Commit Graph

601 Commits

Author SHA1 Message Date
Erik Arvstedt
f58d67677e
netns-isolation: separate host and netns setup
- Improves readability

- `netns exec ...` (called via `netnsIptables`) incurs a large
  overhead: In addition to netns switching, a mount namespace
  is setup and populated with the contents of /etc/netns/<ns>/.
  Instead, simply run `nsenter`.
2021-11-08 12:46:28 +01:00
Erik Arvstedt
cb6e5ef702
netns-isolation: fix routing issues due to netns restarting
Previously, restarting a service implied restarting its netns.
For unknown reasons, this sometimes caused the netns-local address
to not be routable from the root netns for up to 20 s.
I.e., the service was sometimes unreachable after restarting.

Now the netns is no longer stopped when the service is stopped.
2021-11-08 12:46:27 +01:00
Jonas Nick
3f844c06f0
Merge fort-nix/nix-bitcoin#418: update nixpkgs
b3e868d0af tests/regtest: disable incompatible `validatepegin` for liquidd (Erik Arvstedt)
c30fe1919b netns-isolation: don't auto-assign IPv6 addrs to peer links (Erik Arvstedt)
6584540828 makeShell: make help message extensible (Erik Arvstedt)
0478354477 versioning: move variable (Erik Arvstedt)
8616254d63 bitcoind-rpc-public-whitelist: remove waitfornewblock (Erik Arvstedt)
083e141e3e tests/btcpayserver: test bitcoind P2P connection in regtest (Erik Arvstedt)
82c92df162 tests/regtest: fix restarting bitcoind (Erik Arvstedt)
49086abcc5 liquidd: use systemd startup notification (Erik Arvstedt)
b83fd845c2 update nixpkgs (nixbitcoin)
852c112603 Use HTTPS URL for spark-wallet GitHub node packages (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK b3e868d0af
  jonasnick:
    utACK b3e868d0af

Tree-SHA512: 300410157a54f90f40abda064ed9b8f2310e3002bd2eac0527404d5402cd7d87c2d2d1d79d68cf1569841645c333b281d706607deae9461e1ef07f6c20427297
2021-11-03 10:25:38 +00:00
cadwgan0
ae1c90997d missing sys import for error path set_onion_address 2021-11-02 23:25:55 -04:00
Erik Arvstedt
b3e868d0af
tests/regtest: disable incompatible validatepegin for liquidd
Otherwise liquidd startup fails. This bug was not covered by our tests,
because we're not combining `regtest` with `secure-node`.
But nixbitcoin.org does, which should suffice for now.
2021-11-02 17:40:43 +01:00
Erik Arvstedt
c30fe1919b
netns-isolation: don't auto-assign IPv6 addrs to peer links
This simplifies the host's address configuration.

This also removes unused addresses that are returned when resolving
container hostnames via nss-mymachines:
`getent ahosts nb-test`
2021-11-02 17:40:43 +01:00
Erik Arvstedt
0478354477
versioning: move variable
The variable is an internal implementation detail. Move it close to
where it's used.
2021-11-02 17:40:43 +01:00
Erik Arvstedt
8616254d63
bitcoind-rpc-public-whitelist: remove waitfornewblock
This is an internal testing function and it's no longer used by electrs.
2021-11-02 17:40:43 +01:00
Erik Arvstedt
49086abcc5
liquidd: use systemd startup notification 2021-11-02 17:40:43 +01:00
nixbitcoin
c2eb81b57e
btcpayserver: fix liquidd whitelistedPort 2021-11-01 11:59:05 +00:00
Jonas Nick
bac8518e7c
secure-node: stop pruning liquidd
There is no security reason why pruning should be enabled and therefore it
surprises users. Turning on pruning in the first place was simply a mistake.
2021-10-31 14:37:56 +00:00
Jonas Nick
347a0f3aee
secure-node: add dummy option to determine if the preset is enabled
This is useful for versioning.nix.
2021-10-31 14:00:46 +00:00
Erik Arvstedt
aada35fc7b
minor improvements
- README: add matrix room

- examples/configuration.nix: explain why bitcoind is enabled by default

- btcpayserver: group lnd service settings

- clightning:
  Use public onion port only when the onion service is public

  This allows users to enable the onion service while announcing a
  non-onion public address.

