Merge #221: nbxplorer/btcpayserver: add module
c9c844de80
btcpayserver: add tests (nixbitcoin)f93c3c8405
backups: add nbxplorer and btcpayserver datadir to includelist (nixbitcoin)605b37c16e
nodeinfo: add btcpayserver onion (nixbitcoin)15b574faa7
nbxplorer/btcpayserver: add module (nixbitcoin)46d681a17e
lnd: generate custom macaroons (nixbitcoin)6f032e3c40
lnd: fix mnemonic file access vulnerability (Erik Arvstedt)b97584f5cb
netns: allow return traffic to outgoing connections (nixbitcoin)99295328b4
temp: mirror erikarvstedt btcpayserver (Calvin Kim) Pull request description: ACKs for top commit: erikarvstedt: ACKc9c844de80
Tree-SHA512: 0020964db37f5c5db3343ddef88f2e7e8d8ad48760ece73125fd9d2feaed0a3789ba3fd3eff98c225a675b49447b1728cd2c9eb4fa495c961e8376b28d32bad9
This commit is contained in:
commit
a9c163c624
@ -27,6 +27,10 @@ env:
|
|||||||
- PKG=elementsd STABLE=0
|
- PKG=elementsd STABLE=0
|
||||||
- PKG=electrs STABLE=1
|
- PKG=electrs STABLE=1
|
||||||
- PKG=electrs STABLE=0
|
- PKG=electrs STABLE=0
|
||||||
|
- PKG=nbxplorer STABLE=1
|
||||||
|
- PKG=nbxplorer STABLE=0
|
||||||
|
- PKG=btcpayserver STABLE=1
|
||||||
|
- PKG=btcpayserver STABLE=0
|
||||||
- PKG=liquid-swap STABLE=1
|
- PKG=liquid-swap STABLE=1
|
||||||
- PKG=lightning-loop STABLE=0
|
- PKG=lightning-loop STABLE=0
|
||||||
- PKG=nixops19_09 STABLE=1
|
- PKG=nixops19_09 STABLE=1
|
||||||
|
@ -76,6 +76,20 @@
|
|||||||
# sync faster. Only available if hardware wallets are disabled.
|
# sync faster. Only available if hardware wallets are disabled.
|
||||||
# services.electrs.high-memory = true;
|
# services.electrs.high-memory = true;
|
||||||
|
|
||||||
|
### BTCPayServer
|
||||||
|
# Enable this module to use BTCPayServer, a self-hosted, open-source
|
||||||
|
# cryptocurrency payment processor.
|
||||||
|
# Privacy Warning: BTCPayServer currently looks up price rates without
|
||||||
|
# proxying them through Tor. This means an outside observer can correlate
|
||||||
|
# your BTCPayServer usage, like invoice creation times, with your IP address.
|
||||||
|
# services.btcpayserver.enable = true;
|
||||||
|
# Enable this option to connect BTCPayServer to clightning.
|
||||||
|
# services.btcpayserver.lightningBackend = "clightning";
|
||||||
|
# Enable this option to connect BTCPayServert to lnd.
|
||||||
|
# services.btcpayserver.lightningBackend = "lnd";
|
||||||
|
# Afterwards you need to go into Store > General Settings > Lightning Nodes
|
||||||
|
# and click to use "the internal lightning node of this BTCPay Server".
|
||||||
|
|
||||||
### LIQUIDD
|
### LIQUIDD
|
||||||
# Enable this module to use Liquid, a sidechain for an inter-exchange
|
# Enable this module to use Liquid, a sidechain for an inter-exchange
|
||||||
# settlement network linking together cryptocurrency exchanges and
|
# settlement network linking together cryptocurrency exchanges and
|
||||||
|
@ -16,6 +16,8 @@ let
|
|||||||
${config.services.liquidd.dataDir}
|
${config.services.liquidd.dataDir}
|
||||||
${optionalString cfg.with-bulk-data "${config.services.electrs.dataDir}"}
|
${optionalString cfg.with-bulk-data "${config.services.electrs.dataDir}"}
|
||||||
${config.services.lightning-charge.dataDir}
|
${config.services.lightning-charge.dataDir}
|
||||||
|
${config.services.nbxplorer.dataDir}
|
||||||
|
${config.services.btcpayserver.dataDir}
|
||||||
/var/lib/tor
|
/var/lib/tor
|
||||||
# Extra files
|
# Extra files
|
||||||
${cfg.extraFiles}
|
${cfg.extraFiles}
|
||||||
|
211
modules/btcpayserver.nix
Normal file
211
modules/btcpayserver.nix
Normal file
@ -0,0 +1,211 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.services;
|
||||||
|
inherit (config) nix-bitcoin-services;
|
||||||
|
in {
|
||||||
|
options.services = {
|
||||||
|
nbxplorer = {
|
||||||
|
package = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.nix-bitcoin.nbxplorer;
|
||||||
|
defaultText = "pkgs.nix-bitcoin.nbxplorer";
|
||||||
|
description = "The package providing nbxplorer binaries.";
|
||||||
|
};
|
||||||
|
dataDir = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = "/var/lib/nbxplorer";
|
||||||
|
description = "The data directory for nbxplorer.";
|
||||||
|
};
|
||||||
|
user = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "nbxplorer";
|
||||||
|
description = "The user as which to run nbxplorer.";
|
||||||
|
};
|
||||||
|
group = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = cfg.nbxplorer.user;
|
||||||
|
description = "The group as which to run nbxplorer.";
|
||||||
|
};
|
||||||
|
bind = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "127.0.0.1";
|
||||||
|
description = "The address on which to bind.";
|
||||||
|
};
|
||||||
|
enable = mkOption {
|
||||||
|
# This option is only used by netns-isolation
|
||||||
|
internal = true;
|
||||||
|
default = cfg.btcpayserver.enable;
|
||||||
|
};
|
||||||
|
enforceTor = nix-bitcoin-services.enforceTor;
|
||||||
|
};
|
||||||
|
|
||||||
|
btcpayserver = {
|
||||||
|
enable = mkEnableOption "btcpayserver";
|
||||||
|
package = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.nix-bitcoin.btcpayserver;
|
||||||
|
defaultText = "pkgs.nix-bitcoin.btcpayserver";
|
||||||
|
description = "The package providing btcpayserver binaries.";
|
||||||
|
};
|
||||||
|
dataDir = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = "/var/lib/btcpayserver";
