Merge fort-nix/nix-bitcoin#450: Misc. improvements
d959d5b558
secure-node: don't set `nix-bitcoin.secretsDir` (Erik Arvstedt)7b0c3d48c9
docs/services.md: link to clightning plugin list (Erik Arvstedt)7402212263
examples/configuration.nix: disable `passwordAuthentication` (Erik Arvstedt)e093bb64d9
examples/configuration.nix: fix links to `docs/services.md` (Erik Arvstedt)d41a550355
fetch-release: export GNUPGHOME (Erik Arvstedt)397b372cf3
bitcoind: improve option `rpc.users` (Erik Arvstedt)679e7b6544
bitcoind: remove unneeded tmpfile rule (Erik Arvstedt)98f419233f
bitcoind: don't log timestamps (Erik Arvstedt)6f8b4d9ebe
flake: optimize nixpkgs importing (Erik Arvstedt)16e2d4c8b7
flake: remove unneeded indirection in legacyPackages (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACKd959d5b558
Tree-SHA512: e62fcf36ac77df62b9f86279d0ebac807525d188cbf1ee5c13cf1406b3caadad0f2df7527b0c8713259cbc6d5cdfa006f01e90d5377f974213f204a2f85a8ae6
This commit is contained in:
commit
0ac9d6f4c8
@ -250,9 +250,4 @@ following default values:
|
|||||||
|
|
||||||
- If you're using the krops deployment method: `/var/src/secrets`
|
- If you're using the krops deployment method: `/var/src/secrets`
|
||||||
|
|
||||||
- Otherwise:
|
- Otherwise: `/etc/nix-bitcoin-secrets`
|
||||||
- `/secrets` (if you're using the `secure-node.nix` template)
|
|
||||||
- `/etc/nix-bitcoin-secrets` (otherwise)
|
|
||||||
|
|
||||||
`/secrets` only exists to provide backwards compatibility for users of the
|
|
||||||
`secure-node.nix` template.
|
|
||||||
|
@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node
|
|||||||
|
|
||||||
Otherwise, you can access it via Tor Browser at `http://<onion-address>`.
|
Otherwise, you can access it via Tor Browser at `http://<onion-address>`.
|
||||||
You can find the `<onion-address>` with command `nodeinfo`.
|
You can find the `<onion-address>` with command `nodeinfo`.
|
||||||
The default password location is `/secrets/rtl-password`.
|
The default password location is `$secretsDir/rtl-password`.
|
||||||
|
See: [Secrets dir](./configuration.md#secrets-dir)
|
||||||
|
|
||||||
# Connect to spark-wallet
|
# Connect to spark-wallet
|
||||||
### Requirements
|
### Requirements
|
||||||
@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps:
|
|||||||
Follow the on-screen instructions and write down your seed.
|
Follow the on-screen instructions and write down your seed.
|
||||||
|
|
||||||
In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
|
In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
|
||||||
from `/secrets/jm-wallet-password` and use the suggested default wallet name
|
from `$secretsDir/jm-wallet-password` and use the suggested default wallet name
|
||||||
`wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
|
`wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
|
||||||
replace the password string in your local secrets directory.
|
replace the password string in your local secrets directory.
|
||||||
|
See: [Secrets dir](./configuration.md#secrets-dir)
|
||||||
|
|
||||||
## Run the tumbler
|
## Run the tumbler
|
||||||
|
|
||||||
@ -391,15 +393,10 @@ See [here](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master
|
|||||||
# clightning
|
# clightning
|
||||||
|
|
||||||
## Plugins
|
## Plugins
|
||||||
|
There is a number of [plugins](https://github.com/lightningd/plugins) available for clightning.
|
||||||
|
See [`Readme: Features → clightning`](../README.md#features) or [search.nixos.org][1] for a complete list.
|
||||||
|
|
||||||
There are a number of [plugins](https://github.com/lightningd/plugins) available for clightning. Currently `nix-bitcoin` supports:
|
[1]: https://search.nixos.org/flakes?channel=unstable&from=0&size=30&sort=relevance&type=options&query=services.clightning.plugins
|
||||||
|
|
||||||
- helpme
|
|
||||||
- monitor
|
|
||||||
- prometheus
|
|
||||||
- rebalance
|
|
||||||
- summary
|
|
||||||
- zmq
|
|
||||||
|
|
||||||
You can activate and configure these plugins like so:
|
You can activate and configure these plugins like so:
