Merge fort-nix/nix-bitcoin#414: Update nixpkgs-unstable, fix whitelisting local services
aada35fc7b
minor improvements (Erik Arvstedt)1da23cd933
bitcoind, liquidd: add whitelisted socket (Erik Arvstedt)8c3a88b2e8
update nixpkgs-unstable (Erik Arvstedt)cc3d43f4e9
bitcoind: set onionPort in bitcoind module (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACKaada35fc7b
Tree-SHA512: cd9ea2386bd28b0b1fc6a9c1691022f9c4ce40bb92acc6606b4ca55cf8cc57fe20e9bd3d19255c345c4015b1a13d2f292c035c2a05a421031859026f50c7ce20
This commit is contained in:
commit
3e018d0263
@ -101,6 +101,7 @@ Docs
|
||||
|
||||
Troubleshooting
|
||||
---
|
||||
If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.
|
||||
There's also a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).
|
||||
If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue.\
|
||||
There's also a Matrix room at [#general:nixbitcoin.org](https://matrix.to/#/#general:nixbitcoin.org)
|
||||
and a `#nix-bitcoin` IRC channel on [libera](https://libera.chat).\
|
||||
We are always happy to help.
|
||||
|
@ -24,7 +24,7 @@
|
||||
# modules by commenting out their respective line.
|
||||
|
||||
### BITCOIND
|
||||
# Bitcoind is enabled by default.
|
||||
# Bitcoind is enabled by default via secure-node.nix.
|
||||
#
|
||||
# Set this option to enable pruning with a specified MiB value.
|
||||
# clightning is compatible with pruning. See
|
||||
|
@ -33,16 +33,16 @@
|
||||
},
|
||||
"nixpkgsUnstable": {
|
||||
"locked": {
|
||||
"lastModified": 1633514490,
|
||||
"narHash": "sha256-wQrUBgyF4EXlz9HgEHrQEj9vbgh6+nO8iXc3XCTQkLA=",
|
||||
"lastModified": 1635295995,
|
||||
"narHash": "sha256-sGYiXjFlxTTMNb4NSkgvX+knOOTipE6gqwPUQpxNF+c=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1c1b567985bd1be77601657562ed20299d169529",
|
||||
"rev": "22a500a3f87bbce73bd8d777ef920b43a636f018",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "master",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
|
||||
nixpkgsUnstable.url = "github:NixOS/nixpkgs/master";
|
||||
nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
};
|
||||
|
||||
|
@ -17,12 +17,35 @@ let
|
||||
};
|
||||
onionPort = mkOption {
|
||||
type = types.nullOr types.port;
|
||||
default = null;
|
||||
# When the bitcoind onion service is enabled, add an onion-tagged socket
|
||||
# to distinguish local connections from Tor connections
|
||||
default = if (config.nix-bitcoin.onionServices.bitcoind.enable or false) then 8334 else null;
|
||||
description = ''
|
||||
Port to listen for Tor peer connections.
|
||||
If set, inbound connections to this port are tagged as onion peers.
|
||||
'';
|
||||
};
|
||||
listen = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Listen for peer connections at `address:port`
|
||||
and `address:onionPort` (if `onionPort` is set).
|
||||
'';
|
||||
};
|
||||
listenWhitelisted = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Listen for peer connections at `address:whitelistedPort`.
|
||||
Peers connected through this socket are automatically whitelisted.
|
||||
'';
|
||||
};
|
||||
whitelistedPort = mkOption {
|
||||
type = types.port;
|
||||
default = 8335;
|
||||
description = "See `listenWhitelisted`.";
|
||||
};
|
||||
getPublicAddressCmd = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
@ -145,11 +168,6 @@ let
|
||||
With `only-outgoing`, incoming i2p connections are disabled.