|
||||||
|
description = "The data directory for btcpayserver.";
|
||||||
|
};
|
||||||
|
user = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "btcpayserver";
|
||||||
|
description = "The user as which to run btcpayserver.";
|
||||||
|
};
|
||||||
|
group = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = cfg.btcpayserver.user;
|
||||||
|
description = "The group as which to run btcpayserver.";
|
||||||
|
};
|
||||||
|
bind = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "127.0.0.1";
|
||||||
|
description = "The address on which to bind.";
|
||||||
|
};
|
||||||
|
lightningBackend = mkOption {
|
||||||
|
type = types.nullOr (types.enum [ "clightning" "lnd" ]);
|
||||||
|
default = null;
|
||||||
|
description = "The lightning node implementation to use.";
|
||||||
|
};
|
||||||
|
enforceTor = nix-bitcoin-services.enforceTor;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.btcpayserver.enable {
|
||||||
|
assertions = let
|
||||||
|
backend = cfg.btcpayserver.lightningBackend;
|
||||||
|
in [
|
||||||
|
{ assertion = (backend != null) -> cfg.${backend}.enable;
|
||||||
|
message = "btcpayserver requires ${backend}.";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
|
||||||
|
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.services.nbxplorer = let
|
||||||
|
configFile = builtins.toFile "config" ''
|
||||||
|
network=mainnet
|
||||||
|
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
|
||||||
|
btcrpcurl=http://${builtins.elemAt config.services.bitcoind.rpcbind 0}:8332
|
||||||
|
btcnodeendpoint=${config.services.bitcoind.bind}:8333
|
||||||
|
bind=${cfg.nbxplorer.bind}
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
description = "Run nbxplorer";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
requires = [ "bitcoind.service" ];
|
||||||
|
after = [ "bitcoind.service" ];
|
||||||
|
preStart = ''
|
||||||
|
install -m 600 ${configFile} ${cfg.nbxplorer.dataDir}/settings.config
|
||||||
|
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)" \
|
||||||
|
>> '${cfg.nbxplorer.dataDir}/settings.config'
|
||||||
|
'';
|
||||||
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||||
|
ExecStart = ''
|
||||||
|
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
|
||||||
|
--datadir=${cfg.nbxplorer.dataDir}
|
||||||
|
'';
|
||||||
|
User = cfg.nbxplorer.user;
|
||||||
|
Restart = "on-failure";
|
||||||
|
RestartSec = "10s";
|
||||||
|
ReadWritePaths = cfg.nbxplorer.dataDir;
|
||||||
|
MemoryDenyWriteExecute = "false";
|
||||||
|
} // (if cfg.nbxplorer.enforceTor
|
||||||
|
then nix-bitcoin-services.allowTor
|
||||||
|
else nix-bitcoin-services.allowAnyIP
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.btcpayserver = let
|
||||||
|
configFile = builtins.toFile "config" (''
|
||||||
|
network=mainnet
|
||||||
|
socksendpoint=${cfg.tor.client.socksListenAddress}
|
||||||
|
btcexplorerurl=http://${cfg.nbxplorer.bind}:24444/
|
||||||
|
btcexplorercookiefile=${cfg.nbxplorer.dataDir}/Main/.cookie
|
||||||
|
bind=${cfg.btcpayserver.bind}
|
||||||
|
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
|
||||||
|
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/bitcoin/lightning-rpc
|
||||||
|
'');
|
||||||
|
lndConfig =
|
||||||
|
"btclightning=type=lnd-rest;" +
|
||||||
|
"server=https://${toString cfg.lnd.listen}:${toString cfg.lnd.restPort}/;" +
|
||||||
|
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
|
||||||
|
"certthumbprint=";
|
||||||
|
in let self = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
requires = [ "nbxplorer.service" ]
|
||||||
|
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
|
||||||
|
after = self.requires;
|
||||||
|
preStart = ''
|
||||||
|
install -m 600 ${configFile} ${cfg.btcpayserver.dataDir}/settings.config
|
||||||
|
${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
|
||||||
|
{
|
||||||
|
echo -n "${lndConfig}";
|
||||||
|
${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.nix-bitcoin.secretsDir}/lnd-cert \
|
||||||
|
| sed -e 's/.*=//;s/://g';
|
||||||
|
} >> ${cfg.btcpayserver.dataDir}/settings.config
|
||||||
|
''}
|
||||||
|
'';
|
||||||
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||||
|
ExecStart = ''
|
||||||
|
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${cfg.btcpayserver.dataDir}/settings.config \
|
||||||
|
--datadir=${cfg.btcpayserver.dataDir}
|
||||||
|
'';
|
||||||
|
User = cfg.btcpayserver.user;
|
||||||
|
Restart = "on-failure";
|
||||||
|
RestartSec = "10s";
|
||||||
|
ReadWritePaths = cfg.btcpayserver.dataDir;
|
||||||
|
MemoryDenyWriteExecute = "false";
|
||||||
|
} // (if cfg.btcpayserver.enforceTor
|
||||||
|
then nix-bitcoin-services.allowTor
|
||||||
|
else nix-bitcoin-services.allowAnyIP
|
||||||
|
);
|
||||||
|
}; in self;
|
||||||
|
|
||||||
|
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
||||||
|
inherit (cfg.btcpayserver) user;
|
||||||
|
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.${cfg.nbxplorer.user} = {
|
||||||
|
description = "nbxplorer user";
|
||||||
|
group = cfg.nbxplorer.group;
|
||||||
|
extraGroups = [ "bitcoinrpc" ];
|
||||||
|
home = cfg.nbxplorer.dataDir;
|
||||||
|
};
|
||||||
|
users.groups.${cfg.nbxplorer.group} = {};
|
||||||
|
users.users.${cfg.btcpayserver.user} = {
|
||||||
|
description = "btcpayserver user";
