Erik Arvstedt
fb36f2abe5
joinmarket-ob-watcher: use consistent mode formatting
...
Remove redundant leading zero.
2021-08-15 11:29:34 +02:00
Erik Arvstedt
f14af1fc48
treewide: use consistent echo message formatting
...
Quote the echo message.
2021-08-15 11:29:34 +02:00
Erik Arvstedt
b8043d3db5
treewide: use consistent bash script indentation
...
Always use two spaces.
2021-08-15 11:29:34 +02:00
Erik Arvstedt
c758d68ea4
lib: rename privileged -> rootScript
...
The naming is now analogous the related function `script`.
2021-08-15 11:29:34 +02:00
Erik Arvstedt
a2454975a5
doas: fix recursive calls to doas
...
Doas was broken for recursive calls like `doas -u operator lncli`
where `lncli` internally calls doas.
2021-08-14 10:46:42 +02:00
Erik Arvstedt
161baa7e68
joinmarket-ob-watcher: allow required 'mbind' system call
2021-08-14 10:46:41 +02:00
Erik Arvstedt
a0e5894f1f
backups: remove illegal option definition
2021-08-14 10:46:41 +02:00
Erik Arvstedt
35fe939cf8
security: update /proc restriction mechanism
...
NixOS option `security.hideProcessInformation` for globally restricting
access to /proc has been removed.
Use per-service restrictions via 'ProtectProc' instead.
Rename
`nix-bitcoin.security.hideProcessInformation` to
`nix-bitcoin.security.dbusHideProcessInformation`
because this option now only implements the dbus restriction.
2021-08-14 10:46:41 +02:00
Erik Arvstedt
178a0dcf8f
services: use new 'tor' options
2021-08-14 10:46:41 +02:00
Erik Arvstedt
e44f78ebb8
services: set isSystemUser for service users
...
'isSystemUser' has to be explicitly set in NixOS 21.05.
Previously, it was the implicit default.
2021-08-14 10:46:40 +02:00
Erik Arvstedt
a25ceecca5
update to NixOS 21.05
2021-08-12 11:18:26 +02:00
Jonas Nick
1ecd9756f6
Merge fort-nix/nix-bitcoin#369 : BTCPayServer L-BTC Support
...
54810ce1bf
btcpayserver: add L-BTC support (nixbitcoin)
b24c14ec61
liquidd: make regtest capable (nixbitcoin)
b7225f5d11
update nixpkgs-unstable (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 54810ce1bf
Tree-SHA512: 363165d3b977cd4425191bce4246dd9e83daf914bf2adcaf3cf42d0c170f5730e7e79934a97e5f9c071d0f52bf9ee75a3aa710c4c52135ea58bcdd898babcc74
2021-08-10 12:23:46 +00:00
Erik Arvstedt
881a3aa004
joinmarket: use preStart, postStart
2021-08-10 10:12:42 +00:00
nixbitcoin
e2c6eb6681
joinmarket: create bitcoind wallet
...
Starting with 0.21.0, bitcoin no longer automatically creates and loads
a default wallet.
This was being ignored because of a JoinMarket issue [1] in CI builds prior
to this version. Now a watch-only Bitcoin Core wallet is created in ExecStartPost.
[1] https://github.com/JoinMarket-Org/joinmarket-clientserver/issues/812
2021-08-10 10:12:37 +00:00
nixbitcoin
6258d64cb6
joinmarket: run with group 'bitcoin'
...
Don't copy bitcoin-rpcpassword-privileged as root, instead run service
with group "bitcoin".
Same effect, less complexity. Note, PoLP still obeyed for joinmarket-ob-watcher.
2021-08-10 10:12:33 +00:00
nixbitcoin
ed480a35af
joinmarket: 0.8.2 -> 0.8.3
...
Includes
- coincurve: 13.0.0 -> 15.0.0
- Update Darkscience Tor onion address
2021-08-10 10:12:29 +00:00
nixbitcoin
54810ce1bf
btcpayserver: add L-BTC support
2021-08-10 10:04:54 +00:00
nixbitcoin
b24c14ec61
liquidd: make regtest capable
2021-08-10 10:04:22 +00:00
Erik Arvstedt
637a58d826
lnd: improve waiting for active RPC server
...
