From 3734ab38a6661ea1472e8dd08ace4d0f9bf6076f Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:31 +0200 Subject: [PATCH 01/19] configuration.nix: improve wording and formatting --- examples/configuration.nix | 78 +++++++++++++++++++++++--------------- 1 file changed, 47 insertions(+), 31 deletions(-) diff --git a/examples/configuration.nix b/examples/configuration.nix index bf5cd84..379b854 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -24,9 +24,9 @@ # modules by commenting out their respective line. ### BITCOIND - # Bitcoind is enabled by default if nix-bitcoin is enabled + # Bitcoind is enabled by default. # - # Enable this option to set pruning to a specified MiB value. + # Set this option to enable pruning with a specified MiB value. # clightning is compatible with pruning. See # https://github.com/ElementsProject/lightning/#pruning for more information. # LND and electrs are not compatible with pruning. @@ -42,8 +42,7 @@ # ''; ### CLIGHTNING - # Enable this module to use clightning, a Lightning Network implementation - # in C. + # Enable clightning, a Lightning Network implementation in C. services.clightning.enable = true; # # Set this to create an onion service by which clightning can accept incoming connections @@ -56,12 +55,13 @@ # services.clightning.plugins.prometheus.enable = true; ### LND - # Uncomment the following line in order to enable lnd, a lightning - # implementation written in Go. In order to avoid collisions with clightning - # you must disable clightning or change the services.clightning.port or - # services.lnd.port to a port other than 9735. + # Set this to enable lnd, a lightning implementation written in Go. # services.lnd.enable = true; # + # NOTE: In order to avoid collisions with clightning you must disable clightning or + # change the services.clightning.port or services.lnd.port to a port other than + # 9735. + # # Set this to create an onion service by which lnd can accept incoming connections # via Tor. # The onion service is automatically announced to peers. @@ -85,33 +85,37 @@ # scp bitcoin-node:/var/lib/lnd/chain/bitcoin/mainnet/channel.backup ./backups/lnd/ ### SPARK WALLET - # Enable this module to use spark-wallet, a minimalistic wallet GUI for + # Set this to enable spark-wallet, a minimalistic wallet GUI for # c-lightning, accessible over the web or through mobile and desktop apps. # Automatically enables clightning. # services.spark-wallet.enable = true; ### ELECTRS - # Enable this module to use electrs, an efficient re-implementation of - # Electrum Server in Rust. + # Set this to enable electrs, an efficient Electrum server implemented in Rust. # services.electrs.enable = true; + # # If you have more than 8GB memory, enable this option so electrs will # sync faster. Only available if hardware wallets are disabled. # services.electrs.high-memory = true; ### BTCPayServer - # Enable this module to use BTCPayServer, a self-hosted, open-source + # Set this to enable BTCPayServer, a self-hosted, open-source # cryptocurrency payment processor. + # services.btcpayserver.enable = true; + # # Privacy Warning: BTCPayServer currently looks up price rates without # proxying them through Tor. This means an outside observer can correlate # your BTCPayServer usage, like invoice creation times, with your IP address. - # services.btcpayserver.enable = true; + # # Enable this option to connect BTCPayServer to clightning. # services.btcpayserver.lightningBackend = "clightning"; + # # Enable this option to connect BTCPayServert to lnd. # services.btcpayserver.lightningBackend = "lnd"; - # The lightning backend service automatically enabled. + # + # The lightning backend service is automatically enabled. # Afterwards you need to go into Store > General Settings > Lightning Nodes - # and click to use "the internal lightning node of this BTCPay Server". + # and select "the internal lightning node of this BTCPay Server". # # Set this to create an onion service to make the btcpayserver web interface # accessible via Tor. @@ -122,16 +126,18 @@ ### LIQUIDD # Enable this module to use Liquid, a sidechain for an inter-exchange # settlement network linking together cryptocurrency exchanges and - # institutions around the world. Liquid is accessed with the elements-cli - # tool run as user operator. + # institutions around the world. # services.liquidd.enable = true; + # + # Liquid can be controlled with command 'elements-cli'. ### RECURRING-DONATIONS - # Enable this module to send recurring donations. This is EXPERIMENTAL; it's + # Set this to enable recurring donations. This is EXPERIMENTAL; it's # not guaranteed that payments are succeeding or that you will notice payment # failure. - # Automatically enables clightning. # services.recurring-donations.enable = true; + # This automatically enables clightning. + # # Specify the receivers of the donations. By default donations are every # Monday at a randomized time. Check `journalctl -eu recurring-donations` or # `lightning-cli listpayments` for successful lightning donations. @@ -142,11 +148,14 @@ # }; ### Hardware wallets - # Enable this module to allow using hardware wallets. See https://github.com/bitcoin-core/HWI - # for more information. Only available if electrs.high-memory is disabled. + # Enable the following to allow using hardware wallets. + # See https://github.com/bitcoin-core/HWI for more information. + # Only available if electrs.high-memory is disabled. + # # Ledger must be initialized through the official ledger live app and the Bitcoin app must # be installed and running on the device. # services.hardware-wallets.ledger = true; + # # Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in # `docs/usage.md`. # services.hardware-wallets.trezor = true; @@ -159,37 +168,42 @@ # nix-bitcoin.netns-isolation.enable = true; ### lightning-loop - # Enable this module to use lightninglab's non-custodial off/on chain bridge. + # Set this to enable lightninglab's non-custodial off/on chain bridge. + # services.lightning-loop.enable = true; + # # loopd (lightning-loop daemon) will be started automatically. Users can # interact with off/on chain bridge using `loop in` and `loop out`. # Automatically enables lnd. - # services.lightning-loop.enable = true; + ### lightning-pool - # Enable this module to use Lightning Lab's non-custodial batched uniform + # Set this to enable Lightning Lab's non-custodial batched uniform # clearing-price auction for Lightning Channel Leases. + # services.lightning-pool.enable = true; + # # Use the `pool` command to interact with the lightning-pool service. # Automatically enables lnd. - # services.lightning-pool.enable = true; # # lightning-pool requires that lnd has a publicly reachable address. # Set this to create a public onion service for lnd. # nix-bitcoin.onionServices.lnd.public = true; ### charge-lnd - # Enable this module to use charge-lnd, a simple policy based fee manager for + # Set this to enable charge-lnd, a simple policy based fee manager for # LND. With this tool you can set fees to autobalance, recover channel open # costs, use on-chain fees as reference, or just use static fees. You decide. # services.charge-lnd.enable = true; + # # Define policies as outlined in the project documentation. # services.charge-lnd.policies = '' # ''; ### Backups - # Enable this module to use nix-bitcoin's own backups module. By default, it + # Set this to enable nix-bitcoin's own backup service. By default, it # uses duplicity to incrementally back up all important files in /var/lib to # /var/lib/localBackups once a day. # services.backups.enable = true; + # # You can pull the localBackups folder with # `scp bitcoin-node:/var/lib/localBackups /my-backup-path/` # Alternatively, you can also set a remote target url, for example @@ -207,15 +221,17 @@ # services.backups.with-bulk-data = true; ### JOINMARKET - # Enable this module to allow using JoinMarket's user interactive scripts (including - # tumbler.py). + # Set this to enable the JoinMarket service, including its command-line scripts. + # These scripts have prefix 'jm-', like 'jm-tumbler'. # Note: JoinMarket has full access to bitcoind, including its wallet functionality. # services.joinmarket.enable = true; - # Enable this option to enable the JoinMarket