Merge #221: nbxplorer/btcpayserver: add module

c9c844de80 btcpayserver: add tests (nixbitcoin)
f93c3c8405 backups: add nbxplorer and btcpayserver datadir to includelist (nixbitcoin)
605b37c16e nodeinfo: add btcpayserver onion (nixbitcoin)
15b574faa7 nbxplorer/btcpayserver: add module (nixbitcoin)
46d681a17e lnd: generate custom macaroons (nixbitcoin)
6f032e3c40 lnd: fix mnemonic file access vulnerability (Erik Arvstedt)
b97584f5cb netns: allow return traffic to outgoing connections (nixbitcoin)
99295328b4 temp: mirror erikarvstedt btcpayserver (Calvin Kim)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK c9c844de80

Tree-SHA512: 0020964db37f5c5db3343ddef88f2e7e8d8ad48760ece73125fd9d2feaed0a3789ba3fd3eff98c225a675b49447b1728cd2c9eb4fa495c961e8376b28d32bad9
This commit is contained in:
Jonas Nick 2020-09-15 14:00:10 +00:00
commit a9c163c624
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
24 changed files with 3600 additions and 9 deletions

View File

@ -27,6 +27,10 @@ env:
- PKG=elementsd STABLE=0 - PKG=elementsd STABLE=0
- PKG=electrs STABLE=1 - PKG=electrs STABLE=1
- PKG=electrs STABLE=0 - PKG=electrs STABLE=0
- PKG=nbxplorer STABLE=1
- PKG=nbxplorer STABLE=0
- PKG=btcpayserver STABLE=1
- PKG=btcpayserver STABLE=0
- PKG=liquid-swap STABLE=1 - PKG=liquid-swap STABLE=1
- PKG=lightning-loop STABLE=0 - PKG=lightning-loop STABLE=0
- PKG=nixops19_09 STABLE=1 - PKG=nixops19_09 STABLE=1

View File

@ -76,6 +76,20 @@
# sync faster. Only available if hardware wallets are disabled. # sync faster. Only available if hardware wallets are disabled.
# services.electrs.high-memory = true; # services.electrs.high-memory = true;
### BTCPayServer
# Enable this module to use BTCPayServer, a self-hosted, open-source
# cryptocurrency payment processor.
# Privacy Warning: BTCPayServer currently looks up price rates without
# proxying them through Tor. This means an outside observer can correlate
# your BTCPayServer usage, like invoice creation times, with your IP address.
# services.btcpayserver.enable = true;
# Enable this option to connect BTCPayServer to clightning.
# services.btcpayserver.lightningBackend = "clightning";
# Enable this option to connect BTCPayServert to lnd.
# services.btcpayserver.lightningBackend = "lnd";
# Afterwards you need to go into Store > General Settings > Lightning Nodes
# and click to use "the internal lightning node of this BTCPay Server".
### LIQUIDD ### LIQUIDD
# Enable this module to use Liquid, a sidechain for an inter-exchange # Enable this module to use Liquid, a sidechain for an inter-exchange
# settlement network linking together cryptocurrency exchanges and # settlement network linking together cryptocurrency exchanges and

View File

@ -16,6 +16,8 @@ let
${config.services.liquidd.dataDir} ${config.services.liquidd.dataDir}
${optionalString cfg.with-bulk-data "${config.services.electrs.dataDir}"} ${optionalString cfg.with-bulk-data "${config.services.electrs.dataDir}"}
${config.services.lightning-charge.dataDir} ${config.services.lightning-charge.dataDir}
${config.services.nbxplorer.dataDir}
${config.services.btcpayserver.dataDir}
/var/lib/tor /var/lib/tor
# Extra files # Extra files
${cfg.extraFiles} ${cfg.extraFiles}

