diff --git a/docs/configuration.md b/docs/configuration.md index 4a64c57..f65446a 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -250,9 +250,4 @@ following default values: - If you're using the krops deployment method: `/var/src/secrets` -- Otherwise: - - `/secrets` (if you're using the `secure-node.nix` template) - - `/etc/nix-bitcoin-secrets` (otherwise) - - `/secrets` only exists to provide backwards compatibility for users of the - `secure-node.nix` template. +- Otherwise: `/etc/nix-bitcoin-secrets` diff --git a/docs/services.md b/docs/services.md index 572bc09..28935d6 100644 --- a/docs/services.md +++ b/docs/services.md @@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node Otherwise, you can access it via Tor Browser at `http://`. You can find the `` with command `nodeinfo`. -The default password location is `/secrets/rtl-password`. +The default password location is `$secretsDir/rtl-password`. +See: [Secrets dir](./configuration.md#secrets-dir) # Connect to spark-wallet ### Requirements @@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps: Follow the on-screen instructions and write down your seed. In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password - from `/secrets/jm-wallet-password` and use the suggested default wallet name + from `$secretsDir/jm-wallet-password` and use the suggested default wallet name `wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply replace the password string in your local secrets directory. + See: [Secrets dir](./configuration.md#secrets-dir) ## Run the tumbler 
@@ -391,15 +393,10 @@ See [here](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master # clightning ## Plugins +There is a number of [plugins](https://github.com/lightningd/plugins) available for clightning. +See [`Readme: Features → clightning`](../README.md#features) or [search.nixos.org][1] for a complete list. -There are a number of [plugins](https://github.com/lightningd/plugins) available for clightning. Currently `nix-bitcoin` supports: - -- helpme -- monitor -- prometheus -- rebalance -- summary -- zmq +[1]: https://search.nixos.org/flakes?channel=unstable&from=0&size=30&sort=relevance&type=options&query=services.clightning.plugins You can activate and configure these plugins like so: diff --git a/examples/configuration.nix b/examples/configuration.nix index 4e75f64..0c84226 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -51,7 +51,7 @@ # nix-bitcoin.onionServices.clightning.public = true; # # == Plugins - # See ../docs/usage.md for the list of available plugins. + # See ../README.md (Features → clightning) for the list of available plugins. # services.clightning.plugins.prometheus.enable = true; ### LND @@ -154,7 +154,7 @@ # services.hardware-wallets.ledger = true; # # Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in - # `docs/usage.md`. + # `../docs/services.md`. # services.hardware-wallets.trezor = true; ### lightning-loop @@ -234,10 +234,15 @@ networking.hostName = "host"; time.timeZone = "UTC"; - # FIXME: Add your SSH pubkey - services.openssh.enable = true; + services.openssh = { + enable = true; + passwordAuthentication = false; + }; users.users.root = { - openssh.authorizedKeys.keys = [ "" ]; + openssh.authorizedKeys.keys = [ + # FIXME: Replace this with your SSH pubkey + "ssh-ed25519 AAAAC3..." + ]; }; # FIXME: Uncomment this to allow the operator user to run 
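Review bot: `passwordAuthentication = false;` in the new `services.openssh` block does not by itself make the node key-only, because OpenSSH still accepts keyboard-interactive (PAM) logins unless that method is disabled too, and NixOS leaves it enabled by default as far as I know; I would add `kbdInteractiveAuthentication = false;` next to it (the option was called `challengeResponseAuthentication` on older NixOS releases, so pick the name the tracked release provides). The placeholder `"ssh-ed25519 AAAAC3..."` is not a parseable public key, so a user who deploys without acting on the FIXME ends up with root having no usable key and no password fallback; a comment such as `# Deploying with this placeholder leaves no working SSH login: replace it first` next to the FIXME would make that consequence explicit. The `users.users.root` set closes inside the hunk, but the enclosing configuration continues outside it.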
@@ -261,5 +266,5 @@ # The nix-bitcoin release version that your config is compatible with. # When upgrading to a backwards-incompatible release, nix-bitcoin will display an # an error and provide hints for migrating your config to the new release. - nix-bitcoin.configVersion = "0.0.57"; + nix-bitcoin.configVersion = "0.0.65"; } diff --git a/flake.nix b/flake.nix index 96fb8a5..d27d621 100644 --- a/flake.nix +++ b/flake.nix @@ -18,8 +18,8 @@ lib = { mkNbPkgs = { system - , pkgs ? import nixpkgs { inherit system; } - , pkgsUnstable ? import nixpkgsUnstable { inherit system; } + , pkgs ? nixpkgs.legacyPackages.${system} + , pkgsUnstable ? nixpkgsUnstable.legacyPackages.${system} }: import ./pkgs { inherit pkgs pkgsUnstable; }; }; @@ -65,7 +65,7 @@ } // (flake-utils.lib.eachSystem supportedSystems (system: let - pkgs = import nixpkgs { inherit system; }; + pkgs = nixpkgs.legacyPackages.${system}; nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; }; @@ -111,7 +111,7 @@ # Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`) # via this flake. # `packages` is not allowed to contain nested pkgs attrsets. - legacyPackages = { inherit nbPkgs; }; + legacyPackages = nbPkgs; defaultApp = apps.vm; diff --git a/helper/fetch-release b/helper/fetch-release index 4cc0ccf..cc3ffdb 100755 --- a/helper/fetch-release +++ b/helper/fetch-release 
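Review bot: `legacyPackages = nbPkgs;` changes the flake's public output shape, because anything that previously read `legacyPackages.${system}.nbPkgs.<name>` now has to use `legacyPackages.${system}.<name>`, and nothing visible in the commit announces that. If downstream flakes are expected to consume this output, a transitional alias keeps both paths working: `legacyPackages = nbPkgs // { inherit nbPkgs; };`. Otherwise the comment above the line could state the new layout, i.e. that nested sets such as `modulesPkgs` are now reached directly under `legacyPackages`.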
@@ -14,15 +14,15 @@ fi TMPDIR=$(mktemp -d) trap "rm -rf $TMPDIR" EXIT -GPG_HOME=$TMPDIR/gpg-home -mkdir -p -m 700 "$GPG_HOME" +export GNUPGHOME=$TMPDIR/gpg-home +mkdir -p -m 700 "$GNUPGHOME" # Import key -gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null +gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null # Check that exactly one key was imported -(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1)) +(($(gpg --list-keys --with-colons | grep -c pub) == 1)) # Verify key fingerprint -gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null +gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null # Fetch nar-hash of release cd $TMPDIR @@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc # Verify signature for nar-hash -gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || { +gpg --verify nar-hash.txt.asc &> /dev/null || { >&2 echo "Error: Signature verification failed. Please open an issue in the project repository." exit 1 } diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index 52e9ee8..bf59a80 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -101,9 +101,14 @@ let }; users = mkOption { default = {}; + description = '' + Allowed users for JSON-RPC connections. + ''; example = { - alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; - bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99"; + alice = { + passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; + rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ]; + }; }; type = with types; attrsOf (submodule ({ name, ... }: { options = { 
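Review bot: The key-count check `(($(gpg --list-keys --with-colons | grep -c pub) == 1))` counts every line containing the substring `pub`, not only `pub:` records, so a user id containing e.g. "public" in the colon output would inflate the count; anchoring to the record type, `grep -c '^pub:'`, makes the "exactly one key" test precise. The arithmetic test only aborts the script if it runs under `set -e`, which is outside the hunk, so I would confirm that or append `|| exit 1`. A short comment on the new `export GNUPGHOME=$TMPDIR/gpg-home` line noting that the temporary keyring is removed by the `trap` above would tell readers why no explicit cleanup follows.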
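Review bot: `gpg --verify nar-hash.txt.asc` names only the signature file, so gpg infers the signed data by stripping the extension; if the fetched `.asc` were instead a complete (inline or clearsigned) signed message, gpg would verify that message on its own and `nar-hash.txt`, presumably consumed after this hunk, would not be checked at all. Passing the data file explicitly pins the check to the file actually used: `gpg --verify nar-hash.txt.asc nar-hash.txt &> /dev/null || {`. Since exactly one key is imported and its fingerprint checked in the previous hunk, a good signature here does bind the hash to that key, which is the property the script relies on.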
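Review bot: The new `description` for `users` says `Allowed users for JSON-RPC connections.` while the updated example introduces `rpcwhitelist` without a word on what it does, and the example is the first place a reader meets it before the submodule options, which continue outside the hunk. I would extend the description to `Allowed users for JSON-RPC connections. Restrict each user to the RPC methods it needs via the rpcwhitelist option.` so the least-privilege shape of the example is self-explanatory to users copying it.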
@@ -138,9 +143,6 @@ let }; }; })); - description = '' - RPC user information for JSON-RPC connections. - ''; }; }; regtest = mkOption { @@ -282,6 +284,7 @@ let configFile = builtins.toFile "bitcoin.conf" '' # We're already logging via journald nodebuglogfile=1 + logtimestamps=0 startupnotify=/run/current-system/systemd/bin/systemd-notify --ready @@ -366,7 +369,6 @@ in { systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" - "d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -" ]; systemd.services.bitcoind = { @@ -386,7 +388,12 @@ in { '' ) (builtins.attrNames cfg.rpc.users); in '' - ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"} + ${optionalString cfg.dataDirReadableByGroup '' + if [[ -e '${cfg.dataDir}/blocks' ]]; then + chmod -R g+rX '${cfg.dataDir}/blocks' + fi + ''} + cfg=$( cat ${configFile} ${extraRpcauth} diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix index 250034e..34d8ed5 100644 --- a/modules/presets/secure-node.nix +++ b/modules/presets/secure-node.nix @@ -18,9 +18,6 @@ in { }; config = { - # For backwards compatibility only - nix-bitcoin.secretsDir = mkDefault "/secrets"; - networking.firewall.enable = true; nix-bitcoin.security.dbusHideProcessInformation = true; diff --git a/modules/versioning.nix b/modules/versioning.nix index 5fd03d6..e1d6761 100644 --- a/modules/versioning.nix +++ b/modules/versioning.nix 
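Review bot: The new `if [[ -e '${cfg.dataDir}/blocks' ]]` guard, together with the removal of the `blocks` tmpfiles rule in the @@ -366 hunk, means that on a fresh data directory nothing makes `blocks` group-readable until the following start: the directory is presumably created by bitcoind after this script has already skipped the chmod (assuming this runs as a pre-start step, which the surrounding context suggests but the hunk does not show). If `dataDirReadableByGroup` is meant to hold from the first run, either keep the tmpfiles rule or document the delay on the guard, e.g. `# blocks/ does not exist before the first start; permissions are applied on the next start`. The recursive `chmod -R g+rX` also walks every block file on each start, which deserves a note on the expected cost for a full node.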
@@ -181,6 +181,27 @@ let once. ''; } + { + version = "0.0.65"; + condition = config.nix-bitcoin ? secure-node-preset-enabled && + config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets"; + message = '' + The `secure-node.nix` preset does not set the secrets directory + to "/secrets" anymore. + Instead, the default location "/etc/nix-bitcoin-secrets" is used. + + To upgrade, choose one of the following: + + - Continue using "/secrets": + Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix. + + - Move your secrets to the default location: + Run the following command as root on your node: + `rsync -a /secrets/ /etc/nix-bitcoin-secrets`. + You can delete the old "/secrets" directory after deploying the new system + config to your node. + ''; + } ]; mkOnionServiceChange = service: {