nix-bitcoin/modules/presets/secure-node.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services;

  operatorName = config.nix-bitcoin.operatorName;

  mkHiddenService = map: {
    map = [ map ];
    version = 3;
  };
in {
  imports = [
    ../modules.nix
    ../nodeinfo.nix
    ../nix-bitcoin-webindex.nix
  ];

  options = {
    services.clightning.onionport = mkOption {
      type = types.port;
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };
    services.lnd.onionport = mkOption {
      type = types.ints.u16;
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };
    nix-bitcoin.operatorName = mkOption {
      type = types.str;
      default = "operator";
      description = "Less-privileged user's name.";
    };
  };

  config =  {
    # For backwards compatibility only
    nix-bitcoin.secretsDir = mkDefault "/secrets";

    networking.firewall.enable = true;

    nix-bitcoin.security.hideProcessInformation = true;

    # Tor
    services.tor = {
      enable = true;
      client.enable = true;
      # LND uses ControlPort to create onion services
      controlPort = mkIf cfg.lnd.enable 9051;

      hiddenServices.sshd = mkHiddenService { port = 22; };
    };

    # netns-isolation
    nix-bitcoin.netns-isolation = {
      addressblock = 1;
    };

    # bitcoind
    services.bitcoind = {
      enable = true;
      listen = true;
      dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      port = 8333;
      assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
      addnodes = [ "ecoc5q34tmbq54wl.onion" ];
      discover = false;
      addresstype = "bech32";
      dbCache = 1000;
      # higher rpcthread count due to reports that lightning implementations fail
      # under high bitcoind rpc load
      rpcthreads = 16;
    };
    services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };

    # clightning
    services.clightning = {
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      always-use-proxy = true;
    };
    services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService {
      port = cfg.clightning.onionport;
      toHost = cfg.clightning.bind-addr;
      toPort = cfg.clightning.bindport;
    });

    # lnd
    services.lnd = {
      tor-socks = cfg.tor.client.socksListenAddress;
      enforceTor = true;
    };
    services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; });

    # lightning-loop
    services.lightning-loop = {
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
    };

    # liquidd
    services.liquidd = {
      rpcuser = "liquidrpc";
      prune = 1000;
      extraConfig = ''
        mainchainrpcuser=${config.services.bitcoind.rpc.users.public.name}
        mainchainrpcport=8332
      '';
      validatepegin = true;
      listen = true;
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      port = 7042;
    };
    services.tor.hiddenServices.liquidd = mkIf cfg.liquidd.enable (mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.bind; });

    # electrs
    services.electrs = {
      port = 50001;
      enforceTor = true;
    };
    services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
      port = cfg.electrs.port; toHost = cfg.electrs.address;
    });

    # btcpayserver
    # disable tor enforcement until btcpayserver can fetch rates over Tor
    services.btcpayserver.enforceTor = false;
    services.nbxplorer.enforceTor = true;
    services.tor.hiddenServices.btcpayserver = mkIf cfg.btcpayserver.enable (mkHiddenService { port = 80; toPort = 23000; toHost = cfg.btcpayserver.bind; });

    services.spark-wallet = {
      onion-service = true;
      enforceTor = true;
    };

    services.lightning-charge.enforceTor = true;

    services.nanopos.enforceTor = true;

    services.recurring-donations.enforceTor = true;

    services.nix-bitcoin-webindex.enforceTor = true;

    # Backups
    services.backups = {
      program = "duplicity";
      frequency = "daily";
    };

    environment.systemPackages = with pkgs; [
      tor
      jq
      qrencode
    ];

    # Create operator user which can access the node's services
    users.users.${operatorName} = {
      isNormalUser = true;
      extraGroups = [
          "systemd-journal"
          "proc" # Enable full /proc access and systemd-status
          cfg.bitcoind.group
        ]
        ++ (optionals cfg.clightning.enable [ "clightning" ])
        ++ (optionals cfg.lnd.enable [ "lnd" ])
        ++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
        ++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
            [ cfg.hardware-wallets.group ])
        ++ (optionals cfg.joinmarket.enable [ cfg.joinmarket.group ]);
      openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
    };
    nix-bitcoin.netns-isolation.allowedUser = operatorName;
    # Give operator access to onion hostnames
    services.onion-chef.enable = true;
    services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];

    security.sudo.configFile =
     (optionalString cfg.lnd.enable ''
       ${operatorName}    ALL=(lnd) NOPASSWD: ALL
     '') +
     (optionalString cfg.joinmarket.enable ''
       ${operatorName}    ALL=(${cfg.joinmarket.user}) NOPASSWD: ALL
     '');

    # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
    systemd.services.get-vbox-nixops-client-key =
      mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
        postStart = ''
          cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
        '';
      };
  };
}
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`cfg = config.services;`

nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. 2020-05-03 07:42:53 -07:00			`operatorName = config.nix-bitcoin.operatorName;`

extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`mkHiddenService = map: {`
			`map = [ map ];`
			`version = 3;`
			`};`
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`in {`
nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. 2020-05-03 07:42:53 -07:00			`imports = [`
			`../modules.nix`
			`../nodeinfo.nix`
			`../nix-bitcoin-webindex.nix`
			`];`
add clightning 2018-11-22 10:32:26 -08:00
move electrs.onionport option Only used in secure-node.nix 2020-04-07 13:47:40 -07:00			`options = {`
add option clightning.onionport Analogous to electrs.onionport 2020-04-07 13:47:41 -07:00			`services.clightning.onionport = mkOption {`
services: use 'port' option type 2020-06-02 08:09:52 -07:00			`type = types.port;`
add option clightning.onionport Analogous to electrs.onionport 2020-04-07 13:47:41 -07:00			`default = 9735;`
			`description = "Port on which to listen for tor client connections.";`
			`};`
lnd: prepare for netns and bring in line with clightning - Adds bitcoind-host, and tor-socks options to allow using with network namespaces. - Adds listen, rpclisten, and restlisten option to specify host on which to listen on for peer, rpc and rest connections respectively - Adds announce-tor option and generates Tor Hidden Service with nix instead of lnd to bring in line with clightning. WARNING: Breaking changes for Tor Hidden Service. Manual migration necessary. 2020-06-04 02:30:17 -07:00			`services.lnd.onionport = mkOption {`
			`type = types.ints.u16;`
			`default = 9735;`
			`description = "Port on which to listen for tor client connections.";`
			`};`
nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. 2020-05-03 07:42:53 -07:00			`nix-bitcoin.operatorName = mkOption {`
			`type = types.str;`
			`default = "operator";`
			`description = "Less-privileged user's name.";`
			`};`
move electrs.onionport option Only used in secure-node.nix 2020-04-07 13:47:40 -07:00			`};`

add nix-bitcoin.nix for backwards compatibility 2020-04-07 13:47:33 -07:00			`config = {`
			`# For backwards compatibility only`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`nix-bitcoin.secretsDir = mkDefault "/secrets";`

Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 11:16:24 -08:00			`networking.firewall.enable = true;`

security: don't restrict process info by default for module users 2020-08-20 04:11:10 -07:00			`nix-bitcoin.security.hideProcessInformation = true;`
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00
add clightning 2018-11-22 10:32:26 -08:00			`# Tor`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.tor = {`
			`enable = true;`
			`client.enable = true;`
			`# LND uses ControlPort to create onion services`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`controlPort = mkIf cfg.lnd.enable 9051;`
add clightning 2018-11-22 10:32:26 -08:00
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`hiddenServices.sshd = mkHiddenService { port = 22; };`
Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 11:16:24 -08:00			`};`
Add sshd onion service 2018-12-27 13:22:52 -08:00
netns-isolation: netns architecture - Adds network namespace instantiation and routing architecture. - netns-isolation disabled by default. Can be enabled with configuration.nix FIXME. - Uses mkMerge to toggle certain options for non netns and netns systems. - Adds security wrapper for netns-exec which allows operator to exec with cap_sys_admin - User can select the 169.254.N.0/24 addressblock netns's are created in. - nix-bitcoin-services IpAddressAllow is amended with link-local addresses 2020-05-29 03:53:35 -07:00			`# netns-isolation`
			`nix-bitcoin.netns-isolation = {`
			`addressblock = 1;`
			`};`

