2018-11-19 15:09:57 -08:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
|
|
let
|
2020-04-07 13:47:42 -07:00
|
|
|
cfg = config.services;
|
|
|
|
|
|
2020-09-28 04:09:03 -07:00
|
|
|
operatorName = config.nix-bitcoin.operator.name;
|
2020-05-03 07:42:53 -07:00
|
|
|
|
2020-04-07 13:47:37 -07:00
|
|
|
mkHiddenService = map: {
|
|
|
|
|
map = [ map ];
|
|
|
|
|
version = 3;
|
|
|
|
|
};
|
2018-11-19 15:09:57 -08:00
|
|
|
in {
|
2020-05-03 07:42:53 -07:00
|
|
|
imports = [
|
|
|
|
|
../modules.nix
|
|
|
|
|
../nodeinfo.nix
|
|
|
|
|
../nix-bitcoin-webindex.nix
|
|
|
|
|
];
|
2018-11-22 10:32:26 -08:00
|
|
|
|
2020-04-07 13:47:40 -07:00
|
|
|
options = {
|
2020-04-07 13:47:41 -07:00
|
|
|
services.clightning.onionport = mkOption {
|
2020-06-02 08:09:52 -07:00
|
|
|
type = types.port;
|
2020-04-07 13:47:41 -07:00
|
|
|
default = 9735;
|
|
|
|
|
description = "Port on which to listen for tor client connections.";
|
|
|
|
|
};
|
2020-06-04 02:30:17 -07:00
|
|
|
services.lnd.onionport = mkOption {
|
|
|
|
|
type = types.ints.u16;
|
|
|
|
|
default = 9735;
|
|
|
|
|
description = "Port on which to listen for tor client connections.";
|
|
|
|
|
};
|
2020-04-07 13:47:40 -07:00
|
|
|
};
|
|
|
|
|
|
2020-04-07 13:47:33 -07:00
|
|
|
config = {
|
|
|
|
|
# For backwards compatibility only
|
2020-01-12 11:52:39 -08:00
|
|
|
nix-bitcoin.secretsDir = mkDefault "/secrets";
|
|
|
|
|
|
2019-01-01 11:16:24 -08:00
|
|
|
networking.firewall.enable = true;
|
|
|
|
|
|
2020-08-20 04:11:10 -07:00
|
|
|
nix-bitcoin.security.hideProcessInformation = true;
|
2020-07-27 10:26:45 -07:00
|
|
|
|
2018-11-22 10:32:26 -08:00
|
|
|
# Tor
|
2020-04-07 13:47:35 -07:00
|
|
|
services.tor = {
|
|
|
|
|
enable = true;
|
|
|
|
|
client.enable = true;
|
2018-11-22 10:32:26 -08:00
|
|
|
|
2020-04-07 13:47:37 -07:00
|
|
|
hiddenServices.sshd = mkHiddenService { port = 22; };
|
2019-01-01 11:16:24 -08:00
|
|
|
};
|
2018-12-27 13:22:52 -08:00
|
|
|
|
2018-11-22 16:46:56 -08:00
|
|
|
# bitcoind
|
2020-04-07 13:47:35 -07:00
|
|
|
services.bitcoind = {
|
|
|
|
|
enable = true;
|
|
|
|
|
listen = true;
|
2020-04-24 07:21:12 -07:00
|
|
|
dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;
|
2020-04-07 13:47:35 -07:00
|
|
|
enforceTor = true;
|
|
|
|
|
assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
|
|
|
|
|
addnodes = [ "ecoc5q34tmbq54wl.onion" ];
|
|
|
|
|
discover = false;
|
|
|
|
|
addresstype = "bech32";
|
|
|
|
|
dbCache = 1000;
|
2020-08-04 07:12:20 -07:00
|
|
|
# higher rpcthread count due to reports that lightning implementations fail
|
|
|
|
|
# under high bitcoind rpc load
|
2021-01-14 04:24:02 -08:00
|
|
|
rpc.threads = 16;
|
2020-04-07 13:47:35 -07:00
|
|
|
};
|
2021-01-14 04:24:01 -08:00
|
|
|
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.address; };
|
2018-11-22 10:32:26 -08:00
|
|
|
|
|
|
|
|
# clightning
|
2020-10-29 13:20:27 -07:00
|
|
|
services.clightning.enforceTor = true;
|
2020-08-04 06:21:40 -07:00
|
|
|
services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService {
|
|
|
|
|
port = cfg.clightning.onionport;
|
2021-01-14 04:24:04 -08:00
|
|
|
toHost = cfg.clightning.address;
|
|
|
|
|
toPort = cfg.clightning.port;
|
2020-08-04 06:21:40 -07:00
|
|
|
});
|
2018-12-01 12:48:58 -08:00
|
|
|
|
2019-08-05 01:44:38 -07:00
|
|
|
# lnd
|
