit("bitcoind")
|
||||
machine.wait_for_unit("clightning")
|
||||
|
||||
# Let's check the trustedcoin plugin was correctly initialized
|
||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
|
||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
|
||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
|
||||
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
|
||||
|
||||
|
||||
if "netns-isolation" in enabled_tests:
|
||||
def ip(name):
|
||||
return test_data["netns"][name]["address"]
|
||||
|
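Review bot: The four `log_has_string` patterns added in the `@test("trustedcoin")` body are ordinary string literals containing `\[` and `\s`, which are invalid escape sequences in Python; that currently only raises a DeprecationWarning (a SyntaxWarning from 3.12) but leaves the pattern's meaning dependent on the interpreter preserving the backslashes. Use raw strings, e.g. `machine.wait_until_succeeds(log_has_string("clightning", r"plugin-trustedcoin[^^]\[0m\s+initialized plugin"))`, with the same `r` prefix on the other three. Whether `log_has_string` treats its argument as a regex is not visible in this hunk; if it does a plain substring match, `[^^]`, `\[0m` and `\s+` can never match and the test would only fail at the `wait_until_succeeds` timeout, so that is worth confirming. The last expectation asserts on an error string (`none of the esploras returned usable responses`), i.e. on the plugin failing to reach its remote backends; a one-line comment such as `# The test VM has no WAN, so esplora lookups are expected to fail` would tell the next reader that this is the intended outcome rather than a bug being pinned.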
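--- /dev/null
+++ b/test/wireguard-lndconnect.nix
@@ -0,0 +1,103 @@
+# You can run this test via `run-tests.sh -s wireguard-lndconnect`
+
+makeTestVM: pkgs:
+with pkgs.lib;
+
+makeTestVM {
+name = "wireguard-lndconnect";
+
+nodes = {
+server = {
+imports = [
+../modules/modules.nix
+../modules/presets/wireguard.nix
+];
+
+nixpkgs.pkgs = pkgs;
+
+nix-bitcoin.generateSecrets = true;
+nix-bitcoin.operator.enable = true;
+
+services.clightning-rest = {
+enable = true;
+lndconnect.enable = true;
+};
+# TODO-EXTERNAL:
+# When WAN is disabled, DNS bootstrapping slows down service startup by ~15 s.
+services.clightning.extraConfig = "disable-dns";
+
+services.lnd = {
+enable = true;
+lndconnect.enable = true;
+port = 9736;
+};
+};
+
+client = {
+nixpkgs.pkgs = pkgs;
+
+environment.systemPackages = with pkgs; [
+wireguard-tools
+];
+};
+};
+
+testScript = ''
+import base64
+import urllib.parse as Url
+from types import SimpleNamespace
+
+def parse_lndconnect_url(url):
+u = Url.urlparse(url)
+queries = Url.parse_qs(u.query)
+macaroon = queries['macaroon'][0]
+is_clightning = url.startswith("c-lightning-rest")
+
+return SimpleNamespace(
+host = u.hostname,
+port = u.port,
+macaroon_hex =
+macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper()
+)
+
+client.start()
+server.connect()
+
+if not "is_interactive" in vars():
+
+with subtest("connect client to server via WireGuard"):
+server.wait_for_unit("wireguard-wg-nb-peer-peer0.service")
+
+# Get WireGuard config from server and save it to `/tmp/wireguard.conf` on the client
+wg_config = server.succeed("runuser -u operator -- nix-bitcoin-wg-connect server --text")
+# Encode to base64
+b64 = base64.b64encode(wg_config.encode('utf-8')).decode()
+client.succeed(f"install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf")
+
+# Connect to server via WireGuard
+client.succeed("wg-quick up /tmp/wireguard.conf")
+
+# Ping server from client
+print(client.succeed("ping -c 1 -W 0.5 10.10.0.1"))
+
+with subtest("lndconnect-wg"):
+server.wait_for_unit("lnd.service")
+lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
+api = parse_lndconnect_url(lndconnect_url)
+# Make lnd REST API call
+client.succeed(
+f"curl -fsS --max-time 3 --insecure --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
+f"-X GET https://{api.host}:{api.port}/v1/getinfo"
+)
+
+with subtest("lndconnect-clightning-wg"):
+server.wait_for_unit("clightning-rest.service")
+lndconnect_url = server.succeed("runuser -u operator -- lndconnect-clightning-wg --url")
+api = parse_lndconnect_url(lndconnect_url)
+# Make clightning-rest API call
+client.succeed(
+f"curl -fsS --max-time 3 --insecure --header 'macaroon: {api.macaroon_hex}' "
+f"--header 'encodingtype: hex' -X GET https://{api.host}:{api.port}/v1/getinfo"
+)
+'';
+}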
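Review bot: Both API calls in the new testScript use `curl --insecure`, and `parse_lndconnect_url` extracts only the `macaroon` query parameter, so the test never checks the TLS certificate the server presents on its WireGuard address against anything; a lndconnect URL normally embeds the server certificate in a `cert` parameter precisely so that clients can pin it, and a regression in the certificate the module generates (for example a missing SAN for the WireGuard IP) would pass this test unnoticed. Suggest extracting `cert` in the parser, writing it to the client as PEM the same way the WireGuard config is copied, and replacing `--insecure` with `--cacert`; if the clightning-rest URL turns out to carry no `cert` parameter, keep `--insecure` for that call only and say so in a comment. The config copy `install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf` also passes the peer's private key on a command line, which is acceptable in a throwaway test VM but deserves a one-line comment so the pattern is not lifted into non-test tooling. The change below is sketched for the lnd subtest; the clightning-rest subtest would follow the same shape.
```python
def parse_lndconnect_url(url):
    u = Url.urlparse(url)
    queries = Url.parse_qs(u.query)
    macaroon = queries['macaroon'][0]
    is_clightning = url.startswith("c-lightning-rest")
    # lndconnect URLs carry the server TLS cert as unpadded base64url DER so the
    # client can pin it; re-encode as standard base64 for transport to the client.
    cert = queries.get('cert', [None])[0]
    cert_b64 = base64.b64encode(base64.urlsafe_b64decode(cert + '===')).decode() if cert else None

    return SimpleNamespace(
        host = u.hostname,
        port = u.port,
        macaroon_hex =
          macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper(),
        cert_b64 = cert_b64,
    )

def install_cert(api, path):
    # Write the pinned server cert as PEM on the client so curl can verify it.
    client.succeed(
        f"(echo '-----BEGIN CERTIFICATE-----'; echo -n {api.cert_b64} | base64 -d | base64 -w 64; "
        f"echo '-----END CERTIFICATE-----') > {path}"
    )

# … unchanged: WireGuard connection subtest …

with subtest("lndconnect-wg"):
    server.wait_for_unit("lnd.service")
    lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
    api = parse_lndconnect_url(lndconnect_url)
    install_cert(api, "/tmp/lnd-cert.pem")
    # Make lnd REST API call, verifying the server against the cert pinned in the URL
    client.succeed(
        f"curl -fsS --max-time 3 --cacert /tmp/lnd-cert.pem --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
        f"-X GET https://{api.host}:{api.port}/v1/getinfo"
    )
```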