Yield Generator Bot. You will be able to + # + # Set this to enable the JoinMarket Yield Generator Bot. You will be able to # earn sats by providing CoinJoin liquidity. This makes it impossible to use other # scripts that access your wallet. # services.joinmarket.yieldgenerator.enable = true; - # Enable this option to enable the JoinMarket order book watcher. + # + # Set this to enable the JoinMarket order book watcher. # services.joinmarket-ob-watcher.enable = true; # FIXME: Define your hostname. From c041079ae1f022673456cd086ba4524a4abd5276 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:32 +0200 Subject: [PATCH 02/19] configuration.nix: reorder sections Move backups and netns-isolation to the end. --- examples/configuration.nix | 41 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/examples/configuration.nix b/examples/configuration.nix index 379b854..edc0fa6 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -160,13 +160,6 @@ # `docs/usage.md`. # services.hardware-wallets.trezor = true; - ### netns-isolation (EXPERIMENTAL) - # Enable this module to use Network Namespace Isolation. This feature places - # every service in its own network namespace and only allows truly necessary - # connections between network namespaces, making sure services are isolated on - # a network-level as much as possible. - # nix-bitcoin.netns-isolation.enable = true; - ### lightning-loop # Set this to enable lightninglab's non-custodial off/on chain bridge. # services.lightning-loop.enable = true; @@ -175,7 +168,6 @@ # interact with off/on chain bridge using `loop in` and `loop out`. # Automatically enables lnd. - ### lightning-pool # Set this to enable Lightning Lab's non-custodial batched uniform # clearing-price auction for Lightning Channel Leases. @@ -198,6 +190,20 @@ # services.charge-lnd.policies = '' # ''; + ### JOINMARKET + # Set this to enable the JoinMarket service, including its command-line scripts. + # These scripts have prefix 'jm-', like 'jm-tumbler'. + # Note: JoinMarket has full access to bitcoind, including its wallet functionality. + # services.joinmarket.enable = true; + # + # Set this to enable the JoinMarket Yield Generator Bot. You will be able to + # earn sats by providing CoinJoin liquidity. This makes it impossible to use other + # scripts that access your wallet. + # services.joinmarket.yieldgenerator.enable = true; + # + # Set this to enable the JoinMarket order book watcher. + # services.joinmarket-ob-watcher.enable = true; + ### Backups # Set this to enable nix-bitcoin's own backup service. By default, it # uses duplicity to incrementally back up all important files in /var/lib to @@ -220,19 +226,12 @@ # and electrs data directory, enable # services.backups.with-bulk-data = true; - ### JOINMARKET - # Set this to enable the JoinMarket service, including its command-line scripts. - # These scripts have prefix 'jm-', like 'jm-tumbler'. - # Note: JoinMarket has full access to bitcoind, including its wallet functionality. - # services.joinmarket.enable = true; - # - # Set this to enable the JoinMarket Yield Generator Bot. You will be able to - # earn sats by providing CoinJoin liquidity. This makes it impossible to use other - # scripts that access your wallet. - # services.joinmarket.yieldgenerator.enable = true; - # - # Set this to enable the JoinMarket order book watcher. - # services.joinmarket-ob-watcher.enable = true; + ### netns-isolation (EXPERIMENTAL) + # Enable this module to use Network Namespace Isolation. This feature places + # every service in its own network namespace and only allows truly necessary + # connections between network namespaces, making sure services are isolated on + # a network-level as much as possible. + # nix-bitcoin.netns-isolation.enable = true; # FIXME: Define your hostname. networking.hostName = "host"; From 1c3735b60073388e0898e6302ab1f8f297e14dbe Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:33 +0200 Subject: [PATCH 03/19] examples/README: add nixbitcoin.org server repo --- examples/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/examples/README.md b/examples/README.md index b9bcfeb..445f846 