2020-10-29 13:20:27 -07:00
|
|
|
services.lnd.enforceTor = true;
|
2021-01-14 04:24:03 -08:00
|
|
|
services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.address; toPort = cfg.lnd.port; });
|
2019-08-05 01:44:38 -07:00
|
|
|
|
2020-07-07 07:22:17 -07:00
|
|
|
# lightning-loop
|
2020-10-29 13:20:27 -07:00
|
|
|
services.lightning-loop.enforceTor = true;
|
2020-07-07 07:22:17 -07:00
|
|
|
|
2020-04-07 13:47:38 -07:00
|
|
|
# liquidd
|
2020-04-07 13:47:35 -07:00
|
|
|
services.liquidd = {
|
|
|
|
|
rpcuser = "liquidrpc";
|
|
|
|
|
prune = 1000;
|
|
|
|
|
validatepegin = true;
|
|
|
|
|
listen = true;
|
|
|
|
|
enforceTor = true;
|
|
|
|
|
};
|
2021-01-14 04:24:07 -08:00
|
|
|
services.tor.hiddenServices.liquidd = mkIf cfg.liquidd.enable (mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.address; });
|
2019-04-27 16:53:26 -07:00
|
|
|
|
2020-04-07 13:47:38 -07:00
|
|
|
# electrs
|
2020-04-07 13:47:35 -07:00
|
|
|
services.electrs = {
|
|
|
|
|
enforceTor = true;
|
|
|
|
|
};
|
2020-08-21 13:35:58 -07:00
|
|
|
services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
|
|
|
|
|
port = cfg.electrs.port; toHost = cfg.electrs.address;
|
|
|
|
|
});
|
2020-04-07 13:47:35 -07:00
|
|
|
|
2020-08-12 07:47:56 -07:00
|
|
|
# btcpayserver
|
|
|
|
|
# disable tor enforcement until btcpayserver can fetch rates over Tor
|
|
|
|
|
services.btcpayserver.enforceTor = false;
|
|
|
|
|
services.nbxplorer.enforceTor = true;
|
2021-01-14 04:24:05 -08:00
|
|
|
services.tor.hiddenServices.btcpayserver = mkIf cfg.btcpayserver.enable (mkHiddenService { port = 80; toPort = 23000; toHost = cfg.btcpayserver.address; });
|
2020-08-12 07:47:56 -07:00
|
|
|
|
2020-06-10 07:41:13 -07:00
|
|
|
services.spark-wallet = {
|
|
|
|
|
onion-service = true;
|
|
|
|
|
enforceTor = true;
|
|
|
|
|
};
|
2020-04-07 13:47:38 -07:00
|
|
|
|
2020-06-10 07:46:30 -07:00
|
|
|
services.recurring-donations.enforceTor = true;
|
|
|
|
|
|
2020-04-07 13:47:38 -07:00
|
|
|
services.nix-bitcoin-webindex.enforceTor = true;
|
|
|
|
|
|
2020-06-11 04:39:17 -07:00
|
|
|
# Backups
|
|
|
|
|
services.backups = {
|
|
|
|
|
program = "duplicity";
|
|
|
|
|
frequency = "daily";
|
|
|
|
|
};
|
2020-04-07 13:47:38 -07:00
|
|
|
|
2020-04-07 13:47:45 -07:00
|
|
|
environment.systemPackages = with pkgs; [
|
2019-04-06 07:50:30 -07:00
|
|
|
tor
|
|
|
|
|
jq
|
2019-05-17 17:00:35 -07:00
|
|
|
qrencode
|
2019-04-29 13:39:25 -07:00
|
|
|
];
|
2020-04-07 13:47:38 -07:00
|
|
|
|
2021-01-14 04:24:10 -08:00
|
|
|
nix-bitcoin.onionAddresses = {
|
2020-09-28 04:09:03 -07:00
|
|
|
access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
nix-bitcoin.operator.enable = true;
|
2020-05-03 07:42:53 -07:00
|
|
|
users.users.${operatorName} = {
|
2020-04-08 12:51:31 -07:00
|
|
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
|
2020-04-07 13:47:38 -07:00
|
|
|
};
|
2020-04-08 12:51:31 -07:00
|
|
|
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
|
|
|
|
|
systemd.services.get-vbox-nixops-client-key =
|
|
|
|
|
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
|
|
|
|
|
postStart = ''
|
2020-05-03 07:42:53 -07:00
|
|
|
cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
|
2020-04-08 12:51:31 -07:00
|
|
|
'';
|
|
|
|
|
};
|
2018-11-19 16:22:16 -08:00
|
|
|
};
|
2018-11-19 15:09:57 -08:00
|
|
|
}
|