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@
|
|||||||
# nix-bitcoin.onionServices.clightning.public = true;
|
# nix-bitcoin.onionServices.clightning.public = true;
|
||||||
#
|
#
|
||||||
# == Plugins
|
# == Plugins
|
||||||
# See ../docs/usage.md for the list of available plugins.
|
# See ../README.md (Features → clightning) for the list of available plugins.
|
||||||
# services.clightning.plugins.prometheus.enable = true;
|
# services.clightning.plugins.prometheus.enable = true;
|
||||||
|
|
||||||
### LND
|
### LND
|
||||||
@ -154,7 +154,7 @@
|
|||||||
# services.hardware-wallets.ledger = true;
|
# services.hardware-wallets.ledger = true;
|
||||||
#
|
#
|
||||||
# Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
|
# Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
|
||||||
# `docs/usage.md`.
|
# `../docs/services.md`.
|
||||||
# services.hardware-wallets.trezor = true;
|
# services.hardware-wallets.trezor = true;
|
||||||
|
|
||||||
### lightning-loop
|
### lightning-loop
|
||||||
@ -234,10 +234,15 @@
|
|||||||
networking.hostName = "host";
|
networking.hostName = "host";
|
||||||
time.timeZone = "UTC";
|
time.timeZone = "UTC";
|
||||||
|
|
||||||
# FIXME: Add your SSH pubkey
|
services.openssh = {
|
||||||
services.openssh.enable = true;
|
enable = true;
|
||||||
|
passwordAuthentication = false;
|
||||||
|
};
|
||||||
users.users.root = {
|
users.users.root = {
|
||||||
openssh.authorizedKeys.keys = [ "" ];
|
openssh.authorizedKeys.keys = [
|
||||||
|
# FIXME: Replace this with your SSH pubkey
|
||||||
|
"ssh-ed25519 AAAAC3..."
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# FIXME: Uncomment this to allow the operator user to run
|
# FIXME: Uncomment this to allow the operator user to run
|
||||||
@ -261,5 +266,5 @@
|
|||||||
# The nix-bitcoin release version that your config is compatible with.
|
# The nix-bitcoin release version that your config is compatible with.
|
||||||
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
|
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
|
||||||
# an error and provide hints for migrating your config to the new release.
|
# an error and provide hints for migrating your config to the new release.
|
||||||
nix-bitcoin.configVersion = "0.0.57";
|
nix-bitcoin.configVersion = "0.0.65";
|
||||||
}
|
}
|
||||||
|
@ -18,8 +18,8 @@
|
|||||||
lib = {
|
lib = {
|
||||||
mkNbPkgs = {
|
mkNbPkgs = {
|
||||||
system
|
system
|
||||||
, pkgs ? import nixpkgs { inherit system; }
|
, pkgs ? nixpkgs.legacyPackages.${system}
|
||||||
, pkgsUnstable ? import nixpkgsUnstable { inherit system; }
|
, pkgsUnstable ? nixpkgsUnstable.legacyPackages.${system}
|
||||||
}:
|
}:
|
||||||
import ./pkgs { inherit pkgs pkgsUnstable; };
|
import ./pkgs { inherit pkgs pkgsUnstable; };
|
||||||
};
|
};
|
||||||
@ -65,7 +65,7 @@
|
|||||||
|
|
||||||
} // (flake-utils.lib.eachSystem supportedSystems (system:
|
} // (flake-utils.lib.eachSystem supportedSystems (system:
|
||||||
let
|
let
|
||||||
pkgs = import nixpkgs { inherit system; };
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
|
|
||||||
nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; };
|
nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; };
|
||||||
|
|
||||||
@ -111,7 +111,7 @@
|
|||||||
# Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`)
|
# Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`)