100644 --- a/examples/README.md +++ b/examples/README.md @@ -68,3 +68,10 @@ c systemctl status bitcoind }' container --run c nodeinfo ``` See [`run-tests.sh`](../test/run-tests.sh) for a complete documentation. + + +### Real-world example +Check the [server repo](https://github.com/fort-nix/nixbitcoin.org) for https://nixbitcoin.org +to see the configuration of a nix-bitcoin node that's used in production. + +The commands in `shell.nix` allow you to locally run the node in a VM or container. From c758d68ea44411e7913de9d58832b93c0cfed1d6 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:34 +0200 Subject: [PATCH 04/19] lib: rename privileged -> rootScript The naming is now analogous the related function `script`. --- modules/lnd.nix | 2 +- pkgs/lib.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/lnd.nix b/modules/lnd.nix index d5c29e1..bdac2f3 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -244,7 +244,7 @@ in { done '') # Setting macaroon permission for other users needs root permissions - (nbLib.privileged "lnd-create-macaroons" '' + (nbLib.rootScript "lnd-create-macaroons" '' umask ug=r,o= ${lib.concatMapStrings (macaroon: '' echo "Create custom macaroon ${macaroon}" diff --git a/pkgs/lib.nix b/pkgs/lib.nix index 660820b..09c00c0 100644 --- a/pkgs/lib.nix +++ b/pkgs/lib.nix @@ -70,7 +70,7 @@ let self = { ''; # Used for ExecStart* - privileged = name: src: "+${self.script name src}"; + rootScript = name: src: "+${self.script name src}"; cliExec = mkOption { # Used by netns-isolation to execute the cli in the service's private netns From b8043d3db56694737d6ffd6e53ce58e380ab8daf Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:35 +0200 Subject: [PATCH 05/19] treewide: use consistent bash script indentation Always use two spaces. --- modules/bitcoind.nix | 10 +++++----- modules/lnd.nix | 4 ++-- modules/secrets/secrets.nix | 22 +++++++++++----------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix index 3ca5c2a..e2365ab 100644 --- a/modules/bitcoind.nix +++ b/modules/bitcoind.nix @@ -374,11 +374,11 @@ in { cd ${cfg.cli}/bin echo "Importing node banlist..." cat ${./banlist.cli.txt} | while read line; do - if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then - # unexpected error - echo "$err" - exit 1 - fi + if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then + # unexpected error + echo "$err" + exit 1 + fi done ''; serviceConfig = nbLib.defaultHardening // { diff --git a/modules/lnd.nix b/modules/lnd.nix index bdac2f3..9b49ca1 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -207,8 +207,8 @@ in { (nbLib.script "lnd-create-wallet" '' attempts=250 while ! { exec 3>/dev/tcp/${cfg.restAddress}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do - ((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; } - sleep 0.1 + ((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; } + sleep 0.1 done if [[ ! -f ${networkDir}/wallet.db ]]; then diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 30618e8..64a0554 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -110,17 +110,17 @@ in ''} setupSecret() { - file="$1" - user="$2" - group="$3" - permissions="$4" - if [[ ! -e $file ]]; then - echo "Error: Secret file '$file' is missing" - exit 1 - fi - chown "$user:$group" "$file" - chmod "$permissions" "$file" - processedFiles+=("$file") + file="$1" + user="$2" + group="$3" + permissions="$4" + if [[ ! -e $file ]]; then + echo "Error: Secret file '$file' is missing" + exit 1 + fi + chown "$user:$group" "$file" + chmod "$permissions" "$file" + processedFiles+=("$file") } dir="${cfg.secretsDir}" From f14af1fc486fc1f62eaa54b6482e84d542185799 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:36 +0200 Subject: [PATCH 06/19] treewide: use consistent echo message formatting Quote the echo message. --- modules/lnd.nix | 8 ++++---- modules/recurring-donations.nix | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/lnd.nix b/modules/lnd.nix index 9b49ca1..e4b591a 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -214,24 +214,24 @@ in { if [[ ! -f ${networkDir}/wallet.db ]]; then mnemonic="${cfg.dataDir}/lnd-seed-mnemonic" if [[ ! -f "$mnemonic" ]]; then - echo Create lnd seed + echo "Create lnd seed" umask u=r,go= ${curl} -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" fi - echo Create lnd wallet + echo "Create lnd wallet" ${curl} --output /dev/null \ -X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \ \"cipher_seed_mnemonic\": $(cat "$mnemonic" | tr -d '\n')}" \ ${restUrl}/initwallet # Guarantees that RPC calls with cfg.cli succeed after the service is started - echo Wait until wallet is created + echo "Wait until wallet is created" while [[ ! -f ${networkDir}/admin.macaroon ]]; do sleep 0.1 done else - echo Unlock lnd wallet + echo "Unlock lnd wallet" ${curl} \ -H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${networkDir}/admin.macaroon')" \ -X POST \ diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix index 63a5333..7d0680b 100644 --- a/modules/recurring-donations.nix +++ b/modules/recurring-donations.nix @@ -10,7 +10,7 @@ let pay_tallycoin() { NAME=$1 AMOUNT=$2 - echo Attempting to pay $AMOUNT sat to $NAME + echo "Attempting to pay $AMOUNT sat to $NAME" INVOICE=$(curl --socks5-hostname ${config.nix-bitcoin.torClientAddressWithPort} -d "satoshi_amount=$AMOUNT&payment_method=ln&id=$NAME&type=profile" -X POST https://api.tallyco.in/v1/payment/request/ | jq -r '.lightning_pay_request') 2> /dev/null if [ -z "$INVOICE" ] || [ "$INVOICE" = "null" ]; then echo "ERROR: did not get invoice from tallycoin" @@ -23,10 +23,10 @@ let return fi if [ $DECODED_AMOUNT -eq $AMOUNT ]; then - echo Paying with invoice "$INVOICE" + echo "Paying with invoice $INVOICE" $LNCLI pay "$INVOICE" else - echo ERROR: requested amount and invoice amount do not match. $AMOUNT vs $DECODED_AMOUNT + echo "ERROR: requested amount and invoice amount do not match. $AMOUNT vs $DECODED_AMOUNT" return fi } From fb36f2abe530e2183b99824f3979a110d2cec685 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:37 +0200 Subject: [PATCH 07/19] joinmarket-ob-watcher: use consistent mode formatting Remove redundant leading zero. --- modules/joinmarket-ob-watcher.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix index 82499ef..2f4fdc0 100644 --- a/modules/joinmarket-ob-watcher.nix +++ b/modules/joinmarket-ob-watcher.nix @@ -74,7 +74,7 @@ in { serviceConfig = nbLib.defaultHardening // rec { DynamicUser = true; StateDirectory = "joinmarket-ob-watcher"; - StateDirectoryMode = "0770"; + StateDirectoryMode = "770"; WorkingDirectory = cfg.dataDir; # The service creates dir 'logs' in the working dir ExecStart = '' ${nbPkgs.joinmarket}/bin/ob-watcher --datadir=${cfg.dataDir} \ From 1ef8cbb38477a9385e3f2d118d68e81a36bf8d6d Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:38 +0200 Subject: [PATCH 08/19] joinmarket: fix allowRunAsUsers setting This option requires user names instead of groups. --- modules/joinmarket.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix index 2d27094..289bf2e 100644 --- a/modules/joinmarket.nix +++ b/modules/joinmarket.nix @@ -282,7 +282,7 @@ in { users.groups.${cfg.group} = {}; nix-bitcoin.operator = { groups = [ cfg.group ]; - allowRunAsUsers = [ cfg.group ]; + allowRunAsUsers = [ cfg.user ]; }; nix-bitcoin.secrets.jm-wallet-password.user = cfg.user; From 6de9aba8541e20e246a2666c02703c019be15418 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:39 +0200 Subject: [PATCH 09/19] run-tests: quote scriptDir scriptDir may contain spaces. --- test/run-tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/run-tests.sh b/test/run-tests.sh index 15e7283..7117ec9 100755 --- a/test/run-tests.sh +++ b/test/run-tests.sh @@ -277,7 +277,7 @@ examples() { ./deploy-qemu-vm.sh ./deploy-krops.sh " - (cd $scriptDir/../examples && nix-shell --run "$script") + (cd "$scriptDir/../examples" && nix-shell --run "$script") } all() { From 4ece606e8b328fbdfd9b0cfeb69dbfd86df90730 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:40 +0200 Subject: [PATCH 10/19] examples/minimal-configuration: improve comment --- examples/minimal-configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/minimal-configuration.nix b/examples/minimal-configuration.nix index e7c2757..4cc6fac 100644 --- a/examples/minimal-configuration.nix +++ b/examples/minimal-configuration.nix @@ -15,7 +15,8 @@ name = "main"; # Set this to your system's main user }; - # The system's main unprivileged user + # The system's main unprivileged user. This setting is usually part of your + # existing NixOS configuration. users.users.main = { isNormalUser = true; password = "a"; From f9a0fd7a17bb638166a9b2452e8a0409ad776734 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:41 +0200 Subject: [PATCH 11/19] nodeinfo: fix indentation --- modules/nodeinfo.