- Simplify
- Add comment
- Avoid the unneeded default call to sleep
2021-07-29 20:27:34 +02:00
Erik Arvstedt
adeccce06e
lnd: simplify use of curl
2021-07-29 20:27:33 +02:00
Martin Milata
b666bb2903
charge-lnd: add module
2021-07-12 17:36:31 +02:00
Jonas Nick
ce10003747
lnd: allow curl to retry in the create-wallet script
2021-07-08 13:10:16 +00:00
Jonas Nick
a23b9d1c2d
lnd: check that state is RPC_ACTIVE after unlocking
...
The state service is newly introduced in lnd 0.13.0.
2021-07-07 13:15:04 +00:00
Jonas Nick
c75347027b
lnd: don't wait until the RPC port is open after unlocking
...
According to the release notes of lnd 0.13.0 [0] the RPC service is available at
all times.
[0] https://github.com/lightningnetwork/lnd/releases/tag/v0.13.0-beta
2021-07-07 13:12:50 +00:00
Jonas Nick
7914405ced
clboss: add option for using custom package
2021-04-13 14:12:39 +00:00
nixbitcoin
3b938a909f
add hardened-extended preset
2021-04-02 10:59:09 +00:00
Erik Arvstedt
08fe9ba84a
services: add finer-grained address family restrictions
...
Due to a possible NixOS bug, this commit has no effect on NixOS 20.09
where `RestrictAddressFamilies` is a no-op.
It's only relevant for NixOS unstable with cgroups v2.
bitcoind+zmq: instead of allowing all address families, only add the required
AF_NETLINK family.
lnd: lnd only runs a zmq client, not a server, therefore it requires
no additional address families.
lightning-pool, clightning-plugin-zmq: add AF_NETLINK.
2021-03-22 14:35:29 +01:00
Erik Arvstedt
020433cec6
services: add helper fn setAllowedIPAddresses
...
Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist
which doesn't use Tor.
2021-03-22 13:20:45 +01:00
Erik Arvstedt
cdf27d9d0c
bitcoind: improve service timeouts
...
- Improve readability by using minutes
- set `TimeoutStopSec` like in bitcoin/contrib/init/bitcoind.service.
Stopping bitcoind can exceed the default timeout during IBD.
2021-03-16 12:46:19 +01:00
Erik Arvstedt
09cd3ce5e4
lnd: show curl error messages
2021-03-16 12:46:19 +01:00
Jonas Nick
fe118b28ff
examples: add krops deployment method
2021-03-15 18:53:07 +01:00
Erik Arvstedt
03db1a61b1
lnd, joinmarket: don't write to secrets dir
...
Keeping the secrets dir read-only is more simple and robust.
- lnd seed mnemonic creation and joinmarket wallet creation can be
run as the regular service user instead of root.
- It is easier to switch to a third-party secrets deployment
method in the future.
Don't create a seed mnemonic for lnd when a wallet exists.
This avoids creating unused mnemonics and helps simplifying
the migration command in `versioning.nix`.
2021-03-15 18:50:15 +01:00
Erik Arvstedt
55d87490ec
secrets: make configuration more robust
...
- Fail at evaluation when secrets setup is not configured.
Previously, bitcoind failed at runtime due to the missing secrets target.
- Fail at evaluation when conflicting secrets setup methods are used.
This happens when `secretsSetupMethod` has more than one definition.
2021-03-15 12:42:52 +00:00
Erik Arvstedt
b0c223e716
secrets: don't stop services when the secrets target stops
...
With krops or nixops the secrets target is always restarted during
the deployment process.
This previously caused unnecessary restarts of all nix-bitcoin services.
2021-03-15 12:42:52 +00:00
Erik Arvstedt
b701cb5603
secrets: add option 'generateSecrets'
...
Move this feature from a module preset to a regular option, so that it's
easily discoverable and accessible.
Simplify the implementation of `generateSecrets` by adding it to the
existing `setup-secrets` service script.
Also rename option setup-secrets -> setupSecrets.
2021-03-15 12:42:52 +00:00
Jonas Nick
a4dabc7390
Remove nixops examples and documentation
2021-03-15 12:42:47 +00:00
Jonas Nick
1377cf5147
Merge #337 : joinmarket: 0.8.1 -> 0.8.2
...
5ead2a7075
joinmarket: 0.8.1 -> 0.8.2 (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 5ead2a7075
Tree-SHA512: 2ac87f74a1008c058adef81d11049d985a64f435d75ef61584e8debdcc985f78c1d43430c09ee71c247a93908a5ba3a1efdcf91b0666a84b3269509a99685343
2021-03-10 21:24:12 +00:00
nixbitcoin
5ead2a7075
joinmarket: 0.8.1 -> 0.8.2
...