|
||||||
# via this flake.
|
# via this flake.
|
||||||
# `packages` is not allowed to contain nested pkgs attrsets.
|
# `packages` is not allowed to contain nested pkgs attrsets.
|
||||||
legacyPackages = { inherit nbPkgs; };
|
legacyPackages = nbPkgs;
|
||||||
|
|
||||||
defaultApp = apps.vm;
|
defaultApp = apps.vm;
|
||||||
|
|
||||||
|
@ -14,15 +14,15 @@ fi
|
|||||||
TMPDIR=$(mktemp -d)
|
TMPDIR=$(mktemp -d)
|
||||||
trap "rm -rf $TMPDIR" EXIT
|
trap "rm -rf $TMPDIR" EXIT
|
||||||
|
|
||||||
GPG_HOME=$TMPDIR/gpg-home
|
export GNUPGHOME=$TMPDIR/gpg-home
|
||||||
mkdir -p -m 700 "$GPG_HOME"
|
mkdir -p -m 700 "$GNUPGHOME"
|
||||||
|
|
||||||
# Import key
|
# Import key
|
||||||
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
||||||
# Check that exactly one key was imported
|
# Check that exactly one key was imported
|
||||||
(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1))
|
(($(gpg --list-keys --with-colons | grep -c pub) == 1))
|
||||||
# Verify key fingerprint
|
# Verify key fingerprint
|
||||||
gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
|
gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
|
||||||
|
|
||||||
# Fetch nar-hash of release
|
# Fetch nar-hash of release
|
||||||
cd $TMPDIR
|
cd $TMPDIR
|
||||||
@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
|
|||||||
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
|
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
|
||||||
|
|
||||||
# Verify signature for nar-hash
|
# Verify signature for nar-hash
|
||||||
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
|
gpg --verify nar-hash.txt.asc &> /dev/null || {
|
||||||
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
|
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
@ -101,9 +101,14 @@ let
|
|||||||
};
|
};
|
||||||
users = mkOption {
|
users = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
|
description = ''
|
||||||
|
Allowed users for JSON-RPC connections.
|
||||||
|
'';
|
||||||
example = {
|
example = {
|
||||||
alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
|
alice = {
|
||||||
bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
|
passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
|
||||||
|
rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
type = with types; attrsOf (submodule ({ name, ... }: {
|
type = with types; attrsOf (submodule ({ name, ... }: {
|
||||||
options = {
|
options = {
|
||||||
@ -138,9 +143,6 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
description = ''
|
|
||||||
RPC user information for JSON-RPC connections.
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
regtest = mkOption {
|
regtest = mkOption {
|
||||||
@ -282,6 +284,7 @@ let
|
|||||||
configFile = builtins.toFile "bitcoin.conf" ''
|
configFile = builtins.toFile "bitcoin.conf" ''
|
||||||
# We're already logging via journald
|
# We're already logging via journald
|
||||||
nodebuglogfile=1
|
nodebuglogfile=1
|
||||||
|
logtimestamps=0
|
||||||
|
|
||||||
startupnotify=/run/current-system/systemd/bin/systemd-notify --ready
|
startupnotify=/run/current-system/systemd/bin/systemd-notify --ready
|
||||||
|
|
||||||
@ -366,7 +369,6 @@ in {
|
|||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||||
"d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.bitcoind = {
|
systemd.services.bitcoind = {
|
||||||
@ -386,7 +388,12 @@ in {
|
|||||||
''
|
''
|
||||||
) (builtins.attrNames cfg.rpc.users);
|
) (builtins.attrNames cfg.rpc.users);
|
||||||
in ''
|
in ''
|
||||||
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
${optionalString cfg.dataDirReadableByGroup ''
|
||||||
|
if [[ -e '${cfg.dataDir}/blocks' ]]; then
|
||||||
|
chmod -R g+rX '${cfg.dataDir}/blocks'
|
||||||
|
fi
|
||||||
|
''}
|
||||||
|
|
||||||
cfg=$(
|
cfg=$(
|
||||||
cat ${configFile}
|
cat ${configFile}
|
||||||
${extraRpcauth}
|
${extraRpcauth}
|
||||||
|
@ -18,9 +18,6 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
# For backwards compatibility only
|
|
||||||
nix-bitcoin.secretsDir = mkDefault "/secrets";
|
|
||||||
|
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
nix-bitcoin.security.dbusHideProcessInformation = true;
|
nix-bitcoin.security.dbusHideProcessInformation = true;
|
||||||
|
@ -181,6 +181,27 @@ let
|
|||||||
once.
|
once.
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
version = "0.0.65";
|
||||||
|
condition = config.nix-bitcoin ? secure-node-preset-enabled &&
|
||||||
|
config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets";
|
||||||
|
message = ''
|
||||||
|
The `secure-node.nix` preset does not set the secrets directory
|
||||||
|
to "/secrets" anymore.
|
||||||
|
Instead, the default location "/etc/nix-bitcoin-secrets" is used.
|
||||||
|
|
||||||
|
To upgrade, choose one of the following:
|
||||||
|
|
||||||
|
- Continue using "/secrets":
|
||||||
|
Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix.
|
||||||
|
|
||||||
|
- Move your secrets to the default location:
|
||||||
|
Run the following command as root on your node:
|
||||||
|
`rsync -a /secrets/ /etc/nix-bitcoin-secrets`.
|
||||||
|
You can delete the old "/secrets" directory after deploying the new system
|
||||||
|
config to your node.
|
||||||
|
'';
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
mkOnionServiceChange = service: {
|
mkOnionServiceChange = service: {
|
||||||
|
Loading…
Reference in New Issue
Block a user