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/nodeinfo.nix b/modules/nodeinfo.nix index 782446b..c395bfb 100644 --- a/modules/nodeinfo.nix +++ b/modules/nodeinfo.nix @@ -94,13 +94,13 @@ let """) ''; - mkIfOnionPort = name: fn: - if onionServices ? ${name} then - fn (toString (builtins.elemAt onionServices.${name}.map 0).port) - else - ""; + mkIfOnionPort = name: fn: + if onionServices ? ${name} then + fn (toString (builtins.elemAt onionServices.${name}.map 0).port) + else + ""; - inherit (config.services.tor.relay) onionServices; + inherit (config.services.tor.relay) onionServices; in { options = { nix-bitcoin.nodeinfo = { From ca3c7a281b56ccdc9e71addc70a6570732831a5c Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:42 +0200 Subject: [PATCH 12/19] secrets: mark option 'secretsSetupMethod' as internal --- modules/secrets/secrets.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 64a0554..6c7e0a9 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -60,6 +60,7 @@ in }; secretsSetupMethod = mkOption { + internal = true; type = types.str; default = throw '' Error: No secrets setup method has been defined. From 13b4650e845e31185c0a1cdadc2e7009ef3a9e0a Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:43 +0200 Subject: [PATCH 13/19] versioning: add usage comment --- modules/versioning.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/versioning.nix b/modules/versioning.nix index 445edf8..6b0121e 100644 --- a/modules/versioning.nix +++ b/modules/versioning.nix @@ -1,5 +1,10 @@ { config, pkgs, lib, ... }: +# Workflow for releasing a new nix-bitcoin version with incompatible changes: +# Let V be the version of the upcoming, incompatible release. +# 1. Add change descriptions with `version = V` at the end of the `changes` list below. +# 2. Set `nix-bitcoin.configVersion = V` in ../examples/configuration.nix. + with lib; let version = config.nix-bitcoin.configVersion; From fdc278a0b89f9445ea2ed0a98234c5f36ca89929 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:44 +0200 Subject: [PATCH 14/19] lib: fix comment --- pkgs/lib.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/lib.nix b/pkgs/lib.nix index 09c00c0..c7a7480 100644 --- a/pkgs/lib.nix +++ b/pkgs/lib.nix @@ -3,7 +3,7 @@ lib: pkgs: with lib; # See `man systemd.exec` and `man systemd.resource-control` for an explanation -# of the systemd-related options available through this module. +# of the systemd-related options available through this file. let self = { # These settings roughly follow systemd's "strict" security profile defaultHardening = { From cce9a3f6b2ecf0fa28f4d35f02c9af9d82b16185 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:45 +0200 Subject: [PATCH 15/19] modules: move nix-bitcoin options to file 'nix-bitcoin.nix' This allows modules.nix to consist only of a list of modules. --- examples/minimal-configuration.nix | 2 +- modules/modules.nix | 56 +--------------------------- modules/nix-bitcoin.nix | 59 +++++++++++++++++++++++++++--- 3 files changed, 55 insertions(+), 62 deletions(-) diff --git a/examples/minimal-configuration.nix b/examples/minimal-configuration.nix index 4cc6fac..71dd4a5 100644 --- a/examples/minimal-configuration.nix +++ b/examples/minimal-configuration.