From 37b71d87b8edabdb47ec8692361e43acbe25cb59 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Fri, 26 Apr 2019 11:09:55 +0200 Subject: [PATCH] electrs ssl --- docs/usage.md | 14 ++++++++++++-- modules/electrs.nix | 35 ++++++++++++++++++++++++++++++++++- modules/nix-bitcoin.nix | 4 +++- network/network.nix | 17 ++++++++++++++++- secrets/generate_secrets.sh | 6 ++++++ shell.nix | 2 +- 6 files changed, 72 insertions(+), 6 deletions(-) diff --git a/docs/usage.md b/docs/usage.md index be8c0c6..33a1461 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -89,9 +89,19 @@ Connect to electrs 4. Connect to electrs - On electrum wallet machine + On electrum wallet laptop ``` - electrum --oneserver --server=:50001:t + electrum --oneserver --server=:50002:s + ``` + + On electrum android phone + ``` + Three dots in the upper-right-hand corner + Network + Server > Enter + Back + Auto-connect: OFF + One-server mode: ON ``` Connect to nix-bitcoin node through ssh Tor Hidden Service diff --git a/modules/electrs.nix b/modules/electrs.nix index 1d9dc38..bb9795a 100644 --- a/modules/electrs.nix +++ b/modules/electrs.nix @@ -32,6 +32,16 @@ in { default = 50001; description = "Override the default port on which to listen for connections."; }; + onionport = mkOption { + type = types.ints.u16; + default = 50002; + description = "Override the default port on which to listen for connections."; + }; + nginxport = mkOption { + type = types.ints.u16; + default = 50003; + description = "Override the default port on which to listen for connections."; + }; }; config = mkIf cfg.enable { @@ -48,7 +58,7 @@ in { systemd.services.electrs = { description = "Run electrs"; wantedBy = [ "multi-user.target" ]; - requires = [ "bitcoind.service" ]; + requires = [ "bitcoind.service" "nginx.service"]; after = [ "bitcoind.service" ]; # create shell script to start up electrs safely with password parameter preStart = '' 
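Review bot: Both new options, `onionport` and `nginxport`, carry the `port` option's description verbatim (`Override the default port on which to listen for connections.`), so the generated module docs cannot tell the three ports apart. From the rest of the patch, `onionport` is the virtual port the Tor hidden service exposes and `nginxport` is the port on which nginx terminates TLS before proxying to `port`; I'd say so: `description = "Virtual port on the Tor hidden service on which electrs is reachable over TLS.";` and `description = "Local port on which nginx terminates TLS and proxies to electrs.";`. Naming the TLS-terminating listener after its implementation (`nginxport`) rather than its role (e.g. `tlsport`) also leaks a detail users shouldn't need to know, though renaming is optional at this stage.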
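Review bot: `requires = [ "bitcoind.service" "nginx.service"]` makes nginx a hard dependency of electrs without adding it to `after`, so the two have no start ordering, and because `Requires=` propagates stops, an nginx that is stopped or fails (e.g. a missing certificate under /secrets) can take the indexer down with it. The dependency also points the wrong way: nginx is the one that proxies to electrs, electrs itself never needs nginx. I'd leave this line as `requires = [ "bitcoind.service" ];` and, if ordering is wanted, express it on the proxy side with `systemd.services.nginx.after = [ "electrs.service" ];`. The `systemd.services.electrs` attribute set continues past the end of this hunk.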
@@ -70,5 +80,28 @@ in { PrivateDevices = "true"; }; }; + + services.nginx = { + enable = true; + appendConfig = '' + stream { + upstream electrs { + server 127.0.0.1:${toString config.services.electrs.port}; + } + + server { + listen ${toString config.services.electrs.nginxport} ssl; + proxy_pass electrs; + + ssl_certificate /secrets/ssl_certificate; + ssl_certificate_key /secrets/ssl_certificate_key; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 4h; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + } + } + ''; + }; }; } diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix index 8c56d90..ac277f9 100644 --- a/modules/nix-bitcoin.nix +++ b/modules/nix-bitcoin.nix @@ -146,10 +146,12 @@ in { services.spark-wallet.onion-service = true; services.electrs.port = 50001; + services.electrs.onionport = 50002; + services.electrs.nginxport = 50003; services.electrs.high-memory = false; services.tor.hiddenServices.electrs = { map = [{ - port = config.services.electrs.port; toPort = config.services.electrs.port; + port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport; }]; version = 3; }; diff --git a/network/network.nix b/network/network.nix index df97fb5..4059e40 100644 --- a/network/network.nix +++ b/network/network.nix @@ -36,6 +36,20 @@ let group = "clightning"; permissions = "0440"; }; + ssl_certificate_key = { + keyFile = ../secrets/ssl_certificate_key.key; + destDir = "/secrets/"; + user = "nginx"; + group = "root"; + permissions = "0440"; + }; + ssl_certificate = { + keyFile = ../secrets/ssl_certificate.crt; + destDir = "/secrets/"; + user = "nginx"; + group = "root"; + permissions = "0440"; + }; in { network.description = "Bitcoin Core node"; 
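Review bot: `listen ${toString config.services.electrs.nginxport} ssl;` has no address, so nginx binds the TLS listener on every interface, while the only intended client is the local Tor daemon (the hidden service in nix-bitcoin.nix maps onto this port). Bind it to loopback: `listen 127.0.0.1:${toString config.services.electrs.nginxport} ssl;`. In the same server block, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables the deprecated TLS 1.0 and 1.1; as far as I know current Electrum clients negotiate TLS 1.2, so `ssl_protocols TLSv1.2 TLSv1.3;` is enough. `ssl_prefer_server_ciphers on` without an accompanying `ssl_ciphers` list only reorders nginx's default suite, which is acceptable but worth a one-line comment so a later reader doesn't assume the cipher list was hardened here.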
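Review bot: `ssl_certificate_key` is deployed with `user = "nginx"` and `permissions = "0440"`, which makes the private key readable by the unprivileged nginx worker processes; a compromised worker could then exfiltrate the key that the onion-side TLS trust rests on. If, as I believe, NixOS starts the nginx master as root and only the workers drop to `nginx`, the master loads the key before forking and root ownership suffices: `user = "root"; group = "root"; permissions = "0400";` for the key entry. The certificate is public, so `0440` under `nginx` is harmless for `ssl_certificate`, but using `0444` there would make the asymmetry between the two entries explicit. The `let` block these entries live in starts before this hunk.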
@@ -50,6 +64,7 @@ in {
 // (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
 // (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
 // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
- // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { });
+ // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
+ // (if (config.services.electrs.enable) then { inherit ssl_certificate_key ssl_certificate; } else { });
 } // (bitcoin-node { inherit config pkgs; });
 }
diff --git a/secrets/generate_secrets.sh b/secrets/generate_secrets.sh
index 672ce05..460de78 100755
--- a/secrets/generate_secrets.sh
+++ b/secrets/generate_secrets.sh
@@ -17,3 +17,9 @@ echo Write secrets to $SECRETSFILE
 echo \}
 } >> $SECRETSFILE
 echo Done
+
+echo Generate Self-Signed Cert
+openssl genrsa -out secrets/ssl_certificate_key.key 2048
+openssl req -new -key secrets/ssl_certificate_key.key -out secrets/ssl_certificate.csr -subj "/C=KN"
+openssl x509 -req -days 1825 -in secrets/ssl_certificate.csr -signkey secrets/ssl_certificate_key.key -out secrets/ssl_certificate.crt
+echo Done
diff --git a/shell.nix b/shell.nix
index 532322b..6eb7852 100644
--- a/shell.nix
+++ b/shell.nix
@@ -6,7 +6,7 @@ with import nixpkgs { };
 stdenv.mkDerivation rec {
 name = "nix-bitcoin-environment";
- buildInputs = [ pkgs.nixops pkgs.figlet pkgs.apg ];
+ buildInputs = [ pkgs.nixops pkgs.figlet pkgs.apg pkgs.openssl ];
 shellHook = ''
 export NIX_PATH="nixpkgs=${nixpkgs}:."
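Review bot: The three `openssl` lines regenerate the key and certificate unconditionally on every run of the script, so rerunning it after a deployment silently rotates the server certificate; Electrum pins a server's self-signed certificate on first connect (as far as I recall), so every wallet already pointed at the node would then refuse to connect. The key is also written under the caller's default umask rather than a restrictive one, the intermediate `.csr` is left behind, and nothing checks exit status, so the trailing `echo Done` prints even when generation failed (unless the script sets `-e` above this hunk, which is outside my view). I'd skip generation when a key already exists, create it under `umask 077`, go straight to a self-signed certificate with `req -new -x509`, and fail loudly on error.

```shell
# … unchanged: password generation and "echo Done" …

echo Generate Self-Signed Cert
# Never overwrite an existing key/cert: Electrum clients pin the self-signed
# certificate on first connect, so regenerating it locks them out.
if [ ! -e secrets/ssl_certificate_key.key ]; then
  (umask 077 && openssl genrsa -out secrets/ssl_certificate_key.key 2048) || exit 1
  openssl req -new -x509 -days 1825 -key secrets/ssl_certificate_key.key \
    -subj "/C=KN" -out secrets/ssl_certificate.crt || exit 1
fi
echo Done
```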