|
||||||
|
group = cfg.btcpayserver.group;
|
||||||
|
extraGroups = [ "nbxplorer" ]
|
||||||
|
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
|
||||||
|
home = cfg.btcpayserver.dataDir;
|
||||||
|
};
|
||||||
|
users.groups.${cfg.btcpayserver.group} = {};
|
||||||
|
|
||||||
|
services.bitcoind.rpc.users.btcpayserver = {
|
||||||
|
passwordHMACFromFile = true;
|
||||||
|
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
|
||||||
|
"setban"
|
||||||
|
"generatetoaddress"
|
||||||
|
"getpeerinfo"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
nix-bitcoin.secrets.bitcoin-rpcpassword-btcpayserver = {
|
||||||
|
user = "bitcoin";
|
||||||
|
group = "nbxplorer";
|
||||||
|
};
|
||||||
|
nix-bitcoin.secrets.bitcoin-HMAC-btcpayserver.user = "bitcoin";
|
||||||
|
};
|
||||||
|
}
|
@ -7,6 +7,7 @@ let
|
|||||||
inherit (config) nix-bitcoin-services;
|
inherit (config) nix-bitcoin-services;
|
||||||
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
|
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
|
||||||
secretsDir = config.nix-bitcoin.secretsDir;
|
secretsDir = config.nix-bitcoin.secretsDir;
|
||||||
|
mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";
|
||||||
configFile = pkgs.writeText "lnd.conf" ''
|
configFile = pkgs.writeText "lnd.conf" ''
|
||||||
datadir=${cfg.dataDir}
|
datadir=${cfg.dataDir}
|
||||||
logdir=${cfg.dataDir}/logs
|
logdir=${cfg.dataDir}/logs
|
||||||
@ -97,6 +98,27 @@ in {
|
|||||||
default = false;
|
default = false;
|
||||||
description = "Announce LND Tor Hidden Service";
|
description = "Announce LND Tor Hidden Service";
|
||||||
};
|
};
|
||||||
|
macaroons = mkOption {
|
||||||
|
default = {};
|
||||||
|
type = with types; attrsOf (submodule {
|
||||||
|
options = {
|
||||||
|
user = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = "User who owns the macaroon.";
|
||||||
|
};
|
||||||
|
permissions = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
example = ''
|
||||||
|
{"entity":"info","action":"read"},{"entity":"onchain","action":"read"}
|
||||||
|
'';
|
||||||
|
description = "List of granted macaroon permissions.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
description = ''
|
||||||
|
Extra macaroon definitions.
|
||||||
|
'';
|
||||||
|
};
|
||||||
extraConfig = mkOption {
|
extraConfig = mkOption {
|
||||||
type = types.lines;
|
type = types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
@ -155,6 +177,8 @@ in {
|
|||||||
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
|
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
|
||||||
'';
|
'';
|
||||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||||
|
RuntimeDirectory = "lnd"; # Only used to store custom macaroons
|
||||||
|
RuntimeDirectoryMode = "711";
|
||||||
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
|
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
|
||||||
User = "lnd";
|
User = "lnd";
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
@ -174,17 +198,14 @@ in {
|
|||||||
mnemonic=${secretsDir}/lnd-seed-mnemonic
|
mnemonic=${secretsDir}/lnd-seed-mnemonic
|
||||||
if [[ ! -f $mnemonic ]]; then
|
if [[ ! -f $mnemonic ]]; then
|
||||||
echo Create lnd seed
|
echo Create lnd seed
|
||||||
|
umask u=r,go=
|
||||||
${pkgs.curl}/bin/curl -s \
|
${pkgs.curl}/bin/curl -s \
|
||||||
--cacert ${secretsDir}/lnd-cert \
|
--cacert ${secretsDir}/lnd-cert \
|
||||||
-X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
|
-X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
|
||||||
fi
|
fi
|
||||||
chown lnd: "$mnemonic"
|
chown lnd: "$mnemonic"
|
||||||
chmod 400 "$mnemonic"
|
|
||||||
''}"
|
''}"
|
||||||
"${let
|
"${nix-bitcoin-services.script ''
|
||||||
mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";
|
|
||||||
in nix-bitcoin-services.script ''
|
|
||||||
if [[ ! -f ${mainnetDir}/wallet.db ]]; then
|
if [[ ! -f ${mainnetDir}/wallet.db ]]; then
|
||||||
echo Create lnd wallet
|
echo Create lnd wallet
|
||||||
|
|
||||||
@ -214,6 +235,23 @@ in {
|
|||||||
while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do
|
while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
done
|
done
|
||||||
|
|
||||||
|
''}"
|
||||||
|
# Run fully privileged for chown
|
||||||
|
"+${nix-bitcoin-services.script ''
|
||||||
|
umask ug=r,o=
|
||||||
|
${lib.concatMapStrings (macaroon: ''
|
||||||
|
echo "Create custom macaroon ${macaroon}"
|
||||||
|
macaroonPath="$RUNTIME_DIRECTORY/${macaroon}.macaroon"
|
||||||
|
${pkgs.curl}/bin/curl -s \
|
||||||
|
-H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \
|
||||||
|
--cacert ${secretsDir}/lnd-cert \
|
||||||
|
-X POST \
|
||||||
|
-d '{"permissions":[${cfg.macaroons.${macaroon}.permissions}]}' \
|
||||||
|
https://127.0.0.1:${restPort}/v1/macaroon |\
|
||||||
|
${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
|
||||||
|
chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
|
||||||
|
'') (attrNames cfg.macaroons)}
|
||||||
''}"
|
''}"
|
||||||
];
|
];
|
||||||
} // (if cfg.enforceTor
|
} // (if cfg.enforceTor
|
||||||
@ -232,6 +270,7 @@ in {
|
|||||||
lnd-wallet-password.user = "lnd";
|
lnd-wallet-password.user = "lnd";
|
||||||
lnd-key.user = "lnd";
|
lnd-key.user = "lnd";
|
||||||
lnd-cert.user = "lnd";
|
lnd-cert.user = "lnd";
|
||||||
|
lnd-cert.permissions = "0444"; # world readable