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: { imports = [ - + ]; nix-bitcoin.generateSecrets = true; diff --git a/modules/modules.nix b/modules/modules.nix index c32bdf0..ce5de0e 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -1,9 +1,7 @@ -{ config, pkgs, lib, ... }: - -with lib; { imports = [ # Core modules + ./nix-bitcoin.nix ./secrets/secrets.nix ./operator.nix @@ -36,56 +34,4 @@ with lib; ]; disabledModules = [ "services/networking/bitcoind.nix" ]; - - options = { - nix-bitcoin = { - pkgs = mkOption { - type = types.attrs; - default = (import ../pkgs { inherit pkgs; }).modulesPkgs; - }; - - lib = mkOption { - readOnly = true; - default = import ../pkgs/lib.nix lib pkgs; - }; - - torClientAddressWithPort = mkOption { - readOnly = true; - default = with config.services.tor.client.socksListenAddress; - "${addr}:${toString port}"; - }; - - # Torify binary that works with custom Tor SOCKS addresses - # Related issue: https://github.com/NixOS/nixpkgs/issues/94236 - torify = mkOption { - readOnly = true; - default = pkgs.writeScriptBin "torify" '' - ${pkgs.tor}/bin/torify \ - --address ${config.services.tor.client.socksListenAddress.addr} \ - "$@" - ''; - }; - - # A helper for using doas instead of sudo when doas is enabled - runAsUserCmd = mkOption { - readOnly = true; - default = if config.security.doas.enable - # TODO: Use absolute path until https://github.com/NixOS/nixpkgs/pull/133622 is available. - then "/run/wrappers/bin/doas -u" - else "sudo -u"; - }; - }; - }; - - config = { - assertions = [ - { assertion = (config.services.lnd.enable -> ( !config.services.clightning.enable || config.services.clightning.port != config.services.lnd.port)); - message = '' - LND and clightning can't both bind to lightning port 9735. Either - disable LND/clightning or change services.clightning.bindPort or - services.lnd.port to a port other than 9735. - ''; - } - ]; - }; } diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix index a3f67eb..fc8696b 100644 --- a/modules/nix-bitcoin.nix +++ b/modules/nix-bitcoin.nix @@ -1,9 +1,56 @@ -# This file exists only for backwards compatibility +{ config, pkgs, lib, ... }: -{ lib, ... }: +with lib; { - imports = [ - ./presets/secure-node.nix - (lib.mkRemovedOptionModule [ "services" "nix-bitcoin" "enable" ] "Please directly import ./presets/secure-node.nix") - ]; + options = { + nix-bitcoin = { + pkgs = mkOption { + type = types.attrs; + default = (import ../pkgs { inherit pkgs; }).modulesPkgs; + }; + + lib = mkOption { + readOnly = true; + default = import ../pkgs/lib.nix lib pkgs; + }; + + torClientAddressWithPort = mkOption { + readOnly = true; + default = with config.services.tor.client.socksListenAddress; + "${addr}:${toString port}"; + }; + + # Torify binary that works with custom Tor SOCKS addresses + # Related issue: https://github.com/NixOS/nixpkgs/issues/94236 + torify = mkOption { + readOnly = true; + default = pkgs.writeScriptBin "torify" '' + ${pkgs.tor}/bin/torify \ + --address ${config.services.tor.client.socksListenAddress.addr} \ + "$@" + ''; + }; + + # A helper for using doas instead of sudo when doas is enabled + runAsUserCmd = mkOption { + readOnly = true; + default = if config.security.doas.enable + # TODO: Use absolute path until https://github.com/NixOS/nixpkgs/pull/133622 is available. + then "/run/wrappers/bin/doas -u" + else "sudo -u"; + }; + }; + }; + + config = { + assertions = [ + { assertion = (config.services.lnd.enable -> ( !config.services.clightning.enable || config.services.clightning.port != config.services.lnd.port)); + message = '' + LND and clightning can't both bind to lightning port 9735. Either + disable LND/clightning or change services.clightning.bindPort or + services.lnd.port to a port other than 9735. + ''; + } + ]; + }; } From 9f7d0487691c02ee2849ceb208ebd5c596381760 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:46 +0200 Subject: [PATCH 16/19] modules: move assertion to lnd.nix nix-bitcoin.nix is now no longer dependent on clightning.nix and lnd.nix. Due to condition '!(config.services ? clightning)' lnd.nix still doesn't depend on clightning.nix. Also fix the assertion message by renaming clightning.bindPort to clightning.port. --- modules/lnd.nix | 10 ++++++++++ modules/nix-bitcoin.nix | 12 ------------ 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/modules/lnd.nix b/modules/lnd.nix index e4b591a..fcadc5c 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -157,6 +157,16 @@ in { { assertion = bitcoind.prune == 0; message = "lnd does not support bitcoind pruning."; } + { assertion = + !