211
modules/btcpayserver.nix Normal file
View File

@ -0,0 +1,211 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services;
inherit (config) nix-bitcoin-services;
in {
options.services = {
nbxplorer = {
package = mkOption {
type = types.package;
default = pkgs.nix-bitcoin.nbxplorer;
defaultText = "pkgs.nix-bitcoin.nbxplorer";
description = "The package providing nbxplorer binaries.";
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/nbxplorer";
description = "The data directory for nbxplorer.";
};
user = mkOption {
type = types.str;
default = "nbxplorer";
description = "The user as which to run nbxplorer.";
};
group = mkOption {
type = types.str;
default = cfg.nbxplorer.user;
description = "The group as which to run nbxplorer.";
};
bind = mkOption {
type = types.str;
default = "127.0.0.1";
description = "The address on which to bind.";
};
enable = mkOption {
# This option is only used by netns-isolation
internal = true;
default = cfg.btcpayserver.enable;
};
enforceTor = nix-bitcoin-services.enforceTor;
};
btcpayserver = {
enable = mkEnableOption "btcpayserver";
package = mkOption {
type = types.package;
default = pkgs.nix-bitcoin.btcpayserver;
defaultText = "pkgs.nix-bitcoin.btcpayserver";
description = "The package providing btcpayserver binaries.";
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/btcpayserver";
description = "The data directory for btcpayserver.";
};
user = mkOption {
type = types.str;
default = "btcpayserver";
description = "The user as which to run btcpayserver.";
};
group = mkOption {
type = types.str;
default = cfg.btcpayserver.user;
description = "The group as which to run btcpayserver.";
};
bind = mkOption {
type = types.str;
default = "127.0.0.1";
description = "The address on which to bind.";
};
lightningBackend = mkOption {
type = types.nullOr (types.enum [ "clightning" "lnd" ]);
default = null;
description = "The lightning node implementation to use.";
};
enforceTor = nix-bitcoin-services.enforceTor;
};
};
config = mkIf cfg.btcpayserver.enable {
assertions = let
backend = cfg.btcpayserver.lightningBackend;
in [
{ assertion = (backend != null) -> cfg.${backend}.enable;
message = "btcpayserver requires ${backend}.";
}
];
systemd.tmpfiles.rules = [
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
];
systemd.services.nbxplorer = let
configFile = builtins.toFile "config" ''
network=mainnet
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
btcrpcurl=http://${builtins.elemAt config.services.bitcoind.rpcbind 0}:8332
btcnodeendpoint=${config.services.bitcoind.bind}:8333
bind=${cfg.nbxplorer.bind}
'';
in {
description = "Run nbxplorer";
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ];
preStart = ''
install -m 600 ${configFile} ${cfg.nbxplorer.dataDir}/settings.config
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)" \
>> '${cfg.nbxplorer.dataDir}/settings.config'
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = ''
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
--datadir=${cfg.nbxplorer.dataDir}
'';
User = cfg.nbxplorer.user;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.nbxplorer.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.nbxplorer.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
};
systemd.services.btcpayserver = let
configFile = builtins.toFile "config" (''
network=mainnet
socksendpoint=${cfg.tor.client.socksListenAddress}
btcexplorerurl=http://${cfg.nbxplorer.bind}:24444/
btcexplorercookiefile=${cfg.nbxplorer.dataDir}/Main/.cookie
bind=${cfg.btcpayserver.bind}
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/bitcoin/lightning-rpc
'');
lndConfig =
"btclightning=type=lnd-rest;" +
"server=https://${toString cfg.lnd.listen}:${toString cfg.lnd.restPort}/;" +
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
"certthumbprint=";
in let self = {
wantedBy = [ "multi-user.target" ];
requires = [ "nbxplorer.service" ]
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
after = self.requires;
preStart = ''
install -m 600 ${configFile} ${cfg.btcpayserver.dataDir}/settings.config
${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
{
echo -n "${lndConfig}";
${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.nix-bitcoin.secretsDir}/lnd-cert \
| sed -e 's/.*=//;s/://g';
} >> ${cfg.btcpayserver.dataDir}/settings.config
''}
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
ExecStart = ''
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${cfg.btcpayserver.dataDir}/settings.config \
--datadir=${cfg.btcpayserver.dataDir}
'';
User = cfg.btcpayserver.user;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = cfg.btcpayserver.dataDir;
MemoryDenyWriteExecute = "false";
} // (if cfg.btcpayserver.enforceTor
then nix-bitcoin-services.allowTor
else nix-bitcoin-services.allowAnyIP
);
}; in self;
services.lnd.macaroons.btcpayserver = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
users.users.${cfg.nbxplorer.user} = {
description = "nbxplorer user";
group = cfg.nbxplorer.group;
extraGroups = [ "bitcoinrpc" ];
home = cfg.nbxplorer.dataDir;
};
users.groups.${cfg.nbxplorer.group} = {};
users.users.${cfg.btcpayserver.user} = {
description = "btcpayserver user";
group = cfg.btcpayserver.group;
extraGroups = [ "nbxplorer" ]
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
home = cfg.btcpayserver.dataDir;
};
users.groups.${cfg.btcpayserver.group} = {};
services.bitcoind.rpc.users.btcpayserver = {
passwordHMACFromFile = true;
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
"setban"
"generatetoaddress"
"getpeerinfo"
];
};
nix-bitcoin.secrets.bitcoin-rpcpassword-btcpayserver = {
user = "bitcoin";
group = "nbxplorer";
};
nix-bitcoin.secrets.bitcoin-HMAC-btcpayserver.user = "bitcoin";
};
}