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
./netns-isolation.nix
|
./netns-isolation.nix
|
||||||
./security.nix
|
./security.nix
|
||||||
./backups.nix
|
./backups.nix
|
||||||
|
./btcpayserver.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
disabledModules = [ "services/networking/bitcoind.nix" ];
|
disabledModules = [ "services/networking/bitcoind.nix" ];
|
||||||
|
@ -160,6 +160,8 @@ in {
|
|||||||
${ipNetns} route add default via ${bridgeIp}
|
${ipNetns} route add default via ${bridgeIp}
|
||||||
${netnsIptables} -w -P INPUT DROP
|
${netnsIptables} -w -P INPUT DROP
|
||||||
${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
|
${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
|
||||||
|
# allow return traffic to outgoing connections initiated by the service itself
|
||||||
|
${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
'' + (optionalString (config.services.${n}.enforceTor or false)) ''
|
'' + (optionalString (config.services.${n}.enforceTor or false)) ''
|
||||||
${netnsIptables} -w -P OUTPUT DROP
|
${netnsIptables} -w -P OUTPUT DROP
|
||||||
${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
|
${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
|
||||||
@ -230,6 +232,16 @@ in {
|
|||||||
id = 22;
|
id = 22;
|
||||||
connections = [ "lnd" ];
|
connections = [ "lnd" ];
|
||||||
};
|
};
|
||||||
|
nbxplorer = {
|
||||||
|
id = 23;
|
||||||
|
connections = [ "bitcoind" ];
|
||||||
|
};
|
||||||
|
btcpayserver = {
|
||||||
|
id = 24;
|
||||||
|
connections = [ "nbxplorer" ]
|
||||||
|
++ optional (config.services.btcpayserver.lightningBackend == "lnd") "lnd";
|
||||||
|
# communicates with clightning over rpc socket
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.bitcoind = {
|
services.bitcoind = {
|
||||||
@ -299,6 +311,9 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.lightning-loop.cliExec = mkCliExec "lightning-loop";
|
services.lightning-loop.cliExec = mkCliExec "lightning-loop";
|
||||||
|
|
||||||
|
services.nbxplorer.bind = netns.nbxplorer.address;
|
||||||
|
services.btcpayserver.bind = netns.btcpayserver.address;
|
||||||
}
|
}
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
@ -48,6 +48,12 @@ let
|
|||||||
echo ELECTRS_ONION="$ELECTRS_ONION"
|
echo ELECTRS_ONION="$ELECTRS_ONION"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver
|
||||||
|
if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then
|
||||||
|
BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)"
|
||||||
|
echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION"
|
||||||
|
fi
|
||||||
|
|
||||||
SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
|
SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
|
||||||
if [ -e "$SSHD_ONION_FILE" ]; then
|
if [ -e "$SSHD_ONION_FILE" ]; then
|
||||||
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
|
SSHD_ONION="$(cat $SSHD_ONION_FILE)"
|
||||||
|
@ -128,6 +128,12 @@ in {
|
|||||||
port = cfg.electrs.port; toHost = cfg.electrs.address;
|
port = cfg.electrs.port; toHost = cfg.electrs.address;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
# btcpayserver
|
||||||
|
# disable tor enforcement until btcpayserver can fetch rates over Tor
|
||||||
|
services.btcpayserver.enforceTor = false;
|
||||||
|
services.nbxplorer.enforceTor = true;
|
||||||
|
services.tor.hiddenServices.btcpayserver = mkIf cfg.btcpayserver.enable (mkHiddenService { port = 80; toPort = 23000; toHost = cfg.btcpayserver.bind; });
|
||||||
|
|
||||||
services.spark-wallet = {
|
services.spark-wallet = {
|
||||||
onion-service = true;
|
onion-service = true;
|
||||||
enforceTor = true;
|
enforceTor = true;
|
||||||
@ -171,7 +177,7 @@ in {
|
|||||||
nix-bitcoin.netns-isolation.allowedUser = operatorName;
|
nix-bitcoin.netns-isolation.allowedUser = operatorName;
|
||||||
# Give operator access to onion hostnames
|
# Give operator access to onion hostnames
|
||||||
services.onion-chef.enable = true;
|
services.onion-chef.enable = true;
|
||||||
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
|
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
|
||||||
|
|
||||||
security.sudo.configFile =
|
security.sudo.configFile =
|
||||||
(optionalString cfg.lnd.enable ''
|
(optionalString cfg.lnd.enable ''
|
||||||
|
66
pkgs/btcpayserver/default.nix
Normal file
66
pkgs/btcpayserver/default.nix
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
{ lib, stdenv, fetchFromGitHub, fetchurl, linkFarmFromDrvs, makeWrapper,
|
||||||
|
dotnetPackages, dotnetCorePackages, writeScript, bash
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
deps = import ./deps.nix {
|
||||||
|
fetchNuGet = { name, version, sha256 }: fetchurl {
|
||||||
|
name = "nuget-${name}-${version}.nupkg";
|
||||||
|
url = "https://www.nuget.org/api/v2/package/${name}/${version}";
|
||||||
|
inherit sha256;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
dotnetSdk = dotnetCorePackages.sdk_3_1;
|
||||||
|
in
|
||||||
|
|
||||||
|
stdenv.mkDerivation rec {
|
||||||
|
pname = "btcpayserver";
|
||||||
|
version = "1.0.5.5";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = pname;
|
||||||
|
repo = pname;
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "11h1nrmb7f44msbhhiz9ddqh5ss2kz6d8ysnvd070x3xj5krgnxz";
|
||||||
|
};
|
||||||
|
|
||||||
|
nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget ];
