Merge fort-nix/nix-bitcoin#414: Update nixpkgs-unstable, fix whitelisting local services

aada35fc7b minor improvements (Erik Arvstedt)
1da23cd933 bitcoind, liquidd: add whitelisted socket (Erik Arvstedt)
8c3a88b2e8 update nixpkgs-unstable (Erik Arvstedt)
cc3d43f4e9 bitcoind: set onionPort in bitcoind module (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK aada35fc7b

Tree-SHA512: cd9ea2386bd28b0b1fc6a9c1691022f9c4ce40bb92acc6606b4ca55cf8cc57fe20e9bd3d19255c345c4015b1a13d2f292c035c2a05a421031859026f50c7ce20
Jonas Nick 2021-10-30 15:36:43 +00:00
commit 3e018d0263
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
13 changed files with 97 additions and 57 deletions


@ -101,6 +101,7 @@ Docs
Troubleshooting Troubleshooting
--- ---
If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue. If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.\
There's also a `#nix-bitcoin` IRC channel on [libera](https://libera.chat). There's also a Matrix room at [#general:nixbitcoin.org](https://matrix.to/#/#general:nixbitcoin.org)
and a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).\
We are always happy to help. We are always happy to help.


@ -24,7 +24,7 @@
# modules by commenting out their respective line. # modules by commenting out their respective line.
### BITCOIND ### BITCOIND
# Bitcoind is enabled by default. # Bitcoind is enabled by default via secure-node.nix.
# #
# Set this option to enable pruning with a specified MiB value. # Set this option to enable pruning with a specified MiB value.
# clightning is compatible with pruning. See # clightning is compatible with pruning. See


@ -33,16 +33,16 @@
}, },
"nixpkgsUnstable": { "nixpkgsUnstable": {
"locked": { "locked": {
"lastModified": 1633514490, "lastModified": 1635295995,
"narHash": "sha256-wQrUBgyF4EXlz9HgEHrQEj9vbgh6+nO8iXc3XCTQkLA=", "narHash": "sha256-sGYiXjFlxTTMNb4NSkgvX+knOOTipE6gqwPUQpxNF+c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1c1b567985bd1be77601657562ed20299d169529", "rev": "22a500a3f87bbce73bd8d777ef920b43a636f018",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master", "ref": "nixpkgs-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }


@ -6,7 +6,7 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
nixpkgsUnstable.url = "github:NixOS/nixpkgs/master"; nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
}; };


@ -17,12 +17,35 @@ let
}; };
onionPort = mkOption { onionPort = mkOption {
type = types.nullOr types.port; type = types.nullOr types.port;
default = null; # When the bitcoind onion service is enabled, add an onion-tagged socket
# to distinguish local connections from Tor connections
default = if (config.nix-bitcoin.onionServices.bitcoind.enable or false) then 8334 else null;
description = '' description = ''
Port to listen for Tor peer connections. Port to listen for Tor peer connections.
If set, inbound connections to this port are tagged as onion peers. If set, inbound connections to this port are tagged as onion peers.
''; '';
}; };
listen = mkOption {
type = types.bool;
default = false;
description = ''
Listen for peer connections at `address:port`
and `address:onionPort` (if `onionPort` is set).
'';
};
listenWhitelisted = mkOption {
type = types.bool;
default = false;
description = ''
Listen for peer connections at `address:whitelistedPort`.
Peers connected through this socket are automatically whitelisted.
'';
};
whitelistedPort = mkOption {
type = types.port;
default = 8335;
description = "See `listenWhitelisted`.";
};
getPublicAddressCmd = mkOption { getPublicAddressCmd = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
@ -145,11 +168,6 @@ let
With `only-outgoing`, incoming i2p connections are disabled. With `only-outgoing`, incoming i2p connections are disabled.
''; '';
}; };
listen = mkOption {
type = types.bool;
default = false;
description = "Accept incoming connections.";
};
dataDirReadableByGroup = mkOption { dataDirReadableByGroup = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -271,15 +289,17 @@ let
${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"} ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
# Connection options # Connection options
listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
${optionalString cfg.listen ${optionalString cfg.listen
"bind=${cfg.address}:${toString cfg.port}"} "bind=${cfg.address}:${toString cfg.port}"}
${optionalString (cfg.listen && cfg.onionPort != null) ${optionalString (cfg.listen && cfg.onionPort != null)
"bind=${cfg.address}:${toString cfg.onionPort}=onion"} "bind=${cfg.address}:${toString cfg.onionPort}=onion"}
${optionalString cfg.listenWhitelisted
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"} ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"} ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
listen=${if cfg.listen then "1" else "0"}
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"} ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes} ${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}
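Review bot: The new `whitebind=${cfg.address}:${toString cfg.whitelistedPort}` line carries no permission prefix, so every peer reaching that socket receives bitcoind's default whitelist permission set, whereas the `whitelist=download@…` entries this PR removes from electrs.nix and btcpayserver.nix scoped those local services to `download` only. If that narrowing was intentional it can be kept with `"whitebind=download@${cfg.address}:${toString cfg.whitelistedPort}"`, since Bitcoin Core accepts the same `[permissions@]` prefix on `-whitebind` as on `-whitelist`. Either way the `listenWhitelisted` description in the first hunk should spell out the trust boundary, e.g. `Peers connected through this socket are automatically whitelisted (bitcoind's default whitelist permissions), so address:whitelistedPort must only be reachable from the local host or the netns.` The same applies to the `whitebind` line added in liquidd.nix. Both the option set and the config template continue outside these hunks.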


@ -116,25 +116,20 @@ in {
"getpeerinfo" "getpeerinfo"
]; ];
}; };
# Enable p2p connections listenWhitelisted = true;
listen = true;
extraConfig = ''
whitelist=download@${nbLib.address cfg.nbxplorer.address}
'';
}; };
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true; services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true; services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
enable = true;
macaroons.btcpayserver = {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
};
services.liquidd = mkIf cfg.btcpayserver.lbtc { services.liquidd = mkIf cfg.btcpayserver.lbtc {
enable = true; enable = true;
# Enable p2p connections listenWhitelisted = true;
listen = true;
}; };
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ "btcpaydb" ]; ensureDatabases = [ "btcpaydb" ];
@ -154,14 +149,14 @@ in {
network=${bitcoind.network} network=${bitcoind.network}
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name} btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port} btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.port} btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
bind=${cfg.nbxplorer.address} bind=${cfg.nbxplorer.address}
port=${toString cfg.nbxplorer.port} port=${toString cfg.nbxplorer.port}
${optionalString cfg.btcpayserver.lbtc '' ${optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc chains=btc,lbtc
lbtcrpcuser=${liquidd.rpcuser} lbtcrpcuser=${liquidd.rpcuser}
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port} lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.port} lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address bitcoind.whitelistedPort}
''} ''}
''; '';
in { in {
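Review bot: `lbtcnodeendpoint` in the last hunk pairs `liquidd.address` with `bitcoind.whitelistedPort`, so NBXplorer's Liquid P2P endpoint points at port 8335 instead of the liquidd whitelisted socket this file enables via `services.liquidd.listenWhitelisted = true`; it should read `lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}`. As written the lbtc chain either finds nothing listening or, when both daemons share an address, NBXplorer's Liquid connection lands on bitcoind's whitelisted socket. The enclosing config-string definition starts outside the hunk.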


@ -91,8 +91,10 @@ let
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
# If the clightning onion service is enabled, use the onion port as the public port # If a public clightning onion service is enabled, use the onion port as the public port
publicPort = if config.nix-bitcoin.onionServices.clightning.enable or false then publicPort = if (config.nix-bitcoin.onionServices.clightning.enable or false)
&& config.nix-bitcoin.onionServices.clightning.public
then
(builtins.elemAt config.services.tor.relay.onionServices.clightning.map 0).port (builtins.elemAt config.services.tor.relay.onionServices.clightning.map 0).port
else else
cfg.port; cfg.port;


@ -58,9 +58,7 @@ in {
services.bitcoind = { services.bitcoind = {
enable = true; enable = true;
# Enable p2p connections listenWhitelisted = true;
listen = true;
extraConfig = "whitelist=download@${nbLib.address cfg.address}";
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
@ -88,7 +86,7 @@ in {
--electrum-rpc-addr=${cfg.address}:${toString cfg.port} \ --electrum-rpc-addr=${cfg.address}:${toString cfg.port} \
--monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \ --monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \
--daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \ --daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \
--daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.port} \ --daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} \
${cfg.extraArgs} ${cfg.extraArgs}
''; '';
User = cfg.user; User = cfg.user;


@ -15,6 +15,37 @@ let
default = 7042; default = 7042;
description = "Override the default port on which to listen for connections."; description = "Override the default port on which to listen for connections.";
}; };
onionPort = mkOption {
type = types.nullOr types.port;
# When the liquidd onion service is enabled, add an onion-tagged socket
# to distinguish local connections from Tor connections
default = if (config.nix-bitcoin.onionServices.liquidd.enable or false) then 7043 else null;
description = ''
Port to listen for Tor peer connections.
If set, inbound connections to this port are tagged as onion peers.
'';
};
listen = mkOption {
type = types.bool;
default = false;
description = ''
Listen for peer connections at `address:port`
and `address:onionPort` (if `onionPort` is set).
'';
};
listenWhitelisted = mkOption {
type = types.bool;
default = false;
description = ''
Listen for peer connections at `address:whitelistedPort`.
Peers connected through this socket are automatically whitelisted.
'';
};
whitelistedPort = mkOption {
type = types.port;
default = 7044;
description = "See `listenWhitelisted`.";
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -70,13 +101,6 @@ let
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null; default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
description = "Connect through SOCKS5 proxy"; description = "Connect through SOCKS5 proxy";
}; };
listen = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the liquid service will listen.
'';
};
dbCache = mkOption { dbCache = mkOption {
type = types.nullOr (types.ints.between 4 16384); type = types.nullOr (types.ints.between 4 16384);
default = null; default = null;
@ -153,10 +177,14 @@ let
${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"} ${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"}
# Connection options # Connection options
${optionalString cfg.listen "bind=${cfg.address}"} listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
port=${toString cfg.port} ${optionalString cfg.listen
"bind=${cfg.address}:${toString cfg.port}"}
${optionalString (cfg.listen && cfg.onionPort != null)
"bind=${cfg.address}:${toString cfg.onionPort}=onion"}
${optionalString cfg.listenWhitelisted
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
listen=${if cfg.listen then "1" else "0"}
# RPC server options # RPC server options
rpcport=${toString cfg.rpc.port} rpcport=${toString cfg.rpc.port}
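Review bot: The `bind=…=onion` suffix and the `whitebind=` socket added in the last hunk are only understood by Elements builds based on a recent enough Bitcoin Core (the `=onion` bind suffix arrived in Core 0.21, permission prefixes on `-whitebind` in 0.19); the liquidd package version is not visible in this diff, so this needs confirming, since an unsupported `-bind` value stops the daemon at startup rather than degrading. The dropped `port=${toString cfg.port}` line was also the only place the listen port was set when `listen` is true but `address` is unspecified, so a short comment on the new `bind=` line noting that the port now lives there, e.g. `# port is carried by bind=, no separate port= line`, would help the next reader. The config template continues outside the hunk.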


@ -43,14 +43,14 @@ let
}; };
netns = mkOption { netns = mkOption {
default = netns;
readOnly = true; readOnly = true;
default = netns;
description = "Exposes netns parameters."; description = "Exposes netns parameters.";
}; };
bridgeIp = mkOption { bridgeIp = mkOption {
default = bridgeIp;
readOnly = true; readOnly = true;
default = bridgeIp;
description = "IP of the netns bridge interface."; description = "IP of the netns bridge interface.";
}; };
}; };


@ -118,10 +118,6 @@ in {
externalPort = 80; externalPort = 80;
}; };
}; };
# When the bitcoind onion service is enabled, add an onion-tagged socket
# to distinguish local connections from Tor connections
services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
} }
]; ];
} }


@ -74,16 +74,14 @@ let
tests.charge-lnd = cfg.charge-lnd.enable; tests.charge-lnd = cfg.charge-lnd.enable;
tests.electrs = cfg.electrs.enable; tests.electrs = cfg.electrs.enable;
# Sigterm is broken during IBD in version 0.9.0 https://github.com/romanz/electrs/issues/532
systemd.services.electrs.serviceConfig.KillSignal = "SIGKILL";
tests.liquidd = cfg.liquidd.enable; tests.liquidd = cfg.liquidd.enable;
services.liquidd.extraConfig = mkIf config.test.noConnections "connect=0"; services.liquidd.extraConfig = mkIf config.test.noConnections "connect=0";
tests.btcpayserver = cfg.btcpayserver.enable; tests.btcpayserver = cfg.btcpayserver.enable;
services.btcpayserver = { services.btcpayserver = {
lightningBackend = "lnd"; lightningBackend = mkDefault "lnd";
lbtc = true; lbtc = mkDefault true;
}; };
# Needed to test macaroon creation # Needed to test macaroon creation
environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]); environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);


@ -201,6 +201,8 @@ def _():
f"-X GET https://{ip('lnd')}:8080/v1/getinfo | jq", f"-X GET https://{ip('lnd')}:8080/v1/getinfo | jq",
'"version"', '"version"',
) )
# Test web server response
assert_matches(f"curl -L {ip('btcpayserver')}:23000", "Welcome to your BTCPay Server")
@test("spark-wallet") @test("spark-wallet")
def _(): def _():