Jonas Nick 9239268ab6
Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module
b2e15c17b8c9fe5c55a271204b5c12e80aba15ec docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db99e6659b8be3065db44648d6660d57c Add fetch-release script (Jonas Nick)
c303cd47e4880dae59f8ada846f0c61f0931058f Add push-release.sh helper (Jonas Nick)
705d187a35b728e6091428be3fd07da576516e2a examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be65692fee706b03d9049dd08028dfecf11 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9beefc3fc68491523481988801e9536 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979d8296fae023bb21a4a9fc3b0ca3095 docs: Update NixOS version (Jonas Nick)
9df22a2764a550f0f9a94f759a091d1d8cdd1135 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced19943efd48d12bc4f52bf26b440c43a4f2 README: Add Example section (Jonas Nick)
44ccbb91d0a03211f4b6c1a0349db38a21c0ab09 Clean up development shell.nix (Jonas Nick)
abcee651d3c24213b5efddf7e1532a6eafa70600 add deploy-container.sh (Erik Arvstedt)
5dadea310cc0522c2bf6a6a7771c6889f0ad39e0 add deploy-nixops.sh (Erik Arvstedt)
0c74c365de8cb5df3b9f8433d5e9baecc8df1aac mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef22e269fd799ce38bd2a7aea3f1370e move main module import to configuration.nix (Erik Arvstedt)
0c0978c0073d18d195e8518ca4624592000fb8a9 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498b7d7d9e85a2ac0fa3af650723ca196 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
2020-04-08 15:03:08 +00:00

nix-bitcoin

Nix packages and NixOS modules for easily installing Bitcoin nodes and higher-layer protocols with an emphasis on security. This is a work in progress: don't expect it to be bug-free, secure or stable.

The default configuration sets up a Bitcoin Core node and c-lightning. In configuration.nix the user can enable spark-wallet, which makes c-lightning accessible from a smartphone. A simple web page shows the lightning node ID and links to nanopos, letting the user receive donations. An elements-daemon (Liquid) module is also included. Outbound peer-to-peer traffic is forced through Tor, and listening services are bound to onion addresses.

A demo installation is running at http://6tr4dg3f2oa7slotdjp4syvnzzcry2lqqlcvqkfxdavxo6jsuxwqpxad.onion. The following screencast shows a fresh deployment of a nix-bitcoin node.

The goal is to make it easy to deploy a reasonably secure Bitcoin node with a usable wallet. It should allow managing bitcoin (the currency) effectively and providing public infrastructure, and it should be a reproducible and extensible platform for applications building on Bitcoin.

Example

The easiest way to try out nix-bitcoin is to use one of the provided examples.

git clone https://github.com/fort-nix/nix-bitcoin
cd nix-bitcoin/examples/
nix-shell

The following example scripts set up a nix-bitcoin node according to examples/configuration.nix and then shut it down immediately. They leave no traces on the host system outside of /nix/store.

  • ./deploy-container.sh creates a NixOS container.
    This is the fastest way to set up a node.
    Requires: NixOS

  • ./deploy-qemu-vm.sh creates a QEMU VM.
    Requires: Nix

  • ./deploy-nixops.sh creates a VirtualBox VM via NixOps.
    NixOps can also deploy to various other backends, such as cloud providers.
    Requires: Nix, VirtualBox

Available modules

By default the configuration.nix provides:

  • bitcoind with outbound connections through Tor and inbound connections through a hidden service. By default it is loaded with a banlist of spy nodes.
  • clightning with outbound connections through Tor, not listening for inbound connections
  • a "nodeinfo" script that prints basic information about the node
  • a non-root user "operator" with access to bitcoin-cli and lightning-cli

In configuration.nix the user can enable:

  • a clightning hidden service
  • liquid
  • lightning charge
  • nanopos
  • an index page using nginx to display node information and link to nanopos
  • spark-wallet
  • electrs
  • recurring-donations, a module to repeatedly send lightning payments to recipients specified in the configuration.
  • bitcoin-core-hwi
    • Bitcoin Core's own Hardware Wallet Interface, enabled with a single configuration.nix setting, so no extra software is needed to connect a hardware wallet to Bitcoin Core.

The data directories of the services can be found in /var/lib on the deployed machines.
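
As an added illustration of the import-based deployment introduced by this merge, the configuration.nix below pins the nix-bitcoin source by content hash, imports the module instead of forking the repository, and enables some of the modules listed above. This is example code written for this page, not the project's own examples/configuration.nix. The module path modules/nix-bitcoin.nix and the services.*.enable option names are assumed to match the project's modules, and the commit placeholder and lib.fakeSha256 must be replaced with a revision you have verified and its real hash.

```nix
# Added example configuration.nix for an import-based deployment. This is not
# the project's own examples/configuration.nix. Assumptions: the main module
# lives at modules/nix-bitcoin.nix in the fetched tree and the option names
# below match the modules listed in the README; `rev` and the hash are
# placeholders that must be replaced.
{ config, pkgs, lib, ... }:

let
  # Commit to deploy. Placeholder: replace with a nix-bitcoin merge commit
  # whose signature you have checked (git verify-commit <rev>).
  rev = "0000000000000000000000000000000000000000";

  # Pinned, content-addressed source. fetchTarball refuses to use the download
  # unless the unpacked tree hashes to `sha256`, so a changed archive fails the
  # build instead of silently changing the node. lib.fakeSha256 is a
  # deliberately wrong hash: the first build aborts and reports the real one.
  nix-bitcoin = builtins.fetchTarball {
    url = "https://github.com/fort-nix/nix-bitcoin/archive/${rev}.tar.gz";
    sha256 = lib.fakeSha256;
  };
in
{
  imports = [
    # Import the module instead of forking the repository (path assumed).
    (nix-bitcoin + "/modules/nix-bitcoin.nix")
  ];

  # Only enabled services and their dependencies end up on the machine.
  # bitcoind and clightning are the defaults described above; electrs and
  # spark-wallet are two of the optional modules (option names assumed).
  services.bitcoind.enable = true;
  services.clightning.enable = true;
  services.electrs.enable = true;
  services.spark-wallet.enable = true;
}
```

The first nixos-rebuild fails with a hash mismatch that prints the hash of the tree actually fetched. Before pasting it into `sha256`, check out the same revision locally and run `git verify-commit` on it, so the pin records the signed commit you reviewed rather than whatever the server happened to serve. From then on, a moved tag or a tampered archive is a build failure, not a changed node.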

Installation

See install.md for a detailed tutorial.

Security

  • Simplicity: Only the services you select in configuration.nix, and their dependencies, are installed. Packages and dependencies are pinned; most packages are built from the NixOS stable channel, with a few exceptions built from the nixpkgs unstable channel. Builds happen in a sandboxed environment, and the code is continuously reviewed and refined.
  • Integrity: The Nix package manager, NixOS and the packages can be built from source to reduce reliance on binary caches. nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, and we use this software ourselves.
  • Principle of Least Privilege: Services operate with least privilege: each has its own user and is restricted further with systemd options, and a non-root user "operator" is provided for interacting with the various services.
  • Defense-in-depth: nix-bitcoin is built with a hardened kernel by default, and services are confined through discretionary access control, Linux namespaces and seccomp-bpf, with continuous improvements.

Note that nix-bitcoin is still experimental. Also, by design, if the machine you deploy from is insecure there is nothing nix-bitcoin can do to protect itself: the deploying machine controls the node's configuration and its secrets.
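
The least-privilege and defense-in-depth points above are implemented with standard NixOS and systemd mechanisms. The following is an added example, not a nix-bitcoin module: it confines a hypothetical service `exampled` (the name, unit and ExecStart are stand-ins) with a dedicated system user, an operator account that reaches the service's data through group membership rather than root, and systemd sandboxing directives covering discretionary access control, namespaces and seccomp-bpf.

```nix
# Added example (not nix-bitcoin's own module): confining a hypothetical
# service "exampled" the way the Security section describes. The service name,
# unit and ExecStart are stand-ins; the systemd directives are real.
{ config, pkgs, lib, ... }:

{
  # Dedicated unprivileged user and group; the daemon never runs as root.
  users.users.exampled = {
    isSystemUser = true;
    group = "exampled";
  };
  users.groups.exampled = {};

  # Non-root operator account. Group membership grants read access to the
  # service's state directory; no sudo is involved.
  users.users.operator = {
    isNormalUser = true;
    extraGroups = [ "exampled" ];
  };

  systemd.services.exampled = {
    description = "Example service confined with systemd sandboxing";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      User = "exampled";
      Group = "exampled";
      # Stand-in for the real daemon: a local-only HTTP listener.
      ExecStart = "${pkgs.python3}/bin/python3 -m http.server --bind 127.0.0.1 8000";

      # Discretionary access control: systemd creates /var/lib/exampled owned
      # by the service user; 0750 lets the operator group read, others nothing.
      StateDirectory = "exampled";
      StateDirectoryMode = "0750";
      WorkingDirectory = "/var/lib/exampled";

      # Linux namespaces and mount restrictions: read-only system tree,
      # private /tmp and /dev, no access to home directories or kernel knobs.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      CapabilityBoundingSet = "";

      # seccomp-bpf: allow the generic service syscall set, deny privileged
      # and resource-tuning calls, and refuse foreign syscall ABIs.
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      SystemCallArchitectures = "native";
    };
  };
}
```

After `nixos-rebuild switch`, `systemd-analyze security exampled.service` scores the unit's remaining exposure; comparing the score with and without the serviceConfig entries shows what each directive buys. Two caveats a practitioner hits in practice: MemoryDenyWriteExecute breaks daemons that rely on a JIT, and a service that only talks over a Unix socket can drop AF_INET and AF_INET6 from RestrictAddressFamilies as well.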

Hardware requirements

  • Disk space: 300 GB (235 GB for the Bitcoin blockchain plus some room)
    • Bitcoin Core pruning is not supported at the moment because c-lightning does not support it. It is possible to use pruning, but you need to know what you're doing.
  • RAM: 2 GB. ECC memory is better. Additionally, DDR4 memory with targeted row refresh (TRR) enabled is recommended as a mitigation against Rowhammer-style attacks such as RAMBleed (https://rambleed.com/).

Tested hardware includes PC Engines' apu2c4, GB-BACE-3150 and GB-BACE-3160. Some hardware (including Intel NUCs) may not be compatible with the hardened kernel that is turned on by default (see https://github.com/fort-nix/nix-bitcoin/issues/39#issuecomment-517366093 for a workaround).

Usage

For usage instructions, such as how to connect to spark-wallet, electrs and the ssh Tor Hidden Service, see usage.md.

Troubleshooting

If you are having problems with nix-bitcoin, check the FAQ or submit an issue. There's also a #nix-bitcoin IRC channel on freenode. We are always happy to help.