|
||||||
|
|
||||||
|
# Due to a bug in btcpayserver, we can't just `dotnet publish` to create a binary.
|
||||||
|
# Build with `dotnet build` instead and add a custom `dotnet run` script.
|
||||||
|
buildPhase = ''
|
||||||
|
export HOME=$TMP/home
|
||||||
|
export DOTNET_CLI_TELEMETRY_OPTOUT=1
|
||||||
|
export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
|
||||||
|
|
||||||
|
nuget sources Add -Name tmpsrc -Source $TMP/nuget
|
||||||
|
nuget init ${linkFarmFromDrvs "deps" deps} $TMP/nuget
|
||||||
|
|
||||||
|
dotnet restore --source $TMP/nuget BTCPayServer/BTCPayServer.csproj
|
||||||
|
dotnet build -c Release BTCPayServer/BTCPayServer.csproj
|
||||||
|
'';
|
||||||
|
|
||||||
|
runScript = ''
|
||||||
|
#!${bash}/bin/bash
|
||||||
|
DOTNET_CLI_TELEMETRY_OPTOUT=1 exec ${dotnetSdk}/bin/dotnet run --no-launch-profile --no-build \
|
||||||
|
-c Release -p @@SHARE@@/BTCPayServer/BTCPayServer.csproj -- "$@"
|
||||||
|
'';
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
cd ..
|
||||||
|
share=$out/share/$pname
|
||||||
|
mkdir -p $share
|
||||||
|
mv -T source $share
|
||||||
|
install -D -m500 <(echo "$runScript" | sed "s|@@SHARE@@|$share|") $out/bin/$pname
|
||||||
|
'';
|
||||||
|
|
||||||
|
dontStrip = true;
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "Self-hosted, open-source cryptocurrency payment processor";
|
||||||
|
homepage = "https://btcpayserver.org";
|
||||||
|
maintainers = with maintainers; [ kcalvinalvin earvstedt ];
|
||||||
|
license = lib.licenses.mit;
|
||||||
|
platforms = lib.platforms.linux;
|
||||||
|
};
|
||||||
|
}
|
1937
pkgs/btcpayserver/deps.nix
Normal file
1937
pkgs/btcpayserver/deps.nix
Normal file
File diff suppressed because it is too large
Load Diff
6
pkgs/btcpayserver/update.sh
Executable file
6
pkgs/btcpayserver/update.sh
Executable file
@ -0,0 +1,6 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
||||||
|
|
||||||
|
"$scriptDir"/../nbxplorer/util/update-common.sh btcpayserver "$scriptDir"/deps.nix
|
@ -1,5 +1,5 @@
|
|||||||
{ pkgs ? import <nixpkgs> {} }:
|
{ pkgs ? import <nixpkgs> {} }:
|
||||||
{
|
let self = {
|
||||||
lightning-charge = pkgs.callPackage ./lightning-charge { };
|
lightning-charge = pkgs.callPackage ./lightning-charge { };
|
||||||
nanopos = pkgs.callPackage ./nanopos { };
|
nanopos = pkgs.callPackage ./nanopos { };
|
||||||
spark-wallet = pkgs.callPackage ./spark-wallet { };
|
spark-wallet = pkgs.callPackage ./spark-wallet { };
|
||||||
@ -12,8 +12,13 @@
|
|||||||
nixops19_09 = pkgs.callPackage ./nixops { };
|
nixops19_09 = pkgs.callPackage ./nixops { };
|
||||||
netns-exec = pkgs.callPackage ./netns-exec { };
|
netns-exec = pkgs.callPackage ./netns-exec { };
|
||||||
lightning-loop = pkgs.callPackage ./lightning-loop { };
|
lightning-loop = pkgs.callPackage ./lightning-loop { };
|
||||||
|
btcpayserver = pkgs.callPackage ./btcpayserver { inherit (self) linkFarmFromDrvs; };
|
||||||
|
nbxplorer = pkgs.callPackage ./nbxplorer { inherit (self) linkFarmFromDrvs; };
|
||||||
|
|
||||||
|
# Temporary backport for btcpayserver
|
||||||
|
linkFarmFromDrvs = pkgs.linkFarmFromDrvs or self.pinned.nixpkgsUnstable.linkFarmFromDrvs;
|
||||||
|
|
||||||
pinned = import ./pinned.nix;
|
pinned = import ./pinned.nix;
|
||||||
|
|
||||||
lib = import ./lib.nix { inherit (pkgs) lib; };
|
lib = import ./lib.nix { inherit (pkgs) lib; };
|
||||||
}
|
}; in self
|
||||||
|
@ -11,6 +11,7 @@ makeHMAC() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
makePasswordSecret bitcoin-rpcpassword-privileged
|
makePasswordSecret bitcoin-rpcpassword-privileged
|
||||||
|
makePasswordSecret bitcoin-rpcpassword-btcpayserver
|
||||||
makePasswordSecret bitcoin-rpcpassword-public
|
makePasswordSecret bitcoin-rpcpassword-public
|
||||||
makePasswordSecret lnd-wallet-password
|
makePasswordSecret lnd-wallet-password
|
||||||
makePasswordSecret liquid-rpcpassword
|
makePasswordSecret liquid-rpcpassword
|
||||||
@ -20,6 +21,7 @@ makePasswordSecret backup-encryption-password
|
|||||||
|
|
||||||
[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
|
[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
|
||||||
[[ -e bitcoin-HMAC-public ]] || makeHMAC public
|
[[ -e bitcoin-HMAC-public ]] || makeHMAC public
|
||||||
|
[[ -e bitcoin-HMAC-btcpayserver ]] || makeHMAC btcpayserver
|
||||||
[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
|
[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
|
||||||
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
|
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
|
||||||
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
||||||
|
54
pkgs/nbxplorer/default.nix
Normal file
54
pkgs/nbxplorer/default.nix
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