View File

@ -7,6 +7,7 @@ let
inherit (config) nix-bitcoin-services; inherit (config) nix-bitcoin-services;
onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []); onion-chef-service = (if cfg.announce-tor then [ "onion-chef.service" ] else []);
secretsDir = config.nix-bitcoin.secretsDir; secretsDir = config.nix-bitcoin.secretsDir;
mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";
configFile = pkgs.writeText "lnd.conf" '' configFile = pkgs.writeText "lnd.conf" ''
datadir=${cfg.dataDir} datadir=${cfg.dataDir}
logdir=${cfg.dataDir}/logs logdir=${cfg.dataDir}/logs
@ -97,6 +98,27 @@ in {
default = false; default = false;
description = "Announce LND Tor Hidden Service"; description = "Announce LND Tor Hidden Service";
}; };
macaroons = mkOption {
default = {};
type = with types; attrsOf (submodule {
options = {
user = mkOption {
type = types.str;
description = "User who owns the macaroon.";
};
permissions = mkOption {
type = types.str;
example = ''
{"entity":"info","action":"read"},{"entity":"onchain","action":"read"}
'';
description = "List of granted macaroon permissions.";
};
};
});
description = ''
Extra macaroon definitions.
'';
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -155,6 +177,8 @@ in {
${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"} ${optionalString cfg.announce-tor "echo externalip=$(cat /var/lib/onion-chef/lnd/lnd) >> '${cfg.dataDir}/lnd.conf'"}
''; '';
serviceConfig = nix-bitcoin-services.defaultHardening // { serviceConfig = nix-bitcoin-services.defaultHardening // {
RuntimeDirectory = "lnd"; # Only used to store custom macaroons
RuntimeDirectoryMode = "711";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf"; ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf";
User = "lnd"; User = "lnd";
Restart = "on-failure"; Restart = "on-failure";
@ -174,17 +198,14 @@ in {
mnemonic=${secretsDir}/lnd-seed-mnemonic mnemonic=${secretsDir}/lnd-seed-mnemonic
if [[ ! -f $mnemonic ]]; then if [[ ! -f $mnemonic ]]; then
echo Create lnd seed echo Create lnd seed
umask u=r,go=
${pkgs.curl}/bin/curl -s \ ${pkgs.curl}/bin/curl -s \
--cacert ${secretsDir}/lnd-cert \ --cacert ${secretsDir}/lnd-cert \
-X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic" -X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
fi fi
chown lnd: "$mnemonic" chown lnd: "$mnemonic"
chmod 400 "$mnemonic"
''}" ''}"
"${let "${nix-bitcoin-services.script ''
mainnetDir = "${cfg.dataDir}/chain/bitcoin/mainnet";
in nix-bitcoin-services.script ''
if [[ ! -f ${mainnetDir}/wallet.db ]]; then if [[ ! -f ${mainnetDir}/wallet.db ]]; then
echo Create lnd wallet echo Create lnd wallet
@ -214,6 +235,23 @@ in {
while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do
sleep 0.1 sleep 0.1
done done
''}"
# Run fully privileged for chown
"+${nix-bitcoin-services.script ''
umask ug=r,o=
${lib.concatMapStrings (macaroon: ''
echo "Create custom macaroon ${macaroon}"
macaroonPath="$RUNTIME_DIRECTORY/${macaroon}.macaroon"
${pkgs.curl}/bin/curl -s \
-H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${mainnetDir}/admin.macaroon')" \
--cacert ${secretsDir}/lnd-cert \
-X POST \
-d '{"permissions":[${cfg.macaroons.${macaroon}.permissions}]}' \
https://127.0.0.1:${restPort}/v1/macaroon |\
${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
'') (attrNames cfg.macaroons)}
''}" ''}"
]; ];
} // (if cfg.enforceTor } // (if cfg.enforceTor
@ -232,6 +270,7 @@ in {
lnd-wallet-password.user = "lnd"; lnd-wallet-password.user = "lnd";
lnd-key.user = "lnd"; lnd-key.user = "lnd";
lnd-cert.user = "lnd"; lnd-cert.user = "lnd";
lnd-cert.permissions = "0444"; # world readable
}; };
}; };
} }

