Erik Arvstedt
f36df8f563
secure-node: remove redundant bitcoind settings
...
- `discover` is automatically disabled by bitcoind because we're
setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype
2021-10-04 00:33:26 +02:00
Jonas Nick
0c31130ac8
secure-node: remove default bitcoin addnode
...
Onion v2 addresses are incompatible with the upcoming bitcoind version.
2021-09-19 20:03:40 +00:00
Erik Arvstedt
35fe939cf8
security: update /proc restriction mechanism
...
NixOS option `security.hideProcessInformation` for globally restricting
access to /proc has been removed.
Use per-service restrictions via 'ProtectProc' instead.
Rename
`nix-bitcoin.security.hideProcessInformation` to
`nix-bitcoin.security.dbusHideProcessInformation`
because this option now only implements the dbus restriction.
2021-08-14 10:46:41 +02:00
Erik Arvstedt
178a0dcf8f
services: use new 'tor' options
2021-08-14 10:46:41 +02:00
Erik Arvstedt
a25ceecca5
update to NixOS 21.05
2021-08-12 11:18:26 +02:00
nixbitcoin
3b938a909f
add hardened-extended preset
2021-04-02 10:59:09 +00:00
Jonas Nick
a4dabc7390
Remove nixops examples and documentation
2021-03-15 12:42:47 +00:00
kon
eb21012745
pool: add pkg, module & tests
2021-03-01 10:59:35 +01:00
nixbitcoin
b1c9e13033
bitcoind: secure-node remove assumevalid
2021-02-23 11:04:31 +00:00
nixbitcoin
2ca92a34a5
services: use doas if enabled
...
- Remove sudo from recurring-donations path because it's not used by
the service
- Use doas instead of sudo in secure-node.nix
2021-02-09 12:44:04 +00:00
Erik Arvstedt
a344ae95c9
move mkHiddenService to lib
2021-02-04 12:39:54 +00:00
nixbitcoin
8c125ec48c
joinmarket-obwatcher: add pkg & module
2021-01-17 17:40:12 +00:00
Erik Arvstedt
e2922eb4ce
move rpc thread count setting to lightning modules
2021-01-14 13:25:12 +01:00
Erik Arvstedt
757a66b9bd
liquid: move rpcuser definition to module
2021-01-14 13:25:11 +01:00
Erik Arvstedt
0e00c39d47
secure-node: improve layout
2021-01-14 13:25:11 +01:00
Erik Arvstedt
5f7a7962f7
backups: remove redundant option 'program'
...
Not needed until we support other backup backends.
2021-01-14 13:25:11 +01:00
Erik Arvstedt
04d8560f86
secure-node: remove qrencode, tor from systemPackages
...
Keep jq which is useful for analyzing service cli output.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
323a431aba
improve nodeinfo
...
- enable usage outside of secure-node.nix
- use json as the output format
- show ports
- also show local addresses, which is particularly useful when
netns-isolation is enabled
- only show enabled services
2021-01-14 13:25:10 +01:00
Erik Arvstedt
f6b883a9ac
remove webindex
...
This module is outdated and incomplete. We can re-add an improved version in
the future.
Move nanopos nginx proxy tests to the nanopos test.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
2a240d6f4a
enable-tor: disable default onion services for clightning, lnd, btcpayserver
...
In case of btcpayserver the default onion service is a security risk
because any visitor can register an admin account on a freshly set up node.
2021-01-14 13:25:09 +01:00
Erik Arvstedt
bd2a46cb73
spark-wallet: use onionServices
...
Also remove the unneeded definition of ReadWritePaths because the
service doesn't need write access to onion files.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
87fb9f246b
add 'enable-tor' preset
...
Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.
Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
93562f76dd
onionAddresses: remove redundant option 'enable'
...
The service can be disabled via `onion-addresses.access = mkForce {};`
Also remove redundant description.
2021-01-14 13:25:06 +01:00
Erik Arvstedt
5c6977b006
rename onion-chef -> nix-bitcoin.onionAddresses
...
This clarifies its function.
2021-01-14 13:25:05 +01:00
Erik Arvstedt
39f16c0b4a
liquidd: add consistent address options
2021-01-14 13:25:05 +01:00
Erik Arvstedt
b5d76ba1b3
electrs: add consistent address options
2021-01-14 13:25:04 +01:00
Erik Arvstedt
8fa32b7f91
btcpayserver: add consistent address options
2021-01-14 13:25:04 +01:00
Erik Arvstedt
e78a609687
clightning: add consistent address options
...
Also remove option 'autolisten'. This option has no effect because
option 'bind-addr' is always set.
2021-01-14 13:25:04 +01:00
Erik Arvstedt
b41a720c28
lnd: add consistent address options
...
Also fix btcpayserver by connecting to the lnd restAddress instead of the p2p address.
2021-01-14 13:25:03 +01:00
Erik Arvstedt
dd4a0238f9
bitcoind: group rpc options under parent option 'rpc'
2021-01-14 13:25:03 +01:00
Erik Arvstedt
5b7e0d09b2
bitcoind: add consistent address options
2021-01-14 13:25:03 +01:00
Jonas Nick
79f4723cda
lightning-charge: remove package and module
2021-01-01 19:16:46 +00:00
Jonas Nick
58de79d401
nanopos: remove package and module
2021-01-01 17:37:30 +00:00
Erik Arvstedt
c8e73c959e
fix 'hardened' profile for NixOS 20.09
...
The 'scudo' memory allocator set by the 'hardened' profile breaks some
services on 20.09.
The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052)
is ineffective on 20.09.
As a workaround, add a custom 'hardened' preset that uses the default allocator.
2020-12-18 19:56:56 +01:00
nixbitcoin
f29f04c0c4
secure-node: LND no longer requires ControlPort
...
Onion service is now generated through mkHiddenService function.
2020-11-06 08:51:23 +00:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
...
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
5e0e16529c
netns: fix default addressblock value type
...
Also remove redundant definition in secure-node.nix
2020-10-20 18:21:37 +02:00
Erik Arvstedt
480d0d3959
liquid: fix bitcoin rpc settings
...
- Remove redundant option mainchainrpchost.
This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
Enables use without secure-node.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module
2020-10-16 16:46:55 +02:00
nixbitcoin
173891fa5b
joinmarket: add module
2020-09-22 13:50:37 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion
2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module
2020-09-15 12:09:12 +00:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
...
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
...
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
...
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
...
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).
To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users
2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
...
Previously, systemd-status was broken for all users except root.
Use a 'default' deny policy, which is overridden for group 'proc'.
Add operator to group 'proc'.
Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
nixbitcoin
e4fb7a52de
backups: add module
2020-08-04 15:25:37 +00:00
nixbitcoin
e650df30d5
bitcoind: bump rpcthread count
2020-08-04 14:46:57 +00:00