{ lib, stdenv, fetchFromGitHub, fetchurl, linkFarmFromDrvs, makeWrapper,
|
||||||
|
dotnetPackages, dotnetCorePackages
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
deps = import ./deps.nix {
|
||||||
|
fetchNuGet = { name, version, sha256 }: fetchurl {
|
||||||
|
name = "nuget-${name}-${version}.nupkg";
|
||||||
|
url = "https://www.nuget.org/api/v2/package/${name}/${version}";
|
||||||
|
inherit sha256;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
dotnetSdk = dotnetCorePackages.sdk_3_1;
|
||||||
|
in
|
||||||
|
|
||||||
|
stdenv.mkDerivation rec {
|
||||||
|
pname = "nbxplorer";
|
||||||
|
version = "2.1.42";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "dgarage";
|
||||||
|
repo = "NBXplorer";
|
||||||
|
rev = "v${version}";
|
||||||
|
sha256 = "01q6n7095rrha00xs3l7igzfb9rd743z8crxa2dcz4q5srapfzpi";
|
||||||
|
};
|
||||||
|
|
||||||
|
nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ];
|
||||||
|
|
||||||
|
buildPhase = ''
|
||||||
|
export HOME=$TMP/home
|
||||||
|
export DOTNET_CLI_TELEMETRY_OPTOUT=1
|
||||||
|
export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
|
||||||
|
|
||||||
|
nuget sources Add -Name tmpsrc -Source $TMP/nuget
|
||||||
|
nuget init ${linkFarmFromDrvs "deps" deps} $TMP/nuget
|
||||||
|
|
||||||
|
dotnet restore --source $TMP/nuget NBXplorer/NBXplorer.csproj
|
||||||
|
dotnet publish --no-restore --output $out/share/$pname -c Release NBXplorer/NBXplorer.csproj
|
||||||
|
'';
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
makeWrapper $out/share/$pname/NBXplorer $out/bin/$pname \
|
||||||
|
--set DOTNET_ROOT "${dotnetSdk}"
|
||||||
|
'';
|
||||||
|
|
||||||
|
dontStrip = true;
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "Minimalist UTXO tracker for HD Cryptocurrency Wallets";
|
||||||
|
maintainers = with maintainers; [ kcalvinalvin earvstedt ];
|
||||||
|
license = lib.licenses.mit;
|
||||||
|
platforms = lib.platforms.linux;
|
||||||
|
};
|
||||||
|
}
|
1072
pkgs/nbxplorer/deps.nix
Normal file
1072
pkgs/nbxplorer/deps.nix
Normal file
File diff suppressed because it is too large
Load Diff
6
pkgs/nbxplorer/update.sh
Executable file
6
pkgs/nbxplorer/update.sh
Executable file
@ -0,0 +1,6 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
||||||
|
|
||||||
|
getVersionFromTags=1 "$scriptDir"/util/update-common.sh nbxplorer "$scriptDir"/deps.nix
|
45
pkgs/nbxplorer/util/create-deps.sh
Executable file
45
pkgs/nbxplorer/util/create-deps.sh
Executable file
@ -0,0 +1,45 @@
|
|||||||
|
#!/usr/bin/env nix-shell
|
||||||
|
#!nix-shell -i bash -p dotnet-sdk_3
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# Writes deps for dotnet package in $pkgSrc to $depsFile.
|
||||||
|
# Expects $pkgSrc to contain a single .sln file.
|
||||||
|
|
||||||
|
pkgSrc=$1
|
||||||
|
depsFile=$2
|
||||||
|
|
||||||
|
sln=$(cd "$pkgSrc"; find * -maxdepth 0 -name '*.sln' | head -1)
|
||||||
|
[[ $sln ]] || { echo "No .sln file in $pkgSrc" ; exit 1; }
|
||||||
|
|
||||||
|
tmpdir=$(mktemp -d /tmp/$pkgName-src.XXX)
|
||||||
|
trap "rm -rf $tmpdir" EXIT
|
||||||
|
echo "Using tmp dir: $tmpdir"
|
||||||
|
cp -rT "$pkgSrc" "$tmpdir"
|
||||||
|
chmod -R +w "$tmpdir"
|
||||||
|
|
||||||
|
pushd "$tmpdir" > /dev/null
|
||||||
|
mkdir home
|
||||||
|
echo "Running dotnet restore for $sln"
|
||||||
|
HOME=home DOTNET_CLI_TELEMETRY_OPTOUT=1 \
|
||||||
|
dotnet restore -v normal --no-cache "$sln" > restore_log
|
||||||
|
|
||||||
|
echo "{ fetchNuGet }: [" > "$depsFile"
|
||||||
|
while read pkgSpec; do
|
||||||
|
{ read name; read version; } < <(
|
||||||
|
# Ignore build version part: 1.0.0-beta2+77df2220 -> 1.0.0-beta2
|
||||||
|
sed -nE 's/.*<id>([^<]*).*/\1/p; s/.*<version>([^<+]*).*/\1/p' "$pkgSpec"
|
||||||
|
)
|
||||||
|
sha256=$(nix-hash --type sha256 --flat --base32 "$(dirname "$pkgSpec")"/*.nupkg)
|
||||||
|
cat >> "$depsFile" <<EOF
|
||||||
|
(fetchNuGet {
|
||||||
|
name = "$name";
|
||||||
|
version = "$version";
|
||||||
|
sha256 = "$sha256";
|
||||||
|
})
|
||||||
|
EOF
|
||||||
|
done < <(find home/.nuget/packages -name '*.nuspec' | LC_ALL=C sort)
|
||||||
|
echo "]" >> "$depsFile"
|
||||||
|
|
||||||
|
echo "Created $depsFile"
|
||||||
|
|
||||||
|
popd > /dev/null
|
50
pkgs/nbxplorer/util/update-common.sh
Executable file
50
pkgs/nbxplorer/util/update-common.sh
Executable file
@ -0,0 +1,50 @@
|
|||||||
|
#!/usr/bin/env nix-shell
|
||||||
|
#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# This script uses the following env vars:
|
||||||
|
# getVersionFromTags
|
||||||
|
# onlyCreateDeps
|
||||||
|
|
||||||
|
pkgName=$1
|
||||||
|
depsFile=$2
|
||||||
|
|
||||||
|
: ${getVersionFromTags:=}
|
||||||
|
: ${onlyCreateDeps:=}
|
||||||
|
|
||||||
|
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
|
||||||
|
nbPkgs=$(realpath "$scriptDir"/../..)