View File

@ -18,6 +18,7 @@
./netns-isolation.nix ./netns-isolation.nix
./security.nix ./security.nix
./backups.nix ./backups.nix
./btcpayserver.nix
]; ];
disabledModules = [ "services/networking/bitcoind.nix" ]; disabledModules = [ "services/networking/bitcoind.nix" ];

View File

@ -160,6 +160,8 @@ in {
${ipNetns} route add default via ${bridgeIp} ${ipNetns} route add default via ${bridgeIp}
${netnsIptables} -w -P INPUT DROP ${netnsIptables} -w -P INPUT DROP
${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT ${netnsIptables} -w -A INPUT -s 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
# allow return traffic to outgoing connections initiated by the service itself
${netnsIptables} -w -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
'' + (optionalString (config.services.${n}.enforceTor or false)) '' '' + (optionalString (config.services.${n}.enforceTor or false)) ''
${netnsIptables} -w -P OUTPUT DROP ${netnsIptables} -w -P OUTPUT DROP
${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT ${netnsIptables} -w -A OUTPUT -d 127.0.0.1,${bridgeIp},${v.address} -j ACCEPT
@ -230,6 +232,16 @@ in {
id = 22; id = 22;
connections = [ "lnd" ]; connections = [ "lnd" ];
}; };
nbxplorer = {
id = 23;
connections = [ "bitcoind" ];
};
btcpayserver = {
id = 24;
connections = [ "nbxplorer" ]
++ optional (config.services.btcpayserver.lightningBackend == "lnd") "lnd";
# communicates with clightning over rpc socket
};
}; };
services.bitcoind = { services.bitcoind = {
@ -299,6 +311,9 @@ in {
}; };
services.lightning-loop.cliExec = mkCliExec "lightning-loop"; services.lightning-loop.cliExec = mkCliExec "lightning-loop";
services.nbxplorer.bind = netns.nbxplorer.address;
services.btcpayserver.bind = netns.btcpayserver.address;
} }
]); ]);
} }

View File

@ -48,6 +48,12 @@ let
echo ELECTRS_ONION="$ELECTRS_ONION" echo ELECTRS_ONION="$ELECTRS_ONION"
fi fi
BTCPAYSERVER_ONION_FILE=/var/lib/onion-chef/${operatorName}/btcpayserver
if [ -e "$BTCPAYSERVER_ONION_FILE" ]; then
BTCPAYSERVER_ONION="$(cat $BTCPAYSERVER_ONION_FILE)"
echo BTCPAYSERVER_ONION="$BTCPAYSERVER_ONION"
fi
SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
if [ -e "$SSHD_ONION_FILE" ]; then if [ -e "$SSHD_ONION_FILE" ]; then
SSHD_ONION="$(cat $SSHD_ONION_FILE)" SSHD_ONION="$(cat $SSHD_ONION_FILE)"

View File

@ -128,6 +128,12 @@ in {
port = cfg.electrs.port; toHost = cfg.electrs.address; port = cfg.electrs.port; toHost = cfg.electrs.address;
}); });
# btcpayserver
# disable tor enforcement until btcpayserver can fetch rates over Tor
services.btcpayserver.enforceTor = false;
services.nbxplorer.enforceTor = true;
services.tor.hiddenServices.btcpayserver = mkIf cfg.btcpayserver.enable (mkHiddenService { port = 80; toPort = 23000; toHost = cfg.btcpayserver.bind; });
services.spark-wallet = { services.spark-wallet = {
onion-service = true; onion-service = true;
enforceTor = true; enforceTor = true;
@ -171,7 +177,7 @@ in {
nix-bitcoin.netns-isolation.allowedUser = operatorName; nix-bitcoin.netns-isolation.allowedUser = operatorName;
# Give operator access to onion hostnames # Give operator access to onion hostnames
services.onion-chef.enable = true; services.onion-chef.enable = true;
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ]; services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "btcpayserver" "sshd" ];
security.sudo.configFile = security.sudo.configFile =
(optionalString cfg.lnd.enable '' (optionalString cfg.lnd.enable ''