|
||||
'';
|
||||
};
|
||||
listen = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Accept incoming connections.";
|
||||
};
|
||||
dataDirReadableByGroup = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
@ -271,15 +289,17 @@ let
|
||||
${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
|
||||
|
||||
# Connection options
|
||||
listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
|
||||
${optionalString cfg.listen
|
||||
"bind=${cfg.address}:${toString cfg.port}"}
|
||||
${optionalString (cfg.listen && cfg.onionPort != null)
|
||||
"bind=${cfg.address}:${toString cfg.onionPort}=onion"}
|
||||
${optionalString cfg.listenWhitelisted
|
||||
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
|
||||
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
||||
${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
|
||||
${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
|
||||
|
||||
listen=${if cfg.listen then "1" else "0"}
|
||||
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
|
||||
${lib.concatMapStrings (node: "addnode=${node}\n") cfg.addnodes}
|
||||
|
||||
|
@ -116,25 +116,20 @@ in {
|
||||
"getpeerinfo"
|
||||
];
|
||||
};
|
||||
# Enable p2p connections
|
||||
listen = true;
|
||||
extraConfig = ''
|
||||
whitelist=download@${nbLib.address cfg.nbxplorer.address}
|
||||
'';
|
||||
listenWhitelisted = true;
|
||||
};
|
||||
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
|
||||
services.lnd.enable = mkIf (cfg.btcpayserver.lightningBackend == "lnd") true;
|
||||
services.liquidd = mkIf cfg.btcpayserver.lbtc {
|
||||
services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
||||
enable = true;
|
||||
# Enable p2p connections
|
||||
listen = true;
|
||||
};
|
||||
|
||||
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
||||
macaroons.btcpayserver = {
|
||||
inherit (cfg.btcpayserver) user;
|
||||
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
||||
};
|
||||
|
||||
};
|
||||
services.liquidd = mkIf cfg.btcpayserver.lbtc {
|
||||
enable = true;
|
||||
listenWhitelisted = true;
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "btcpaydb" ];
|
||||
@ -154,14 +149,14 @@ in {
|
||||
network=${bitcoind.network}
|
||||
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
|
||||
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
|
||||
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.port}
|
||||
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
|
||||
bind=${cfg.nbxplorer.address}
|
||||
port=${toString cfg.nbxplorer.port}
|
||||
${optionalString cfg.btcpayserver.lbtc ''
|
||||
chains=btc,lbtc
|
||||
lbtcrpcuser=${liquidd.rpcuser}
|
||||
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
|
||||
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.port}
|
||||
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address bitcoind.whitelistedPort}
|
||||
''}
|
||||
'';
|
||||
in {
|
||||
|
@ -91,8 +91,10 @@ let
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
|
||||
# If the clightning onion service is enabled, use the onion port as the public port
|
||||
publicPort = if config.nix-bitcoin.onionServices.clightning.enable or false then
|
||||
# If a public clightning onion service is enabled, use the onion port as the public port
|
||||
publicPort = if (config.nix-bitcoin.onionServices.clightning.enable or false)
|
||||
&& config.nix-bitcoin.onionServices.clightning.public
|
||||
then
|
||||
(builtins.elemAt config.services.tor.relay.onionServices.clightning.map 0).port
|
||||
else
|
||||
cfg.port;
|
||||
|
@ -58,9 +58,7 @@ in {
|
||||
|
||||
services.bitcoind = {
|
||||
enable = true;
|
||||
# Enable p2p connections
|
||||
listen = true;
|
||||
extraConfig = "whitelist=download@${nbLib.address cfg.address}";
|
||||
listenWhitelisted = true;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
@ -88,7 +86,7 @@ in {
|
||||
--electrum-rpc-addr=${cfg.address}:${toString cfg.port} \
|
||||
--monitoring-addr=${cfg.address}:${toString cfg.monitoringPort} \
|
||||
--daemon-rpc-addr=${nbLib.addressWithPort bitcoind.rpc.address bitcoind.rpc.port} \
|
||||
--daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.port} \
|
||||
--daemon-p2p-addr=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} \
|
||||
${cfg.extraArgs}
|
||||
'';
|
||||
User = cfg.user;
|
||||
|
@ -15,6 +15,37 @@ let
|
||||
default = 7042;
|
||||
description = "Override the default port on which to listen for connections.";
|
||||
};
|
||||
onionPort = mkOption {
|
||||
type = types.nullOr types.port;
|
||||
# When the liquidd onion service is enabled, add an onion-tagged socket
|
||||
# to distinguish local connections from Tor connections
|
||||
default = if (config.nix-bitcoin.onionServices.liquidd.enable or false) then 7043 else null;
|
||||
description = ''
|
||||
Port to listen for Tor peer connections.
|
||||
If set, inbound connections to this port are tagged as onion peers.
