Merge fort-nix/nix-bitcoin#450: Misc. improvements
d959d5b558
secure-node: don't set `nix-bitcoin.secretsDir` (Erik Arvstedt)7b0c3d48c9
docs/services.md: link to clightning plugin list (Erik Arvstedt)7402212263
examples/configuration.nix: disable `passwordAuthentication` (Erik Arvstedt)e093bb64d9
examples/configuration.nix: fix links to `docs/services.md` (Erik Arvstedt)d41a550355
fetch-release: export GNUPGHOME (Erik Arvstedt)397b372cf3
bitcoind: improve option `rpc.users` (Erik Arvstedt)679e7b6544
bitcoind: remove unneeded tmpfile rule (Erik Arvstedt)98f419233f
bitcoind: don't log timestamps (Erik Arvstedt)6f8b4d9ebe
flake: optimize nixpkgs importing (Erik Arvstedt)16e2d4c8b7
flake: remove unneeded indirection in legacyPackages (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACKd959d5b558
Tree-SHA512: e62fcf36ac77df62b9f86279d0ebac807525d188cbf1ee5c13cf1406b3caadad0f2df7527b0c8713259cbc6d5cdfa006f01e90d5377f974213f204a2f85a8ae6
@ -250,9 +250,4 @@ following default values:
|
||||
|
||||
- If you're using the krops deployment method: `/var/src/secrets`
|
||||
|
||||
- Otherwise:
|
||||
- `/secrets` (if you're using the `secure-node.nix` template)
|
||||
- `/etc/nix-bitcoin-secrets` (otherwise)
|
||||
|
||||
`/secrets` only exists to provide backwards compatibility for users of the
|
||||
`secure-node.nix` template.
|
||||
- Otherwise: `/etc/nix-bitcoin-secrets`
|
||||
|
@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node
|
||||
|
||||
Otherwise, you can access it via Tor Browser at `http://<onion-address>`.
|
||||
You can find the `<onion-address>` with command `nodeinfo`.
|
||||
The default password location is `/secrets/rtl-password`.
|
||||
The default password location is `$secretsDir/rtl-password`.
|
||||
See: [Secrets dir](./configuration.md#secrets-dir)
|
||||
|
||||
# Connect to spark-wallet
|
||||
### Requirements
|
||||
@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps:
|
||||
Follow the on-screen instructions and write down your seed.
|
||||
|
||||
In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
|
||||
from `/secrets/jm-wallet-password` and use the suggested default wallet name
|
||||
from `$secretsDir/jm-wallet-password` and use the suggested default wallet name
|
||||
`wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
|
||||
replace the password string in your local secrets directory.
|
||||
See: [Secrets dir](./configuration.md#secrets-dir)
|
||||
|
||||
## Run the tumbler
|
||||
|
||||
@ -391,15 +393,10 @@ See [here](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master
|
||||
# clightning
|
||||
|
||||
## Plugins
|
||||
There is a number of [plugins](https://github.com/lightningd/plugins) available for clightning.
|
||||
See [`Readme: Features → clightning`](../README.md#features) or [search.nixos.org][1] for a complete list.
|
||||
|
||||
There are a number of [plugins](https://github.com/lightningd/plugins) available for clightning. Currently `nix-bitcoin` supports:
|
||||
|
||||
- helpme
|
||||
- monitor
|
||||
- prometheus
|
||||
- rebalance
|
||||
- summary
|
||||
- zmq
|
||||
[1]: https://search.nixos.org/flakes?channel=unstable&from=0&size=30&sort=relevance&type=options&query=services.clightning.plugins
|
||||
|
||||
You can activate and configure these plugins like so:
|
||||
|
||||
|
@ -51,7 +51,7 @@
|
||||
# nix-bitcoin.onionServices.clightning.public = true;
|
||||
#
|
||||
# == Plugins
|
||||
# See ../docs/usage.md for the list of available plugins.
|
||||
# See ../README.md (Features → clightning) for the list of available plugins.
|
||||
# services.clightning.plugins.prometheus.enable = true;
|
||||
|
||||
### LND
|
||||
@ -154,7 +154,7 @@
|
||||
# services.hardware-wallets.ledger = true;
|
||||
#
|
||||
# Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
|
||||
# `docs/usage.md`.
|
||||
# `../docs/services.md`.
|
||||
# services.hardware-wallets.trezor = true;
|
||||
|
||||
### lightning-loop
|
||||
@ -234,10 +234,15 @@
|
||||
networking.hostName = "host";
|
||||
time.timeZone = "UTC";
|
||||
|
||||
# FIXME: Add your SSH pubkey
|
||||
services.openssh.enable = true;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
};
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keys = [ "" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
# FIXME: Replace this with your SSH pubkey
|
||||
"ssh-ed25519 AAAAC3..."
|
||||
];
|
||||
};
|
||||
|
||||
# FIXME: Uncomment this to allow the operator user to run
|
||||
@ -261,5 +266,5 @@
|
||||
# The nix-bitcoin release version that your config is compatible with.
|
||||
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
|
||||
# an error and provide hints for migrating your config to the new release.
|
||||
nix-bitcoin.configVersion = "0.0.57";
|
||||
nix-bitcoin.configVersion = "0.0.65";
|
||||
}
|
||||
|
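Review bot: Setting `passwordAuthentication = false;` in the hunk at @ -234,10 +234,15 @@ does not by itself stop password logins: sshd still accepts a password through keyboard-interactive (PAM) authentication unless that method is disabled too. Consider disabling it alongside, i.e. the sshd setting `KbdInteractiveAuthentication no` through the matching NixOS option (the option name depends on the NixOS release the example targets — confirm), and add a comment stating that both are needed. With password logins off, the placeholder `"ssh-ed25519 AAAAC3..."` is not a valid key, so until the FIXME is resolved root has no working login path; the comment could warn that deploying before replacing it locks out remote access. The rest of the example configuration lies outside the hunk.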
@ -18,8 +18,8 @@
|
||||
lib = {
|
||||
mkNbPkgs = {
|
||||
system
|
||||
, pkgs ? import nixpkgs { inherit system; }
|
||||
, pkgsUnstable ? import nixpkgsUnstable { inherit system; }
|
||||
, pkgs ? nixpkgs.legacyPackages.${system}
|
||||
, pkgsUnstable ? nixpkgsUnstable.legacyPackages.${system}
|
||||
}:
|
||||
import ./pkgs { inherit pkgs pkgsUnstable; };
|
||||
};
|
||||
@ -65,7 +65,7 @@
|
||||
|
||||
} // (flake-utils.lib.eachSystem supportedSystems (system:
|
||||
let
|
||||
pkgs = import nixpkgs { inherit system; };
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
|
||||
nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; };
|
||||
|
||||
@ -111,7 +111,7 @@
|
||||
# Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`)
|
||||
# via this flake.
|
||||
# `packages` is not allowed to contain nested pkgs attrsets.
|
||||
legacyPackages = { inherit nbPkgs; };
|
||||
legacyPackages = nbPkgs;
|
||||
|
||||
defaultApp = apps.vm;
|
||||
|
||||
|
@ -14,15 +14,15 @@ fi
|
||||
TMPDIR=$(mktemp -d)
|
||||
trap "rm -rf $TMPDIR" EXIT
|
||||
|
||||
GPG_HOME=$TMPDIR/gpg-home
|
||||
mkdir -p -m 700 "$GPG_HOME"
|
||||
export GNUPGHOME=$TMPDIR/gpg-home
|
||||
mkdir -p -m 700 "$GNUPGHOME"
|
||||
|
||||
# Import key
|
||||
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
||||
gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
||||
# Check that exactly one key was imported
|
||||
(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1))
|
||||
(($(gpg --list-keys --with-colons | grep -c pub) == 1))
|
||||
# Verify key fingerprint
|
||||
gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
|
||||
gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
|
||||
|
||||
# Fetch nar-hash of release
|
||||
cd $TMPDIR
|
||||
@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
|
||||
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
|
||||
|
||||
# Verify signature for nar-hash
|
||||
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
|
||||
gpg --verify nar-hash.txt.asc &> /dev/null || {
|
||||
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
|
||||
exit 1
|
||||
}
|
||||
|
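Review bot: The `(($(gpg --list-keys --with-colons | grep -c pub) == 1))` check in the hunk at @ -14,15 +14,15 @@ only aborts the script if errexit is in effect; the script header is outside the hunk, so this should be confirmed, otherwise an unexpected key count falls through to the fingerprint lookup. The temporary directory is expanded unquoted in `trap "rm -rf $TMPDIR" EXIT`, `export GNUPGHOME=$TMPDIR/gpg-home` and `cd $TMPDIR`; since `mktemp -d` honours the caller's TMPDIR, quoting them (`trap 'rm -rf "$TMPDIR"' EXIT`, `cd "$TMPDIR"`) keeps the cleanup and the later `gpg --verify` correct for paths containing spaces. Otherwise the sequence is sound: the import, the single-key count and the fingerprint lookup pin the throwaway keyring to one known key before the signature on `nar-hash.txt` is verified.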
@ -101,9 +101,14 @@ let
|
||||
};
|
||||
users = mkOption {
|
||||
default = {};
|
||||
description = ''
|
||||
Allowed users for JSON-RPC connections.
|
||||
'';
|
||||
example = {
|
||||
alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
|
||||
bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
|
||||
alice = {
|
||||
passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
|
||||
rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];
|
||||
};
|
||||
};
|
||||
type = with types; attrsOf (submodule ({ name, ... }: {
|
||||
options = {
|
||||
@ -138,9 +143,6 @@ let
|
||||
};
|
||||
};
|
||||
}));
|
||||
description = ''
|
||||
RPC user information for JSON-RPC connections.
|
||||
'';
|
||||
};
|
||||
};
|
||||
regtest = mkOption {
|
||||
@ -282,6 +284,7 @@ let
|
||||
configFile = builtins.toFile "bitcoin.conf" ''
|
||||
# We're already logging via journald
|
||||
nodebuglogfile=1
|
||||
logtimestamps=0
|
||||
|
||||
startupnotify=/run/current-system/systemd/bin/systemd-notify --ready
|
||||
|
||||
@ -366,7 +369,6 @@ in {
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
"d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
|
||||
systemd.services.bitcoind = {
|
||||
@ -386,7 +388,12 @@ in {
|
||||
''
|
||||
) (builtins.attrNames cfg.rpc.users);
|
||||
in ''
|
||||
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
||||
${optionalString cfg.dataDirReadableByGroup ''
|
||||
if [[ -e '${cfg.dataDir}/blocks' ]]; then
|
||||
chmod -R g+rX '${cfg.dataDir}/blocks'
|
||||
fi
|
||||
''}
|
||||
|
||||
cfg=$(
|
||||
cat ${configFile}
|
||||
${extraRpcauth}
|
||||
|
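Review bot: The new `if [[ -e '${cfg.dataDir}/blocks' ]]` guard in the hunk at @ -386,7 +388,12 @@ means that, once the tmpfiles rule creating `blocks` is dropped (hunk @ -366,7 +369,6 @@), the `chmod -R g+rX` is skipped on the first start, when bitcoind creates the directory itself; group readability of the blocks written during that first run then depends on the service's umask until the next restart — presumably acceptable, but worth stating. Suggested comment above the guard: `# 'blocks' is created by bitcoind on first start; until the next restart its group access depends on the service umask`. The preStart script introduced by `in ''` continues outside the hunk.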
@ -18,9 +18,6 @@ in {
|
||||
};
|
||||
|
||||
config = {
|
||||
# For backwards compatibility only
|
||||
nix-bitcoin.secretsDir = mkDefault "/secrets";
|
||||
|
||||
networking.firewall.enable = true;
|
||||
|
||||
nix-bitcoin.security.dbusHideProcessInformation = true;
|
||||
|
@ -181,6 +181,27 @@ let
|
||||
once.
|
||||
'';
|
||||
}
|
||||
{
|
||||
version = "0.0.65";
|
||||
condition = config.nix-bitcoin ? secure-node-preset-enabled &&
|
||||
config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets";
|
||||
message = ''
|
||||
The `secure-node.nix` preset does not set the secrets directory
|
||||
to "/secrets" anymore.
|
||||
Instead, the default location "/etc/nix-bitcoin-secrets" is used.
|
||||
|
||||
To upgrade, choose one of the following:
|
||||
|
||||
- Continue using "/secrets":
|
||||
Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix.
|
||||
|
||||
- Move your secrets to the default location:
|
||||
Run the following command as root on your node:
|
||||
`rsync -a /secrets/ /etc/nix-bitcoin-secrets`.
|
||||
You can delete the old "/secrets" directory after deploying the new system
|
||||
config to your node.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
mkOnionServiceChange = service: {
|
||||
|