From a5e10a82d89d3f486be61ac6902ec86fd64cb6d4 Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Mon, 19 Aug 2019 20:39:13 +0000
Subject: [PATCH 1/3] Simplify clightning preStart
---
 modules/clightning.nix | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/modules/clightning.nix b/modules/clightning.nix
index ba05966..b7aa4b9 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -79,12 +79,10 @@ in {
 after = [ "bitcoind.service" ];
 preStart = ''
 mkdir -m 0770 -p ${cfg.dataDir}
- rm -f ${cfg.dataDir}/config
- chown 'clightning:clightning' '${cfg.dataDir}'
 cp ${configFile} ${cfg.dataDir}/config
- chown 'clightning:clightning' '${cfg.dataDir}/config'
- chmod +w ${cfg.dataDir}/config
- chmod o-rw ${cfg.dataDir}/config
+ chown -R 'clightning:clightning' '${cfg.dataDir}'
+ # give group read access to allow using lightning-cli
+ chmod u=rw,g=r,o= ${cfg.dataDir}/config
 # The RPC socket has to be removed otherwise we might have stale sockets
 rm -f ${cfg.dataDir}/lightning-rpc
 echo "bitcoin-rpcpassword=$(cat /secrets/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
From 7771a4c931f06c75f9f1f27091a67a28cd1cd0a8 Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Mon, 19 Aug 2019 20:44:10 +0000
Subject: [PATCH 2/3] Refer to systemd man pages for hardening options
---
 modules/nix-bitcoin-services.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index 12132f3..9820dbe 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -1,3 +1,6 @@
+# See `man systemd.exec` and `man systemd.resource-control` for an explanation
+# of the various systemd options available through this module.
+
 { config, lib, pkgs, ... }:
 with lib;
@@ -41,6 +44,3 @@ in
 '';
 };
 }
-
-
-
From 67a464d0972ce51b57b1501289a94a4b1a8b924d Mon Sep 17 00:00:00 2001
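Review bot: In the preStart hunk of modules/clightning.nix, dropping `rm -f ${cfg.dataDir}/config` means the following `cp` now writes into whatever already exists at that path instead of creating a fresh file. The new `chown -R` hands the whole directory to clightning, so on later starts the service user controls what sits at `config`; if preStart runs with more privilege than that user (not visible in this hunk), the copy, the `chmod` and the later `>>` append of bitcoin-rpcpassword all act on an existing file or link chosen by that user. I would keep `rm -f '${cfg.dataDir}/config'` directly before the `cp`. The new comment could also state that group read covers the RPC password appended below, e.g. `# group read lets lightning-cli users read this file, including bitcoin-rpcpassword`. The preStart script continues past the end of the hunk.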
From: Jonas Nick
Date: Mon, 19 Aug 2019 20:51:29 +0000
Subject: [PATCH 3/3] Mention problems with hardened kernel and NUCs in README
---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8e3d8b0..2d02ff0 100644
--- a/README.md
+++ b/README.md
@@ -64,9 +64,10 @@ Hardware requirements
 ---
 * Disk space: 300 GB (235GB for Bitcoin blockchain + some room)
 * Bitcoin Core pruning is not supported at the moment because it's not supported by c-lightning. It's possible to use pruning but you need to know what you're doing.
-* RAM: 2GB of memory. ECC memory is better.
+* RAM: 2GB of memory. ECC memory is better. Additionally, it's recommended to use DDR4 memory with targeted row refresh (TRR) enabled (https://rambleed.com/).
-Tested hardware includes [pcengine's apu2c4](https://pcengines.ch/apu2c4.htm), [GB-BACE-3150](https://www.gigabyte.com/Mini-PcBarebone/GB-BACE-3150-rev-10), [GB-BACE-3160](https://www.gigabyte.com/de/Mini-PcBarebone/GB-BACE-3160-rev-10#ov)
+Tested hardware includes [pcengine's apu2c4](https://pcengines.ch/apu2c4.htm), [GB-BACE-3150](https://www.gigabyte.com/Mini-PcBarebone/GB-BACE-3150-rev-10), [GB-BACE-3160](https://www.gigabyte.com/de/Mini-PcBarebone/GB-BACE-3160-rev-10#ov).
+Some hardware (including Intel NUCs) may not be compatible with the hardened kernel turned on by default (see https://github.com/fort-nix/nix-bitcoin/issues/39#issuecomment-517366093 for a workaround).
 Usage
 ---