Commit Graph

723 Commits

Author SHA1 Message Date
Jonas Nick
e13c532dbf
tests: move common code of scenarios python scripts to the top 2020-08-02 20:59:11 +00:00
Jonas Nick
0baeb2acce
Merge #209: Lightning loop
e9204946d4 lightning-loop: add tests (nixbitcoin)
491d83a658 lightning-loop: add module (nixbitcoin)
8f3588b13f lnd: higher attempt limit for less-powerful machines (nixbitcoin)
1bb801ad7b lightning-loop: add pkg (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e9204946d4

Tree-SHA512: cc8bb85978350dd530c3c8d2c9aca5ddc4ab1f72cdd27d031bb303eca1d9473f18e45bc119c62bb2991faa32b3e1d42e4439f02a56ab3a6b975b0bd491195604
2020-07-28 20:02:12 +00:00
Jonas Nick
9e453bab86
Merge #202: RPC Whitelist
5086fc3234 bitcoin: drive-by prune fix (nixbitcoin)
21c0fb440d rpcwhitelist: add feature test (nixbitcoin)
1bf45a9547 bitcoind: add rpcwhitelist feature (nixbitcoin)
5a978a2836 bitcoind: switch from rpcpassword to rpcauth (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 5086fc3234

Tree-SHA512: f456f3409b3bc22dc9ad1296fa00f7e8a442b4072cd4deda067bf2f951eb7d4302283b816ebf769abaa7017e26b19b734f66604cd435d99b810ce535735f7c08
2020-07-28 17:38:07 +00:00
nixbitcoin
e9204946d4
lightning-loop: add tests 2020-07-28 15:55:54 +00:00
nixbitcoin
491d83a658
lightning-loop: add module 2020-07-28 15:55:52 +00:00
nixbitcoin
8f3588b13f
lnd: higher attempt limit for less-powerful machines
Opening main database sometimes takes longer than 50 ExecStartPost
restPort connection attempts.
2020-07-28 15:55:50 +00:00
nixbitcoin
1bb801ad7b
lightning-loop: add pkg 2020-07-28 15:55:48 +00:00
nixbitcoin
5086fc3234
bitcoin: drive-by prune fix 2020-07-28 14:32:54 +00:00
nixbitcoin
21c0fb440d
rpcwhitelist: add feature test 2020-07-28 14:32:52 +00:00
nixbitcoin
1bf45a9547
bitcoind: add rpcwhitelist feature
Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
2020-07-28 14:32:50 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
Jonas Nick
272b8568e7
Merge #213: Fix systemd leak
6a8e29e016 tests: add dbus-hardening and hideProcessInformation (nixbitcoin)
0248e6493f systemd: lock down systemctl status (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 6a8e29e016

Tree-SHA512: 1ee8ce42f71e1a8977f5a84053b10f5f7f56da395d4f801447d2d344540640fc496ef0ff341cb32ca92ac064d43d04f118bf580c42d31022e6ed84815b8f72c6
2020-07-28 12:58:07 +00:00
nixbitcoin
6a8e29e016
tests: add dbus-hardening and hideProcessInformation 2020-07-28 11:37:16 +00:00
nixbitcoin
0248e6493f
systemd: lock down systemctl status
Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
2020-07-28 11:28:09 +00:00
Jonas Nick
6e694890eb
Merge #203: Remove electrs tls
6365412312 test-script: remove nginx tls proxy test (nixbitcoin)
4dbc348921 electrs: remove TLSProxy (nixbitcoin)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 079a0c892f8e25d6ba0267cc99022550f4cfe74bad3f9270733ecda09350595a11aec8d40b89df6e6ad7cca1e26b7e480a265bf6e2d01d0fe912ca3ece00f655
2020-07-21 15:04:22 +00:00
nixbitcoin
6365412312
test-script: remove nginx tls proxy test 2020-07-21 13:58:32 +00:00
nixbitcoin
4dbc348921
electrs: remove TLSProxy
https://github.com/spesmilo/electrum/issues/5278 was resolved
2020-07-21 13:41:03 +00:00
Jonas Nick
6856b8cb42
Merge #210: bitcoind: postStart wait until bitcoind can receive rpc calls
02853067a1 bitcoind: postStart wait until bitcoind can receive rpc calls (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 02853067a1