View File

@ -0,0 +1,66 @@
{ lib, stdenv, fetchFromGitHub, fetchurl, linkFarmFromDrvs, makeWrapper,
dotnetPackages, dotnetCorePackages, writeScript, bash
}:
let
deps = import ./deps.nix {
fetchNuGet = { name, version, sha256 }: fetchurl {
name = "nuget-${name}-${version}.nupkg";
url = "https://www.nuget.org/api/v2/package/${name}/${version}";
inherit sha256;
};
};
dotnetSdk = dotnetCorePackages.sdk_3_1;
in
stdenv.mkDerivation rec {
pname = "btcpayserver";
version = "1.0.5.5";
src = fetchFromGitHub {
owner = pname;
repo = pname;
rev = "v${version}";
sha256 = "11h1nrmb7f44msbhhiz9ddqh5ss2kz6d8ysnvd070x3xj5krgnxz";
};
nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget ];
# Due to a bug in btcpayserver, we can't just `dotnet publish` to create a binary.
# Build with `dotnet build` instead and add a custom `dotnet run` script.
buildPhase = ''
export HOME=$TMP/home
export DOTNET_CLI_TELEMETRY_OPTOUT=1
export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
nuget sources Add -Name tmpsrc -Source $TMP/nuget
nuget init ${linkFarmFromDrvs "deps" deps} $TMP/nuget
dotnet restore --source $TMP/nuget BTCPayServer/BTCPayServer.csproj
dotnet build -c Release BTCPayServer/BTCPayServer.csproj
'';
runScript = ''
#!${bash}/bin/bash
DOTNET_CLI_TELEMETRY_OPTOUT=1 exec ${dotnetSdk}/bin/dotnet run --no-launch-profile --no-build \
-c Release -p @@SHARE@@/BTCPayServer/BTCPayServer.csproj -- "$@"
'';
installPhase = ''
cd ..
share=$out/share/$pname
mkdir -p $share
mv -T source $share
install -D -m500 <(echo "$runScript" | sed "s|@@SHARE@@|$share|") $out/bin/$pname
'';
dontStrip = true;
meta = with lib; {
description = "Self-hosted, open-source cryptocurrency payment processor";
homepage = "https://btcpayserver.org";
maintainers = with maintainers; [ kcalvinalvin earvstedt ];
license = lib.licenses.mit;
platforms = lib.platforms.linux;
};
}

1937
pkgs/btcpayserver/deps.nix Normal file

File diff suppressed because it is too large Load Diff

6
pkgs/btcpayserver/update.sh Executable file
View File

@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
"$scriptDir"/../nbxplorer/util/update-common.sh btcpayserver "$scriptDir"/deps.nix

View File

@ -1,5 +1,5 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs ? import <nixpkgs> {} }:
{ let self = {
lightning-charge = pkgs.callPackage ./lightning-charge { }; lightning-charge = pkgs.callPackage ./lightning-charge { };
nanopos = pkgs.callPackage ./nanopos { }; nanopos = pkgs.callPackage ./nanopos { };
spark-wallet = pkgs.callPackage ./spark-wallet { }; spark-wallet = pkgs.callPackage ./spark-wallet { };
@ -12,8 +12,13 @@
nixops19_09 = pkgs.callPackage ./nixops { }; nixops19_09 = pkgs.callPackage ./nixops { };
netns-exec = pkgs.callPackage ./netns-exec { }; netns-exec = pkgs.callPackage ./netns-exec { };
lightning-loop = pkgs.callPackage ./lightning-loop { }; lightning-loop = pkgs.callPackage ./lightning-loop { };
btcpayserver = pkgs.callPackage ./btcpayserver { inherit (self) linkFarmFromDrvs; };
nbxplorer = pkgs.callPackage ./nbxplorer { inherit (self) linkFarmFromDrvs; };
# Temporary backport for btcpayserver
linkFarmFromDrvs = pkgs.linkFarmFromDrvs or self.pinned.nixpkgsUnstable.linkFarmFromDrvs;
pinned = import ./pinned.nix; pinned = import ./pinned.nix;
lib = import ./lib.nix { inherit (pkgs) lib; }; lib = import ./lib.nix { inherit (pkgs) lib; };
} }; in self