- netns-isolation: move `readOnly` attr to the top

- tests: use mkDefault to allow for easier overriding

- tests/btcpayserver: test web server response
2021-10-30 15:34:48 +02:00
Erik Arvstedt
1da23cd933
bitcoind, liquidd: add whitelisted socket
This allows whitelisting local services without implicitly
whitelisting all inbound onion connections, which would happen when
setting bitcoind/liquidd option `whitelist=localhost`.

Used by electrs and nbxplorer, which requires the unsafe `mempool`
permission.
2021-10-29 18:28:31 +02:00
Erik Arvstedt
8c3a88b2e8
update nixpkgs-unstable
Switch back from nixpkgs master to unstable.

Pkg updates:
btcpayserver: 1.2.3 -> 1.2.4
electrs: 0.9.0 -> 0.9.1
elementsd: 0.18.1.12 -> 0.21.0
lightning-pool: 0.5.0-alpha -> 0.5.1-alpha
nbxplorer: 2.2.5 -> 2.2.11

- liquidd:
  add `onionPort` like in bitcoind

- tests/electrs:
  remove KillSignal workaround
2021-10-29 17:59:25 +02:00
Erik Arvstedt
cc3d43f4e9
bitcoind: set onionPort in bitcoind module
This removes the module-level dependency from onion-services to
bitcoind.
Due to the `or false` fallback, there's no dependency added in
the reverse direction.

In particular, this allows us to not add a dependency on liquidd in
the following commit.
2021-10-28 22:24:24 +02:00
Jonas Nick
20d4240919
Merge fort-nix/nix-bitcoin#410: joinmarket: 0.9.2 -> 0.9.3
d5ce1c43a8 test: make joinmarket work with regtest (nixbitcoin)
a10aa21c69 joinmarket: 0.9.2 -> 0.9.3 (nixbitcoin)
721ba1aeba python-packages: separate `specific-versions` pkgs (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK d5ce1c43a8
  jonasnick:
    light utACK d5ce1c43a8

Tree-SHA512: 5ddccbf9a88640086d14051283b59e704364d4d5f3f6aa6c698d88d8a6634ac9a7b525b11cf1670c9aaa6a797635bc23e135972d9bc8c909ec51b58fe57e8f5c
2021-10-28 09:50:22 +00:00
nixbitcoin
d5ce1c43a8
test: make joinmarket work with regtest 2021-10-27 16:08:28 +02:00
nixbitcoin
a10aa21c69
joinmarket: 0.9.2 -> 0.9.3 2021-10-27 16:02:59 +02:00
kon
b6d1928e90 clightning: add public port
Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
2021-10-26 21:34:33 +02:00
Jonas Nick
bfe8ac972c
Merge fort-nix/nix-bitcoin#405: bitcoind: add separate p2p socket for tor connections
ec4a4dbe41 btcpayserver: fix whitelist security issue (Erik Arvstedt)
df2070b44a bitcoind: add separate p2p socket for tor connections (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ec4a4dbe41

Tree-SHA512: 457bfb5806dca65507261c1868ca89c86a39f63bd10833b7531fd74dd779816083270c8ccc95ad08a5306e9b31c440904e3cba35464d47c0d87418d0be3e732d
2021-10-21 12:17:17 +00:00
Erik Arvstedt
ec4a4dbe41
btcpayserver: fix whitelist security issue
Whitelisting localhost implicitly whitelists all inbound onion
connections. This prevents banning misbehaving inbound onion peers
and enables message `mempool` which can cause privacy leaks.

Instead, grant `download` as the single bitcoind whitelist permission, which
should be safe for onion peers.
Remove liquidd whitelisting because it doesn't support fine-grained permissions.

