bitcoind: add netns

- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
  network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns

modules/bitcoind.nix

@@ -18,6 +18,7 @@ let
     ${optionalString (cfg.assumevalid != null) "assumevalid=${cfg.assumevalid}"}
 
     # Connection options
+    ${optionalString cfg.listen "bind=${cfg.bind}"}
     ${optionalString (cfg.port != null) "port=${toString cfg.port}"}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
     listen=${if cfg.listen then "1" else "0"}
@@ -30,6 +31,8 @@ let
       (rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}")
       (attrValues cfg.rpc.users)
     }
+    ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
+    ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
     ${optionalString (cfg.rpcuser != null) "rpcuser=${cfg.rpcuser}"}
     ${optionalString (cfg.rpcpassword != null) "rpcpassword=${cfg.rpcpassword}"}
 
@@ -68,6 +71,13 @@ in {
         default = "/var/lib/bitcoind";
         description = "The data directory for bitcoind.";
       };
+      bind = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = ''
+          Bind to given address and always listen on it.
+        '';
+      };
       user = mkOption {
         type = types.str;
         default = "bitcoin";
@@ -117,6 +127,20 @@ in {
           '';
         };
       };
+      rpcbind = mkOption {
+        type = types.listOf types.str;
+        default = [ "127.0.0.1" ];
+        description = ''
+          Bind to given address to listen for JSON-RPC connections.
+        '';
+      };
+      rpcallowip = mkOption {
+        type = types.listOf types.str;
+        default = [ "127.0.0.1" ];
+        description = ''
+          Allow JSON-RPC connections from specified source.
+        '';
+      };
       rpcuser = mkOption {
           type = types.nullOr types.str;
           default = "bitcoinrpc";

modules/netns-isolation.nix

@@ -85,6 +85,9 @@ in {
       };
 
       nix-bitcoin.netns-isolation.services = {
+        bitcoind = {
+          id = 12;
+        };
       };
 
       systemd.services = {
@@ -107,6 +110,8 @@ in {
             RemainAfterExit = "yes";
           };
         };
+
+        bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
       } //
       (let
         makeNetnsServices = n: v: let
@@ -159,6 +164,20 @@ in {
         services // (makeNetnsServices n netns.${n})
       ) {} (builtins.attrNames netns));
 
+      # bitcoin: Custom netns configs
+      services.bitcoind = {
+        bind = netns.bitcoind.address;
+        rpcbind = [
+          "${netns.bitcoind.address}"
+          "127.0.0.1"
+        ];
+        rpcallowip = [
+          "127.0.0.1"
+        ] ++ lib.lists.concatMap (s: [
+          "${netns.${s}.address}"
+        ]) netns.bitcoind.availableNetns;
+      };
+
     })
     # Custom netns config option values if netns-isolation not enabled
     (mkIf (!cfg.enable) {

modules/presets/secure-node.nix

@@ -71,7 +71,7 @@ in {
       addresstype = "bech32";
       dbCache = 1000;
     };
-    services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; };
+    services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
 
     # clightning
     services.clightning = {