nix-bitcoin/modules/presets/secure-node.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services;

  mkHiddenService = map: {
    map = [ map ];
    version = 3;
  };
in {
  imports = [ ../modules.nix ];

  options = {
    services.clightning.onionport = mkOption {
      type = types.ints.u16;
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };

    services.electrs.onionport = mkOption {
      type = types.ints.u16;
      default = 50002;
      description = "Port on which to listen for tor client connections.";
    };
  };

  config =  {
    # For backwards compatibility only
    nix-bitcoin.secretsDir = mkDefault "/secrets";

    networking.firewall.enable = true;

    # Tor
    services.tor = {
      enable = true;
      client.enable = true;
      # LND uses ControlPort to create onion services
      controlPort = mkIf cfg.lnd.enable 9051;

      hiddenServices.sshd = mkHiddenService { port = 22; };
    };

    # bitcoind
    services.bitcoind = {
      enable = true;
      listen = true;
      sysperms = if cfg.electrs.enable then true else null;
      disablewallet = if cfg.electrs.enable then true else null;
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      port = 8333;
      zmqpubrawblock = "tcp://127.0.0.1:28332";
      zmqpubrawtx = "tcp://127.0.0.1:28333";
      assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
      addnodes = [ "ecoc5q34tmbq54wl.onion" ];
      discover = false;
      addresstype = "bech32";
      prune = 0;
      dbCache = 1000;
    };
    services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; };

    # clightning
    services.clightning = {
      bitcoin-rpcuser = cfg.bitcoind.rpcuser;
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      always-use-proxy = true;
      bind-addr = "127.0.0.1:${toString cfg.clightning.onionport}";
    };
    services.tor.hiddenServices.clightning = mkHiddenService { port = cfg.clightning.onionport; };

    # lnd
    services.lnd.enforceTor = true;

    # liquidd
    services.liquidd = {
      rpcuser = "liquidrpc";
      prune = 1000;
      extraConfig = ''
        mainchainrpcuser=${cfg.bitcoind.rpcuser}
        mainchainrpcport=8332
      '';
      validatepegin = true;
      listen = true;
      proxy = cfg.tor.client.socksListenAddress;
      enforceTor = true;
      port = 7042;
    };
    services.tor.hiddenServices.liquidd = mkHiddenService { port = cfg.liquidd.port; };

    # electrs
    services.electrs = {
      port = 50001;
      enforceTor = true;
      TLSProxy.enable = true;
      TLSProxy.port = 50003;
    };
    services.tor.hiddenServices.electrs = mkHiddenService {
      port = cfg.electrs.onionport;
      toPort = cfg.electrs.TLSProxy.port;
    };

    services.spark-wallet.onion-service = true;

    services.nix-bitcoin-webindex.enforceTor = true;


    environment.systemPackages = with pkgs; [
      tor
      jq
      qrencode
      nix-bitcoin.nodeinfo
    ];

    # Create user operator which can use bitcoin-cli and lightning-cli
    users.users.operator = {
      isNormalUser = true;
      extraGroups = [ cfg.bitcoind.group ]
        ++ (optionals cfg.clightning.enable [ "clightning" ])
        ++ (optionals cfg.lnd.enable [ "lnd" ])
        ++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
        ++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
            [ cfg.hardware-wallets.group ]);
    };
    # Give operator access to onion hostnames
    services.onion-chef.enable = true;
    services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

    # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
    # https://github.com/ElementsProject/lightning/issues/1366
    security.sudo.configFile =
     (optionalString cfg.clightning.enable ''
       operator    ALL=(clightning) NOPASSWD: ALL
     '') +
     (optionalString cfg.lnd.enable ''
       operator    ALL=(lnd) NOPASSWD: ALL
     '');

