Merge #203: Remove electrs tls

6365412312 test-script: remove nginx tls proxy test (nixbitcoin) 4dbc348921 electrs: remove TLSProxy (nixbitcoin) Pull request description: Top commit has no ACKs. Tree-SHA512: 079a0c892f8e25d6ba0267cc99022550f4cfe74bad3f9270733ecda09350595a11aec8d40b89df6e6ad7cca1e26b7e480a265bf6e2d01d0fe912ca3ece00f655
2020-07-21 15:03:45 +00:00 · 2020-07-21 15:03:45 +00:00 · 6e694890eb
commit 6e694890eb
parent 6856b8cb42 6365412312
8 changed files with 14 additions and 112 deletions
--- a/docs/usage.md
+++ b/docs/usage.md
@ -63,7 +63,7 @@ Connect to electrs
 ### Requirements Android
 * Android phone
 * [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
-* [Electrum mobile app](https://electrum.org/#home) installed from [direct download](https://electrum.org/#download) or [Google Play](https://play.google.com/store/apps/details?id=org.electrum.electrum)
+* [Electrum mobile app](https://electrum.org/#home) 4.0.1 and newer installed from [direct download](https://electrum.org/#download) or [Google Play](https://play.google.com/store/apps/details?id=org.electrum.electrum)

 ### Requirements Desktop
 * [Tor](https://www.torproject.org/) installed from [source](https://www.torproject.org/docs/tor-doc-unix.html.en) or [repository](https://www.torproject.org/docs/debian.html.en)
@ -94,22 +94,20 @@ Connect to electrs

 4. Connect to electrs

-    On electrum wallet laptop
+    Make sure Tor is running on Desktop or as Orbot on Android.
+
+    On Desktop
    ```
-    electrum --oneserver --server=<ELECTRS_ONION>:50002:s --proxy=socks5:localhost:9050
+    electrum --oneserver -1 -s "<ELECTRS_ONION>:50001:t" -p socks5:localhost:9050
    ```

-    On electrum android phone
+    On Android
    ```
    Three dots in the upper-right-hand corner
-    Network
-    Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
-    Ok
-    Server
-    Host: <ELECTRS_ONION>, Port: 50002
-    Ok
-    Auto-connect: OFF
-    One-server mode: ON
+    Network > Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
+    Network > Auto-connect: OFF
+    Network > One-server mode: ON
+    Network > Server: <ELECTRS_ONION>:50001:t
    ```

 Connect to nix-bitcoin node through ssh Tor Hidden Service
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -6,10 +6,6 @@ let
  inherit (config) nix-bitcoin-services;
  secretsDir = config.nix-bitcoin.secretsDir;
 in {
-  imports = [
-    (mkRenamedOptionModule [ "services" "electrs" "nginxport" ] [ "services" "electrs" "TLSProxy" "port" ])
-  ];
-
  options.services.electrs = {
    enable = mkEnableOption "electrs";
    dataDir = mkOption {
@ -17,14 +13,6 @@ in {
      default = "/var/lib/electrs";
      description = "The data directory for electrs.";
    };
-    # Needed until electrs tls proxy is removed
-    host = mkOption {
-      type = types.str;
-      default = "localhost";
-      description = ''
-        The host on which incoming connections arrive.
-      '';
-    };
    user = mkOption {
      type = types.str;
      default = "electrs";
@ -64,18 +52,10 @@ in {
      default = "";
      description = "Extra command line arguments passed to electrs.";
    };
-    TLSProxy = {
-      enable = mkEnableOption "Nginx TLS proxy";
-      port = mkOption {
-        type = types.port;
-        default = 50003;
-        description = "Port on which to listen for TLS client connections.";
-      };
-    };
    enforceTor = nix-bitcoin-services.enforceTor;
  };

