nix-bitcoin

Go to file

Merge fort-nix/nix-bitcoin#577 : Upgrade to NixOS 22.11

4b5b4eac58fea3f6c1303d3f92fc8a0c1d3a7224 examples/deploy-container: fix `sudo` env propagation (Erik Arvstedt)
8d476cfeaf9aadf2211016204a28be64fb57ba24 nix-bitcoin/runAsUserCmd: remove workaround (Erik Arvstedt)
00cceca861feb383315551551a7ed34d421f6246 joinmarket: fix Python packages (Erik Arvstedt)
e4b8e14d3acf0e447786031d1f47b6c279b927f4 clightning: fix Python packages (Erik Arvstedt)
d1ef2a6e1e0272cab70d98cf14a7bf727abc0015 pythonPackages: improve layout (Erik Arvstedt)
74c8593407a4b4c6b24720a0acd130785c385ae1 pythonPackages: add indentation (Erik Arvstedt)
109dccca275b3008e0cc85df85e9a992db27d37a treewide: use `mdDoc` for descriptions (Erik Arvstedt)
a9c1995ed9c94119e1cba9cecce603847829482c treewide: rename maintainer `earvstedt` -> `erikarvstedt` (Erik Arvstedt)
9e456ea3a98c6620e2b1aff4865c82a5a57d3cde shellcheck-services.nix: update to NixOS 22.11 (Erik Arvstedt)
77d58162e7cdcf1cd3ec97f755f03858f114ae7a test: update to NixOS 22.11 (Erik Arvstedt)
142cbcfb3756a1bbb70b74f66e555bd341b1e0a3 flake: remove 32-bit systems (Erik Arvstedt)
c9b1e59f2062b39d7b0f836732bb498424c5f4d4 update to NixOS 22.11 (Erik Arvstedt)
62515a56963c4aa46eeb637caf9e8a9ac8da7256 helper/update-flake: support updating NixOS versions (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 4b5b4eac58fea3f6c1303d3f92fc8a0c1d3a7224

Tree-SHA512: b6ff443c4c6721dee9e6bf8f068d72c819851d54cb52d3fec64475cd884825063c28a87b2e9d1645617b7d0e7c1d52ee1ccd898f833c720c25f1b07add938cd5

2023-01-06 22:37:46 +00:00

docs

minor typo

2022-12-28 16:31:03 +01:00

examples

examples/deploy-container: fix sudo env propagation

2023-01-06 23:23:54 +01:00

helper

helper/update-flake: support updating NixOS versions

2022-12-18 20:01:48 +01:00

modules

nix-bitcoin/runAsUserCmd: remove workaround

2023-01-03 16:18:27 +01:00

pkgs

Merge fort-nix/nix-bitcoin#577 : Upgrade to NixOS 22.11

2023-01-06 22:37:46 +00:00

test

treewide: use mdDoc for descriptions

2022-12-18 20:01:52 +01:00

.cirrus.yml

update to NixOS 22.11

2022-12-18 20:01:52 +01:00

default.nix

delete modules/default.nix

2022-08-28 23:49:12 +02:00

flake.lock

update to NixOS 22.11

2022-12-18 20:01:52 +01:00

flake.nix

flake: remove 32-bit systems

2022-12-18 20:01:52 +01:00

LICENSE

Add license

2019-01-02 14:03:52 +00:00

overlay.nix

simplify overlay.nix

2020-01-09 10:43:29 +01:00

README.md

revert "tests: disable nixosSearch"

2022-09-23 09:04:57 +02:00

SECURITY.md

docs/security: fix typo

2022-08-28 23:49:12 +02:00

shell.nix

Clean up development shell.nix

2020-03-30 10:49:15 +02:00

README.md

nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.

Overview

nix-bitcoin can be used for personal or merchant wallets, public infrastructure or for Bitcoin application backends. In all cases, the aim is to provide security and privacy by default. However, while nix-bitcoin is used in production today, it is still considered experimental.

nix-bitcoin nodes can be deployed on dedicated hardware, virtual machines or containers. The Nix packages and NixOS modules can be used independently and combined freely.

nix-bitcoin is built on top of Nix and NixOS which provide powerful abstractions to keep it highly customizable and maintainable. Testament to this are nix-bitcoin's robust security features and its potent test framework. However, running nix-bitcoin does not require any previous experience with the Nix ecosystem.

Get started

See the examples for an overview of all features.
To setup a new node from scratch, see the installation instructions.
To add nix-bitcoin to an existing NixOS configuration, see importable-configuration.nix and the Flake example.

Docs

Hint: To show a table of contents, click the button () in the top left corner of the documents.

Features

A configuration preset for setting up a secure node

All applications use Tor for outbound connections and support accepting inbound connections via onion services.

NixOS modules (src)

Application services
- bitcoind
- clightning with support for announcing an onion service and database replication.
  Available plugins:
  - clboss: automated C-Lightning Node Manager
  - currencyrate: currency converter
  - helpme: walks you through setting up a fresh c-lightning node
  - monitor: helps you analyze the health of your peers and channels
  - prometheus: lightning node exporter for the prometheus timeseries server
  - rebalance: keeps your channels balanced
  - summary: print a nice summary of the node status
  - zmq: publishes notifications via ZeroMQ to configured endpoints
- clightning-rest: REST server for clightning
- lnd with support for announcing an onion service and static channel backups
  - Lightning Loop
  - Lightning Pool
  - charge-lnd: policy-based channel fee manager
- lndconnect: connect your wallet to lnd or clightning via a REST onion service
- Ride The Lightning: web interface for lnd and clightning
- spark-wallet
- electrs
- fulcrum (see the module for a comparison to electrs)
- btcpayserver
- liquid
- JoinMarket
  - JoinMarket Orderbook Watcher
- bitcoin-core-hwi
Helper
- netns-isolation: isolates applications on the network-level via network namespaces
- nodeinfo: script which prints info about the node's services
- backups: duplicity backups of all your node's important files
- operator: adds non-root user operator who has access to client tools (e.g. bitcoin-cli, lightning-cli)

Security

See SECURITY.md for the security policy and how to report a vulnerability.

nix-bitcoin aims to achieve a high degree of security by building on the following principles:

Simplicity: Only services enabled in configuration.nix and their dependencies are installed, support for doas (sudo alternative), code is continuously reviewed and refined.
Integrity: The Nix package manager guarantees that all dependencies are exactly specified, packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves.
Principle of Least Privilege: Services operate with least privileges; they each have their own user and are restricted further with systemd features, RPC whitelisting and netns-isolation. There's a non-root user operator to interact with the various services.
Defense-in-depth: nix-bitcoin supports a hardened kernel, services are confined through discretionary access control, Linux namespaces, dbus firewall and seccomp-bpf with continuous improvements.

Note that if the machine you're deploying from is insecure, there is nothing nix-bitcoin can do to protect itself.

Security fund

The nix-bitcoin security fund is a 2 of 3 bitcoin multisig address open for donations, used to reward security researchers who discover vulnerabilities in nix-bitcoin or its upstream dependencies.
See Security Fund for details.

Troubleshooting

If you are having problems with nix-bitcoin check the FAQ or submit an issue.
There's also a Matrix room at #general:nixbitcoin.org and a #nix-bitcoin IRC channel on libera.
We are always happy to help.