nix-bitcoin/README.md
Erik Arvstedt aada35fc7b
minor improvements
- README: add matrix room

- examples/configuration.nix: explain why bitcoind is enabled by default

- btcpayserver: group lnd service settings

- clightning:
  Use public onion port only when the onion service is public

  This allows users to enable the onion service while announcing a
  non-onion public address.

- netns-isolation: move `readOnly` attr to the top

- tests: use mkDefault to allow for easier overriding

- tests/btcpayserver: test web server response
2021-10-30 15:34:48 +02:00

7.1 KiB

nix-bitcoin logo


CirrusCI status GitHub tag (latest SemVer) GitHub commit activity GitHub contributors GitHub downloads


nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.

Overview

nix-bitcoin can be used for personal or merchant wallets, public infrastructure or for Bitcoin application backends. In all cases, the aim is to provide security and privacy by default. However, while nix-bitcoin is used in production today, it is still considered experimental.

nix-bitcoin nodes can be deployed on dedicated hardware, virtual machines or containers. The Nix packages and NixOS modules can be used independently and combined freely.

nix-bitcoin is built on top of Nix and NixOS which provide powerful abstractions to keep it highly customizable and maintainable. Testament to this are nix-bitcoin's robust security features and its potent test framework. However, running nix-bitcoin does not require any previous experience with the Nix ecosystem.

Get started

Features

A configuration preset for setting up a secure node

  • All applications use Tor for outbound connections and support accepting inbound connections via onion services.

NixOS modules (src)

Security

  • Simplicity: Only services enabled in configuration.nix and their dependencies are installed, support for doas (sudo alternative), code is continuously reviewed and refined.
  • Integrity: The Nix package manager guarantees that all dependencies are exactly specified, packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves.
  • Principle of Least Privilege: Services operate with least privileges; they each have their own user and are restricted further with systemd features, RPC whitelisting and netns-isolation. There's a non-root user operator to interact with the various services.
  • Defense-in-depth: nix-bitcoin supports a hardened kernel, services are confined through discretionary access control, Linux namespaces, dbus firewall and seccomp-bpf with continuous improvements.

Note that if the machine you're deploying from is insecure, there is nothing nix-bitcoin can do to protect itself.

Docs

Troubleshooting

If you are having problems with nix-bitcoin check the FAQ or submit an issue.
There's also a Matrix room at #general:nixbitcoin.org and a #nix-bitcoin IRC channel on libera.
We are always happy to help.