- add SNICKER to default config
- update package
- ob-watcher: copy vendorized js and css dependencies
- add missing dependency to jmbase
- use cryptography from pinned.nixpkgs-unstable
2021-03-10 13:33:49 +00:00
nixbitcoin
6c9c820862
lightning-loop: 0.11.3-beta -> 0.12.0-beta
2021-03-07 18:28:08 +00:00
kon
eb21012745
pool: add pkg, module & tests
2021-03-01 10:59:35 +01:00
Jonas Nick
f66b2d569b
Merge #333 : electrs: v0.8.7 -> v0.8.8
...
eaa58505a7
electrs: v0.8.7 -> v0.8.8 (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK eaa58505a7
Tree-SHA512: 2de1bc08b4dd4ede38d8b98d58c85eb220003e491a7a16529b5a443576022b7ac067698ef8fa9336ee1af09e3e8db349291403e89ef40167b1ad46b2b0aefd01
2021-02-24 09:01:04 +00:00
nixbitcoin
b1c9e13033
bitcoind: secure-node remove assumevalid
2021-02-23 11:04:31 +00:00
nixbitcoin
eaa58505a7
electrs: v0.8.7 -> v0.8.8
2021-02-23 10:51:43 +00:00
nixbitcoin
4e9059dc07
bitcoind: rename group bitcoinrpc -> bitcoinrpc-public
...
This makes it clear that services with this group can only use
public RPC calls.
2021-02-18 10:42:21 +00:00
nixbitcoin
19e401b028
bitcoind: enable cookie-based authentication
2021-02-18 10:40:09 +00:00
nixbitcoin
ecc601a6d6
onion-addresses: mirror nix-bitcoin.onionAddresses.access behavior
...
This commit fixes an issue with LND, in which if both
nix-bitcoin.onionServices.lnd.public &
services.lnd.restOnionService.enable were enabled, one would try to
create a file named `lnd` and the other would try to create a directory
named `lnd` with a file named `lnd-rest` inside it. This would obiously
cause an error and fail the LND service.
2021-02-17 11:50:47 +00:00
nixbitcoin
e873326bfe
modules: use user & group options
...
I've tried my best to locate all uses of hardcoded usernames, but its
not guaranteed that all have been found/fixed.
2021-02-17 11:50:25 +00:00
nixbitcoin
ccef870b74
spark-wallet: add user & group options
2021-02-17 11:50:07 +00:00
nixbitcoin
85a1722545
lnd: add user & group options
2021-02-17 11:49:51 +00:00
nixbitcoin
42f7e9f874
joinmarket: 0.8.0-a5e8879 -> 0.8.1
...
- Update joinmarket package
- Revert unofficial release settings
- Move Yield Generator config to configFile
- Add new config option max_sweep_fee_change
2021-02-14 16:23:53 +00:00
nixbitcoin
2ca92a34a5
services: use doas if enabled
...
- Remove sudo from recurring-donations path because it's not used by
the service
- Use doas instead of sudo in secure-node.nix
2021-02-09 12:44:04 +00:00
Erik Arvstedt
ce2b445777
treewide: use runuser for dropping privileges
...
When running as root, use runuser instead of sudo.
As opposed to sudo or doas, runuser is a standalone
binary that needs no external configuration.
Also, it's a bit faster.
2021-02-09 12:44:01 +00:00
Erik Arvstedt
803584a288
backups: don't use hardcoded secrets dir
2021-02-07 22:45:38 +01:00
Erik Arvstedt
6a32812412
services: add names for systemd helper scripts
...
The systemd journal now shows a specific script name instead of
the generic name "script" before script output.
2021-02-07 22:45:36 +01:00
Erik Arvstedt
6982699613
services: use consistent layout
...
Use the following order of definitions for all services:
- assertions
- configuration of other services
- environment.systemPackages
- tmpfiles
- own service
- users
- secrets
2021-02-07 22:42:23 +01:00
Erik Arvstedt
a43534dda0
services: improve config file setup
...
- btcpayserver, nbxplorer: Add quotes to the
dataDir arg. (dataDir can contain spaces.)
- clightning, liquidd: use 'install'
2021-02-07 22:42:22 +01:00
Erik Arvstedt
18f2002cf0
joinmarket-yieldgenerator: improve systemd journal output
...
