From 178a0dcf8f0849a774ff4f08cac282151aa5fb33 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Thu, 5 Aug 2021 00:49:00 +0200 Subject: [PATCH] services: use new 'tor' options --- modules/bitcoind.nix | 2 +- modules/btcpayserver.nix | 2 +- modules/clightning.nix | 2 +- modules/joinmarket-ob-watcher.nix | 16 +++++++++------- modules/joinmarket.nix | 21 ++++++++++++--------- modules/lightning-loop.nix | 2 +- modules/lightning-pool.nix | 2 +- modules/liquid.nix | 2 +- modules/lnd-rest-onion-service.nix | 5 +++-- modules/lnd.nix | 2 +- modules/modules.nix | 8 +++++++- modules/netns-isolation.nix | 9 +++++++-- modules/nodeinfo.nix | 6 +++--- modules/onion-services.nix | 8 ++++---- modules/presets/secure-node.nix | 2 +- modules/recurring-donations.nix | 2 +- modules/spark-wallet.nix | 2 +- pkgs/lib.nix | 2 +- 18 files changed, 56 insertions(+), 39 deletions(-) diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index e78ca37..3ca5c2a 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -193,7 +193,7 @@ in { }; proxy = mkOption { type = types.nullOr types.str; - default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; + default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = "Connect through SOCKS5 proxy"; }; listen = mkOption { diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix index 4b89add..1e1f45f 100644 --- a/modules/btcpayserver.nix +++ b/modules/btcpayserver.nix @@ -184,7 +184,7 @@ in { network=${config.services.bitcoind.network} bind=${cfg.btcpayserver.address} port=${toString cfg.btcpayserver.port} - socksendpoint=${cfg.tor.client.socksListenAddress} + socksendpoint=${config.nix-bitcoin.torClientAddressWithPort} btcexplorerurl=${nbExplorerUrl} btcexplorercookiefile=${nbExplorerCookie} postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb diff --git a/modules/clightning.nix b/modules/clightning.nix index 0cadfc3..f415a30 100644 --- a/modules/clightning.nix +++ b/modules/clightning.nix @@ -34,7 +34,7 @@ in { }; proxy = mkOption { type = types.nullOr types.str; - default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; + default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = '' Socks proxy for connecting to Tor nodes (or for all connections if option always-use-proxy is set). ''; diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix index c668dde..f8b6760 100644 --- a/modules/joinmarket-ob-watcher.nix +++ b/modules/joinmarket-ob-watcher.nix @@ -5,7 +5,13 @@ let cfg = config.services.joinmarket-ob-watcher; nbLib = config.nix-bitcoin.lib; nbPkgs = config.nix-bitcoin.pkgs; - torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress); + + socks5Settings = with config.services.tor.client.socksListenAddress; '' + socks5 = true + socks5_host = ${addr} + socks5_port = ${toString port} + ''; + configFile = builtins.toFile "config" '' [BLOCKCHAIN] blockchain_source = no-blockchain @@ -15,18 +21,14 @@ let channel = joinmarket-pit port = 6697 usessl = true - socks5 = true - socks5_host = ${torAddress} - socks5_port = 9050 + ${socks5Settings} [MESSAGING:server2] host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion channel = joinmarket-pit port = 6667 usessl = false - socks5 = true - socks5_host = ${torAddress} - socks5_port = 9050 + ${socks5Settings} ''; in { options.services.joinmarket-ob-watcher = { diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix index 3dcb291..2d27094 100644 --- a/modules/joinmarket.nix +++ b/modules/joinmarket.nix @@ -10,7 +10,14 @@ let runAsUser = config.nix-bitcoin.runAsUserCmd; inherit (config.services) bitcoind; - torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress); + + torAddress = config.services.tor.client.socksListenAddress; + socks5Settings = '' + socks5 = true + socks5_host = ${torAddress.addr} + socks5_port = ${toString torAddress.port} + ''; + # Based on https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/jmclient/jmclient/configure.py