    # Give root ssh access to the operator account
    # FIXME: move this to deployment/nixops.nix after merging PR 'nix-bitcoin-as-module'
    systemd.services.copy-root-authorized-keys = {
      description = "Copy root authorized keys";
      wantedBy = [ "multi-user.target" ];
      serviceConfig.type = "oneshot";
      script =  let
        operator = config.users.users.operator.home;
        root = config.users.users.root.home;
      in ''
        mkdir -p ${operator}/.ssh
        if [[ -e "${root}/.vbox-nixops-client-key" ]]; then
          cp ${root}/.vbox-nixops-client-key ${operator}/.ssh/authorized_keys
        fi
        if [[ -e "/etc/ssh/authorized_keys.d/root" ]]; then
          cat /etc/ssh/authorized_keys.d/root >> ${operator}/.ssh/authorized_keys
        fi
        chown -R operator ${operator}/.ssh
      '';
    };
  };
}
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`cfg = config.services;`

extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`mkHiddenService = map: {`
			`map = [ map ];`
			`version = 3;`
			`};`
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`in {`
rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-07 13:47:32 -07:00			`imports = [ ../modules.nix ];`
add clightning 2018-11-22 10:32:26 -08:00
move electrs.onionport option Only used in secure-node.nix 2020-04-07 13:47:40 -07:00			`options = {`
add option clightning.onionport Analogous to electrs.onionport 2020-04-07 13:47:41 -07:00			`services.clightning.onionport = mkOption {`
			`type = types.ints.u16;`
			`default = 9735;`
			`description = "Port on which to listen for tor client connections.";`
			`};`

move electrs.onionport option Only used in secure-node.nix 2020-04-07 13:47:40 -07:00			`services.electrs.onionport = mkOption {`
			`type = types.ints.u16;`
			`default = 50002;`
			`description = "Port on which to listen for tor client connections.";`
			`};`
			`};`

add nix-bitcoin.nix for backwards compatibility 2020-04-07 13:47:33 -07:00			`config = {`
			`# For backwards compatibility only`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`nix-bitcoin.secretsDir = mkDefault "/secrets";`

Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 11:16:24 -08:00			`networking.firewall.enable = true;`

add clightning 2018-11-22 10:32:26 -08:00			`# Tor`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.tor = {`
			`enable = true;`
			`client.enable = true;`
			`# LND uses ControlPort to create onion services`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`controlPort = mkIf cfg.lnd.enable 9051;`
add clightning 2018-11-22 10:32:26 -08:00
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`hiddenServices.sshd = mkHiddenService { port = 22; };`
Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 11:16:24 -08:00			`};`
Add sshd onion service 2018-12-27 13:22:52 -08:00
Add Carl's bitcoind module 2018-11-22 16:46:56 -08:00			`# bitcoind`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.bitcoind = {`
			`enable = true;`
			`listen = true;`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`sysperms = if cfg.electrs.enable then true else null;`
			`disablewallet = if cfg.electrs.enable then true else null;`
			`proxy = cfg.tor.client.socksListenAddress;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`enforceTor = true;`
			`port = 8333;`
			`zmqpubrawblock = "tcp://127.0.0.1:28332";`
			`zmqpubrawtx = "tcp://127.0.0.1:28333";`
			`assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";`
			`addnodes = [ "ecoc5q34tmbq54wl.onion" ];`
			`discover = false;`
			`addresstype = "bech32";`
			`prune = 0;`
			`dbCache = 1000;`
			`};`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; };`
add clightning 2018-11-22 10:32:26 -08:00
			`# clightning`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.clightning = {`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`bitcoin-rpcuser = cfg.bitcoind.rpcuser;`
			`proxy = cfg.tor.client.socksListenAddress;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`enforceTor = true;`
			`always-use-proxy = true;`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`bind-addr = "127.0.0.1:${toString cfg.clightning.onionport}";`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`};`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`services.tor.hiddenServices.clightning = mkHiddenService { port = cfg.clightning.onionport; };`
Add index page with nginx 2018-12-01 12:48:58 -08:00
Add LND support 2019-08-05 01:44:38 -07:00			`# lnd`
			`services.lnd.enforceTor = true;`

rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# liquidd`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.liquidd = {`
			`rpcuser = "liquidrpc";`
			`prune = 1000;`
fixup! use '' for multi-line string 2020-04-07 13:47:43 -07:00			`extraConfig = ''`
			`mainchainrpcuser=${cfg.bitcoind.rpcuser}`
			`mainchainrpcport=8332`
			`'';`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`validatepegin = true;`
			`listen = true;`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`proxy = cfg.tor.client.socksListenAddress;`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`enforceTor = true;`
			`port = 7042;`
			`};`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`services.tor.hiddenServices.liquidd = mkHiddenService { port = cfg.liquidd.port; };`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-27 16:53:26 -07:00
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`# electrs`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00			`services.electrs = {`
			`port = 50001;`
			`enforceTor = true;`
			`TLSProxy.enable = true;`
			`TLSProxy.port = 50003;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 13:47:37 -07:00			`services.tor.hiddenServices.electrs = mkHiddenService {`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`port = cfg.electrs.onionport;`
			`toPort = cfg.electrs.TLSProxy.port;`
Fix electrs and add electrs hidden service 2019-02-25 08:00:50 -08:00			`};`
improve grouping of suboptions 2020-04-07 13:47:35 -07:00
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`services.spark-wallet.onion-service = true;`

			`services.nix-bitcoin-webindex.enforceTor = true;`


move systemPackages definitions to services These are generally useful and shouldn't be limited to secure-node.nix. Also, only add the hardware-wallets group when hardware wallets are enabled. 2020-04-07 13:47:45 -07:00			`environment.systemPackages = with pkgs; [`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 07:50:30 -07:00			`tor`
			`jq`
Add qrencode package 2019-05-17 17:00:35 -07:00			`qrencode`
move systemPackages definitions to services These are generally useful and shouldn't be limited to secure-node.nix. Also, only add the hardware-wallets group when hardware wallets are enabled. 2020-04-07 13:47:45 -07:00			`nix-bitcoin.nodeinfo`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 13:39:25 -07:00			`];`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00
			`# Create user operator which can use bitcoin-cli and lightning-cli`
			`users.users.operator = {`
			`isNormalUser = true;`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`extraGroups = [ cfg.bitcoind.group ]`
			`++ (optionals cfg.clightning.enable [ "clightning" ])`
			`++ (optionals cfg.lnd.enable [ "lnd" ])`
			`++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])`
			`++ (optionals (cfg.hardware-wallets.ledger \|\| cfg.hardware-wallets.trezor)`
			`[ cfg.hardware-wallets.group ]);`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`};`
			`# Give operator access to onion hostnames`
			`services.onion-chef.enable = true;`
			`services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];`

			`# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket`
			`# https://github.com/ElementsProject/lightning/issues/1366`
			`security.sudo.configFile =`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`(optionalString cfg.clightning.enable ''`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`operator ALL=(clightning) NOPASSWD: ALL`
			`'') +`
extract variable 'cfg' 2020-04-07 13:47:42 -07:00			`(optionalString cfg.lnd.enable ''`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`operator ALL=(lnd) NOPASSWD: ALL`
			`'');`

			`# Give root ssh access to the operator account`
copy-root-authorized-keys: use inline script definition 2020-04-07 13:47:44 -07:00			`# FIXME: move this to deployment/nixops.nix after merging PR 'nix-bitcoin-as-module'`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`systemd.services.copy-root-authorized-keys = {`
			`description = "Copy root authorized keys";`
			`wantedBy = [ "multi-user.target" ];`
copy-root-authorized-keys: use inline script definition 2020-04-07 13:47:44 -07:00			`serviceConfig.type = "oneshot";`
			`script = let`
			`operator = config.users.users.operator.home;`
			`root = config.users.users.root.home;`
			`in ''`
			`mkdir -p ${operator}/.ssh`
			`if [[ -e "${root}/.vbox-nixops-client-key" ]]; then`
			`cp ${root}/.vbox-nixops-client-key ${operator}/.ssh/authorized_keys`
			`fi`
			`if [[ -e "/etc/ssh/authorized_keys.d/root" ]]; then`
			`cat /etc/ssh/authorized_keys.d/root >> ${operator}/.ssh/authorized_keys`
			`fi`
			`chown -R operator ${operator}/.ssh`
			`'';`
rearrange code sections Move services to the top, operator account setup to the bottom. 2020-04-07 13:47:38 -07:00			`};`
Add bitcoind onion service 2018-11-19 16:22:16 -08:00			`};`
Add onion listening node with tor HS v3 2018-11-19 15:09:57 -08:00			`}`