Add Carl's bitcoind module 2018-11-22 16:46:56 -08:00			`# bitcoind`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.bitcoind = {`
			`enable = true;`
			`listen = true;`
Only set dataDirReadableByGroup if cfg.high-memory is enabled 2020-04-24 07:21:12 -07:00			`dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`proxy = cfg.tor.client.socksListenAddress;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`enforceTor = true;`
			`port = 8333;`
			`assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";`
			`addnodes = [ "ecoc5q34tmbq54wl.onion" ];`
			`discover = false;`
			`addresstype = "bech32";`
			`dbCache = 1000;`
bitcoind: bump rpcthread count 2020-08-04 07:12:20 -07:00			`# higher rpcthread count due to reports that lightning implementations fail`
			`# under high bitcoind rpc load`
			`rpcthreads = 16;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`};`
bitcoind: add netns - Adds bitcoind to netns-isolation.services - Adds rpcbind and rpcallowip options to allow using bitcoind with network namespaces - Adds bind option (defaults to localhost), used as target of hidden service - Makes bitcoind-import-banlist run in netns 2020-06-10 07:56:07 -07:00			`services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };`
add clightning 2018-11-22 10:32:26 -08:00
			`# clightning`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.clightning = {`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`proxy = cfg.tor.client.socksListenAddress;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`enforceTor = true;`
			`always-use-proxy = true;`
			`};`
clightning: refactor bind-addr to be IP address only With typecheck 2020-08-04 06:21:40 -07:00			`services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService {`
			`port = cfg.clightning.onionport;`
			`toHost = cfg.clightning.bind-addr;`
			`toPort = cfg.clightning.bindport;`
			`});`
Add index page with nginx 2018-12-01 12:48:58 -08:00
Add LND support 2019-08-05 01:44:38 -07:00			`# lnd`
lnd: prepare for netns and bring in line with clightning - Adds bitcoind-host, and tor-socks options to allow using with network namespaces. - Adds listen, rpclisten, and restlisten option to specify host on which to listen on for peer, rpc and rest connections respectively - Adds announce-tor option and generates Tor Hidden Service with nix instead of lnd to bring in line with clightning. WARNING: Breaking changes for Tor Hidden Service. Manual migration necessary. 2020-06-04 02:30:17 -07:00			`services.lnd = {`
			`tor-socks = cfg.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`};`
lnd: add listenPort option 2020-08-04 00:45:02 -07:00			`services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; });`
Add LND support 2019-08-05 01:44:38 -07:00
lightning-loop: add module 2020-07-07 07:22:17 -07:00			`# lightning-loop`
			`services.lightning-loop = {`
			`proxy = cfg.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`};`

rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# liquidd`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.liquidd = {`
			`rpcuser = "liquidrpc";`
			`prune = 1000;`
fixup! use '' for multi-line string 2020-04-07 13:47:43 -07:00			`extraConfig = ''`
bitcoind: switch from rpcpassword to rpcauth Includes bitcoind's `share/rpcauth` to convert apg generated passwords into salted HMAC-SHA-256 hashed passwords. 2020-06-22 05:10:54 -07:00			`mainchainrpcuser=${config.services.bitcoind.rpc.users.public.name}`
fixup! use '' for multi-line string 2020-04-07 13:47:43 -07:00			`mainchainrpcport=8332`
			`'';`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`validatepegin = true;`
			`listen = true;`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`proxy = cfg.tor.client.socksListenAddress;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`enforceTor = true;`
			`port = 7042;`
			`};`
secure-node: only mkHiddenServices if services are enabled 2020-07-09 04:08:39 -07:00			`services.tor.hiddenServices.liquidd = mkIf cfg.liquidd.enable (mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.bind; });`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# electrs`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.electrs = {`
			`port = 50001;`
			`enforceTor = true;`
			`};`
netns: remove conditionals for service settings Going without the conditionals (like in secure-node.nix) adds readability and doesn't reduce evaluation performance (in fact, it even slightly improves performance due to implementation details of mkIf). To avoid errors, remove use of disabled services in secure-node.nix and nix-bitcoin-webindex.nix. 2020-08-21 13:35:58 -07:00			`services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {`
			`port = cfg.electrs.port; toHost = cfg.electrs.address;`
			`});`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00
nbxplorer/btcpayserver: add module 2020-08-12 07:47:56 -07:00			`# btcpayserver`
			`# disable tor enforcement until btcpayserver can fetch rates over Tor`
			`services.btcpayserver.enforceTor = false;`
			`services.nbxplorer.enforceTor = true;`
			`services.tor.hiddenServices.btcpayserver = mkIf cfg.btcpayserver.enable (mkHiddenService { port = 80; toPort = 23000; toHost = cfg.btcpayserver.bind; });`

spark-wallet: add netns - Adds spark-wallet to netns-isolation.services - Adds extraArgs option to allow using spark-wallet with network namespaces - Adds host option (defaults to localhost) as target of hidden service - Adds enforceTor option to bring in line with other services 2020-06-10 07:41:13 -07:00			`services.spark-wallet = {`
			`onion-service = true;`
			`enforceTor = true;`
			`};`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00
lightning-charge: add netns - Adds lightning-charge to netns-isolation.services - Adds cfg.enforceTor to bring lightning-charge in line with other services - Adds extraArgs option to allow using lightning-charge with network namespaces - Adds host option (defaults to localhost) as target of hidden service 2020-06-10 07:43:03 -07:00			`services.lightning-charge.enforceTor = true;`