|
||||
'';
|
||||
};
|
||||
listen = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Listen for peer connections at `address:port`
|
||||
and `address:onionPort` (if `onionPort` is set).
|
||||
'';
|
||||
};
|
||||
listenWhitelisted = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Listen for peer connections at `address:whitelistedPort`.
|
||||
Peers connected through this socket are automatically whitelisted.
|
||||
'';
|
||||
};
|
||||
whitelistedPort = mkOption {
|
||||
type = types.port;
|
||||
default = 7044;
|
||||
description = "See `listenWhitelisted`.";
|
||||
};
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
@ -70,13 +101,6 @@ let
|
||||
default = if cfg.enforceTor then config.nix-bitcoin.torClientAddressWithPort else null;
|
||||
description = "Connect through SOCKS5 proxy";
|
||||
};
|
||||
listen = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, the liquid service will listen.
|
||||
'';
|
||||
};
|
||||
dbCache = mkOption {
|
||||
type = types.nullOr (types.ints.between 4 16384);
|
||||
default = null;
|
||||
@ -153,10 +177,14 @@ let
|
||||
${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"}
|
||||
|
||||
# Connection options
|
||||
${optionalString cfg.listen "bind=${cfg.address}"}
|
||||
port=${toString cfg.port}
|
||||
listen=${if (cfg.listen || cfg.listenWhitelisted) then "1" else "0"}
|
||||
${optionalString cfg.listen
|
||||
"bind=${cfg.address}:${toString cfg.port}"}
|
||||
${optionalString (cfg.listen && cfg.onionPort != null)
|
||||
"bind=${cfg.address}:${toString cfg.onionPort}=onion"}
|
||||
${optionalString cfg.listenWhitelisted
|
||||
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
|
||||
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
||||
listen=${if cfg.listen then "1" else "0"}
|
||||
|
||||
# RPC server options
|
||||
rpcport=${toString cfg.rpc.port}
|
||||
|
@ -43,14 +43,14 @@ let
|
||||
};
|
||||
|
||||
netns = mkOption {
|
||||
default = netns;
|
||||
readOnly = true;
|
||||
default = netns;
|
||||
description = "Exposes netns parameters.";
|
||||
};
|
||||
|
||||
bridgeIp = mkOption {
|
||||
default = bridgeIp;
|
||||
readOnly = true;
|
||||
default = bridgeIp;
|
||||
description = "IP of the netns bridge interface.";
|
||||
};
|
||||
};
|
||||
|
@ -118,10 +118,6 @@ in {
|
||||
externalPort = 80;
|
||||
};
|
||||
};
|
||||
|
||||
# When the bitcoind onion service is enabled, add an onion-tagged socket
|
||||
# to distinguish local connections from Tor connections
|
||||
services.bitcoind.onionPort = mkIf (cfg.bitcoind.enable or false) 8334;
|
||||
}
|
||||
];
|
||||
}
|
||||
|
@ -74,16 +74,14 @@ let
|
||||
tests.charge-lnd = cfg.charge-lnd.enable;
|
||||
|
||||
tests.electrs = cfg.electrs.enable;
|
||||
# Sigterm is broken during IBD in version 0.9.0 https://github.com/romanz/electrs/issues/532
|
||||
systemd.services.electrs.serviceConfig.KillSignal = "SIGKILL";
|
||||
|
||||
tests.liquidd = cfg.liquidd.enable;
|
||||
services.liquidd.extraConfig = mkIf config.test.noConnections "connect=0";
|
||||
|
||||
tests.btcpayserver = cfg.btcpayserver.enable;
|
||||
services.btcpayserver = {
|
||||
lightningBackend = "lnd";
|
||||
lbtc = true;
|
||||
lightningBackend = mkDefault "lnd";
|
||||
lbtc = mkDefault true;
|
||||
};
|
||||
# Needed to test macaroon creation
|
||||
environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);
|
||||
|
@ -201,6 +201,8 @@ def _():
|
||||
f"-X GET https://{ip('lnd')}:8080/v1/getinfo | jq",
|
||||
'"version"',
|
||||
)
|
||||
# Test web server response
|
||||
assert_matches(f"curl -L {ip('btcpayserver')}:23000", "Welcome to your BTCPay Server")
|
||||
|
||||
@test("spark-wallet")
|
||||
def _():
|
||||
|
Loading…
Reference in New Issue
Block a user