Journal entries now look like
`joinmarket-yieldgenerator[9795]: User data location: /var/lib/joinmarket`
instead of
`bash[9795]: User data location: /var/lib/joinmarket`
2021-02-07 22:41:46 +01:00
Erik Arvstedt
9d0b8c8f6f
joinmarket-ob-watcher: use DynamicUser
...
DynamicUser simplifies services that don't need a persistent uid/gid,
like joinmarket-ob-watcher.
For existing installations the data dir migration to dynamic users
is automatically handled by systemd.
2021-02-07 22:41:44 +01:00
Erik Arvstedt
e9c98f415c
joinmarket: explain need for tor control socket
2021-02-07 22:41:31 +01:00
Erik Arvstedt
d9c87b6a8f
joinmarket: fix wallet creation
...
- Fix jm-wallet-seed being globally readable.
- Handle seed extraction failures.
If seed extraction fails, remove the newly created wallet.
This guarantees that wallets always have an accompanying seed.
2021-02-07 22:41:31 +01:00
Erik Arvstedt
7458350108
treewide: remove deprecated types.loaOf
2021-02-07 22:41:31 +01:00
Erik Arvstedt
9cf038939c
treewide: use mkEnableOption
2021-02-07 22:41:31 +01:00
Erik Arvstedt
7a97304f13
treewide: remove unit descriptions
...
Systemd's `Description` option is a misnomer (as confessed by `man systemd.unit`):
Its value is used by user-facing tools in place of the unit file name, so this option
could have been more aptly named `label` or `name`.
`Description` should only be set if the unit file name is not sufficient for naming a unit.
This is not the case for our services, except for `systemd.services.nb-netns-bridge`
whose description has been kept.
As an example how this affects users, weird journal lines like
```
nb-test systemd[1]: Starting Run clightningd...
```
are now replaced by
```
nb-test systemd[1]: Starting clightning.service...
```
2021-02-07 22:41:31 +01:00
Erik Arvstedt
a942177ecf
treewide: remove user descriptions
...
User descriptions are stored in the `comment` field in /etc/passwd.
In our case, these are completely redundant and don't add any useful information.
2021-02-07 22:41:30 +01:00
Erik Arvstedt
4f6ff408ef
treewide: remove unneeded string literals
2021-02-07 22:41:29 +01:00
Erik Arvstedt
e6a6c721c1
treewide: streamline 'extraConfig' descriptions
2021-02-07 22:40:11 +01:00
Erik Arvstedt
e774c045de
treewide: fix formatting
2021-02-07 22:40:10 +01:00
Erik Arvstedt
0b5b29a2a3
netns-isolation: simplify permission definition for netns-exec
...
The new definition is equivalent to the old one.
2021-02-07 22:39:06 +01:00
Erik Arvstedt
af2040f4c4
netns-isolation: use 'true' for systemd option
2021-02-07 22:39:05 +01:00
Erik Arvstedt
c246bbb36e
bitcoind, clightning, lnd: improve descriptions
...
bitcoind: The previous description of 'prune' didn't match the int-only
values supported by our option.
2021-02-07 22:39:05 +01:00
Erik Arvstedt
7533f12ef1
bitcoind, clightning, run-tests: minor refactoring
...
bitcoind: use builtins.toFile
clightning: use boolToString
run-tests: remove leftover var
2021-02-07 22:39:05 +01:00
Erik Arvstedt
f0850d3f23
btcpayserver: reorder config settings
...
Move 'bind' and 'port' next to each other and to the top.
2021-02-07 22:39:05 +01:00
Erik Arvstedt
d1c0ea9f85
btcpayserver: add missing systemd postgresql dependency
...
btcpayserver fails if it starts before postgresql.
2021-02-07 22:39:05 +01:00
nixbitcoin
ebd478fd0d
lnd: add option 'restOnionService'
2021-02-05 09:17:14 +01:00
Erik Arvstedt
a344ae95c9
move mkHiddenService to lib
2021-02-04 12:39:54 +00:00
Erik Arvstedt
a26ed03d77
rename nix-bitcoin-services.nix -> lib.nix
2021-02-04 12:39:48 +00:00
Martin Milata
86d7db9940
bitcoind: add uptime to the public api whitelist
...
It is needed by lnd to check bitcoind health status since lnd-0.12.0.