|
||||||
|
|
||||||
|
evalNbPkgs() {
|
||||||
|
nix eval --raw "(with import \"$nbPkgs\" {}; $1)"
|
||||||
|
}
|
||||||
|
|
||||||
|
getRepo() {
|
||||||
|
url=$(evalNbPkgs $pkgName.src.meta.homepage)
|
||||||
|
echo $(basename $(dirname $url))/$(basename $url)
|
||||||
|
}
|
||||||
|
|
||||||
|
getLatestVersionTag() {
|
||||||
|
unstable=$(nix eval --raw "(import \"$nbPkgs/nixpkgs-pinned.nix\").nixpkgs-unstable")
|
||||||
|
$unstable/pkgs/common-updater/scripts/list-git-tags https://github.com/$(getRepo) 2>/dev/null \
|
||||||
|
| sort -V | tail -1 | sed 's|^v||'
|
||||||
|
}
|
||||||
|
|
||||||
|
if [[ ! $onlyCreateDeps ]]; then
|
||||||
|
oldVersion=$(evalNbPkgs "$pkgName.version")
|
||||||
|
if [[ $getVersionFromTags ]]; then
|
||||||
|
newVersion=$(getLatestVersionTag)
|
||||||
|
else
|
||||||
|
newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name')
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ $newVersion == $oldVersion ]]; then
|
||||||
|
echo "$pkgName is up to date: $newVersion"
|
||||||
|
else
|
||||||
|
echo "Please manually update $pkgName: $oldVersion -> $newVersion"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Creating deps.nix"
|
||||||
|
storeSrc="$(nix-build "$nbPkgs" -A $pkgName.src --no-out-link)"
|
||||||
|
. "$scriptDir"/create-deps.sh "$storeSrc" "$depsFile"
|
@ -17,4 +17,5 @@ in
|
|||||||
|
|
||||||
stable = nixBitcoinPkgsStable;
|
stable = nixBitcoinPkgsStable;
|
||||||
unstable = nixBitcoinPkgsUnstable;
|
unstable = nixBitcoinPkgsUnstable;
|
||||||
|
inherit nixpkgsUnstable;
|
||||||
}
|
}
|
||||||
|
@ -84,6 +84,13 @@ def run_tests(extra_tests):
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
assert_running("nbxplorer")
|
||||||
|
machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
|
||||||
|
extra_tests.pop("nbxplorer")()
|
||||||
|
assert_running("btcpayserver")
|
||||||
|
machine.wait_until_succeeds(log_has_string("btcpayserver", "Listening on"))
|
||||||
|
extra_tests.pop("btcpayserver")()
|
||||||
|
|
||||||
assert_running("spark-wallet")
|
assert_running("spark-wallet")
|
||||||
extra_tests.pop("spark-wallet")()
|
extra_tests.pop("spark-wallet")()
|
||||||
|
|
||||||
|
@ -2,6 +2,19 @@ def electrs():
|
|||||||
machine.wait_for_open_port(4224) # prometeus metrics provider
|
machine.wait_for_open_port(4224) # prometeus metrics provider
|
||||||
|
|
||||||
|
|
||||||
|
def nbxplorer():
|
||||||
|
machine.wait_for_open_port(24444)
|
||||||
|
|
||||||
|
|
||||||
|
def btcpayserver():
|
||||||
|
machine.wait_for_open_port(23000)
|
||||||
|
# test lnd custom macaroon
|
||||||
|
assert_matches(
|
||||||
|
'sudo -u btcpayserver curl -s --cacert /secrets/lnd-cert --header "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 /run/lnd/btcpayserver.macaroon)" -X GET https://127.0.0.1:8080/v1/getinfo | jq',
|
||||||
|
'"version"',
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def spark_wallet():
|
def spark_wallet():
|
||||||
machine.wait_for_open_port(9737)
|
machine.wait_for_open_port(9737)
|
||||||
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
||||||
@ -31,6 +44,8 @@ def prestop():
|
|||||||
|
|
||||||
extra_tests = {
|
extra_tests = {
|
||||||
"electrs": electrs,
|
"electrs": electrs,
|
||||||
|
"nbxplorer": nbxplorer,
|
||||||
|
"btcpayserver": btcpayserver,
|
||||||
"spark-wallet": spark_wallet,
|
"spark-wallet": spark_wallet,
|
||||||
"lightning-charge": lightning_charge,
|
"lightning-charge": lightning_charge,
|
||||||
"nanopos": nanopos,
|
"nanopos": nanopos,
|
||||||
|
@ -10,6 +10,8 @@ nanopos_ip = "169.254.1.19"
|
|||||||
recurringdonations_ip = "169.254.1.20"
|
recurringdonations_ip = "169.254.1.20"
|
||||||
nginx_ip = "169.254.1.21"
|
nginx_ip = "169.254.1.21"
|
||||||
lightningloop_ip = "169.254.1.22"
|
lightningloop_ip = "169.254.1.22"
|
||||||
|
nbxplorer_ip = "169.254.1.23"
|
||||||
|
btcpayserver_ip = "169.254.1.24"
|
||||||
|
|
||||||
|
|
||||||
def electrs():
|
def electrs():
|
||||||
@ -18,6 +20,20 @@ def electrs():
|
|||||||
) # prometeus metrics provider
|
) # prometeus metrics provider
|
||||||
|
|
||||||
|
|
||||||
|
def nbxplorer():
