From 672a416ede22fad6927ecfe3dfd9726a4ab0bc50 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 10 Jun 2020 14:36:03 +0000
Subject: [PATCH] liquidd: add netns
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
---
 modules/liquid.nix | 33 +++++++++++++++++++++++++++++++++
 modules/netns-isolation.nix | 19 +++++++++++++++++++
 modules/presets/secure-node.nix | 2 +-
 3 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 1e58cbb..64cce23 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -15,6 +15,7 @@ let
 ${optionalString (cfg.validatepegin != null) "validatepegin=${if cfg.validatepegin then "1" else "0"}"}
 # Connection options
+ ${optionalString cfg.listen "bind=${cfg.bind}"}
 ${optionalString (cfg.port != null) "port=${toString cfg.port}"}
 ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
 listen=${if cfg.listen then "1" else "0"}
@@ -25,8 +26,11 @@ let
 (rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}")
 (attrValues cfg.rpc.users)
 }
+ ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
+ ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
 ${optionalString (cfg.rpcuser != null) "rpcuser=${cfg.rpcuser}"}
 ${optionalString (cfg.rpcpassword != null) "rpcpassword=${cfg.rpcpassword}"}
+ ${optionalString (cfg.mainchainrpchost != null) "mainchainrpchost=${cfg.mainchainrpchost}"}
 # Extra config options (from liquidd nixos service)
 ${cfg.extraConfig}
@@ -80,6 +84,13 @@ in {
 default = "/var/lib/liquidd";
 description = "The data directory for liquidd.";
 };
+ bind = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = ''
+ Bind to given address and always listen on it.
+ '';
+ };
 user = mkOption {
 type = types.str;
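Review bot: The new `bind=` config line is emitted only when `cfg.listen` is true, yet the `bind` option added in the third hunk of this file describes itself as "Bind to given address and always listen on it.", so a user who sets `bind` while `listen = false` gets a silently ignored value. Suggest the description state the coupling, e.g. `Bind to given address and always listen on it. Only written to the config when listen is enabled.`, or emit the line unconditionally and leave the decision to the daemon. The `let` binding that assembles the config text begins before this hunk, and the third hunk's closing context is not fully visible here.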
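Review bot: The two new `lib.concatMapStrings` lines are written fully qualified while the neighbouring `optionalString`, `attrValues` and `mkOption` calls are not, which suggests `lib` is already opened with `with lib;` above this hunk (not visible here); for consistency write `${concatMapStrings (addr: "rpcbind=${addr}\n") cfg.rpcbind}` and the same for rpcallowip. Each element also carries its own `\n` while the interpolation sits on a line of its own, so the generated config gains an extra blank line per list; harmless to the daemon, but `concatMapStringsSep "\n"` would keep the output tidy and match how the rpcauth block just above appears to be built.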
@@ -111,6 +122,20 @@ in {
 };
 };
+ rpcbind = mkOption {
+ type = types.listOf types.str;
+ default = [ "127.0.0.1" ];
+ description = ''
+ Bind to given address to listen for JSON-RPC connections.
+ '';
+ };
+ rpcallowip = mkOption {
+ type = types.listOf types.str;
+ default = [ "127.0.0.1" ];
+ description = ''
+ Allow JSON-RPC connections from specified source.
+ '';
+ };
 rpcuser = mkOption {
 type = types.nullOr types.str;
 default = null;
@@ -121,6 +146,14 @@ in {
 default = null;
 description = "Password for JSON-RPC connections";
 };
+ mainchainrpchost = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ The address which the daemon will try to connect to the trusted
+ mainchain daemon to validate peg-ins.
+ '';
+ };
 testnet = mkOption {
 type = types.bool;
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index fb100ef..7e2968a 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -96,6 +96,10 @@ in {
 id = 14;
 connections = [ "bitcoind" ];
 };
+ liquidd = {
+ id = 15;
+ connections = [ "bitcoind" ];
+ };
 };
 systemd.services = {
@@ -215,6 +219,21 @@ in {
 '';
 };
+ # liquidd: Custom netns configs
+ services.liquidd = mkIf config.services.liquidd.enable {
+ bind = netns.liquidd.address;
+ rpcbind = [
+ "${netns.liquidd.address}"
+ "127.0.0.1"
+ ];
+ rpcallowip = [
+ "127.0.0.1"
+ ] ++ lib.lists.concatMap (s: [
+ "${netns.${s}.address}"
+ ]) netns.liquidd.availableNetns;
+ mainchainrpchost = netns.bitcoind.address;
+ }; + })
 # Custom netns config option values if netns-isolation not enabled
 (mkIf (!cfg.enable) {
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 50638aa..64a7db0 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
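Review bot: The `rpcallowip` description does not say what an entry is or that it is written to the config unvalidated; if liquidd follows Bitcoin Core here, each entry is a single IP, a network/netmask or a network/CIDR, and a broad entry exposes the JSON-RPC interface (still behind rpcauth) to every host that can reach an `rpcbind` address, so the wording should steer users towards narrow values, e.g. `Allow JSON-RPC connections from the specified sources (single IP, network/netmask or network/CIDR). Entries are passed to liquidd unvalidated; keep this list as narrow as possible.` Bitcoin Core also ignores `rpcbind` unless `rpcallowip` is set, which deserves a sentence in the `rpcbind` description if liquidd inherits that behaviour. The same two lists are populated by the netns-isolation hunk later in this patch, so the semantics documented here govern that hunk too.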
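Review bot: The `rpcallowip` expression in the new `services.liquidd` block builds singleton lists only to flatten them with `lib.lists.concatMap`, and wraps values that are presumably already strings in `"${...}"`; `map (s: netns.${s}.address) netns.liquidd.availableNetns` says the same thing, and `rpcbind` can likewise list `netns.liquidd.address` without interpolation. Since this list is what extends the daemon's RPC reach beyond loopback, a one-line comment above it explaining why every namespace in `availableNetns` is granted RPC access (presumably those are the namespaces running liquidd's RPC clients — confirm against how `availableNetns` is derived elsewhere in this file) would help the next reader. The `mkIf cfg.enable` attrset this block lives in opens before the hunk.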
@@ -107,7 +107,7 @@ in {
 enforceTor = true;
 port = 7042;
 };
- services.tor.hiddenServices.liquidd = mkHiddenService { port = cfg.liquidd.port; };
+ services.tor.hiddenServices.liquidd = mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.bind; };
 # electrs
 services.electrs = {
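Review bot: `toHost = cfg.liquidd.bind` points the hidden service at the bind address, but liquid.nix in this same patch only writes `bind=` when `cfg.liquidd.listen` is true; the context here shows `enforceTor = true; port = 7042;` and no `listen`, so if neither this preset nor the module default enables `listen`, Tor forwards to an address nothing listens on once netns isolation moves `bind` off loopback. Worth either asserting `listen` alongside this line or adding a comment such as `# liquidd must listen on cfg.liquidd.bind for this hidden service to be reachable`. The `services.liquidd` attrset these context lines close begins before the hunk.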