2021-02-02 22:32:20 +01:00
Erik Arvstedt
b114d0c3b1
bitcoind: use systemd startup notification
2021-01-31 22:26:49 +01:00
Erik Arvstedt
332d0e70c8
bitcoind: support onion address announcing
2021-01-31 22:26:49 +01:00
Erik Arvstedt
9662c19ab1
onionServices: use actual user name of services
...
Previously, onionAddresses definitions in onionServices were of the form
onionAddresses.access.<service> = [<service>];
This caused failures for configurations where a service user name was
overridden or for bitcoind whose default user is 'bitcoin' instead of 'bitcoind'.
Now set the equivalent of:
onionAddresses.access.<actualServiceUser> = [<service>];
Implement this via a new option `onionAddresses.services` to make things more
readable and to work around an infinite recursion error in onionServices.
2021-01-31 22:26:49 +01:00
Erik Arvstedt
5c09845e6f
bitcoind: tag incoming connections as onion on enforceTor
2021-01-31 22:26:49 +01:00
Jonas Nick
035438d427
Merge #290 : JoinMarket Orderbook Watcher
...
8c125ec48c
joinmarket-obwatcher: add pkg & module (nixbitcoin)
915df059f4
joinmarket: 0.8.0-bcfa7eb -> 0.8.0-a5e8879 (Erik Arvstedt)
254246cf39
joinmarket: use installPhase (Erik Arvstedt)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 8c125ec48c
Tree-SHA512: 5e4ba14a2a90c505b7cd7e09c33548d06ec466502c48f8d551a4437c5542dab427ec7f9cb7a15c849cc7ce11685c493b9773ec08591e1980ebe2a84abef17141
2021-01-17 20:00:13 +00:00
nixbitcoin
8c125ec48c
joinmarket-obwatcher: add pkg & module
2021-01-17 17:40:12 +00:00
kon
9480ada135
nodeinfo fix lnd
2021-01-17 17:13:09 +01:00
Jonas Nick
c6c14889eb
Merge #293 : Module refactorings, onionServices
...
e2922eb4ce
move rpc thread count setting to lightning modules (Erik Arvstedt)
352fc4e8fe
liquid: remove insecure and redundant option 'rpcpassword' (Erik Arvstedt)
757a66b9bd
liquid: move rpcuser definition to module (Erik Arvstedt)
0e00c39d47
secure-node: improve layout (Erik Arvstedt)
5f7a7962f7
backups: remove redundant option 'program' (Erik Arvstedt)
04d8560f86
secure-node: remove qrencode, tor from systemPackages (Erik Arvstedt)
323a431aba
improve nodeinfo (Erik Arvstedt)
f6b883a9ac
remove webindex (Erik Arvstedt)
2a240d6f4a
enable-tor: disable default onion services for clightning, lnd, btcpayserver (Erik Arvstedt)
18c7842e1a
modules: show warnings for obsolete options (Erik Arvstedt)
45c40c4eb9
versioning: simplify assertion evaluation (Erik Arvstedt)
bed00fe937
lnd: use onionServices for address announcing (Erik Arvstedt)
3980cd5a41
clightning: use onionServices for address announcing (Erik Arvstedt)
bd2a46cb73
spark-wallet: use onionServices (Erik Arvstedt)
87fb9f246b
add 'enable-tor' preset (Erik Arvstedt)
05b5402bb1
add nix-bitcoin.onionServices (Erik Arvstedt)
fffe988248
onionAddresses: add readonly option 'dataDir' (Erik Arvstedt)
5f34b094d3
onionAddresses: improve script (Erik Arvstedt)
b266f23251
onionAddresses: use service 'script' option (Erik Arvstedt)
6d13b26d0a
onionAddresses: add more precise type for option 'access' (Erik Arvstedt)
93562f76dd
onionAddresses: remove redundant option 'enable' (Erik Arvstedt)
43c247e3fe
onionAddresses: use StateDirectory instead of tmpfiles (Erik Arvstedt)
5c6977b006
rename onion-chef -> nix-bitcoin.onionAddresses (Erik Arvstedt)
55073eee70
remove nix-bitcoin.pkgs.lib (Erik Arvstedt)
09e0042aa8
spark-wallet: add consistent address options (Erik Arvstedt)
39f16c0b4a
liquidd: add consistent address options (Erik Arvstedt)
b5d76ba1b3
electrs: add consistent address options (Erik Arvstedt)
8fa32b7f91
btcpayserver: add consistent address options (Erik Arvstedt)
e78a609687
clightning: add consistent address options (Erik Arvstedt)
b41a720c28
lnd: add consistent address options (Erik Arvstedt)
dd4a0238f9
