Go to file
Jonas Nick cba1188db8
Merge #308: Update nixpkgs-unstable, bitcoind
b114d0c3b1 bitcoind: use systemd startup notification (Erik Arvstedt)
332d0e70c8 bitcoind: support onion address announcing (Erik Arvstedt)
9662c19ab1 onionServices: use actual user name of services (Erik Arvstedt)
5c09845e6f bitcoind: tag incoming connections as onion on enforceTor (Erik Arvstedt)
8f9ea61d6e update nixpkgs-unstable (Erik Arvstedt)
05e5ec99ec modules packages: build electrs, lightning-loop with nixpkgs stable (Erik Arvstedt)
44546561fc run-tests: allow defining scenarios via cmdline args (Erik Arvstedt)
fc40776689 improve backup test (Erik Arvstedt)
9a67a32779 fix build-to-cachix (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b114d0c3b1
  nixbitcoin:
    ACK b114d0c3b1

Tree-SHA512: fbf4810fb0e1aeb46618c53cea3d6bde582eb92837afabe77e5bbf5c4add82277af4eba6bfeae6331f8992902e5dbe5081f2a016121a02dab3e797d53f232dd2
2021-02-01 10:07:22 +00:00
ci fix build-to-cachix 2021-01-30 11:38:47 +01:00
docs improve nodeinfo 2021-01-14 13:25:10 +01:00
examples bitcoind: support onion address announcing 2021-01-31 22:26:49 +01:00
helper Fetch from the nixpkgs repo instead of nixpkgs-channels 2020-12-06 21:42:20 +00:00
modules bitcoind: use systemd startup notification 2021-01-31 22:26:49 +01:00
pkgs update nixpkgs-unstable 2021-01-31 22:26:30 +01:00
test update nixpkgs-unstable 2021-01-31 22:26:30 +01:00
.cirrus.yml fix build-to-cachix 2021-01-30 11:38:47 +01:00
.gitignore Fix typo in gitignore 2020-11-24 18:25:12 +01:00
default.nix simplify overlay.nix 2020-01-09 10:43:29 +01:00
LICENSE Add license 2019-01-02 14:03:52 +00:00
overlay.nix simplify overlay.nix 2020-01-09 10:43:29 +01:00
README.md joinmarket-obwatcher: add pkg & module 2021-01-17 17:40:12 +00:00
shell.nix Clean up development shell.nix 2020-03-30 10:49:15 +02:00

nix-bitcoin logo


CirrusCI status GitHub tag (latest SemVer) GitHub commit activity GitHub contributors GitHub downloads


nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.

Overview

A Bitcoin node verifies the Bitcoin protocol and provides ways of interacting with the Bitcoin network. nix-bitcoin nodes are used for a variety of purposes and can serve as personal or merchant wallets, second layer public infrastructure and as backends for Bitcoin applications. In all cases, the aim is to provide security and privacy by default. However, while nix-bitcoin is used in production today, it is still considered experimental.

A full installation of nix-bitcoin is usually deployed either on a dedicated (virtual) machine or runs in a container and is online 24/7. Alternatively, the Nix packages, NixOS modules and configurations can be used independently and combined freely.

nix-bitcoin is built on top of Nix and NixOS which provide powerful abstractions to keep it highly customizable and maintainable. Testament to this are nix-bitcoin's robust security features and its potent test framework. However, running nix-bitcoin does not require any previous experience with the Nix ecosystem.

Examples

See the examples directory.

Features

A configuration preset for setting up a secure node

  • All applications use Tor for outbound connections and support accepting inbound connections via onion services.

NixOS modules

Security

  • Simplicity: Only services you select in configuration.nix and their dependencies are installed, packages and dependencies are pinned, most packages are built from the NixOS stable channel, with a few exceptions that are built from the nixpkgs unstable channel, builds happen in a sandboxed environment, code is continuously reviewed and refined.
  • Integrity: Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves.
  • Principle of Least Privilege: Services operate with least privileges; they each have their own user and are restricted further with systemd options, RPC whitelisting, and netns-isolation. There's a non-root user operator to interact with the various services.
  • Defense-in-depth: nix-bitcoin is built with a hardened kernel by default, services are confined through discretionary access control, Linux namespaces, dbus firewall and seccomp-bpf with continuous improvements.

Note that if the machine you're deploying from is insecure, there is nothing nix-bitcoin can do to protect itself.

Docs

Troubleshooting

If you are having problems with nix-bitcoin check the FAQ or submit an issue. There's also a #nix-bitcoin IRC channel on freenode. We are always happy to help.