-  config = mkIf cfg.enable (mkMerge [{
+  config = mkIf cfg.enable {
    assertions = [
      { assertion = config.services.bitcoind.prune == 0;
        message = "electrs does not support bitcoind pruning.";
@ -132,53 +112,5 @@ in {
      extraGroups = [ "bitcoinrpc" ] ++ optionals cfg.high-memory [ "bitcoin" ];
    };
    users.groups.${cfg.group} = {};
-  }
-
-  (mkIf cfg.TLSProxy.enable {
-    services.nginx = {
-      enable = true;
-      appendConfig = let
-        address =
-          if cfg.address == "0.0.0.0" then
-            "127.0.0.1"
-          else if cfg.address == "::" then
-            "::1"
-          else
-            cfg.address;
-      in ''
-        stream {
-          upstream electrs {
-            server ${address}:${toString cfg.port};
-          }
-
-          server {
-            listen ${toString cfg.TLSProxy.port} ssl;
-            proxy_pass electrs;
-
-            ssl_certificate ${secretsDir}/nginx-cert;
-            ssl_certificate_key ${secretsDir}/nginx-key;
-            ssl_session_cache shared:SSL:1m;
-            ssl_session_timeout 4h;
-            ssl_protocols TLSv1.2 TLSv1.3;
-            ssl_prefer_server_ciphers on;
-          }
-        }
-      '';
-    };
-    systemd.services = {
-      electrs.wants = [ "nginx.service" ];
-      nginx = {
-        requires = [ "nix-bitcoin-secrets.target" ];
-        after = [ "nix-bitcoin-secrets.target" ];
-      };
-    };
-    nix-bitcoin.secrets = rec {
-      nginx-key = {
-        user = "nginx";
-        group = "root";
-      };
-      nginx-cert = nginx-key;
-    };
-  })
-  ]);
+  };
 }
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@ -102,8 +102,7 @@ in {
        };
        electrs = {
          id = 16;
-          connections = [ "bitcoind" ]
-          ++ ( optionals config.services.electrs.TLSProxy.enable [ "nginx" ]);
+          connections = [ "bitcoind" ];
        };
        spark-wallet = {
          id = 17;
@ -270,7 +269,6 @@ in {

      # electrs: Custom netns configs
      services.electrs = mkIf config.services.electrs.enable {
-        host =  if config.services.electrs.TLSProxy.enable then netns.nginx.address else netns.electrs.address;
        address = netns.electrs.address;
        daemonrpc = "${netns.bitcoind.address}:${toString config.services.bitcoind.rpc.port}";
      };
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -29,11 +29,6 @@ in {
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };
-    services.electrs.onionport = mkOption {
-      type = types.port;
-      default = 50002;
-      description = "Port on which to listen for tor client connections.";
-    };
    nix-bitcoin.operatorName = mkOption {
      type = types.str;
      default = "operator";
@ -113,14 +108,8 @@ in {
    services.electrs = {
      port = 50001;
      enforceTor = true;
-      TLSProxy.enable = true;
-      TLSProxy.port = 50003;
    };
-    services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
-      port = cfg.electrs.onionport;
-      toPort = if cfg.electrs.TLSProxy.enable then cfg.electrs.TLSProxy.port else cfg.electrs.port;
-      toHost = cfg.electrs.host;
-    });
+    services.tor.hiddenServices.electrs = mkHiddenService { port = cfg.electrs.port; toHost = cfg.electrs.address; };

    services.spark-wallet = {
      onion-service = true;
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@ -16,13 +16,6 @@ makePasswordSecret spark-wallet-password
 [[ -e nanopos-env          ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
 [[ -e spark-wallet-login   ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login

-if [[ ! -e nginx-key || ! -e nginx-cert ]]; then
-    openssl genrsa -out nginx-key 2048
-    openssl req -new -key nginx-key -out nginx.csr -subj '/CN=localhost/O=electrs'
-    openssl x509 -req -days 1825 -in nginx.csr -signkey nginx-key -out nginx-cert
-    rm nginx.csr
-fi
-
 if [[ ! -e lnd-key || ! -e lnd-cert ]]; then
    openssl ecparam -genkey -name prime256v1 -out lnd-key
    openssl req -config $opensslConf -new -sha256 -key lnd-key -out lnd.csr -subj '/CN=localhost/O=lnd'
--- a/pkgs/generate-secrets/update-secrets.sh
+++ b/pkgs/generate-secrets/update-secrets.sh
@ -40,8 +40,6 @@ extractPassword liquidrpcpassword liquid-rpcpassword
 extractPassword lightning-charge-api-token lightning-charge-token
 extractPassword spark-wallet-password

-rename nginx.key nginx-key
-rename nginx.cert nginx-cert
 rename lnd.key lnd-key
 rename lnd.cert lnd-cert

--- a/test/scenarios/default.py
+++ b/test/scenarios/default.py
@ -13,9 +13,6 @@ machine.wait_for_open_port(4224)  # prometeus metrics provider
 # Check RPC connection to bitcoind
 machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo"))
 assert_running("nginx")
-# SSL stratum server via nginx. Only check for open port, no content is served here
-# as electrs isn't ready.
-machine.wait_for_open_port(50003)
 # Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
 succeed("systemctl stop electrs")

--- a/test/scenarios/withnetns.py
+++ b/test/scenarios/withnetns.py
@ -27,9 +27,6 @@ machine.wait_until_succeeds(
 # Check RPC connection to bitcoind
 machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo"))
 assert_running("nginx")
-# SSL stratum server via nginx. Only check for open port, no content is served here
-# as electrs isn't ready.
-machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 50003")
 # Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
 succeed("systemctl stop electrs")