(config.services ? clightning) + || !config.services.clightning.enable + || config.services.clightning.port != cfg.port; + message = '' + LND and clightning can't both bind to lightning port 9735. Either + disable LND/clightning or change services.clightning.port or + services.lnd.port to a port other than 9735. + ''; + } ]; services.bitcoind = { diff --git a/modules/nix-bitcoin.nix b/modules/nix-bitcoin.nix index fc8696b..48cb7c4 100644 --- a/modules/nix-bitcoin.nix +++ b/modules/nix-bitcoin.nix @@ -41,16 +41,4 @@ with lib; }; }; }; - - config = { - assertions = [ - { assertion = (config.services.lnd.enable -> ( !config.services.clightning.enable || config.services.clightning.port != config.services.lnd.port)); - message = '' - LND and clightning can't both bind to lightning port 9735. Either - disable LND/clightning or change services.clightning.bindPort or - services.lnd.port to a port other than 9735. - ''; - } - ]; - }; } From ee8b83681bd47daa57696846d6342cba46bd0ee3 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:47 +0200 Subject: [PATCH 17/19] modules: document module dependencies --- modules/modules.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/modules.nix b/modules/modules.nix index ce5de0e..0e0ac5a 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -1,4 +1,7 @@ { + # The modules are topologically sorted by their dependencies. + # This means that modules only depend on modules higher in the list + # (unless otherwise noted). imports = [ # Core modules ./nix-bitcoin.nix @@ -11,7 +14,7 @@ ./clightning-plugins ./spark-wallet.nix ./lnd.nix - ./lnd-rest-onion-service.nix + ./lnd-rest-onion-service.nix # Requires onion-addresses.nix ./lightning-loop.nix ./lightning-pool.nix ./charge-lnd.nix From a8a8b9ce4ded39043cf87c5647acaf8e2610a141 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 11:28:48 +0200 Subject: [PATCH 18/19] backups: backup NixOS uid, gid mappings Now that service uid, gid mappings are included in the backups, along with the service data dirs, we can remove 'chown -R' for clightning and liquidd data dirs. Note that we used 'chown -R' only for these two services, while this approach would have been relevant for all services with data dirs. --- modules/backups.nix | 2 ++ modules/clightning.nix | 1 - modules/liquid.nix | 1 - 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/backups.nix b/modules/backups.nix index 946f526..a7747c6 100644 --- a/modules/backups.nix +++ b/modules/backups.nix @@ -21,6 +21,8 @@ let ${config.services.postgresqlBackup.location}/btcpaydb.sql.gz ${optionalString config.nix-bitcoin.generateSecrets "${config.nix-bitcoin.secretsDir}"} /var/lib/tor + /var/lib/nixos + # Extra files ${cfg.extraFiles} diff --git a/modules/clightning.nix b/modules/clightning.nix index f415a30..93a3b5a 100644 --- a/modules/clightning.nix +++ b/modules/clightning.nix @@ -111,7 +111,6 @@ in { requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; preStart = '' - chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' # The RPC socket has to be removed otherwise we might have stale sockets rm -f ${cfg.networkDir}/lightning-rpc install -m 640 ${configFile} '${cfg.dataDir}/config' diff --git a/modules/liquid.nix b/modules/liquid.nix index 28f2e4f..7804ba0 100644 --- a/modules/liquid.nix +++ b/modules/liquid.nix @@ -221,7 +221,6 @@ in { after = [ "bitcoind.service" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}' install -m 640 ${configFile} '${cfg.dataDir}/elements.conf' { echo "rpcpassword=$(cat ${secretsDir}/liquid-rpcpassword)" From b0c66c41e13c5def8c31e3ff9ded577fa3e0f65b Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 15 Aug 2021 22:41:25 +0200 Subject: [PATCH 19/19] tests: add container-minimal example --- test/run-tests.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/test/run-tests.sh b/test/run-tests.sh index 7117ec9..7990308 100755 --- a/test/run-tests.sh +++ b/test/run-tests.sh @@ -274,6 +274,7 @@ examples() { script=" set -e ./deploy-container.sh + ./deploy-container-minimal.sh ./deploy-qemu-vm.sh ./deploy-krops.sh "