greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

services: use new 'tor' options

This commit is contained in:
Erik Arvstedt 2021-08-05 00:49:00 +02:00
parent e44f78ebb8
commit 178a0dcf8f
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
18 changed files with 56 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/bitcoind.nix
View File

@ -193,7 +193,7 @@ in {
};
proxy = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Connect through SOCKS5 proxy";
};
listen = mkOption {

2
modules/btcpayserver.nix
View File

@ -184,7 +184,7 @@ in {
network=${config.services.bitcoind.network}
bind=${cfg.btcpayserver.address}
port=${toString cfg.btcpayserver.port}
socksendpoint=${cfg.tor.client.socksListenAddress}
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
btcexplorerurl=${nbExplorerUrl}
btcexplorercookiefile=${nbExplorerCookie}
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb

2
modules/clightning.nix
View File

@ -34,7 +34,7 @@ in {
};
proxy = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = ''
Socks proxy for connecting to Tor nodes (or for all connections if option always-use-proxy is set).
'';

16
modules/joinmarket-ob-watcher.nix
View File

@ -5,7 +5,13 @@ let
cfg = config.services.joinmarket-ob-watcher;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
socks5Settings = with config.services.tor.client.socksListenAddress; ''
socks5 = true
socks5_host = ${addr}
socks5_port = ${toString port}
'';
configFile = builtins.toFile "config" ''
[BLOCKCHAIN]
blockchain_source = no-blockchain
@ -15,18 +21,14 @@ let
channel = joinmarket-pit
port = 6697
usessl = true
socks5 = true
socks5_host = ${torAddress}
socks5_port = 9050
${socks5Settings}
[MESSAGING:server2]
host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion
channel = joinmarket-pit
port = 6667
usessl = false
socks5 = true
socks5_host = ${torAddress}
socks5_port = 9050
${socks5Settings}
'';
in {
options.services.joinmarket-ob-watcher = {

21
modules/joinmarket.nix
View File

@ -10,7 +10,14 @@ let
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services) bitcoind;
torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
torAddress = config.services.tor.client.socksListenAddress;
socks5Settings = ''
socks5 = true
socks5_host = ${torAddress.addr}
socks5_port = ${toString torAddress.port}
'';
# Based on https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/jmclient/jmclient/configure.py
yg = cfg.yieldgenerator;
configFile = builtins.toFile "config" ''
@ -34,18 +41,14 @@ let
channel = joinmarket-pit
port = 6697
usessl = true
socks5 = true
socks5_host = ${torAddress}
socks5_port = 9050
${socks5Settings}
[MESSAGING:server2]
host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion
channel = joinmarket-pit
port = 6667
usessl = false
socks5 = true
socks5_host = ${torAddress}
socks5_port = 9050
${socks5Settings}
[LOGGING]
console_log_level = INFO
@ -72,8 +75,8 @@ let
disable_output_substitution = 0
max_additional_fee_contribution = default
min_fee_rate = 1.1
onion_socks5_host = ${torAddress}
onion_socks5_port = 9050
onion_socks5_host = ${torAddress.addr}
onion_socks5_port = ${toString torAddress.port}
tor_control_host = unix:/run/tor/control
hidden_service_ssl = false

2
modules/lightning-loop.nix
View File

@ -60,7 +60,7 @@ in {
};
proxy = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "host:port of SOCKS5 proxy for connnecting to the loop server.";
};
extraConfig = mkOption {

2
modules/lightning-pool.nix
View File

@ -54,7 +54,7 @@ in {
};
proxy = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "host:port of SOCKS5 proxy for connnecting to the pool auction server.";
};
extraConfig = mkOption {

2
modules/liquid.nix
View File

@ -144,7 +144,7 @@ in {
};
proxy = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Connect through SOCKS5 proxy";
};
listen = mkOption {

5
modules/lnd-rest-onion-service.nix
View File

@ -40,8 +40,9 @@ in {
config = mkIf cfg.enable {
services.tor = {
enable = true;
hiddenServices.lnd-rest = nbLib.mkHiddenService {
toHost = lnd.restAddress;
relay.onionServices.lnd-rest = nbLib.mkOnionService {
target.addr = lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort;
};
};