bitcoind: group rpc options under parent option 'rpc' (Erik Arvstedt)
5b7e0d09b2
bitcoind: add consistent address options (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK e2922eb4ce
jonasnick:
ACK e2922eb4ce
Tree-SHA512: a85b33efe66048f06699b3997f83c9427f70f278fa66d30ee9a29c91f50723ff8bd1ffb9d968d7f08818742c8c6afb0b40dbfc14b95a4b8c3302caf9bede4198
2021-01-14 20:42:23 +00:00
Erik Arvstedt
e2922eb4ce
move rpc thread count setting to lightning modules
2021-01-14 13:25:12 +01:00
Erik Arvstedt
352fc4e8fe
liquid: remove insecure and redundant option 'rpcpassword'
2021-01-14 13:25:11 +01:00
Erik Arvstedt
757a66b9bd
liquid: move rpcuser definition to module
2021-01-14 13:25:11 +01:00
Erik Arvstedt
0e00c39d47
secure-node: improve layout
2021-01-14 13:25:11 +01:00
Erik Arvstedt
5f7a7962f7
backups: remove redundant option 'program'
...
Not needed until we support other backup backends.
2021-01-14 13:25:11 +01:00
Erik Arvstedt
04d8560f86
secure-node: remove qrencode, tor from systemPackages
...
Keep jq which is useful for analyzing service cli output.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
323a431aba
improve nodeinfo
...
- enable usage outside of secure-node.nix
- use json as the output format
- show ports
- also show local addresses, which is particularly useful when
netns-isolation is enabled
- only show enabled services
2021-01-14 13:25:10 +01:00
Erik Arvstedt
f6b883a9ac
remove webindex
...
This module is outdated and incomplete. We can readd an improved version in
the future.
Move nanopos nginx proxy tests to the nanopos test.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
2a240d6f4a
enable-tor: disable default onion services for clightning, lnd, btcpayserver
...
In case of btcpayserver the default onion service is a security risk
because any visitor can register an admin account on a freshly setup node.
2021-01-14 13:25:09 +01:00
Erik Arvstedt
18c7842e1a
modules: show warnings for obsolete options
2021-01-14 13:25:09 +01:00
Erik Arvstedt
45c40c4eb9
versioning: simplify assertion evaluation
2021-01-14 13:25:09 +01:00
Erik Arvstedt
bed00fe937
lnd: use onionServices for address announcing
2021-01-14 13:25:09 +01:00
Erik Arvstedt
3980cd5a41
clightning: use onionServices for address announcing
2021-01-14 13:25:08 +01:00
Erik Arvstedt
bd2a46cb73
spark-wallet: use onionServices
...
Also remove the unneeded definition of ReadWritePaths because the
service doesn't need write access to onion files.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
87fb9f246b
add 'enable-tor' preset
...
Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.
Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
05b5402bb1
add nix-bitcoin.onionServices
2021-01-14 13:25:07 +01:00
Erik Arvstedt
fffe988248
onionAddresses: add readonly option 'dataDir'
...
Used by 'onionServices' in a later commit for services that announce
their onion address.
2021-01-14 13:25:07 +01:00
Erik Arvstedt
5f34b094d3
onionAddresses: improve script
...
- use -e to check for existence of /var/lib/tor/state, use shorter
polling interval
- clear existing dataDir contents to avoid accumulating obsolete data
- use concatMapStrings instead of foldl'
2021-01-14 13:25:07 +01:00
Erik Arvstedt
b266f23251
onionAddresses: use service 'script' option
...
This also makes the script stop on errors.
2021-01-14 13:25:07 +01:00
Erik Arvstedt
6d13b26d0a
onionAddresses: add more precise type for option 'access'
2021-01-14 13:25:06 +01:00
Erik Arvstedt
93562f76dd
onionAddresses: remove redundant option 'enable'
...
The service can be disabled via `onion-addresses.access = mkForce {};`
Also remove redundant description.
2021-01-14 13:25:06 +01:00
Erik Arvstedt
43c247e3fe
onionAddresses: use StateDirectory instead of tmpfiles
...
Simplifies the dataDir setup.
