electrs ssl

This commit is contained in:
nixbitcoin 2019-04-26 11:09:55 +02:00
parent 5c26539c48
commit 37b71d87b8
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
6 changed files with 72 additions and 6 deletions


@ -89,9 +89,19 @@ Connect to electrs
4. Connect to electrs 4. Connect to electrs
On electrum wallet machine On electrum wallet laptop
``` ```
electrum --oneserver --server=<ELECTRS_ONION>:50001:t electrum --oneserver --server=<ELECTRS_ONION>:50002:s
```
On electrum android phone
```
Three dots in the upper-right-hand corner
Network
Server > Enter <ELECTRS_ONION>
Back
Auto-connect: OFF
One-server mode: ON
``` ```
Connect to nix-bitcoin node through ssh Tor Hidden Service Connect to nix-bitcoin node through ssh Tor Hidden Service


@ -32,6 +32,16 @@ in {
default = 50001; default = 50001;
description = "Override the default port on which to listen for connections."; description = "Override the default port on which to listen for connections.";
}; };
onionport = mkOption {
type = types.ints.u16;
default = 50002;
description = "Override the default port on which to listen for connections.";
};
nginxport = mkOption {
type = types.ints.u16;
default = 50003;
description = "Override the default port on which to listen for connections.";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -48,7 +58,7 @@ in {
systemd.services.electrs = { systemd.services.electrs = {
description = "Run electrs"; description = "Run electrs";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" "nginx.service"];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" ];
# create shell script to start up electrs safely with password parameter # create shell script to start up electrs safely with password parameter
preStart = '' preStart = ''
@ -70,5 +80,28 @@ in {
PrivateDevices = "true"; PrivateDevices = "true";
}; };
}; };
services.nginx = {
enable = true;
appendConfig = ''
stream {
upstream electrs {
server 127.0.0.1:${toString config.services.electrs.port};
}
server {
listen ${toString config.services.electrs.nginxport} ssl;
proxy_pass electrs;
ssl_certificate /secrets/ssl_certificate;
ssl_certificate_key /secrets/ssl_certificate_key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
}
}
'';
};
}; };
} }
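Review bot: The new stream server uses `listen ${toString config.services.electrs.nginxport} ssl;` with no address, so nginx binds the TLS endpoint on every interface rather than only for the Tor hidden service; unless a firewall elsewhere in the configuration blocks it (not visible here), the line should read `listen 127.0.0.1:${toString config.services.electrs.nginxport} ssl;`. The protocol list `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables deprecated versions that the Electrum clients this is meant for do not need; `ssl_protocols TLSv1.2 TLSv1.3;` is sufficient. In the electrs service, `requires` now lists nginx.service but `after` was left at bitcoind.service only, so the new dependency does not order startup; if nginx must be up first, add it to `after` as well (note the data flow is actually nginx → electrs, so the dependency arguably belongs on nginx). Finally, the two new options copy the `port` description verbatim; something like `description = "Port the Tor hidden service exposes for TLS connections to electrs."` and `description = "Local port on which nginx terminates TLS in front of electrs."` would tell the reader which is which.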


@ -146,10 +146,12 @@ in {
services.spark-wallet.onion-service = true; services.spark-wallet.onion-service = true;
services.electrs.port = 50001; services.electrs.port = 50001;
services.electrs.onionport = 50002;
services.electrs.nginxport = 50003;
services.electrs.high-memory = false; services.electrs.high-memory = false;
services.tor.hiddenServices.electrs = { services.tor.hiddenServices.electrs = {
map = [{ map = [{
port = config.services.electrs.port; toPort = config.services.electrs.port; port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport;
}]; }];
version = 3; version = 3;
}; };
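Review bot: The added `services.electrs.onionport = 50002;` and `services.electrs.nginxport = 50003;` (like the existing `port = 50001;`) restate the module's own defaults, so they change nothing and the reader cannot tell whether they are meant to be edited. Either drop them or prefix the group with a comment such as `# Default ports; adjust here if they collide with another service.` so the intent is explicit.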


@ -36,6 +36,20 @@ let
group = "clightning"; group = "clightning";
permissions = "0440"; permissions = "0440";
}; };
ssl_certificate_key = {
keyFile = ../secrets/ssl_certificate_key.key;
destDir = "/secrets/";
user = "nginx";
group = "root";
permissions = "0440";
};
ssl_certificate = {
keyFile = ../secrets/ssl_certificate.crt;
destDir = "/secrets/";
user = "nginx";
group = "root";
permissions = "0440";
};
in { in {
network.description = "Bitcoin Core node"; network.description = "Bitcoin Core node";
@ -50,6 +64,7 @@ in {
// (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { }) // (if (config.services.lightning-charge.enable) then { inherit lightning-charge-api-token; } else { })
// (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { }) // (if (config.services.nanopos.enable) then { inherit lightning-charge-api-token-for-nanopos; } else { })
// (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { }) // (if (config.services.liquidd.enable) then { inherit liquid-rpcpassword; } else { })
// (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { }); // (if (config.services.spark-wallet.enable) then { inherit spark-wallet-login; } else { })
// (if (config.services.electrs.enable) then { inherit ssl_certificate_key ssl_certificate; } else { });
} // (bitcoin-node { inherit config pkgs; }); } // (bitcoin-node { inherit config pkgs; });
} }
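Review bot: The `ssl_certificate` entry is the public certificate, yet it is deployed with the same `permissions = "0440"` and `group = "root"` as the private key, and nothing in the attribute set says which of the two is the sensitive one. A short comment on each, e.g. `# private key — must stay readable only by nginx` and `# public self-signed cert served to Electrum clients (not secret)`, would prevent a later edit from loosening the wrong file. It is also worth confirming (not visible here) that the `../secrets/` directory these `keyFile` paths point at is excluded from version control, since the key is generated into the deployer's checkout.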


@ -17,3 +17,9 @@ echo Write secrets to $SECRETSFILE
echo \} echo \}
} >> $SECRETSFILE } >> $SECRETSFILE
echo Done echo Done
echo Generate Self-Signed Cert
openssl genrsa -out secrets/ssl_certificate_key.key 2048
openssl req -new -key secrets/ssl_certificate_key.key -out secrets/ssl_certificate.csr -subj "/C=KN"
openssl x509 -req -days 1825 -in secrets/ssl_certificate.csr -signkey secrets/ssl_certificate_key.key -out secrets/ssl_certificate.crt
echo Done
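Review bot: The new `openssl genrsa ... -out secrets/ssl_certificate_key.key` line writes the private key with whatever the current umask allows, and re-running the script silently overwrites an existing key and certificate, which would invalidate the certificate any Electrum client has already pinned for the onion service. Unless an earlier part of the script (outside this hunk) already refuses to run when secrets exist, guard the generation on the key's absence and generate it under a restrictive umask; the intermediate `.csr` can also be removed since only the key and the signed certificate are deployed. The earlier, unchanged part of the script is not visible here.

```shell
echo Generate Self-Signed Cert
if [ ! -f secrets/ssl_certificate_key.key ]; then
    # umask in a subshell so the key is never world-readable, even briefly
    (umask 077; openssl genrsa -out secrets/ssl_certificate_key.key 2048)
    openssl req -new -key secrets/ssl_certificate_key.key -out secrets/ssl_certificate.csr -subj "/C=KN"
    openssl x509 -req -days 1825 -in secrets/ssl_certificate.csr -signkey secrets/ssl_certificate_key.key -out secrets/ssl_certificate.crt
    rm -f secrets/ssl_certificate.csr
else
    echo "secrets/ssl_certificate_key.key exists, keeping it (clients may have pinned the cert)"
fi
echo Done
```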


@ -6,7 +6,7 @@ with import nixpkgs { };
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "nix-bitcoin-environment"; name = "nix-bitcoin-environment";
buildInputs = [ pkgs.nixops pkgs.figlet pkgs.apg ]; buildInputs = [ pkgs.nixops pkgs.figlet pkgs.apg pkgs.openssl ];
shellHook = '' shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs}:." export NIX_PATH="nixpkgs=${nixpkgs}:."