nix-bitcoin/modules/presets/secure-node.nix

{ config, lib, pkgs, ... }:

with lib;

let
  mkHiddenService = map: {
    map = [ map ];
    version = 3;
  };

  operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''
    mkdir -p ${config.users.users.operator.home}/.ssh
    if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then
      cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys
    fi
    if [ -e "/etc/ssh/authorized_keys.d/root" ]; then
      cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys
    fi
    chown -R operator ${config.users.users.operator.home}/.ssh
  '';
in {
  imports = [ ../modules.nix ];

  options = {
    services.clightning.onionport = mkOption {
      type = types.ints.u16;
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };

    services.electrs.onionport = mkOption {
      type = types.ints.u16;
      default = 50002;
      description = "Port on which to listen for tor client connections.";
    };
  };

  config =  {
    # For backwards compatibility only
    nix-bitcoin.secretsDir = mkDefault "/secrets";

    networking.firewall.enable = true;

    # Tor
    services.tor = {
      enable = true;
      client.enable = true;
      # LND uses ControlPort to create onion services
      controlPort = mkIf config.services.lnd.enable 9051;

      hiddenServices.sshd = mkHiddenService { port = 22; };
    };

    # bitcoind
    services.bitcoind = {
      enable = true;
      listen = true;
      sysperms = if config.services.electrs.enable then true else null;
      disablewallet = if config.services.electrs.enable then true else null;
      proxy = config.services.tor.client.socksListenAddress;
      enforceTor = true;
      port = 8333;
      zmqpubrawblock = "tcp://127.0.0.1:28332";
      zmqpubrawtx = "tcp://127.0.0.1:28333";
      assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
      addnodes = [ "ecoc5q34tmbq54wl.onion" ];
      discover = false;
      addresstype = "bech32";
      prune = 0;
      dbCache = 1000;
    };
    services.tor.hiddenServices.bitcoind = mkHiddenService { port = config.services.bitcoind.port; };

    # clightning
    services.clightning = {
      bitcoin-rpcuser = config.services.bitcoind.rpcuser;
      proxy = config.services.tor.client.socksListenAddress;
      enforceTor = true;
      always-use-proxy = true;
      bind-addr = "127.0.0.1:${toString config.services.clightning.onionport}";
    };
    services.tor.hiddenServices.clightning = mkHiddenService { port = config.services.clightning.onionport; };

    # lnd
    services.lnd.enforceTor = true;

    # liquidd
    services.liquidd = {
      rpcuser = "liquidrpc";
      prune = 1000;
      extraConfig = "
      mainchainrpcuser=${config.services.bitcoind.rpcuser}
      mainchainrpcport=8332
    ";
      validatepegin = true;
      listen = true;
      proxy = config.services.tor.client.socksListenAddress;
      enforceTor = true;
      port = 7042;
    };
    services.tor.hiddenServices.liquidd = mkHiddenService { port = config.services.liquidd.port; };

    # electrs
    services.electrs = {
      port = 50001;
      enforceTor = true;
      TLSProxy.enable = true;
      TLSProxy.port = 50003;
    };
    services.tor.hiddenServices.electrs = mkHiddenService {
      port = config.services.electrs.onionport;
      toPort = config.services.electrs.TLSProxy.port;
    };

    services.spark-wallet.onion-service = true;

    services.nix-bitcoin-webindex.enforceTor = true;


    environment.systemPackages = with pkgs; with nix-bitcoin; let
      s = config.services;
    in
    [
      tor
      bitcoind
      (hiPrio s.bitcoind.cli)
      nodeinfo
      jq
      qrencode
    ]
    ++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]
    ++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]
    ++ optionals s.lightning-charge.enable [lightning-charge]
    ++ optionals s.nanopos.enable [nanopos]
    ++ optionals s.nix-bitcoin-webindex.enable [nginx]
    ++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]
    ++ optionals s.spark-wallet.enable [spark-wallet]
    ++ optionals s.electrs.enable [electrs]
    ++ optionals (s.hardware-wallets.ledger || s.hardware-wallets.trezor) [
        hwi
        # To allow debugging issues with lsusb
        usbutils
    ]
    ++ optionals s.hardware-wallets.trezor [
        python3.pkgs.trezor
    ];

    # Create user operator which can use bitcoin-cli and lightning-cli
    users.users.operator = {
      isNormalUser = true;
      extraGroups = [ config.services.bitcoind.group ]
        ++ (optionals config.services.clightning.enable [ "clightning" ])
        ++ (optionals config.services.lnd.enable [ "lnd" ])
        ++ (optionals config.services.liquidd.enable [ config.services.liquidd.group ])
        ++ (optionals (config.services.hardware-wallets.ledger || config.services.hardware-wallets.trezor)
            [ config.services.hardware-wallets.group ]);
    };
    # Give operator access to onion hostnames
    services.onion-chef.enable = true;
    services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

    # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
    # https://github.com/ElementsProject/lightning/issues/1366
    security.sudo.configFile =
     (optionalString config.services.clightning.enable ''
       operator    ALL=(clightning) NOPASSWD: ALL
     '') +
     (optionalString config.services.lnd.enable ''
       operator    ALL=(lnd) NOPASSWD: ALL
     '');

    # Give root ssh access to the operator account
    systemd.services.copy-root-authorized-keys = {
      description = "Copy root authorized keys";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";
        user = "root";
        type = "oneshot";
      };
    };
  };
}
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`mkHiddenService = map: {`
			`map = [ map ];`
			`version = 3;`
			`};`

rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-07 13:47:32 -07:00			`operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''`
Don't assume virtual box deployments when copying authorized keys 2018-12-10 15:11:44 -08:00			`mkdir -p ${config.users.users.operator.home}/.ssh`
			`if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then`
			`cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys`
			`fi`
			`if [ -e "/etc/ssh/authorized_keys.d/root" ]; then`
			`cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys`
			`fi`
			`chown -R operator ${config.users.users.operator.home}/.ssh`
			`'';`
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`in {`
rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-07 13:47:32 -07:00			`imports = [ ../modules.nix ];`
add clightning 2018-11-22 10:32:26 -08:00
move electrs.onionport option Only used in secure-node.nix 2020-04-07 13:47:40 -07:00			`options = {`
add option clightning.onionport Analogous to electrs.onionport 2020-04-07 13:47:41 -07:00			`services.clightning.onionport = mkOption {`
			`type = types.ints.u16;`
			`default = 9735;`
			`description = "Port on which to listen for tor client connections.";`
			`};`

move electrs.onionport option Only used in secure-node.nix 2020-04-07 13:47:40 -07:00			`services.electrs.onionport = mkOption {`
			`type = types.ints.u16;`
			`default = 50002;`
			`description = "Port on which to listen for tor client connections.";`
			`};`
			`};`

add nix-bitcoin.nix for backwards compatibility 2020-04-07 13:47:33 -07:00			`config = {`
			`# For backwards compatibility only`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`nix-bitcoin.secretsDir = mkDefault "/secrets";`

Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 11:16:24 -08:00			`networking.firewall.enable = true;`

add clightning 2018-11-22 10:32:26 -08:00			`# Tor`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.tor = {`
			`enable = true;`
			`client.enable = true;`
			`# LND uses ControlPort to create onion services`
use mkIf 2020-04-07 13:47:36 -07:00			`controlPort = mkIf config.services.lnd.enable 9051;`
add clightning 2018-11-22 10:32:26 -08:00
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`hiddenServices.sshd = mkHiddenService { port = 22; };`
Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 11:16:24 -08:00			`};`
Add sshd onion service 2018-12-27 13:22:52 -08:00
Add Carl's bitcoind module 2018-11-22 16:46:56 -08:00			`# bitcoind`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.bitcoind = {`
			`enable = true;`
			`listen = true;`
			`sysperms = if config.services.electrs.enable then true else null;`
			`disablewallet = if config.services.electrs.enable then true else null;`
			`proxy = config.services.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`port = 8333;`
			`zmqpubrawblock = "tcp://127.0.0.1:28332";`
			`zmqpubrawtx = "tcp://127.0.0.1:28333";`
			`assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";`
			`addnodes = [ "ecoc5q34tmbq54wl.onion" ];`
			`discover = false;`
			`addresstype = "bech32";`
			`prune = 0;`
			`dbCache = 1000;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`services.tor.hiddenServices.bitcoind = mkHiddenService { port = config.services.bitcoind.port; };`
add clightning 2018-11-22 10:32:26 -08:00
			`# clightning`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.clightning = {`
			`bitcoin-rpcuser = config.services.bitcoind.rpcuser;`
			`proxy = config.services.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`always-use-proxy = true;`
add option clightning.onionport Analogous to electrs.onionport 2020-04-07 13:47:41 -07:00			`bind-addr = "127.0.0.1:${toString config.services.clightning.onionport}";`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`};`
add option clightning.onionport Analogous to electrs.onionport 2020-04-07 13:47:41 -07:00			`services.tor.hiddenServices.clightning = mkHiddenService { port = config.services.clightning.onionport; };`
Add index page with nginx 2018-12-01 12:48:58 -08:00
Add LND support 2019-08-05 01:44:38 -07:00			`# lnd`
			`services.lnd.enforceTor = true;`

rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# liquidd`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.liquidd = {`
			`rpcuser = "liquidrpc";`
			`prune = 1000;`
			`extraConfig = "`
Enable validatepegin in liquid module 2019-02-11 00:02:11 -08:00			`mainchainrpcuser=${config.services.bitcoind.rpcuser}`
			`mainchainrpcport=8332`
			`";`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`validatepegin = true;`
			`listen = true;`
			`proxy = config.services.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`port = 7042;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`services.tor.hiddenServices.liquidd = mkHiddenService { port = config.services.liquidd.port; };`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# electrs`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.electrs = {`
			`port = 50001;`
			`enforceTor = true;`
			`TLSProxy.enable = true;`
			`TLSProxy.port = 50003;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`services.tor.hiddenServices.electrs = mkHiddenService {`
			`port = config.services.electrs.onionport;`
			`toPort = config.services.electrs.TLSProxy.port;`
Fix electrs and add electrs hidden service 2019-02-25 08:00:50 -08:00			`};`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`services.spark-wallet.onion-service = true;`

			`services.nix-bitcoin-webindex.enforceTor = true;`


systemPackages: improve readability with shorter service references 2019-11-27 05:04:36 -08:00			`environment.systemPackages = with pkgs; with nix-bitcoin; let`
			`s = config.services;`
			`in`
			`[`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 07:50:30 -07:00			`tor`
add nix-bitcoin pkgs namespace Not polluting the main pkgs namespace with internal pkgs makes it easier to integrate the nix-bitcoin modules into a larger config. Also, by overriding the nix-bitcoin namespace, users can now easily set the packages used by services that offer no explicit `package` option, like `clightning`. 2019-11-27 05:04:21 -08:00			`bitcoind`
systemPackages: improve readability with shorter service references 2019-11-27 05:04:36 -08:00			`(hiPrio s.bitcoind.cli)`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 07:50:30 -07:00			`nodeinfo`
			`jq`
Add qrencode package 2019-05-17 17:00:35 -07:00			`qrencode`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 07:50:30 -07:00			`]`
systemPackages: improve readability with shorter service references 2019-11-27 05:04:36 -08:00			`++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]`
			`++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]`
			`++ optionals s.lightning-charge.enable [lightning-charge]`
			`++ optionals s.nanopos.enable [nanopos]`
			`++ optionals s.nix-bitcoin-webindex.enable [nginx]`
			`++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]`
			`++ optionals s.spark-wallet.enable [spark-wallet]`
			`++ optionals s.electrs.enable [electrs]`
			`++ optionals (s.hardware-wallets.ledger \|\| s.hardware-wallets.trezor) [`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 13:39:25 -07:00			`hwi`
systemPackages: improve readability with shorter service references 2019-11-27 05:04:36 -08:00			`# To allow debugging issues with lsusb`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 13:39:25 -07:00			`usbutils`
			`]`
systemPackages: improve readability with shorter service references 2019-11-27 05:04:36 -08:00			`++ optionals s.hardware-wallets.trezor [`
Switch from python 3.5 to python 3.x for trezor 2019-10-27 12:52:56 -07:00			`python3.pkgs.trezor`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 13:39:25 -07:00			`];`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00
			`# Create user operator which can use bitcoin-cli and lightning-cli`
			`users.users.operator = {`
			`isNormalUser = true;`
			`extraGroups = [ config.services.bitcoind.group ]`
use lib.optionals 2020-04-07 13:47:39 -07:00			`++ (optionals config.services.clightning.enable [ "clightning" ])`
			`++ (optionals config.services.lnd.enable [ "lnd" ])`
			`++ (optionals config.services.liquidd.enable [ config.services.liquidd.group ])`
			`++ (optionals (config.services.hardware-wallets.ledger \|\| config.services.hardware-wallets.trezor)`
			`[ config.services.hardware-wallets.group ]);`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`};`
			`# Give operator access to onion hostnames`
			`services.onion-chef.enable = true;`
			`services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];`

			`# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket`
			`# https://github.com/ElementsProject/lightning/issues/1366`
			`security.sudo.configFile =`
			`(optionalString config.services.clightning.enable ''`
			`operator ALL=(clightning) NOPASSWD: ALL`
			`'') +`
			`(optionalString config.services.lnd.enable ''`
			`operator ALL=(lnd) NOPASSWD: ALL`
			`'');`

			`# Give root ssh access to the operator account`
			`systemd.services.copy-root-authorized-keys = {`
			`description = "Copy root authorized keys";`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";`
			`user = "root";`
			`type = "oneshot";`
			`};`
			`};`
Add bitcoind onion service 2018-11-19 16:22:16 -08:00			`};`
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`}`