nanopos: add netns - Adds nanopos to netns-isolation.services - Adds cfg.enforceTor and extraArgs to bring nanopos in line with other services - Adds charged-url option to allow using nanopos with network namespaces. - Modularizes nginx so webindex can be used without nanopos. - Adds host option (defaults to localhost) as target of hidden service - Removes unnecessary after 2020-06-10 07:44:50 -07:00			`services.nanopos.enforceTor = true;`

recurring-donations: add netns - Adds recurring-donations to netns-isolation.services - Adds cfg.enforceTor to bring recurring-donations in line with other services - Removes torsocks dependency in favor of `curl --socks-hostname` 2020-06-10 07:46:30 -07:00			`services.recurring-donations.enforceTor = true;`

rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`services.nix-bitcoin-webindex.enforceTor = true;`

backups: add module 2020-06-11 04:39:17 -07:00			`# Backups`
			`services.backups = {`
			`program = "duplicity";`
			`frequency = "daily";`
			`};`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00
move systemPackages definitions to services These are generally useful and shouldn't be limited to secure-node.nix. Also, only add the hardware-wallets group when hardware wallets are enabled. 2020-04-07 13:47:45 -07:00			`environment.systemPackages = with pkgs; [`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 07:50:30 -07:00			`tor`
			`jq`
Add qrencode package 2019-05-17 17:00:35 -07:00			`qrencode`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 13:39:25 -07:00			`];`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00
nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. 2020-05-03 07:42:53 -07:00			`# Create operator user which can access the node's services`
			`users.users.${operatorName} = {`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`isNormalUser = true;`
operator: allow reading systemd journal 2020-04-08 14:30:10 -07:00			`extraGroups = [`
			`"systemd-journal"`
security: enable full systemd-status for group 'proc' Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate. 2020-08-20 04:11:08 -07:00			`"proc" # Enable full /proc access and systemd-status`
operator: allow reading systemd journal 2020-04-08 14:30:10 -07:00			`cfg.bitcoind.group`
			`]`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`++ (optionals cfg.clightning.enable [ "clightning" ])`
			`++ (optionals cfg.lnd.enable [ "lnd" ])`
			`++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])`
			`++ (optionals (cfg.hardware-wallets.ledger \|\| cfg.hardware-wallets.trezor)`
joinmarket: add module 2020-04-23 09:18:47 -07:00			`[ cfg.hardware-wallets.group ])`
			`++ (optionals cfg.joinmarket.enable [ cfg.joinmarket.group ]);`
fix operator authorized keys setup This fixes these flaws in `copy-root-authorized-keys`: - When `.vbox-nixops-client-key` is missing, operator's authorized_keys file is always appended to, growing the file indefinitely. - Service is always added and not restricted to nixops-vbox deployments. 2020-04-08 12:51:31 -07:00			`openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`};`
netns: add option 'allowedUser' for modules-only usage The dependency on secure-node.nix prevented using nix-bitcoin by just importing modules.nix. 2020-08-21 13:36:01 -07:00			`nix-bitcoin.netns-isolation.allowedUser = operatorName;`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# Give operator access to onion hostnames`
			`services.onion-chef.enable = true;`
nodeinfo: add btcpayserver onion 2020-08-26 02:21:54 -07:00			`services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00
			`security.sudo.configFile =`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`(optionalString cfg.lnd.enable ''`
nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. 2020-05-03 07:42:53 -07:00			`${operatorName} ALL=(lnd) NOPASSWD: ALL`
joinmarket: add module 2020-04-23 09:18:47 -07:00			`'') +`
			`(optionalString cfg.joinmarket.enable ''`
			`${operatorName} ALL=(${cfg.joinmarket.user}) NOPASSWD: ALL`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`'');`

fix operator authorized keys setup This fixes these flaws in `copy-root-authorized-keys`: - When `.vbox-nixops-client-key` is missing, operator's authorized_keys file is always appended to, growing the file indefinitely. - Service is always added and not restricted to nixops-vbox deployments. 2020-04-08 12:51:31 -07:00			# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
			`systemd.services.get-vbox-nixops-client-key =`
			`mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {`
			`postStart = ''`
nodeinfo: Convert to module and allow alternative operator username currently, nodeinfo has presets/secure-node.nix as a strict dependency as it requires onion-chef and the 'operatorName' option. and nix-bitcoin-webindex.nix has nodeinfo as a dependecy. so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use. 2020-05-03 07:42:53 -07:00			`cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"`
fix operator authorized keys setup This fixes these flaws in `copy-root-authorized-keys`: - When `.vbox-nixops-client-key` is missing, operator's authorized_keys file is always appended to, growing the file indefinitely. - Service is always added and not restricted to nixops-vbox deployments. 2020-04-08 12:51:31 -07:00			`'';`
			`};`
Add bitcoind onion service 2018-11-19 16:22:16 -08:00			`};`
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`}`