View File

@ -11,6 +11,7 @@ makeHMAC() {
} }
makePasswordSecret bitcoin-rpcpassword-privileged makePasswordSecret bitcoin-rpcpassword-privileged
makePasswordSecret bitcoin-rpcpassword-btcpayserver
makePasswordSecret bitcoin-rpcpassword-public makePasswordSecret bitcoin-rpcpassword-public
makePasswordSecret lnd-wallet-password makePasswordSecret lnd-wallet-password
makePasswordSecret liquid-rpcpassword makePasswordSecret liquid-rpcpassword
@ -20,6 +21,7 @@ makePasswordSecret backup-encryption-password
[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged [[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
[[ -e bitcoin-HMAC-public ]] || makeHMAC public [[ -e bitcoin-HMAC-public ]] || makeHMAC public
[[ -e bitcoin-HMAC-btcpayserver ]] || makeHMAC btcpayserver
[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env [[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env [[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login [[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login

View File

@ -0,0 +1,54 @@
{ lib, stdenv, fetchFromGitHub, fetchurl, linkFarmFromDrvs, makeWrapper,
dotnetPackages, dotnetCorePackages
}:
let
deps = import ./deps.nix {
fetchNuGet = { name, version, sha256 }: fetchurl {
name = "nuget-${name}-${version}.nupkg";
url = "https://www.nuget.org/api/v2/package/${name}/${version}";
inherit sha256;
};
};
dotnetSdk = dotnetCorePackages.sdk_3_1;
in
stdenv.mkDerivation rec {
pname = "nbxplorer";
version = "2.1.42";
src = fetchFromGitHub {
owner = "dgarage";
repo = "NBXplorer";
rev = "v${version}";
sha256 = "01q6n7095rrha00xs3l7igzfb9rd743z8crxa2dcz4q5srapfzpi";
};
nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ];
buildPhase = ''
export HOME=$TMP/home
export DOTNET_CLI_TELEMETRY_OPTOUT=1
export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
nuget sources Add -Name tmpsrc -Source $TMP/nuget
nuget init ${linkFarmFromDrvs "deps" deps} $TMP/nuget
dotnet restore --source $TMP/nuget NBXplorer/NBXplorer.csproj
dotnet publish --no-restore --output $out/share/$pname -c Release NBXplorer/NBXplorer.csproj
'';
installPhase = ''
makeWrapper $out/share/$pname/NBXplorer $out/bin/$pname \
--set DOTNET_ROOT "${dotnetSdk}"
'';
dontStrip = true;
meta = with lib; {
description = "Minimalist UTXO tracker for HD Cryptocurrency Wallets";
maintainers = with maintainers; [ kcalvinalvin earvstedt ];
license = lib.licenses.mit;
platforms = lib.platforms.linux;
};
}

1072
pkgs/nbxplorer/deps.nix Normal file

File diff suppressed because it is too large Load Diff

6
pkgs/nbxplorer/update.sh Executable file
View File

@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
getVersionFromTags=1 "$scriptDir"/util/update-common.sh nbxplorer "$scriptDir"/deps.nix

View File

@ -0,0 +1,45 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p dotnet-sdk_3
set -euo pipefail
# Writes deps for dotnet package in $pkgSrc to $depsFile.
# Expects $pkgSrc to contain a single .sln file.
pkgSrc=$1
depsFile=$2
sln=$(cd "$pkgSrc"; find * -maxdepth 0 -name '*.sln' | head -1)
[[ $sln ]] || { echo "No .sln file in $pkgSrc" ; exit 1; }
tmpdir=$(mktemp -d /tmp/$pkgName-src.XXX)
trap "rm -rf $tmpdir" EXIT
echo "Using tmp dir: $tmpdir"
cp -rT "$pkgSrc" "$tmpdir"
chmod -R +w "$tmpdir"
pushd "$tmpdir" > /dev/null
mkdir home
echo "Running dotnet restore for $sln"
HOME=home DOTNET_CLI_TELEMETRY_OPTOUT=1 \
dotnet restore -v normal --no-cache "$sln" > restore_log
echo "{ fetchNuGet }: [" > "$depsFile"
while read pkgSpec; do
{ read name; read version; } < <(
# Ignore build version part: 1.0.0-beta2+77df2220 -> 1.0.0-beta2
sed -nE 's/.*<id>([^<]*).*/\1/p; s/.*<version>([^<+]*).*/\1/p' "$pkgSpec"
)
sha256=$(nix-hash --type sha256 --flat --base32 "$(dirname "$pkgSpec")"/*.nupkg)
cat >> "$depsFile" <<EOF
(fetchNuGet {
name = "$name";
version = "$version";
sha256 = "$sha256";
})
EOF
done < <(find home/.nuget/packages -name '*.nuspec' | LC_ALL=C sort)
echo "]" >> "$depsFile"
echo "Created $depsFile"
popd > /dev/null

