From 87fb9f246bd448d890e3958c4be786d81f264b27 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 14 Jan 2021 13:24:18 +0100
Subject: [PATCH] add 'enable-tor' preset
Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.
Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
---
 modules/onion-services.nix | 9 +++++
 modules/presets/enable-tor.nix | 35 ++++++++++++++++++
 modules/presets/secure-node.nix | 65 ++------------------------------------
 3 files changed, 47 insertions(+), 62 deletions(-)
 create mode 100644 modules/presets/enable-tor.nix
diff --git a/modules/onion-services.nix b/modules/onion-services.nix
index 7215543..755a4e7 100644
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@@ -99,5 +99,14 @@ in {
 getPublicAddressCmd = "cat ${config.nix-bitcoin.onionAddresses.dataDir}/${service}/${service}";
 });
 }
+
+ # Set sensible defaults for some services
+ {
+ nix-bitcoin.onionServices = {
+ btcpayserver = {
+ externalPort = 80;
+ };
+ };
+ }
 ];
 }
diff --git a/modules/presets/enable-tor.nix b/modules/presets/enable-tor.nix
new file mode 100644
index 0000000..41c50d2
--- /dev/null
+++ b/modules/presets/enable-tor.nix
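Review bot: The btcpayserver `externalPort = 80` in the new module-list entry is labelled a default but is set at normal option priority, so a user module that sets `nix-bitcoin.onionServices.btcpayserver.externalPort` to another value should hit a "defined multiple times" conflict instead of overriding it. If `lib` is in scope in this file (its header is outside the hunk), `externalPort = lib.mkDefault 80;` would make it a real default. It would also help to say in the comment which service-side port 80 is forwarded to, since the old secure-node.nix definition spelled out `toPort = 23000` and that mapping is now implicit in the onionServices module.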
@@ -0,0 +1,35 @@
+{ lib, ... }:
+let
+ defaultTrue = lib.mkDefault true;
+in {
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+
+ # Use Tor for all outgoing connections
+ services = {
+ bitcoind.enforceTor = true;
+ clightning.enforceTor = true;
+ lnd.enforceTor = true;
+ lightning-loop.enforceTor = true;
+ liquidd.enforceTor = true;
+ electrs.enforceTor = true;
+ # disable Tor enforcement until btcpayserver can fetch rates over Tor
+ # btcpayserver.enforceTor = true;
+ nbxplorer.enforceTor = true;
+ spark-wallet.enforceTor = true;
+ recurring-donations.enforceTor = true;
+ nix-bitcoin-webindex.enforceTor = true;
+ };
+
+ # Add onion services for incoming connections
+ nix-bitcoin.onionServices = {
+ bitcoind.enable = defaultTrue;
+ clightning.enable = defaultTrue;
+ lnd.enable = defaultTrue;
+ liquidd.enable = defaultTrue;
+ electrs.enable = defaultTrue;
+ btcpayserver.enable = defaultTrue;
+ };
+}
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 570c6c0..643a25a 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -16,21 +16,9 @@ in {
 ../modules.nix
 ../nodeinfo.nix
 ../nix-bitcoin-webindex.nix
+ ./enable-tor.nix
 ];
- options = {
- services.clightning.onionport = mkOption {
- type = types.port;
- default = 9735;
- description = "Port on which to listen for tor client connections.";
- };
- services.lnd.onionport = mkOption {
- type = types.ints.u16;
- default = 9735;
- description = "Port on which to listen for tor client connections.";
- };
- };
-
 config = {
 # For backwards compatibility only
 nix-bitcoin.secretsDir = mkDefault "/secrets";
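Review bot: The btcpayserver exemption at `# btcpayserver.enforceTor = true;` is now only a commented-out line, so the effective value falls back to the btcpayserver module's default, whereas secure-node.nix previously set `services.btcpayserver.enforceTor = false;` explicitly (that line is removed further down in this patch). Writing `btcpayserver.enforceTor = false;` next to the comment keeps the one clearnet exception visible and deliberate, and a later change of that module default would not silently alter which service bypasses Tor. The `enforceTor` settings are also at normal priority while the onion services use `defaultTrue`; if preset users are expected to relax enforcement for a single service, `lib.mkDefault` there would spare them a mkForce. The file has no header comment; a one-liner such as `# Route all services' outgoing connections through Tor and expose them as onion services` would state the preset's purpose.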
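Review bot: Dropping the `services.clightning.onionport` and `services.lnd.onionport` option declarations makes any user config that still sets them fail evaluation with an undefined-option error, and neither the commit message nor the module points at a replacement. Consider adding `(lib.mkRemovedOptionModule [ "services" "clightning" "onionport" ] "...")` and the lnd counterpart to the imports, or at least a note in the commit message, since the removal also changes behaviour: the old definitions let the clightning and lnd onion services listen on a separate onionport (default 9735), and the new onionServices module presumably uses the service port instead. The enclosing imports list and config attrset continue outside the hunk.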
@@ -39,20 +27,14 @@ in {
 nix-bitcoin.security.hideProcessInformation = true;
- # Tor
- services.tor = {
- enable = true;
- client.enable = true;
-
- hiddenServices.sshd = mkHiddenService { port = 22; };
- };
+ services.tor.hiddenServices.sshd = mkHiddenService { port = 22; };
+ nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
 # bitcoind
 services.bitcoind = {
 enable = true;
 listen = true;
 dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;
- enforceTor = true;
 assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
 addnodes = [ "ecoc5q34tmbq54wl.onion" ];
 discover = false;
@@ -62,22 +44,6 @@ in {
 # under high bitcoind rpc load
 rpc.threads = 16;
 };
- services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.address; };
-
- # clightning
- services.clightning.enforceTor = true;
- services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService {
- port = cfg.clightning.onionport;
- toHost = cfg.clightning.address;
- toPort = cfg.clightning.port;
- });
-
- # lnd
- services.lnd.enforceTor = true;
- services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.address; toPort = cfg.lnd.port; });
-
- # lightning-loop
- services.lightning-loop.enforceTor = true;
 # liquidd
 services.liquidd = {
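Review bot: `nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];` narrows the operator's onion-address access from the list removed at the end of this patch (bitcoind, clightning, nginx, liquidd, spark-wallet, electrs, btcpayserver, sshd) to sshd alone. For the services that now go through `nix-bitcoin.onionServices` this access is presumably granted by that module, but `nginx` and `spark-wallet` are not in the enable-tor.nix list, so the operator may lose read access to those addresses unless it is handled elsewhere; worth confirming, or keeping them here as `[ "sshd" "nginx" "spark-wallet" ]`. A short comment on the new line noting that the remaining entries are provided by onionServices would make the intent clear to the next reader.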
@@ -85,33 +51,12 @@ in {
 prune = 1000;
 validatepegin = true;
 listen = true;
- enforceTor = true;
 };
- services.tor.hiddenServices.liquidd = mkIf cfg.liquidd.enable (mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.address; });
-
- # electrs
- services.electrs = {
- enforceTor = true;
- };
- services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
- port = cfg.electrs.port; toHost = cfg.electrs.address;
- });
-
- # btcpayserver
- # disable tor enforcement until btcpayserver can fetch rates over Tor
- services.btcpayserver.enforceTor = false;
- services.nbxplorer.enforceTor = true;
- services.tor.hiddenServices.btcpayserver = mkIf cfg.btcpayserver.enable (mkHiddenService { port = 80; toPort = 23000; toHost = cfg.btcpayserver.address; });
 services.spark-wallet = {
 onion-service = true;
- enforceTor = true;
 };
- services.recurring-donations.enforceTor = true;
-
- services.nix-bitcoin-webindex.enforceTor = true;
-
 # Backups
 services.backups = {
 program = "duplicity";
@@ -124,10 +69,6 @@ in {
 qrencode
 ];
- nix-bitcoin.onionAddresses = {
- access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
- };
-
 nix-bitcoin.operator.enable = true;
 users.users.${operatorName} = {
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;