After a cursory glance at the nbxplorer code I think that nbxplorer
requires none of the other default whitelist permissions (noban, mempool,
relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
2021-10-21 11:40:40 +02:00
Erik Arvstedt
df2070b44a
bitcoind: add separate p2p socket for tor connections
This re-enables onion tagging while still supporting untagged connections.

Onion sockets are not yet supported in the latest liquidd/elements
version 0.18.1.12 available on nixpkgs.
2021-10-21 11:40:40 +02:00
Jonas Nick
8b1b06311d
Merge fort-nix/nix-bitcoin#406: bitcoind: one-option i2p support
63836127c9 bitcoind: one-option i2p support (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 63836127c9
  jonasnick:
    utACK 63836127c9

Tree-SHA512: be7806657885ba455e7137dfc8c20ea4d58898b04db030a964aafbde1c505041a1f9e700654ad9c75ab2bb9267174bdbe84c9d7e4de63a09508b72fbd5c8f1a1
2021-10-15 11:02:09 +00:00
Jonas Nick
2250b9bcb7
Merge fort-nix/nix-bitcoin#408: joinmarket: 0.9.1 -> 0.9.2
3781a85c9b joinmarket: enable Agora as a third IRC server (nixbitcoin)
ced1637d07 joinmarket: share IRC server definitions between jm and ob-watcher (Erik Arvstedt)
59fc003ebd joinmarket: 0.9.1 -> 0.9.2 (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 3781a85c9b

Tree-SHA512: 5ec919d2291ecf96fb4ca880f3dbeabff13f2bab71822db893ebbaba1b95463666b098ccc1412a1b56f327a231e10c1f2d47feb0f520fce349ab243d398bf7b4
2021-10-15 10:58:01 +00:00
nixbitcoin
3781a85c9b
joinmarket: enable Agora as a third IRC server 2021-10-13 14:45:52 +02:00
Erik Arvstedt
ced1637d07
joinmarket: share IRC server definitions between jm and ob-watcher
Also add server name comments.
2021-10-13 14:44:36 +02:00
kon
40ab4b368a add lnd TimoutSec 2021-10-12 21:56:59 +02:00
nixbitcoin
63836127c9
bitcoind: one-option i2p support 2021-10-12 10:22:09 +00:00
Erik Arvstedt
8938eadf0c
bitcoind: don't tag all incoming connections as 'Tor'
We're also accepting local, non-Tor connections.
2021-10-06 16:55:41 +02:00
Erik Arvstedt
75b89f3957
electrs: adapt to version 0.9.0
- `waitfornewblock` was previously not included in the public RPC
  whitelist because it's reserved for testing and marked as hidden
  in bitcoind.

- electrs changed its verbosity settings. `-vv` is now the best choice
  for normal usage.

- bitcoind option `dataDirReadableByGroup` is now unused.
  Because it can be valuable for other use cases and implementing
  it is intricate, we're keeping it for now.

- test: keep `nc` connection open because otherwise the electrs
  RPC server would now close the connection before sending a response.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
6d694a6269
backups: allow extraFiles to override default settings
By moving them to the top they take precedence over the remaining
filelist entries.
2021-10-06 11:27:52 +02:00
Erik Arvstedt
0c45415c86
backups: exclude bitcoind, liquidd txindex data 2021-10-06 11:27:52 +02:00
Erik Arvstedt
b73c093d3d
joinmarket-ob-watcher: require nix-bitcoin.service
This caused failures in the tests which were ignored because
ob-watcher was expected to fail for other reasons.
2021-10-06 11:27:47 +02:00
Erik Arvstedt
c8251cdad7
onion-services: don't always enable Tor
Previously, Tor was always enabled because `cfg` was always nonempty
(via definitions at `Set sensible defaults for some services`).
Now only enable Tor if there are active onion services.

Also rename var `services` -> `onionServices` to improve readability in
section `Set getPublicAddressCmd ...` where the same name is also used for
option `config.services`.
2021-10-05 15:11:41 +02:00
Erik Arvstedt
4d5bc810eb
secrets: fix setup-secrets in case of no secrets
Previously, the glob (*) returned '*' when no files existed in the
secrets dir, leading to error `chown: cannot access '*'`.