View File

@ -0,0 +1,50 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p coreutils curl jq common-updater-scripts dotnet-sdk_3
set -euo pipefail
# This script uses the following env vars:
# getVersionFromTags
# onlyCreateDeps
pkgName=$1
depsFile=$2
: ${getVersionFromTags:=}
: ${onlyCreateDeps:=}
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
nbPkgs=$(realpath "$scriptDir"/../..)
evalNbPkgs() {
nix eval --raw "(with import \"$nbPkgs\" {}; $1)"
}
getRepo() {
url=$(evalNbPkgs $pkgName.src.meta.homepage)
echo $(basename $(dirname $url))/$(basename $url)
}
getLatestVersionTag() {
unstable=$(nix eval --raw "(import \"$nbPkgs/nixpkgs-pinned.nix\").nixpkgs-unstable")
$unstable/pkgs/common-updater/scripts/list-git-tags https://github.com/$(getRepo) 2>/dev/null \
| sort -V | tail -1 | sed 's|^v||'
}
if [[ ! $onlyCreateDeps ]]; then
oldVersion=$(evalNbPkgs "$pkgName.version")
if [[ $getVersionFromTags ]]; then
newVersion=$(getLatestVersionTag)
else
newVersion=$(curl -s "https://api.github.com/repos/$(getRepo)/releases" | jq -r '.[0].name')
fi
if [[ $newVersion == $oldVersion ]]; then
echo "$pkgName is up to date: $newVersion"
else
echo "Please manually update $pkgName: $oldVersion -> $newVersion"
fi
fi
echo "Creating deps.nix"
storeSrc="$(nix-build "$nbPkgs" -A $pkgName.src --no-out-link)"
. "$scriptDir"/create-deps.sh "$storeSrc" "$depsFile"

View File

@ -17,4 +17,5 @@ in
stable = nixBitcoinPkgsStable; stable = nixBitcoinPkgsStable;
unstable = nixBitcoinPkgsUnstable; unstable = nixBitcoinPkgsUnstable;
inherit nixpkgsUnstable;
} }

View File

@ -84,6 +84,13 @@ def run_tests(extra_tests):
) )
) )
assert_running("nbxplorer")
machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
extra_tests.pop("nbxplorer")()
assert_running("btcpayserver")
machine.wait_until_succeeds(log_has_string("btcpayserver", "Listening on"))
extra_tests.pop("btcpayserver")()
assert_running("spark-wallet") assert_running("spark-wallet")
extra_tests.pop("spark-wallet")() extra_tests.pop("spark-wallet")()

View File

@ -2,6 +2,19 @@ def electrs():
machine.wait_for_open_port(4224) # prometeus metrics provider machine.wait_for_open_port(4224) # prometeus metrics provider
def nbxplorer():
machine.wait_for_open_port(24444)
def btcpayserver():
machine.wait_for_open_port(23000)
# test lnd custom macaroon
assert_matches(
'sudo -u btcpayserver curl -s --cacert /secrets/lnd-cert --header "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 /run/lnd/btcpayserver.macaroon)" -X GET https://127.0.0.1:8080/v1/getinfo | jq',
'"version"',
)
def spark_wallet(): def spark_wallet():
machine.wait_for_open_port(9737) machine.wait_for_open_port(9737)
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1] spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
@ -31,6 +44,8 @@ def prestop():
extra_tests = { extra_tests = {
"electrs": electrs, "electrs": electrs,
"nbxplorer": nbxplorer,
"btcpayserver": btcpayserver,
"spark-wallet": spark_wallet, "spark-wallet": spark_wallet,
"lightning-charge": lightning_charge, "lightning-charge": lightning_charge,
"nanopos": nanopos, "nanopos": nanopos,