2021-01-14 13:25:06 +01:00
Erik Arvstedt
5c6977b006
rename onion-chef -> nix-bitcoin.onionAddresses
...
This clarifies its function.
2021-01-14 13:25:05 +01:00
Erik Arvstedt
09e0042aa8
spark-wallet: add consistent address options
2021-01-14 13:25:05 +01:00
Erik Arvstedt
39f16c0b4a
liquidd: add consistent address options
2021-01-14 13:25:05 +01:00
Erik Arvstedt
b5d76ba1b3
electrs: add consistent address options
2021-01-14 13:25:04 +01:00
Erik Arvstedt
8fa32b7f91
btcpayserver: add consistent address options
2021-01-14 13:25:04 +01:00
Erik Arvstedt
e78a609687
clightning: add consistent address options
...
Also remove option 'autolisten'. This option has no effect because
option 'bind-addr' is always set.
2021-01-14 13:25:04 +01:00
Erik Arvstedt
b41a720c28
lnd: add consistent address options
...
Also fix btcpayserver by connecting to the lnd restAddress instead of the p2p address.
2021-01-14 13:25:03 +01:00
Erik Arvstedt
dd4a0238f9
bitcoind: group rpc options under parent option 'rpc'
2021-01-14 13:25:03 +01:00
Erik Arvstedt
5b7e0d09b2
bitcoind: add consistent address options
2021-01-14 13:25:03 +01:00
Jonas Nick
41a6be6552
Merge #297 : joinmarket: add enforceTor to firewall scripts on netns-level
...
71ee16d767
joinmarket: add enforceTor to firewall scripts on netns-level (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK 71ee16d767
Tree-SHA512: cef089012807c90034d4b1f259bf6d81bfb83a36e7d2aadd85e817728f646948c12c25d199525d578d44366ee10389cb5081c4d86842b19b06b1066ff8feec19
2021-01-10 23:11:08 +00:00
Jonas Nick
e3a45fcc0c
joinmarket: add rpcWalletFile option
...
The joinmarket docs recommend using a separate wallet to avoid mixing up jm and
default wallet.
2021-01-10 21:52:27 +00:00
nixbitcoin
71ee16d767
joinmarket: add enforceTor to firewall scripts on netns-level
2021-01-04 16:09:20 +00:00
Jonas Nick
79f4723cda
lightning-charge: remove package and module
2021-01-01 19:16:46 +00:00
Jonas Nick
58de79d401
nanopos: remove package and module
2021-01-01 17:37:30 +00:00
Jonas Nick
da674d1ccf
Merge #292 : joinmarket: always synchronize secrets.jm-wallet-password
...
ed636dd070
joinmarket: always synchronize secrets.jm-wallet-password (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK ed636dd070
Tree-SHA512: 8024f29f98a87991701dcdb7576c4b3b72c859373153b9281b8a4bba179a33aa39a7496ecd373c0251c8d9c36e1fc7c768a2dcc228aa006bab461f8cbc5d7b0d
2020-12-30 19:18:56 +00:00
nixbitcoin
ed636dd070
joinmarket: always synchronize secrets.jm-wallet-password
...
secrets.jm-wallet-password is always needed by joinmarket, not just when
joinmarket.yieldgenerator.enable
2020-12-30 16:49:50 +00:00
nixbitcoin
edc657d138
btcpayserver: add rootpath option
2020-12-30 16:47:50 +00:00
nixbitcoin
f89498d4fc
clboss: add module
2020-12-22 09:40:00 +00:00
Jonas Nick
7b32a78de2
Merge #284 : Fix containers
...
2bfb4efbd8
make-container: fix usage comment (Erik Arvstedt)
3403795c86
tests: add example scripts (Erik Arvstedt)
ff94985b8b
tests: add test 'hardened' (Erik Arvstedt)
c8e73c959e
fix 'hardened' profile for NixOS 20.09 (Erik Arvstedt)
44b06aea5a
extra-container: 0.5-pre -> 0.5 (Erik Arvstedt)
a359cdfb66
generate-secrets: use pwgen (Erik Arvstedt)
a5a2fc7274
make-container: fix renamed variable (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 2bfb4efbd8
jonasnick:
utACK 2bfb4efbd8
Tree-SHA512: 421b1fc5bf695d6815f060d129855ae0fecc06f7946ed8ac2bfe53895d7dc9529aad40099fc16844547791010232252f74b1ce32cbc9c6458e6d77f327450e94
2020-12-21 12:24:14 +00:00
Erik Arvstedt
c8e73c959e
fix 'hardened' profile for NixOS 20.09
...