Now `unprocessedFiles` is empty when there are no secrets.

Also remove the unneeded sorting of `unprocessedFiles` and
remove redundant leading zero in the default mode.
2021-10-04 00:33:27 +02:00
Erik Arvstedt
a92d6a8e80
netns: expose bridgeIp as an option
Previously, this variable was not accessible to other modules.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
f36df8f563
secure-node: remove redundant bitcoind settings
- `discover` is automatically disabled by bitcoind because we're
   setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype
2021-10-04 00:33:26 +02:00
Erik Arvstedt
09169365d8
liquid: remove unused features
- `hexStr` is unused
- Simplify ExecStart options
- Quote `dataDir`
- Remove unneeded `pidFile` setting
2021-10-04 00:33:26 +02:00
Erik Arvstedt
82d910e937
nbxplorer: fix bitcoind, liquidd settings
- Add nbxplorer to whitelists.
  This is recommended by the nbxplorer docs and guarantees that nbxplorer
  can always p2p-connect to bitcoind/liquidd.

- Enable bitcoind/liquidd p2p servers via `listen`.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
f61e928139
services: support 0.0.0.0/:: in address options
Previously, client services didn't decode these special INADDR_ANY
addresses and failed to connect.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
1848c3dd98
btcpayserver: minor improvements
- Quote datadir
- Extract liquidd service variable
- Move btcpayserver below liquid in modules list because it depends
  on liquid
2021-10-01 11:52:57 +02:00
Erik Arvstedt
e561637600
minor fixes
- bitcoind: Remove obsolete defaultText
- clightning: Fix description
  Option `address` can't be used to specify a socket path because it's
  used explicitly as an IP address in many places.
- lnd: Break up overlong line
  This is required by commit `services: support 0.0.0.0/:: in `address` options`
- nix-bitcoin.nix: Formatting
- secrets: Improve descriptions
2021-10-01 11:52:56 +02:00
Jonas Nick
5626558222
Merge fort-nix/nix-bitcoin#397: backups: make extraFiles list of strings
c483f1694d examples: correct localBackups scp command (nixbitcoin)
cb54891484 backups: make extraFiles list of strings (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK c483f1694d

Tree-SHA512: cb178382655e70aaf85f5930ec7a2c631c28e4c447d0b5d02d973eb73e3bd902ab091cc496d79efbfba5355b9574cb5ba6dd5a4d395b0cda4e3da715fd88d9c5
2021-09-25 10:34:51 +00:00
nixbitcoin
cb54891484
backups: make extraFiles list of strings 2021-09-24 11:38:47 +00:00
Jonas Nick
0c31130ac8
secure-node: remove default bitcoin addnode
Onion v2 addresses are incompatible with the upcoming bitcoind version.
2021-09-19 20:03:40 +00:00
Erik Arvstedt
9114ec669a
lnd: improve options formatting 2021-09-16 12:51:00 +02:00
Erik Arvstedt
c8774375d3
modules: use consistent service variables
Benefits of adding top-level variables for used services:
- Makes it obvious which other services are referenced by a service
- Less code

We already do this in many other places.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
ad97c268c6
modules: move user/group options to bottom
These are insignificant, generic options; place them above readonly options.
We already do this in other services.

Also move user/group config to bottom in spark-wallet.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
27c45b82cc
modules: move options to the top
This greatly improves readability and makes it easier to discover options.

This commit was genereated by running the following script inside the
repo root dir:

#!/usr/bin/env ruby

def transform(src)
  return false if src.include?('inherit options;')

  success = false

  options = nil
  src.sub!(/^  options.*?^  }.*?;/m) do |match|
    options = match
    "  inherit options;"
  end
  return false if !options

  src.sub!(/^with lib;\s*let\n+/m) do |match|
    success = true
    <<~EOF
      with lib;
      let
      #{options}

    EOF
  end

  success
end

Dir['modules/**/*.nix'].each do |f|
  src = File.read(f)
  if transform(src)
    puts "Changed file #{f}"
    File.write(f, src)
  end
end
2021-09-13 13:41:47 +02:00