yg = cfg.yieldgenerator; configFile = builtins.toFile "config" '' @@ -34,18 +41,14 @@ let channel = joinmarket-pit port = 6697 usessl = true - socks5 = true - socks5_host = ${torAddress} - socks5_port = 9050 + ${socks5Settings} [MESSAGING:server2] host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion channel = joinmarket-pit port = 6667 usessl = false - socks5 = true - socks5_host = ${torAddress} - socks5_port = 9050 + ${socks5Settings} [LOGGING] console_log_level = INFO @@ -72,8 +75,8 @@ let disable_output_substitution = 0 max_additional_fee_contribution = default min_fee_rate = 1.1 - onion_socks5_host = ${torAddress} - onion_socks5_port = 9050 + onion_socks5_host = ${torAddress.addr} + onion_socks5_port = ${toString torAddress.port} tor_control_host = unix:/run/tor/control hidden_service_ssl = false diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix index 9d40b9c..18cce78 100644 --- a/modules/lightning-loop.nix +++ b/modules/lightning-loop.nix @@ -60,7 +60,7 @@ in { }; proxy = mkOption { type = types.nullOr types.str; - default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; + default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = "host:port of SOCKS5 proxy for connnecting to the loop server."; }; extraConfig = mkOption { diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix index 7736d0a..74ba9d5 100644 --- a/modules/lightning-pool.nix +++ b/modules/lightning-pool.nix @@ -54,7 +54,7 @@ in { }; proxy = mkOption { type = types.nullOr types.str; - default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; + default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = "host:port of SOCKS5 proxy for connnecting to the pool auction server."; }; extraConfig = mkOption { diff --git a/modules/liquid.nix b/modules/liquid.nix index 7e375a7..28f2e4f 100644 --- a/modules/liquid.nix +++ b/modules/liquid.nix @@ -144,7 +144,7 @@ in { }; proxy = mkOption { type = types.nullOr types.str; - default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; + default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = "Connect through SOCKS5 proxy"; }; listen = mkOption { diff --git a/modules/lnd-rest-onion-service.nix b/modules/lnd-rest-onion-service.nix index 31415f3..1d873cc 100644 --- a/modules/lnd-rest-onion-service.nix +++ b/modules/lnd-rest-onion-service.nix @@ -40,8 +40,9 @@ in { config = mkIf cfg.enable { services.tor = { enable = true; - hiddenServices.lnd-rest = nbLib.mkHiddenService { - toHost = lnd.restAddress; + relay.onionServices.lnd-rest = nbLib.mkOnionService { + target.addr = lnd.restAddress; + target.port = lnd.restPort; port = lnd.restPort; }; }; diff --git a/modules/lnd.nix b/modules/lnd.nix index 33bbce0..d5c29e1 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -83,7 +83,7 @@ in { }; tor-socks = mkOption { type = types.nullOr types.str; - default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; + default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; description = "Socks proxy for connecting to Tor nodes"; }; macaroons = mkOption { diff --git a/modules/modules.nix b/modules/modules.nix index 2ebe733..fbfe272 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -49,13 +49,19 @@ with lib; default = import ../pkgs/lib.nix lib pkgs; }; + torClientAddressWithPort = mkOption { + readOnly = true; + default = with config.services.tor.client.socksListenAddress; + "${addr}:${toString port}"; + }; + # Torify binary that works with custom Tor SOCKS addresses # Related issue: https://github.com/NixOS/nixpkgs/issues/94236 torify = mkOption { readOnly = true; default = pkgs.writeScriptBin "torify" '' ${pkgs.tor}/bin/torify \ - --address ${head (splitString ":" config.services.tor.client.socksListenAddress)} \ + --address ${config.services.tor.client.socksListenAddress.addr} \ "$@" ''; }; diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix index 36ba446..83db4cc 100644 --- a/modules/netns-isolation.nix +++ b/modules/netns-isolation.nix @@ -97,8 +97,13 @@ in { # Base infrastructure { networking.dhcpcd.denyInterfaces = [ "nb-br" "nb-veth*" ]; - services.tor.client.socksListenAddress = "${bridgeIp}:9050"; - networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ]; + services.tor.client.socksListenAddress = { + addr = bridgeIp; + # Default NixOS values. These must be repeated when redefining this option. + port = 9050; + IsolateDestAddr = true; + }; + networking.firewall.interfaces.nb-br.allowedTCPPorts = [ config.services.tor.client.socksListenAddress.port ]; boot.kernel.sysctl."net.ipv4.ip_forward" = true; security.wrappers.netns-exec = { diff --git a/modules/nodeinfo.nix b/modules/nodeinfo.nix index ab27bbd..782446b 100644 --- a/modules/nodeinfo.nix +++ b/modules/nodeinfo.nix @@ -95,12 +95,12 @@ let ''; mkIfOnionPort = name: fn: - if hiddenServices ? ${name} then - fn (toString (builtins.elemAt hiddenServices.${name}.map 0).port) + if onionServices ? ${name} then + fn (toString (builtins.elemAt onionServices.${name}.map 0).port) else ""; - inherit (config.services.tor) hiddenServices; + inherit (config.services.tor.relay) onionServices; in { options = { nix-bitcoin.nodeinfo = { diff --git a/modules/onion-services.nix b/modules/onion-services.nix index a250c0b..a6d39a0 100644 --- a/modules/onion-services.nix +++ b/modules/onion-services.nix @@ -57,14 +57,14 @@ in { # Define hidden services services.tor = { enable = true; - hiddenServices = genAttrs activeServices (name: + relay.onionServices = genAttrs activeServices (name: let service = config.services.${name}; inherit (cfg.${name}) externalPort; - in nbLib.mkHiddenService { + in nbLib.mkOnionService { port = if externalPort != null then externalPort else service.port; - toPort = service.port; - toHost = if service.address == "0.0.0.0" then "127.0.0.1" else service.address; + target.port = service.port; + target.addr = if service.address == "0.0.0.0" then "127.0.0.1" else service.address; } ); }; diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix index 70a850e..25a6d47 100644 --- a/modules/presets/secure-node.nix +++ b/modules/presets/secure-node.nix @@ -29,7 +29,7 @@ in { ]; # sshd - services.tor.hiddenServices.sshd = nbLib.mkHiddenService { port = 22; }; + services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; }; nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ]; services.bitcoind = { diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix index 377af6d..63a5333 100644 --- a/modules/recurring-donations.nix +++ b/modules/recurring-donations.nix @@ -11,7 +11,7 @@ let NAME=$1 AMOUNT=$2 echo Attempting to pay $AMOUNT sat to $NAME - INVOICE=$(curl --socks5-hostname ${config.services.tor.client.socksListenAddress} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null + INVOICE=$(curl --socks5-hostname ${config.nix-bitcoin.torClientAddressWithPort} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null if [ -z "$INVOICE" ] || [ "$INVOICE" = "null" ]; then echo "ERROR: did not get invoice from tallycoin" return diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix index c305337..ca307ce 100644 --- a/modules/spark-wallet.nix +++ b/modules/spark-wallet.nix @@ -8,7 +8,7 @@ let # Use wasabi rate provider because the default (bitstamp) doesn't accept # connections through Tor - torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}"; + torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}"; startScript = '' ${optionalString (cfg.getPublicAddressCmd != "") '' publicURL="--public-url http://$(${cfg.getPublicAddressCmd})" diff --git a/pkgs/lib.nix b/pkgs/lib.nix index a024ef9..1d53289 100644 --- a/pkgs/lib.nix +++ b/pkgs/lib.nix @@ -80,7 +80,7 @@ let self = { default = "exec"; }; - mkHiddenService = map: { + mkOnionService = map: { map = [ map ]; version = 3; };