From 16e2d4c8b714f3861405bb610694a0e3dc6a7ee9 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:24 +0100
Subject: [PATCH 01/10] flake: remove unneeded indirection in legacyPackages
Example: The nix-bitcoin electrs pkg can now be reached via flake attr .#modulesPkgs.electrs instead of .#nbPkgs.modulesPkgs.electrs
---
flake.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 96fb8a5..273216c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,7 +111,7 @@
# Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`)
# via this flake.
# `packages` is not allowed to contain nested pkgs attrsets.
- legacyPackages = { inherit nbPkgs; };
+ legacyPackages = nbPkgs;
defaultApp = apps.vm;
From 6f8b4d9ebe00e7b62ce5bff1fb3a9573d976b721 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:25 +0100
Subject: [PATCH 02/10] flake: optimize nixpkgs importing
`nixpkgs.legacyPackages.${system}` allows reusing a single pkgs instance that is shared among all flakes with the same `nixpkgs` input. This is relevant when a user overrides the `nixpkgs` input of our flake or exports our `nixpkgs` input to other flakes. `import nixpkgs` would create a new pkgs instance instead.
---
flake.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.nix b/flake.nix
index 273216c..d27d621 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,8 +18,8 @@
lib = {
mkNbPkgs = {
system
- , pkgs ? import nixpkgs { inherit system; }
- , pkgsUnstable ? import nixpkgsUnstable { inherit system; }
+ , pkgs ? nixpkgs.legacyPackages.${system}
+ , pkgsUnstable ? nixpkgsUnstable.legacyPackages.${system}
}:
import ./pkgs { inherit pkgs pkgsUnstable; };
};
@@ -65,7 +65,7 @@
} // (flake-utils.lib.eachSystem supportedSystems (system:
let
- pkgs = import nixpkgs { inherit system; };
+ pkgs = nixpkgs.legacyPackages.${system};
nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; };
From 98f419233f0b90d764efdb212db0551044d3faad Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:26 +0100
Subject: [PATCH 03/10] bitcoind: don't log timestamps
Timestamps are already logged via journald.
---
modules/bitcoind.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 52e9ee8..10ededd 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -282,6 +282,7 @@ let
configFile = builtins.toFile "bitcoin.conf" ''
# We're already logging via journald
nodebuglogfile=1
+ logtimestamps=0
startupnotify=/run/current-system/systemd/bin/systemd-notify --ready
From 679e7b6544f83ef77af40f09cfb8d6e664be2378 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:27 +0100
Subject: [PATCH 04/10] bitcoind: remove unneeded tmpfile rule
---
modules/bitcoind.nix | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 10ededd..ac8f913 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -367,7 +367,6 @@ in {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
- "d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
];
systemd.services.bitcoind = {
@@ -387,7 +386,12 @@ in {
''
) (builtins.attrNames cfg.rpc.users);
in ''
- ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
+ ${optionalString cfg.dataDirReadableByGroup ''
+ if [[ -e '${cfg.dataDir}/blocks' ]]; then
+ chmod -R g+rX '${cfg.dataDir}/blocks'
+ fi
+ ''}
+
cfg=$(
cat ${configFile}
${extraRpcauth}
From 397b372cf36f3f5d79dbe1f301b61437eeea0144 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:28 +0100
Subject: [PATCH 05/10] bitcoind: improve option `rpc.users`
- Move description to top
- Improve example
---
modules/bitcoind.nix | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
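Review bot: The `chmod -R g+rX '${cfg.dataDir}/blocks'` in the service start script still runs on every start and recurses over the whole blocks directory, which on a synced mainnet node is a large tree, so the `[[ -e ]]` guard fixes the failure on a fresh data dir but not the per-start cost. With the tmpfiles rule for `blocks` removed in the previous hunk, the directory is first created by bitcoind itself, so on the first start with `dataDirReadableByGroup` the chmod is skipped and the group-readability of files bitcoind creates until the next restart depends on the unit's umask, which is outside this hunk. If a directory is what is expected, `if [[ -d '${cfg.dataDir}/blocks' ]]; then` states the intent more precisely than `-e`. The script this snippet belongs to begins and ends outside the hunk.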
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index ac8f913..bf59a80 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -101,9 +101,14 @@ let
};
users = mkOption {
default = {};
+ description = ''
+ Allowed users for JSON-RPC connections.
+ '';
example = {
- alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
- bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
+ alice = {
+ passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
+ rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];
+ };
};
type = with types; attrsOf (submodule ({ name, ... }: {
options = {
@@ -138,9 +143,6 @@ let
};
};
}));
- description = ''
- RPC user information for JSON-RPC connections.
- '';
};
};
regtest = mkOption {
From d41a550355379461fe2a20961dea9837f186ad49 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:29 +0100
Subject: [PATCH 06/10] fetch-release: export GNUPGHOME
This approach is less error-prone. It is also used by our fetcher scripts.
---
helper/fetch-release | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/helper/fetch-release b/helper/fetch-release
index 4cc0ccf..cc3ffdb 100755
--- a/helper/fetch-release
+++ b/helper/fetch-release
@@ -14,15 +14,15 @@ fi
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
-GPG_HOME=$TMPDIR/gpg-home
-mkdir -p -m 700 "$GPG_HOME"
+export GNUPGHOME=$TMPDIR/gpg-home
+mkdir -p -m 700 "$GNUPGHOME"
# Import key
-gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
+gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Check that exactly one key was imported
-(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1))
+(($(gpg --list-keys --with-colons | grep -c pub) == 1))
# Verify key fingerprint
-gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
+gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
# Fetch nar-hash of release
cd $TMPDIR
@@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
# Verify signature for nar-hash
-gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
+gpg --verify nar-hash.txt.asc &> /dev/null || {
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
exit 1
}
From e093bb64d98e7851e54acb188f8d3be7b8c33582 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:30 +0100
Subject: [PATCH 07/10] examples/configuration.nix: fix links to `docs/services.md`
---
examples/configuration.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/configuration.nix b/examples/configuration.nix
index 4e75f64..6593cab 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -51,7 +51,7 @@
# nix-bitcoin.onionServices.clightning.public = true;
#
# == Plugins
- # See ../docs/usage.md for the list of available plugins.
+ # See ../docs/services.md for the list of available plugins.
# services.clightning.plugins.prometheus.enable = true;
### LND
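Review bot: The `(($(gpg --list-keys --with-colons | grep -c pub) == 1))` line only aborts the script when it runs under `set -e`, which is decided outside this hunk; without it, a keyring holding zero or several `pub` entries passes silently and the fingerprint lookup that follows, which tests only the exit status of `gpg --list-keys`, becomes the sole guard. Making the failure explicit in the same shape as the `--verify` handling in the next hunk removes that dependence: `(($(gpg --list-keys --with-colons | grep -c pub) == 1)) || { >&2 echo "Error: unexpected number of keys imported"; exit 1; }`. Since `GNUPGHOME` is now exported it also applies to every later gpg call and child process, which is what the commit intends; a comment such as `# GNUPGHOME is exported so every gpg call below uses the temporary keyring removed by the EXIT trap` would make that visible to the next reader.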
@@ -154,7 +154,7 @@
# services.hardware-wallets.ledger = true;
#
# Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
- # `docs/usage.md`.
+ # `../docs/services.md`.
# services.hardware-wallets.trezor = true;
### lightning-loop
From 7402212263c332a933fe46131583d8f9c3ad5b63 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:31 +0100
Subject: [PATCH 08/10] examples/configuration.nix: disable `passwordAuthentication`
This is a sensible default. Also clarify the pubkey setup.
---
examples/configuration.nix | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/examples/configuration.nix b/examples/configuration.nix
index 6593cab..e441c23 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -234,10 +234,15 @@
networking.hostName = "host";
time.timeZone = "UTC";
- # FIXME: Add your SSH pubkey
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ };
users.users.root = {
- openssh.authorizedKeys.keys = [ "" ];
+ openssh.authorizedKeys.keys = [
+ # FIXME: Replace this with your SSH pubkey
+ "ssh-ed25519 AAAAC3..."
+ ];
};
# FIXME: Uncomment this to allow the operator user to run
From 7b0c3d48c9f347a2738a282ec3b813e35c2612ad Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:32 +0100
Subject: [PATCH 09/10] docs/services.md: link to clightning plugin list
The old list was incomplete. Also update configuration.nix.
---
docs/services.md | 11 +++--------
examples/configuration.nix | 2 +-
2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/docs/services.md b/docs/services.md
index 572bc09..350211e 100644
--- a/docs/services.md
+++ b/docs/services.md
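Review bot: `passwordAuthentication = false;` on its own does not necessarily turn off password logins on NixOS: sshd runs with PAM there, and a password prompt can still be served through keyboard-interactive authentication, which NixOS leaves enabled by default through a separate `services.openssh` option (`challengeResponseAuthentication`, later renamed `kbdInteractiveAuthentication`; which name applies depends on the nixpkgs release this example targets, which is not visible here). Setting that option to `false` next to `passwordAuthentication = false;` makes the example key-only as the commit message intends. The placeholder `"ssh-ed25519 AAAAC3..."` is not a parseable key, so a config deployed unchanged most likely leaves root without any SSH login path; that is the safe failure mode, but it is worth stating in the FIXME, e.g. `# FIXME: Replace this with your SSH pubkey (deployed as-is, root cannot log in via SSH)`.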
@@ -391,15 +391,10 @@ See [here](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master
# clightning
## Plugins
+There is a number of [plugins](https://github.com/lightningd/plugins) available for clightning.
+See [`Readme: Features → clightning`](../README.md#features) or [search.nixos.org][1] for a complete list.
-There are a number of [plugins](https://github.com/lightningd/plugins) available for clightning. Currently `nix-bitcoin` supports:
-
-- helpme
-- monitor
-- prometheus
-- rebalance
-- summary
-- zmq
+[1]: https://search.nixos.org/flakes?channel=unstable&from=0&size=30&sort=relevance&type=options&query=services.clightning.plugins
You can activate and configure these plugins like so:
diff --git a/examples/configuration.nix b/examples/configuration.nix
index e441c23..5f9e854 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -51,7 +51,7 @@
# nix-bitcoin.onionServices.clightning.public = true;
#
# == Plugins
- # See ../docs/services.md for the list of available plugins.
+ # See ../README.md (Features → clightning) for the list of available plugins.
# services.clightning.plugins.prometheus.enable = true;
### LND
From d959d5b5581a02b6faef30f876489ca1cf89c564 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 3 Feb 2022 20:46:33 +0100
Subject: [PATCH 10/10] secure-node: don't set `nix-bitcoin.secretsDir`
This simplifies the docs and the secure-node module. This change doesn't affect users that deploy via krops.
---
docs/configuration.md | 7 +------
docs/services.md | 6 ++++--
examples/configuration.nix | 2 +-
modules/presets/secure-node.nix | 3 ---
modules/versioning.nix | 21 +++++++++++++++++++++
5 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 4a64c57..f65446a 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -250,9 +250,4 @@ following default values:
- If you're using the krops deployment method: `/var/src/secrets`
-- Otherwise:
- - `/secrets` (if you're using the `secure-node.nix` template)
- - `/etc/nix-bitcoin-secrets` (otherwise)
-
- `/secrets` only exists to provide backwards compatibility for users of the
- `secure-node.nix` template.
+- Otherwise: `/etc/nix-bitcoin-secrets`
diff --git a/docs/services.md b/docs/services.md
index 350211e..28935d6 100644
--- a/docs/services.md
+++ b/docs/services.md
@@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node
Otherwise, you can access it via Tor Browser at `http://`. You can find the `` with command `nodeinfo`.
-The default password location is `/secrets/rtl-password`.
+The default password location is `$secretsDir/rtl-password`.
+See: [Secrets dir](./configuration.md#secrets-dir)
# Connect to spark-wallet
### Requirements
@@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps:
Follow the on-screen instructions and write down your seed.
In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
- from `/secrets/jm-wallet-password` and use the suggested default wallet name
+ from `$secretsDir/jm-wallet-password` and use the suggested default wallet name
`wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
replace the password string in your local secrets directory.
+ See: [Secrets dir](./configuration.md#secrets-dir)
## Run the tumbler
diff --git a/examples/configuration.nix b/examples/configuration.nix
index 5f9e854..0c84226 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -266,5 +266,5 @@
# The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide hints for migrating your config to the new release.
- nix-bitcoin.configVersion = "0.0.57";
+ nix-bitcoin.configVersion = "0.0.65";
}
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 250034e..34d8ed5 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -18,9 +18,6 @@ in {
};
config = {
- # For backwards compatibility only
- nix-bitcoin.secretsDir = mkDefault "/secrets";
-
networking.firewall.enable = true;
nix-bitcoin.security.dbusHideProcessInformation = true;
diff --git a/modules/versioning.nix b/modules/versioning.nix
index 5fd03d6..e1d6761 100644
--- a/modules/versioning.nix
+++ b/modules/versioning.nix
@@ -181,6 +181,27 @@ let
once.
'';
}
+ {
+ version = "0.0.65";
+ condition = config.nix-bitcoin ? secure-node-preset-enabled &&
+ config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets";
+ message = ''
+ The `secure-node.nix` preset does not set the secrets directory
+ to "/secrets" anymore.
+ Instead, the default location "/etc/nix-bitcoin-secrets" is used.
+
+ To upgrade, choose one of the following:
+
+ - Continue using "/secrets":
+ Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix.
+
+ - Move your secrets to the default location:
+ Run the following command as root on your node:
+ `rsync -a /secrets/ /etc/nix-bitcoin-secrets`.
+ You can delete the old "/secrets" directory after deploying the new system
+ config to your node.
+ '';
+ }
];
mkOnionServiceChange = service: {