The 'scudo' memory allocator set by the 'hardened' profile breaks some
services on 20.09.
The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052 )
is ineffective on 20.09.
As a workaround, add a custom 'hardened' preset that uses the default allocator.
2020-12-18 19:56:56 +01:00
nixbitcoin
fdfafb2f40
joinmarket: 0.7.4 -> 0.8.0-bcfa7eb
...
Update to 0.8.0 with hotfix for genwallet script
Includes module versioning error with migration instructions
2020-12-17 11:12:58 +00:00
Martin Milata
5feb9e3eae
lnd: fix rpc/rest port configuration
2020-12-07 14:38:36 +01:00
Ian Shipman
1d44b99340
add curated clightning plugins
2020-11-18 20:21:34 -06:00
Erik Arvstedt
f1681f5b45
add option nix-bitcoin.pkgs, remove overlay
...
This works around a nixpkgs bug where overlays are ignored in containers.
2020-11-09 22:10:07 +01:00
Erik Arvstedt
b1a5f5e7b9
don't add service-only pkgs to systemPackages
...
These packages are not useful in shell environemnts.
2020-11-09 22:10:07 +01:00
Erik Arvstedt
e39ad358a4
lnd: remove unused bitcoind from PATH
2020-11-09 22:10:07 +01:00
nixbitcoin
59e128a994
joinmarket: add payjoin configuration
2020-11-06 08:51:25 +00:00
nixbitcoin
f29f04c0c4
secure-node: LND no longer requires ControlPort
...
Onion service is now generated through mkHiddenService function.
2020-11-06 08:51:23 +00:00
Erik Arvstedt
0972af55f1
netns: fix setup service restarts
2020-11-03 21:55:13 +01:00
Erik Arvstedt
63a464431b
netns: fail when netns already exists
...
Under normal circumstances, service-specific netns should never exist
before the netns setup service starts.
An existing netns is a genuine error that should not be silently ignored.
2020-11-03 21:55:13 +01:00
Erik Arvstedt
b4b607dfa5
netns: simplify firewall setup
2020-10-29 22:36:20 +01:00
Erik Arvstedt
25639cec42
netns: fix error msg when starting netns
...
Previously, the failing initial `netns delete` resulted in a
"Cannot remove namespace file ..." error visible in the journal
and status output.
2020-10-29 21:21:30 +01:00
Erik Arvstedt
67068afd6b
netns: fix error when stopping netns
...
A short time after `netns delete` finishes, the peer link in the main
netns is automatically removed.
When `link del` is run before that, it fails with
`Cannot find device "nb-veth-br-*"` and the netns service enters a failed state.
2020-10-29 21:21:30 +01:00
Erik Arvstedt
8da01fe8a6
lightning-loop: allow RPC access from main netns
...
Note that this also exposes the REST server, which is secured by
macaroon auth like the RPC server.
2020-10-29 21:21:29 +01:00
Erik Arvstedt
d76b080b74
lightning-loop: add RPC and REST server options
2020-10-29 21:21:29 +01:00
Erik Arvstedt
e66636ef0e
liquidd: use type str for rpcbind
2020-10-29 21:21:29 +01:00
Erik Arvstedt
de23fdd377
lnd: use type str for rpclisten, restlisten
2020-10-29 21:21:28 +01:00
Erik Arvstedt
8b053326cc
bitcoind: use type str for rpcbind
...
Extra RPC bind addresses can still be added via extraConfig.
2020-10-29 21:21:28 +01:00
Erik Arvstedt
6903e8afcc
netns-liquidd: allow RPC access from main netns
2020-10-29 21:21:28 +01:00
Erik Arvstedt
82f4901880
netns-lnd: allow RPC access from main netns
2020-10-29 21:21:27 +01:00
Erik Arvstedt
58d24e735d
netns-bitcoind: allow RPC access from main netns
2020-10-29 21:21:27 +01:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
...
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
0cc8caa737
lnd: only set tor.active on enforceTor
...
This also enables the test scenario 'netnsRegtest' introduced in a
later commit by fixing the following bug:
For unknown reasons, when tor.active=true and tor is not running, lnd
fails with a tor connection error on netns-isolation, but runs fine
without netns-isolation.
2020-10-29 21:21:26 +01:00