From 2a240d6f4a2bc624772b2065f07b1f1a55bf4eb0 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Thu, 14 Jan 2021 13:24:24 +0100 Subject: [PATCH] enable-tor: disable default onion services for clightning, lnd, btcpayserver In case of btcpayserver the default onion service is a security risk because any visitor can register an admin account on a freshly setup node. --- README.md | 2 +- examples/README.md | 2 +- examples/configuration.nix | 8 +++++++- modules/presets/enable-tor.nix | 3 --- modules/versioning.nix | 17 ++++++++++++++++- 5 files changed, 25 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 62d2970..8489d97 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ See the [examples directory](examples/README.md). Features --- A [configuration preset](modules/presets/secure-node.nix) for setting up a secure node -* All applications use Tor for outbound connections and accept inbound connections via onion services. +* All applications use Tor for outbound connections and support accepting inbound connections via onion services. * Includes a [nodeinfo](modules/nodeinfo.nix) script which prints basic info about the node. NixOS modules diff --git a/examples/README.md b/examples/README.md index 1280afb..328c6aa 100644 --- a/examples/README.md +++ b/examples/README.md @@ -11,7 +11,7 @@ nix-shell The following example scripts set up a nix-bitcoin node according to [`configuration.nix`](configuration.nix) and then shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\ -By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning` (with an onion service). +By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning`. - [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\ This is the fastest way to set up a node.\ 
diff --git a/examples/configuration.nix b/examples/configuration.nix index d3484ed..1d358db 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -96,6 +96,12 @@ # The lightning backend service automatically enabled. # Afterwards you need to go into Store > General Settings > Lightning Nodes # and click to use "the internal lightning node of this BTCPay Server". + # + # Set this to create an onion service to make the btcpayserver web interface + # accessible via Tor. + # Security WARNING: Create a btcpayserver administrator account before allowing + # public access to the web interface. + # nix-bitcoin.onionServices.btcpayserver.enable = true; ### LIQUIDD # Enable this module to use Liquid, a sidechain for an inter-exchange @@ -206,5 +212,5 @@ # The nix-bitcoin release version that your config is compatible with. # When upgrading to a backwards-incompatible release, nix-bitcoin will display an # an error and provide hints for migrating your config to the new release. - nix-bitcoin.configVersion = "0.0.26"; + nix-bitcoin.configVersion = "0.0.30"; } diff --git a/modules/presets/enable-tor.nix b/modules/presets/enable-tor.nix index 2d5ffd3..cdbd4d6 100644 --- a/modules/presets/enable-tor.nix +++ b/modules/presets/enable-tor.nix @@ -26,11 +26,8 @@ in { # Add onion services for incoming connections nix-bitcoin.onionServices = { bitcoind.enable = defaultTrue; - clightning.enable = defaultTrue; - lnd.enable = defaultTrue; liquidd.enable = defaultTrue; electrs.enable = defaultTrue; - btcpayserver.enable = defaultTrue; spark-wallet.enable = defaultTrue; }; } diff --git a/modules/versioning.nix b/modules/versioning.nix index 3803c86..f06a593 100644 --- a/modules/versioning.nix +++ b/modules/versioning.nix 
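Review bot: The `Security WARNING` added to the btcpayserver comment block tells the user to create an administrator account before allowing public access, but it gives neither the reason nor a safe way to do it, so a reader who never sees the commit message cannot judge the urgency. The reason stated in the commit message — on a fresh btcpayserver the first visitor to register becomes administrator — belongs in the comment, e.g. `# Security WARNING: On a fresh btcpayserver the first user to register becomes administrator.` followed by `# Create your administrator account (e.g. over a local connection or an SSH tunnel) before enabling this onion service.` If btcpayserver keeps registration open after the first account exists, the comment should also point the user at disabling registration in the server settings; I cannot confirm that behaviour from this hunk. The surrounding attribute set starts and ends outside the hunk.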
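Review bot: The context comment `# Add onion services for incoming connections` now sits above a list that silently omits clightning, lnd and btcpayserver, and nothing in the preset records why those three are opt-in, so a future cleanup could re-add them without noticing the consequence. A short rationale next to the `nix-bitcoin.onionServices` list would prevent that, e.g. `# clightning, lnd and btcpayserver are deliberately opt-in: btcpayserver's web UI lets the first visitor to register become administrator, so it must not be exposed before an admin account exists.` The commit message only justifies the btcpayserver removal; if clightning and lnd are removed for a different reason (I am inferring consistency or privacy), that reason should be stated as well. The enclosing `in { ... }` set begins before the hunk.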
@@ -5,7 +5,19 @@ let version = config.nix-bitcoin.configVersion; # Sorted by increasing version numbers - changes = [ + changes = let + mkOnionServiceChange = service: { + version = "0.0.30"; + condition = config.services.${service}.enable; + message = '' + The onion service for ${service} has been disabled in the default + configuration (`secure-node.nix`). + + To enable the onion service, add the following to your configuration: + nix-bitcon.onionServices.${service}.enable = true; + ''; + }; + in [ { version = "0.0.26"; condition = config.services.joinmarket.enable; @@ -54,6 +66,9 @@ let https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/v0.8.0/docs/NATIVE-SEGWIT-UPGRADE.md ''; } + (mkOnionServiceChange "clightning") + (mkOnionServiceChange "lnd") + (mkOnionServiceChange "btcpayserver") ]; incompatibleChanges = optionals
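Review bot: The hint text inside `message` misspells the option path: `nix-bitcon.onionServices.${service}.enable = true;` should read `nix-bitcoin.onionServices.${service}.enable = true;` — a user who copies the hint as printed will most likely get an undefined-option error instead of the onion service they were told to enable, which defeats the purpose of the migration note. The message also says the service was disabled in `secure-node.nix`, while the hunk in this commit edits `modules/presets/enable-tor.nix`; if secure-node.nix merely imports that preset the wording is acceptable, otherwise name the preset that actually changed. The `changes` list that `mkOnionServiceChange` feeds is closed in the following hunk.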
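Review bot: The `(mkOnionServiceChange "btcpayserver")` entry reuses the generic message, which tells an upgrading user exactly how to re-enable the onion service but not that doing so on a node without an administrator account lets any visitor register as admin, which is the reason the commit message gives for the change. Since this migration hint is the one place an existing user learns about the change, the btcpayserver entry should carry that warning: give `mkOnionServiceChange` an optional trailing note that is appended to `message` (or override `message` for this one entry with `//`), and pass the admin-registration warning for btcpayserver only. The clightning and lnd entries can keep the generic text. The `changes` list is opened in the previous hunk.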