2
modules/lnd.nix
View File

@ -83,7 +83,7 @@ in {
};
tor-socks = mkOption {
type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null;
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Socks proxy for connecting to Tor nodes";
};
macaroons = mkOption {

8
modules/modules.nix
View File

@ -49,13 +49,19 @@ with lib;
default = import ../pkgs/lib.nix lib pkgs;
};
torClientAddressWithPort = mkOption {
readOnly = true;
default = with config.services.tor.client.socksListenAddress;
"${addr}:${toString port}";
};
# Torify binary that works with custom Tor SOCKS addresses
# Related issue: https://github.com/NixOS/nixpkgs/issues/94236
torify = mkOption {
readOnly = true;
default = pkgs.writeScriptBin "torify" ''
${pkgs.tor}/bin/torify \
--address ${head (splitString ":" config.services.tor.client.socksListenAddress)} \
--address ${config.services.tor.client.socksListenAddress.addr} \
"$@"
'';
};

9
modules/netns-isolation.nix
View File

@ -97,8 +97,13 @@ in {
# Base infrastructure
{
networking.dhcpcd.denyInterfaces = [ "nb-br" "nb-veth*" ];
services.tor.client.socksListenAddress = "${bridgeIp}:9050";
networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ];
services.tor.client.socksListenAddress = {
addr = bridgeIp;
# Default NixOS values. These must be repeated when redefining this option.
port = 9050;
IsolateDestAddr = true;
};
networking.firewall.interfaces.nb-br.allowedTCPPorts = [ config.services.tor.client.socksListenAddress.port ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
security.wrappers.netns-exec = {

6
modules/nodeinfo.nix
View File

@ -95,12 +95,12 @@ let
'';
mkIfOnionPort = name: fn:
if hiddenServices ? ${name} then
fn (toString (builtins.elemAt hiddenServices.${name}.map 0).port)
if onionServices ? ${name} then
fn (toString (builtins.elemAt onionServices.${name}.map 0).port)
else
"";
inherit (config.services.tor) hiddenServices;
inherit (config.services.tor.relay) onionServices;
in {
options = {
nix-bitcoin.nodeinfo = {

8
modules/onion-services.nix
View File

@ -57,14 +57,14 @@ in {
# Define hidden services
services.tor = {
enable = true;
hiddenServices = genAttrs activeServices (name:
relay.onionServices = genAttrs activeServices (name:
let
service = config.services.${name};
inherit (cfg.${name}) externalPort;
in nbLib.mkHiddenService {
in nbLib.mkOnionService {
port = if externalPort != null then externalPort else service.port;
toPort = service.port;
toHost = if service.address == "0.0.0.0" then "127.0.0.1" else service.address;
target.port = service.port;
target.addr = if service.address == "0.0.0.0" then "127.0.0.1" else service.address;
}
);
};

2
modules/presets/secure-node.nix
View File

@ -29,7 +29,7 @@ in {
];
# sshd
services.tor.hiddenServices.sshd = nbLib.mkHiddenService { port = 22; };
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
services.bitcoind = {

2
modules/recurring-donations.nix
View File

@ -11,7 +11,7 @@ let
NAME=$1
AMOUNT=$2
echo Attempting to pay $AMOUNT sat to $NAME
INVOICE=$(curl --socks5-hostname ${config.services.tor.client.socksListenAddress} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null
INVOICE=$(curl --socks5-hostname ${config.nix-bitcoin.torClientAddressWithPort} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null
if [ -z "$INVOICE" ] || [ "$INVOICE" = "null" ]; then
echo "ERROR: did not get invoice from tallycoin"
return

2
modules/spark-wallet.nix
View File

@ -8,7 +8,7 @@ let
# Use wasabi rate provider because the default (bitstamp) doesn't accept
# connections through Tor
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}";
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}";
startScript = ''
${optionalString (cfg.getPublicAddressCmd != "") ''
publicURL="--public-url http://$(${cfg.getPublicAddressCmd})"

2
pkgs/lib.nix
View File

@ -80,7 +80,7 @@ let self = {
default = "exec";
};
mkHiddenService = map: {
mkOnionService = map: {
map = [ map ];
version = 3;
};