services: use new 'tor' options

This commit is contained in:
Erik Arvstedt 2021-08-05 00:49:00 +02:00
parent e44f78ebb8
commit 178a0dcf8f
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
18 changed files with 56 additions and 39 deletions


@ -193,7 +193,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Connect through SOCKS5 proxy"; description = "Connect through SOCKS5 proxy";
}; };
listen = mkOption { listen = mkOption {


@ -184,7 +184,7 @@ in {
network=${config.services.bitcoind.network} network=${config.services.bitcoind.network}
bind=${cfg.btcpayserver.address} bind=${cfg.btcpayserver.address}
port=${toString cfg.btcpayserver.port} port=${toString cfg.btcpayserver.port}
socksendpoint=${cfg.tor.client.socksListenAddress} socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
btcexplorerurl=${nbExplorerUrl} btcexplorerurl=${nbExplorerUrl}
btcexplorercookiefile=${nbExplorerCookie} btcexplorercookiefile=${nbExplorerCookie}
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb


@ -34,7 +34,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = '' description = ''
Socks proxy for connecting to Tor nodes (or for all connections if option always-use-proxy is set). Socks proxy for connecting to Tor nodes (or for all connections if option always-use-proxy is set).
''; '';


@ -5,7 +5,13 @@ let
cfg = config.services.joinmarket-ob-watcher; cfg = config.services.joinmarket-ob-watcher;
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs; nbPkgs = config.nix-bitcoin.pkgs;
torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
socks5Settings = with config.services.tor.client.socksListenAddress; ''
socks5 = true
socks5_host = ${addr}
socks5_port = ${toString port}
'';
configFile = builtins.toFile "config" '' configFile = builtins.toFile "config" ''
[BLOCKCHAIN] [BLOCKCHAIN]
blockchain_source = no-blockchain blockchain_source = no-blockchain
@ -15,18 +21,14 @@ let
channel = joinmarket-pit channel = joinmarket-pit
port = 6697 port = 6697
usessl = true usessl = true
socks5 = true ${socks5Settings}
socks5_host = ${torAddress}
socks5_port = 9050
[MESSAGING:server2] [MESSAGING:server2]
host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion
channel = joinmarket-pit channel = joinmarket-pit
port = 6667 port = 6667
usessl = false usessl = false
socks5 = true ${socks5Settings}
socks5_host = ${torAddress}
socks5_port = 9050
''; '';
in { in {
options.services.joinmarket-ob-watcher = { options.services.joinmarket-ob-watcher = {
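Review bot: The new `socks5Settings` helper is spelled two different ways in this commit: here it relies on `with config.services.tor.client.socksListenAddress;` so that bare `addr` and `port` resolve from the attribute set, while the joinmarket module in the next file section binds `torAddress` and writes `torAddress.addr` / `torAddress.port`; the two snippets are otherwise identical, so one form should be used in both, preferably the explicit one, because a `with` on an attribute set makes `addr`/`port` silently resolve to whatever keys that set happens to carry. Since the commit already adds a shared `nix-bitcoin.torClientAddressWithPort` option, a shared INI snippet next to it would remove the duplication altogether. Also, the `''` literal ends with a newline, so `${socks5Settings}` yields a blank line before each following `[MESSAGING:...]` header; harmless for the INI parser, but worth a short comment, or `socks5Settings = ''...''` trimmed with `lib.removeSuffix "\n"`, if the blank line is not intended. The enclosing `let` continues outside this hunk.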


@ -10,7 +10,14 @@ let
runAsUser = config.nix-bitcoin.runAsUserCmd; runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services) bitcoind; inherit (config.services) bitcoind;
torAddress = builtins.head (builtins.split ":" config.services.tor.client.socksListenAddress);
torAddress = config.services.tor.client.socksListenAddress;
socks5Settings = ''
socks5 = true
socks5_host = ${torAddress.addr}
socks5_port = ${toString torAddress.port}
'';
# Based on https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/jmclient/jmclient/configure.py # Based on https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/jmclient/jmclient/configure.py
yg = cfg.yieldgenerator; yg = cfg.yieldgenerator;
configFile = builtins.toFile "config" '' configFile = builtins.toFile "config" ''
@ -34,18 +41,14 @@ let
channel = joinmarket-pit channel = joinmarket-pit
port = 6697 port = 6697
usessl = true usessl = true
socks5 = true ${socks5Settings}
socks5_host = ${torAddress}
socks5_port = 9050
[MESSAGING:server2] [MESSAGING:server2]
host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion host = ncwkrwxpq2ikcngxq3dy2xctuheniggtqeibvgofixpzvrwpa77tozqd.onion
channel = joinmarket-pit channel = joinmarket-pit
port = 6667 port = 6667
usessl = false usessl = false
socks5 = true ${socks5Settings}
socks5_host = ${torAddress}
socks5_port = 9050
[LOGGING] [LOGGING]
console_log_level = INFO console_log_level = INFO
@ -72,8 +75,8 @@ let
disable_output_substitution = 0 disable_output_substitution = 0
max_additional_fee_contribution = default max_additional_fee_contribution = default
min_fee_rate = 1.1 min_fee_rate = 1.1
onion_socks5_host = ${torAddress} onion_socks5_host = ${torAddress.addr}
onion_socks5_port = 9050 onion_socks5_port = ${toString torAddress.port}
tor_control_host = unix:/run/tor/control tor_control_host = unix:/run/tor/control
hidden_service_ssl = false hidden_service_ssl = false


@ -60,7 +60,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "host:port of SOCKS5 proxy for connnecting to the loop server."; description = "host:port of SOCKS5 proxy for connnecting to the loop server.";
}; };
extraConfig = mkOption { extraConfig = mkOption {


@ -54,7 +54,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "host:port of SOCKS5 proxy for connnecting to the pool auction server."; description = "host:port of SOCKS5 proxy for connnecting to the pool auction server.";
}; };
extraConfig = mkOption { extraConfig = mkOption {


@ -144,7 +144,7 @@ in {
}; };
proxy = mkOption { proxy = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Connect through SOCKS5 proxy"; description = "Connect through SOCKS5 proxy";
}; };
listen = mkOption { listen = mkOption {


@ -40,8 +40,9 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.tor = { services.tor = {
enable = true; enable = true;
hiddenServices.lnd-rest = nbLib.mkHiddenService { relay.onionServices.lnd-rest = nbLib.mkOnionService {
toHost = lnd.restAddress; target.addr = lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort; port = lnd.restPort;
}; };
}; };


@ -83,7 +83,7 @@ in {
}; };
tor-socks = mkOption { tor-socks = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = if cfg.enforceTor then config.services.tor.client.socksListenAddress else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Socks proxy for connecting to Tor nodes"; description = "Socks proxy for connecting to Tor nodes";
}; };
macaroons = mkOption { macaroons = mkOption {


@ -49,13 +49,19 @@ with lib;
default = import ../pkgs/lib.nix lib pkgs; default = import ../pkgs/lib.nix lib pkgs;
}; };
torClientAddressWithPort = mkOption {
readOnly = true;
default = with config.services.tor.client.socksListenAddress;
"${addr}:${toString port}";
};
# Torify binary that works with custom Tor SOCKS addresses # Torify binary that works with custom Tor SOCKS addresses
# Related issue: https://github.com/NixOS/nixpkgs/issues/94236 # Related issue: https://github.com/NixOS/nixpkgs/issues/94236
torify = mkOption { torify = mkOption {
readOnly = true; readOnly = true;
default = pkgs.writeScriptBin "torify" '' default = pkgs.writeScriptBin "torify" ''
${pkgs.tor}/bin/torify \ ${pkgs.tor}/bin/torify \
--address ${head (splitString ":" config.services.tor.client.socksListenAddress)} \ --address ${config.services.tor.client.socksListenAddress.addr} \
"$@" "$@"
''; '';
}; };
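Review bot: The torify wrapper still passes only `--address ${config.services.tor.client.socksListenAddress.addr}`, so the SOCKS port is left at torsocks' built-in default even though this commit turns `socksListenAddress.port` into a value that other places now read (the firewall rule in the netns-isolation section, the joinmarket configs); if the packaged torsocks accepts a `--port` flag, the line should become `--address ${config.services.tor.client.socksListenAddress.addr} --port ${toString config.services.tor.client.socksListenAddress.port} \`, otherwise the comment above should state that the port must stay at the torsocks default. The new `torClientAddressWithPort` option declares neither `type` nor `description`; as the file is under `with lib;`, `type = types.str;` plus a description such as `"Tor SOCKS client address as host:port, for programs that take a single proxy string."` would keep it in line with the neighbouring options. If `addr` can ever be an IPv6 literal, the `"${addr}:${toString port}"` form is ambiguous for most consumers, which expect `[addr]:port`; a comment noting the IPv4-only assumption, or bracketing when `addr` contains a colon, would cover that.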


@ -97,8 +97,13 @@ in {
# Base infrastructure # Base infrastructure
{ {
networking.dhcpcd.denyInterfaces = [ "nb-br" "nb-veth*" ]; networking.dhcpcd.denyInterfaces = [ "nb-br" "nb-veth*" ];
services.tor.client.socksListenAddress = "${bridgeIp}:9050"; services.tor.client.socksListenAddress = {
networking.firewall.interfaces.nb-br.allowedTCPPorts = [ 9050 ]; addr = bridgeIp;
# Default NixOS values. These must be repeated when redefining this option.
port = 9050;
IsolateDestAddr = true;
};
networking.firewall.interfaces.nb-br.allowedTCPPorts = [ config.services.tor.client.socksListenAddress.port ];
boot.kernel.sysctl."net.ipv4.ip_forward" = true; boot.kernel.sysctl."net.ipv4.ip_forward" = true;
security.wrappers.netns-exec = { security.wrappers.netns-exec = {
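Review bot: `port = 9050;` and `IsolateDestAddr = true;` are hand-copied NixOS defaults, as the comment says, so any later change to those defaults in nixpkgs is silently lost here; `IsolateDestAddr` is the one that matters, since it is the per-destination stream isolation for every service that reaches Tor through the bridge, and dropping it would not produce any error. If the NixOS option has a plain attribute-set default and `options` is available as a module argument, `services.tor.client.socksListenAddress = options.services.tor.client.socksListenAddress.default // { addr = bridgeIp; };` keeps the upstream values without repeating them; if not, an `assertions` entry checking `config.services.tor.client.socksListenAddress.IsolateDestAddr` would at least make a regression visible. Reading `socksListenAddress.port` for the firewall rule instead of the literal 9050 is the right direction either way.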


@ -95,12 +95,12 @@ let
''; '';
mkIfOnionPort = name: fn: mkIfOnionPort = name: fn:
if hiddenServices ? ${name} then if onionServices ? ${name} then
fn (toString (builtins.elemAt hiddenServices.${name}.map 0).port) fn (toString (builtins.elemAt onionServices.${name}.map 0).port)
else else
""; "";
inherit (config.services.tor) hiddenServices; inherit (config.services.tor.relay) onionServices;
in { in {
options = { options = {
nix-bitcoin.nodeinfo = { nix-bitcoin.nodeinfo = {


@ -57,14 +57,14 @@ in {
# Define hidden services # Define hidden services
services.tor = { services.tor = {
enable = true; enable = true;
hiddenServices = genAttrs activeServices (name: relay.onionServices = genAttrs activeServices (name:
let let
service = config.services.${name}; service = config.services.${name};
inherit (cfg.${name}) externalPort; inherit (cfg.${name}) externalPort;
in nbLib.mkHiddenService { in nbLib.mkOnionService {
port = if externalPort != null then externalPort else service.port; port = if externalPort != null then externalPort else service.port;
toPort = service.port; target.port = service.port;
toHost = if service.address == "0.0.0.0" then "127.0.0.1" else service.address; target.addr = if service.address == "0.0.0.0" then "127.0.0.1" else service.address;
} }
); );
}; };


@ -29,7 +29,7 @@ in {
]; ];
# sshd # sshd
services.tor.hiddenServices.sshd = nbLib.mkHiddenService { port = 22; }; services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ]; nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
services.bitcoind = { services.bitcoind = {


@ -11,7 +11,7 @@ let
NAME=$1 NAME=$1
AMOUNT=$2 AMOUNT=$2
echo Attempting to pay $AMOUNT sat to $NAME echo Attempting to pay $AMOUNT sat to $NAME
INVOICE=$(curl --socks5-hostname ${config.services.tor.client.socksListenAddress} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null INVOICE=$(curl --socks5-hostname ${config.nix-bitcoin.torClientAddressWithPort} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null
if [ -z "$INVOICE" ] || [ "$INVOICE" = "null" ]; then if [ -z "$INVOICE" ] || [ "$INVOICE" = "null" ]; then
echo "ERROR: did not get invoice from tallycoin" echo "ERROR: did not get invoice from tallycoin"
return return


@ -8,7 +8,7 @@ let
# Use wasabi rate provider because the default (bitstamp) doesn't accept # Use wasabi rate provider because the default (bitstamp) doesn't accept
# connections through Tor # connections through Tor
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.services.tor.client.socksListenAddress}"; torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}";
startScript = '' startScript = ''
${optionalString (cfg.getPublicAddressCmd != "") '' ${optionalString (cfg.getPublicAddressCmd != "") ''
publicURL="--public-url http://$(${cfg.getPublicAddressCmd})" publicURL="--public-url http://$(${cfg.getPublicAddressCmd})"


@ -80,7 +80,7 @@ let self = {
default = "exec"; default = "exec";
}; };
mkHiddenService = map: { mkOnionService = map: {
map = [ map ]; map = [ map ];
version = 3; version = 3;
}; };
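Review bot: `mkOnionService` has no comment describing the shape its `map` argument must now take; the call sites in this commit pass `{ port; target = { addr; port; }; }` (the sshd module passes only `{ port = 22; }`), which is the `services.tor.relay.onionServices.*.map` entry format rather than the `toHost`/`toPort` keys the old `mkHiddenService` took, and the nodeinfo module relies on `map` being a one-element list when it reads `elemAt ... 0`. A one-line comment above the definition such as `# map: one onionServices map entry { port; target = { addr; port; }; }, wrapped as a single-entry v3 onion service` would make that contract explicit for the next caller. The enclosing `let self = {` set starts outside this hunk.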