View File

@ -10,6 +10,8 @@ nanopos_ip = "169.254.1.19"
recurringdonations_ip = "169.254.1.20" recurringdonations_ip = "169.254.1.20"
nginx_ip = "169.254.1.21" nginx_ip = "169.254.1.21"
lightningloop_ip = "169.254.1.22" lightningloop_ip = "169.254.1.22"
nbxplorer_ip = "169.254.1.23"
btcpayserver_ip = "169.254.1.24"
def electrs(): def electrs():
@ -18,6 +20,20 @@ def electrs():
) # prometeus metrics provider ) # prometeus metrics provider
def nbxplorer():
machine.wait_until_succeeds("ip netns exec nb-nbxplorer nc -z %s 24444" % nbxplorer_ip)
def btcpayserver():
machine.wait_until_succeeds("ip netns exec nb-btcpayserver nc -z %s 23000" % btcpayserver_ip)
# test lnd custom macaroon
assert_matches(
'ip netns exec nb-btcpayserver sudo -u btcpayserver curl -s --cacert /secrets/lnd-cert --header "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 /run/lnd/btcpayserver.macaroon)" -X GET https://%s:8080/v1/getinfo | jq'
% lnd_ip,
'"version"',
)
def spark_wallet(): def spark_wallet():
machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip) machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip)
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1] spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
@ -50,6 +66,7 @@ def web_index():
def prestop(): def prestop():
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1" ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1" ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
# Positive ping tests (non-exhaustive) # Positive ping tests (non-exhaustive)
machine.succeed( machine.succeed(
@ -57,6 +74,8 @@ def prestop():
+ "%s %s &&" % (ping_bitcoind, clightning_ip) + "%s %s &&" % (ping_bitcoind, clightning_ip)
+ "%s %s &&" % (ping_bitcoind, lnd_ip) + "%s %s &&" % (ping_bitcoind, lnd_ip)
+ "%s %s &&" % (ping_bitcoind, liquidd_ip) + "%s %s &&" % (ping_bitcoind, liquidd_ip)
+ "%s %s &&" % (ping_bitcoind, nbxplorer_ip)
+ "%s %s &&" % (ping_nbxplorer, btcpayserver_ip)
+ "%s %s &&" % (ping_nanopos, lightningcharge_ip) + "%s %s &&" % (ping_nanopos, lightningcharge_ip)
+ "%s %s &&" % (ping_nanopos, nanopos_ip) + "%s %s &&" % (ping_nanopos, nanopos_ip)
+ "%s %s" % (ping_nanopos, nginx_ip) + "%s %s" % (ping_nanopos, nginx_ip)
@ -77,7 +96,8 @@ def prestop():
+ "%s %s ||" % (ping_nanopos, liquidd_ip) + "%s %s ||" % (ping_nanopos, liquidd_ip)
+ "%s %s ||" % (ping_nanopos, electrs_ip) + "%s %s ||" % (ping_nanopos, electrs_ip)
+ "%s %s ||" % (ping_nanopos, sparkwallet_ip) + "%s %s ||" % (ping_nanopos, sparkwallet_ip)
+ "%s %s" % (ping_nanopos, recurringdonations_ip) + "%s %s ||" % (ping_nanopos, recurringdonations_ip)
+ "%s %s" % (ping_nanopos, btcpayserver_ip)
) )
# test that netns-exec can't be run for unauthorized namespace # test that netns-exec can't be run for unauthorized namespace
@ -94,6 +114,8 @@ def prestop():
extra_tests = { extra_tests = {
"electrs": electrs, "electrs": electrs,
"nbxplorer": nbxplorer,
"btcpayserver": btcpayserver,
"spark-wallet": spark_wallet, "spark-wallet": spark_wallet,
"lightning-charge": lightning_charge, "lightning-charge": lightning_charge,
"nanopos": nanopos, "nanopos": nanopos,

View File

@ -52,6 +52,11 @@ import ./make-test.nix rec {
services.backups.enable = true; services.backups.enable = true;
services.btcpayserver.enable = true;
services.btcpayserver.lightningBackend = "lnd";
# needed to test macaroon creation
environment.systemPackages = with pkgs; [ openssl xxd ];
# to test that unused secrets are made inaccessible by 'setup-secrets' # to test that unused secrets are made inaccessible by 'setup-secrets'
systemd.services.generate-secrets.postStart = '' systemd.services.generate-secrets.postStart = ''
install -o nobody -g nogroup -m777 <(:) /secrets/dummy install -o nobody -g nogroup -m777 <(:) /secrets/dummy