Merge fort-nix/nix-bitcoin#428: Add `presets/bitcoind-remote.nix`

6b539627ee add presets/bitcoind-remote.nix (Erik Arvstedt) 5915a34891 configuration.md: fixes (Erik Arvstedt) 1596b3a5d2 minor fixes (Erik Arvstedt) 627b11d21b makeShell: use old nix tooling (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: utACK 6b539627ee Tree-SHA512: 2abdeaef03773631aae54dccdb95c671a0140dfbec28ff554b52400b1656612fb23fd482154716601c1476599a915d6a06af28744d0ee8b61a94ffad3fa68468
2021-12-07 19:40:10 +00:00 · 2021-12-07 19:40:10 +00:00 · 729888c62a
parent 8a7ec27e6d 6b539627ee
commit 729888c62a
6 changed files with 56 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -49,7 +49,7 @@ Get started

 Docs
 ---
-* [Hardware Requirements](docs/hardware.md)
+* [Hardware requirements](docs/hardware.md)
 * [Installation](docs/install.md)
 * [Configuration and maintenance](docs/configuration.md)
 * [Using services](docs/services.md)
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -89,21 +89,21 @@ services.bitcoind = {
 };

 # Open the p2p port in the firewall
-networking.firewall.allowedTCPPorts = [ config.services.nix-bitcoin.port ];
+networking.firewall.allowedTCPPorts = [ config.services.bitcoind.port ];
 ```

 ## Allow bitcoind RPC connections from LAN

 ```nix
 services.bitcoind = {
-  # Listen to connections on all interfaces
-  address = "0.0.0.0";
+  # Listen to RPC connections on all interfaces
+  rpc.address = "0.0.0.0";

  # Allow RPC connections from external addresses
  rpc.allowip = [
    "10.10.0.0/24" # Allow a subnet
    "10.50.0.3" # Allow a specific address
-    "0.0.0.0" # Allow all addresses
+    "0.0.0.0/0" # Allow all addresses
  ];

  # Set this if you're using the `secure-node.nix` template
@ -111,7 +111,7 @@ services.bitcoind = {
 };

 # Open the RPC port in the firewall
-networking.firewall.allowedTCPPorts = [ config.services.nix-bitcoin.rpc.port ];
+networking.firewall.allowedTCPPorts = [ config.services.bitcoind.rpc.port ];
 ```

 ## Allow connections to electrs
@ -181,9 +181,26 @@ Some services require extra steps:
 Use a bitcoind instance running on another node within a nix-bitcoin config.

 ```nix
+imports = [ <nix-bitcoin/modules/presets/bitcoind-remote.nix> ];
+
 services.bitcoind = {
+  enable = true;
+
  # Address of the other node
  address = "10.10.0.2";
+  rpc.address = "10.10.0.2";
+
+  # Some nix-bitcoin services require whitelisted bitcoind p2p connections
+  # to work reliably.
+  # Search for `whitelistedPort` in this repo to see the affected services.
+  # If you're using one of these services, either add a whitelisted p2p port
+  # on your remote node via `whitebind` and set it here:
+  whitelistedPort = <remote whitebind RPC port>;
+  #
+  # Or use the default p2p port and add `whitelist=<address of this node>` to
+  # your remote bitcoind config:
+  whitelistedPort = config.services.bitcoind.port;
+
  rpc.users = let
    # The fully privileged bitcoind RPC username of the other node
    name = "myrpcuser";
@ -196,8 +213,6 @@ services.bitcoind = {
    # joinmarket-ob-watcher.name = name;
  };
 };
-# Disable the local bitcoind service
-systemd.services.bitcoind.wantedBy = mkForce [];
 ```

 Now save the password of the RPC user to the following files on your nix-bitcoin node:
@ -211,6 +226,8 @@ $secretsDir/bitcoin-rpcpassword-public
 ```
 See: [Secrets dir](#secrets-dir)

+Restart `bitcoind` after updating the secrets: `systemctl restart bitcoind`.
+
 # Temporarily disable a service

 Sometimes you might want to disable a service without removing the service user and
@ -221,7 +238,8 @@ Use the following approach:
 ```
 systemd.services.<service>.wantedBy = mkForce [];
 ```
-This way, the systemd service still exists, but is not automatically started.
+This way, the systemd service still exists, but is not automatically started.\
+Note: This only works for services that are not required by other active services.

 # Appendix

--- a/helper/makeShell.nix
+++ b/helper/makeShell.nix
@ -106,7 +106,8 @@ pkgs.stdenv.mkDerivation {
    )}

    eval-config() {
-      NIXOS_CONFIG="${cfgDir}/krops/krops-configuration.nix" nix eval --raw -f ${nixpkgs}/nixos system.outPath
+      NIXOS_CONFIG="${cfgDir}/krops/krops-configuration.nix" \
+        nix-instantiate --eval ${nixpkgs}/nixos -A system.outPath | tr -d '"'
      echo
    }

--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -398,10 +398,12 @@ in {
          install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
        fi
      '';
+
      # Enable RPC access for group
      postStart = ''
        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
      '';
+
      serviceConfig = nbLib.defaultHardening // {
        Type = "notify";
        NotifyAccess = "all";
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
@ -27,8 +27,6 @@ let
  };

  cfg = config.services.hardware-wallets;
-  dataDir = "/var/lib/hardware-wallets/";
-  enabled = cfg.ledger || cfg.trezor;
 in {
  inherit options;

--- a/modules/presets/bitcoind-remote.nix
+++ b/modules/presets/bitcoind-remote.nix
@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.bitcoind;
+  secretsDir = config.nix-bitcoin.secretsDir;
+in {
+  services.bitcoind = {
+    # Make the local bitcoin-cli work with the remote node
+    extraConfig = ''
+      rpcuser=${cfg.rpc.users.privileged.name}
+    '';
+  };
+
+  systemd.services.bitcoind = {
+    preStart = lib.mkAfter ''
+      echo "rpcpassword=$(cat ${secretsDir}/bitcoin-rpcpassword-privileged)" >> '${cfg.dataDir}'/bitcoin.conf
+    '';
+    postStart = lib.mkForce "";
+    serviceConfig = {
+      Type = lib.mkForce "oneshot";
+      ExecStart = lib.mkForce "${pkgs.coreutils}/bin/true";
+      RemainAfterExit = true;
+    };
+  };
+}