enable-tor: disable default onion services for clightning, lnd, btcpayserver

In case of btcpayserver the default onion service is a security risk
because any visitor can register an admin account on a freshly set up node.
Erik Arvstedt 2021-01-14 13:24:24 +01:00
parent 18c7842e1a
commit 2a240d6f4a
5 changed files with 25 additions and 7 deletions


@ -48,7 +48,7 @@ See the [examples directory](examples/README.md).
Features Features
--- ---
A [configuration preset](modules/presets/secure-node.nix) for setting up a secure node A [configuration preset](modules/presets/secure-node.nix) for setting up a secure node
* All applications use Tor for outbound connections and accept inbound connections via onion services. * All applications use Tor for outbound connections and support accepting inbound connections via onion services.
* Includes a [nodeinfo](modules/nodeinfo.nix) script which prints basic info about the node. * Includes a [nodeinfo](modules/nodeinfo.nix) script which prints basic info about the node.
NixOS modules NixOS modules


@ -11,7 +11,7 @@ nix-shell
The following example scripts set up a nix-bitcoin node according to [`configuration.nix`](configuration.nix) and then The following example scripts set up a nix-bitcoin node according to [`configuration.nix`](configuration.nix) and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\ shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\
By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning` (with an onion service). By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning`.
- [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\ - [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\ This is the fastest way to set up a node.\


@ -96,6 +96,12 @@
# The lightning backend service automatically enabled. # The lightning backend service automatically enabled.
# Afterwards you need to go into Store > General Settings > Lightning Nodes # Afterwards you need to go into Store > General Settings > Lightning Nodes
# and click to use "the internal lightning node of this BTCPay Server". # and click to use "the internal lightning node of this BTCPay Server".
#
# Set this to create an onion service to make the btcpayserver web interface
# accessible via Tor.
# Security WARNING: Create a btcpayserver administrator account before allowing
# public access to the web interface.
# nix-bitcoin.onionServices.btcpayserver.enable = true;
### LIQUIDD ### LIQUIDD
# Enable this module to use Liquid, a sidechain for an inter-exchange # Enable this module to use Liquid, a sidechain for an inter-exchange
@ -206,5 +212,5 @@
# The nix-bitcoin release version that your config is compatible with. # The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide hints for migrating your config to the new release. # an error and provide hints for migrating your config to the new release.
nix-bitcoin.configVersion = "0.0.26"; nix-bitcoin.configVersion = "0.0.30";
} }
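Review bot: The security warning added above the commented-out `nix-bitcoin.onionServices.btcpayserver.enable` line tells the reader what to do but not why, while the commit description gives the reason. Stating it in the example makes the ordering requirement self-explanatory to someone who only reads configuration.nix: `# Security WARNING: Create a btcpayserver administrator account before allowing` / `# public access to the web interface: on a freshly set up node any visitor` / `# can register an admin account.` The second hunk in this section is only the configVersion bump.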


@ -26,11 +26,8 @@ in {
# Add onion services for incoming connections # Add onion services for incoming connections
nix-bitcoin.onionServices = { nix-bitcoin.onionServices = {
bitcoind.enable = defaultTrue; bitcoind.enable = defaultTrue;
clightning.enable = defaultTrue;
lnd.enable = defaultTrue;
liquidd.enable = defaultTrue; liquidd.enable = defaultTrue;
electrs.enable = defaultTrue; electrs.enable = defaultTrue;
btcpayserver.enable = defaultTrue;
spark-wallet.enable = defaultTrue; spark-wallet.enable = defaultTrue;
}; };
} }


@ -5,7 +5,19 @@ let
version = config.nix-bitcoin.configVersion; version = config.nix-bitcoin.configVersion;
# Sorted by increasing version numbers # Sorted by increasing version numbers
changes = [ changes = let
mkOnionServiceChange = service: {
version = "0.0.30";
condition = config.services.${service}.enable;
message = ''
The onion service for ${service} has been disabled in the default
configuration (`secure-node.nix`).
To enable the onion service, add the following to your configuration:
nix-bitcon.onionServices.${service}.enable = true;
'';
};
in [
{ {
version = "0.0.26"; version = "0.0.26";
condition = config.services.joinmarket.enable; condition = config.services.joinmarket.enable;
@ -54,6 +66,9 @@ let
https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/v0.8.0/docs/NATIVE-SEGWIT-UPGRADE.md https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/v0.8.0/docs/NATIVE-SEGWIT-UPGRADE.md
''; '';
} }
(mkOnionServiceChange "clightning")
(mkOnionServiceChange "lnd")
(mkOnionServiceChange "btcpayserver")
]; ];
incompatibleChanges = optionals incompatibleChanges = optionals
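Review bot: The option path in the migration message built by mkOnionServiceChange is misspelled: `nix-bitcon.onionServices.${service}.enable = true;` should read `nix-bitcoin.onionServices.${service}.enable = true;`, matching the option used in secure-node.nix and in the example configuration. A user who pastes the line as printed gets an undefined-option evaluation error instead of the onion service they meant to re-enable, so the hint fails at exactly the point where it is supposed to guide a security-relevant change. The condition `config.services.${service}.enable` also seems to trigger for users who have already set the onion service explicitly; if the versioning machinery does not suppress that case elsewhere, `condition = config.services.${service}.enable && !config.nix-bitcoin.onionServices.${service}.enable;` would limit the message to nodes that actually lost the service. The versioning.nix section continues beyond the end of this excerpt.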