Tree-SHA512: 601b04957a26853c04d768b074006f0716edb131698afde2afb94cb0c862dddb745b93ef39ed014f95a01545eb60d370fd82201d0a898c7dac4c19622d25dafe
2020-07-21 13:26:51 +00:00
nixbitcoin
02853067a1
bitcoind: postStart wait until bitcoind can receive rpc calls 2020-07-21 13:23:07 +00:00
Jonas Nick
aad0fe6e45
Merge #187: Network Namespaces
681728294b tests: run scenarios as multiple Travis jobs (nixbitcoin)
43ce847e2b tests: allow running integration tests with different configurations (nixbitcoin)
8783f38fba tests: add netns to testing framework (nixbitcoin)
25adce29e5 secure-node: only mkHiddenServices if services are enabled (nixbitcoin)
c542b92e55 nginx: add netns (nixbitcoin)
ef89607704 recurring-donations: add netns (nixbitcoin)
582cb86d74 nanopos: add netns (nixbitcoin)
7369f0a7ec lightning-charge: add netns (nixbitcoin)
c4ab73d51f spark-wallet: add netns (nixbitcoin)
d6296acaba electrs: add netns (nixbitcoin)
c0b02ac93a liquid: add netns cli script (nixbitcoin)
672a416ede liquidd: add netns (nixbitcoin)
4b8ca52647 lnd: add netns cli script (nixbitcoin)
c55296433d lnd: add netns (nixbitcoin)
f3d2aaa5d4 lnd: prepare for netns and bring in line with clightning (nixbitcoin)
3c0c446547 clightning: add netns (nixbitcoin)
ae1230e13b clightning: remove bitcoin-rpcuser option (nixbitcoin)
65b5dab3d4 clightning: add announce-tor (nixbitcoin)
515aae2825 bitcoind: add netns and nonetns cli scripts (nixbitcoin)
75ca6f186c bitcoind: add netns (nixbitcoin)
e5e07b91f7 netns-isolation: netns architecture (nixbitcoin)
4a7199a3da netns-exec: add c program to execute commands in netns (Jonas Nick)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 681728294b

Tree-SHA512: 53083067dd94bfb38d06e9b7f0d2deaeb1b95067dc0c6e50d07073405ff5270de54fa56761e861d23eb0f0a9457f0e1e2c46ed71d732c0cfbaa09b6d425e0691
2020-07-21 12:05:50 +00:00
nixbitcoin
681728294b
tests: run scenarios as multiple Travis jobs 2020-07-21 09:39:01 +00:00
nixbitcoin
43ce847e2b
tests: allow running integration tests with different configurations 2020-07-21 09:38:59 +00:00
nixbitcoin
8783f38fba
tests: add netns to testing framework 2020-07-21 09:38:57 +00:00
nixbitcoin
25adce29e5
secure-node: only mkHiddenServices if services are enabled 2020-07-21 09:38:55 +00:00
nixbitcoin
c542b92e55
nginx: add netns
- Adds nginx to netns-isolation.services
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:53 +00:00
nixbitcoin
ef89607704
recurring-donations: add netns
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
  services
- Removes torsocks dependency in favor of `curl --socks-hostname`
2020-07-21 09:38:51 +00:00
nixbitcoin
582cb86d74
nanopos: add netns
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
  services
- Adds charged-url option to allow using nanopos with network
  namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
2020-07-21 09:38:49 +00:00
nixbitcoin
7369f0a7ec
lightning-charge: add netns
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
  services
- Adds extraArgs option to allow using lightning-charge with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:47 +00:00
nixbitcoin
c4ab73d51f
spark-wallet: add netns
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
2020-07-21 09:38:45 +00:00
nixbitcoin
d6296acaba
electrs: add netns
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
  electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:43 +00:00
nixbitcoin
c0b02ac93a
liquid: add netns cli script 2020-07-21 09:38:41 +00:00
nixbitcoin
672a416ede
liquidd: add netns
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
  liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
2020-07-21 09:38:39 +00:00
nixbitcoin
4b8ca52647
lnd: add netns cli script 2020-07-21 09:38:37 +00:00
nixbitcoin
c55296433d
lnd: add netns
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
  hiddenService.
- Amends hardcoded lnd ip to lnd-cert

WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
2020-07-21 09:38:35 +00:00
nixbitcoin
f3d2aaa5d4
lnd: prepare for netns and bring in line with clightning
- Adds bitcoind-host, and tor-socks options to allow using with
  network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
  to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
  instead of lnd to bring in line with clightning.

WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
2020-07-21 09:38:32 +00:00
nixbitcoin
3c0c446547
clightning: add netns
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
  namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
  enabled or not.
2020-07-21 09:38:30 +00:00
nixbitcoin
ae1230e13b
clightning: remove bitcoin-rpcuser option
Simplifies the clightning module.
2020-07-21 09:38:28 +00:00
nixbitcoin
65b5dab3d4
clightning: add announce-tor
From the clightning manpage:

autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or  announce-addr options  are
specified. Setting this to false disables that.

We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.

For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
2020-07-21 09:38:26 +00:00
nixbitcoin
515aae2825
bitcoind: add netns and nonetns cli scripts
nonetns script needed for bitcoind-import-banlist
2020-07-21 09:38:24 +00:00
nixbitcoin
75ca6f186c
bitcoind: add netns
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
  network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
2020-07-21 09:38:22 +00:00
nixbitcoin
e5e07b91f7
netns-isolation: netns architecture
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
  configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
  systems.
- Adds security wrapper for netns-exec which allows operator to exec
  with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
  addresses
2020-07-21 09:38:20 +00:00
Jonas Nick
4a7199a3da
netns-exec: add c program to execute commands in netns
c program allows executing commands in nb-bitcoind, nb-lnd, nb-liquidd
(the netns's needed for operator cli scripts).
2020-07-21 09:38:16 +00:00
Jonas Nick
5bb9aa5d6d
Merge #201: Update: nixpkgs and elementsd
ae364a68ad hwi: 1.0.3 -> 1.1.2 (nixbitcoin)
fe6e118bb3 elementsd: 0.18.1.3 -> 0.18.1.8 (nixbitcoin)
5ca58a2a26 nixpkgs: update stable and unstable (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ae364a68ad

Tree-SHA512: b8eb4be1ae6496586acb3d0635d6dea676f029a85f17512dccab280aaf3135fccf0455feaf17517e54af85aa5bf92d13df3194ba8893d7c7631d089b9b208b8d
2020-07-19 19:27:11 +00:00
nixbitcoin
ae364a68ad
hwi: 1.0.3 -> 1.1.2
hidapi needed to be added as a custom dependency to be able to build
from unstable.
2020-07-19 13:52:46 +00:00
nixbitcoin
fe6e118bb3
elementsd: 0.18.1.3 -> 0.18.1.8
Also includes `get-sha256.sh` to easily determine verified sha256's
2020-07-19 12:15:39 +00:00
nixbitcoin
5ca58a2a26
nixpkgs: update stable and unstable
Includes bitcoin 0.20.0 and lnd 0.10.3
2020-07-19 12:15:33 +00:00
Jonas Nick
b2d6f0929b
Merge #208: Missing folder added to path in example
56b6ce00af Missing folder added to path in example (Candle)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 56b6ce00af

Tree-SHA512: 1f32f7b528f63218e47285cfb0b899c935312d35bb0c01e6edac0820e2324eb05f1c6803a43692fde30310c8f31e56a39d7c9dddc6ef8014817606205f34c18c
2020-07-10 07:03:49 +00:00
Candle
56b6ce00af
Missing folder added to path in example 2020-07-09 14:51:16 +00:00
Jonas Nick
5563a9e10b
Merge #205: Update jonasnick's gpg key
d63bbd07b7 Update jonasnick's gpg key (Jonas Nick)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK d63bbd07b7

Tree-SHA512: 67f8b8ce434cadb760745266b41eb1441487f4176b9d6b3f98ecfc3e2d059ffe709cc1c3c07a0641448c3c2faaf813352abcc35cd831f95abbf5899a92ee772d
2020-07-08 12:16:55 +00:00
Jonas Nick
d63bbd07b7
Update jonasnick's gpg key
The subkey used for signing releases recently expired (which is ignored when
verifying with gpg). The primary key would expire soon. Therefore this commit
adds a key with extended expiry date of both primary key and subkey.
2020-07-08 12:03:57 +00:00