|
||||||
|
machine.wait_until_succeeds("ip netns exec nb-nbxplorer nc -z %s 24444" % nbxplorer_ip)
|
||||||
|
|
||||||
|
|
||||||
|
def btcpayserver():
|
||||||
|
machine.wait_until_succeeds("ip netns exec nb-btcpayserver nc -z %s 23000" % btcpayserver_ip)
|
||||||
|
# test lnd custom macaroon
|
||||||
|
assert_matches(
|
||||||
|
'ip netns exec nb-btcpayserver sudo -u btcpayserver curl -s --cacert /secrets/lnd-cert --header "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 /run/lnd/btcpayserver.macaroon)" -X GET https://%s:8080/v1/getinfo | jq'
|
||||||
|
% lnd_ip,
|
||||||
|
'"version"',
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def spark_wallet():
|
def spark_wallet():
|
||||||
machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip)
|
machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip)
|
||||||
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
||||||
@ -50,6 +66,7 @@ def web_index():
|
|||||||
def prestop():
|
def prestop():
|
||||||
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
|
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
|
||||||
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
|
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
|
||||||
|
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
|
||||||
|
|
||||||
# Positive ping tests (non-exhaustive)
|
# Positive ping tests (non-exhaustive)
|
||||||
machine.succeed(
|
machine.succeed(
|
||||||
@ -57,6 +74,8 @@ def prestop():
|
|||||||
+ "%s %s &&" % (ping_bitcoind, clightning_ip)
|
+ "%s %s &&" % (ping_bitcoind, clightning_ip)
|
||||||
+ "%s %s &&" % (ping_bitcoind, lnd_ip)
|
+ "%s %s &&" % (ping_bitcoind, lnd_ip)
|
||||||
+ "%s %s &&" % (ping_bitcoind, liquidd_ip)
|
+ "%s %s &&" % (ping_bitcoind, liquidd_ip)
|
||||||
|
+ "%s %s &&" % (ping_bitcoind, nbxplorer_ip)
|
||||||
|
+ "%s %s &&" % (ping_nbxplorer, btcpayserver_ip)
|
||||||
+ "%s %s &&" % (ping_nanopos, lightningcharge_ip)
|
+ "%s %s &&" % (ping_nanopos, lightningcharge_ip)
|
||||||
+ "%s %s &&" % (ping_nanopos, nanopos_ip)
|
+ "%s %s &&" % (ping_nanopos, nanopos_ip)
|
||||||
+ "%s %s" % (ping_nanopos, nginx_ip)
|
+ "%s %s" % (ping_nanopos, nginx_ip)
|
||||||
@ -77,7 +96,8 @@ def prestop():
|
|||||||
+ "%s %s ||" % (ping_nanopos, liquidd_ip)
|
+ "%s %s ||" % (ping_nanopos, liquidd_ip)
|
||||||
+ "%s %s ||" % (ping_nanopos, electrs_ip)
|
+ "%s %s ||" % (ping_nanopos, electrs_ip)
|
||||||
+ "%s %s ||" % (ping_nanopos, sparkwallet_ip)
|
+ "%s %s ||" % (ping_nanopos, sparkwallet_ip)
|
||||||
+ "%s %s" % (ping_nanopos, recurringdonations_ip)
|
+ "%s %s ||" % (ping_nanopos, recurringdonations_ip)
|
||||||
|
+ "%s %s" % (ping_nanopos, btcpayserver_ip)
|
||||||
)
|
)
|
||||||
|
|
||||||
# test that netns-exec can't be run for unauthorized namespace
|
# test that netns-exec can't be run for unauthorized namespace
|
||||||
@ -94,6 +114,8 @@ def prestop():
|
|||||||
|
|
||||||
extra_tests = {
|
extra_tests = {
|
||||||
"electrs": electrs,
|
"electrs": electrs,
|
||||||
|
"nbxplorer": nbxplorer,
|
||||||
|
"btcpayserver": btcpayserver,
|
||||||
"spark-wallet": spark_wallet,
|
"spark-wallet": spark_wallet,
|
||||||
"lightning-charge": lightning_charge,
|
"lightning-charge": lightning_charge,
|
||||||
"nanopos": nanopos,
|
"nanopos": nanopos,
|
||||||
|
@ -52,6 +52,11 @@ import ./make-test.nix rec {
|
|||||||
|
|
||||||
services.backups.enable = true;
|
services.backups.enable = true;
|
||||||
|
|
||||||
|
services.btcpayserver.enable = true;
|
||||||
|
services.btcpayserver.lightningBackend = "lnd";
|
||||||
|
# needed to test macaroon creation
|
||||||
|
environment.systemPackages = with pkgs; [ openssl xxd ];
|
||||||
|
|
||||||
# to test that unused secrets are made inaccessible by 'setup-secrets'
|
# to test that unused secrets are made inaccessible by 'setup-secrets'
|
||||||
systemd.services.generate-secrets.postStart = ''
|
systemd.services.generate-secrets.postStart = ''
|
||||||
install -o nobody -g nogroup -m777 <(:) /secrets/dummy
|
install -o nobody -g nogroup -m777 <(:) /secrets/dummy
|
||||||
|
Loading…
Reference in New Issue
Block a user