Commit Graph

63 Commits

Author SHA1 Message Date
Erik Arvstedt
f61e928139
services: support 0.0.0.0/:: in address options
Previously, client services didn't decode these special INADDR_ANY
addresses and failed to connect.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
c8774375d3
modules: use consistent service variables
Benefits of adding top-level variables for used services:
- Makes it obvious which other services are referenced by a service
- Less code

We already do this in many other places.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
ad97c268c6
modules: move user/group options to bottom
These are insignificant, generic options; place them above readonly options.
We already do this in other services.

Also move user/group config to bottom in spark-wallet.
2021-09-13 13:41:47 +02:00
Erik Arvstedt
27c45b82cc
modules: move options to the top
This greatly improves readability and makes it easier to discover options.

This commit was generated by running the following script inside the
repo root dir:

```ruby
#!/usr/bin/env ruby

def transform(src)
  # Skip files that have already been transformed.
  return false if src.include?('inherit options;')

  success = false

  # Cut the `options = { ... };` block out of the module body,
  # leaving `inherit options;` in its place.
  options = nil
  src.sub!(/^  options.*?^  }.*?;/m) do |match|
    options = match
    "  inherit options;"
  end
  return false if !options

  # Re-insert the options block at the top, right after `with lib; let`.
  src.sub!(/^with lib;\s*let\n+/m) do |match|
    success = true
    <<~EOF
      with lib;
      let
      #{options}

    EOF
  end

  success
end

Dir['modules/**/*.nix'].each do |f|
  src = File.read(f)
  if transform(src)
    puts "Changed file #{f}"
    File.write(f, src)
  end
end
```
2021-09-13 13:41:47 +02:00
Erik Arvstedt
a2466b1127
secrets: allow extending generate-secrets
`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependent on the node configuration.
2021-09-12 11:29:54 +02:00
Erik Arvstedt
a8a8b9ce4d
backups: backup NixOS uid, gid mappings
Now that service uid, gid mappings are included in the backups, along
with the service data dirs, we can remove 'chown -R' for
clightning and liquidd data dirs.

Note that we used 'chown -R' only for these two services, while this
approach would have been relevant for all services with data dirs.
2021-08-15 22:40:35 +02:00
Erik Arvstedt
178a0dcf8f
services: use new 'tor' options 2021-08-14 10:46:41 +02:00
Erik Arvstedt
e44f78ebb8
services: set isSystemUser for service users
'isSystemUser' has to be explicitly set in NixOS 21.05.
Previously, it was the implicit default.
2021-08-14 10:46:40 +02:00
nixbitcoin
b24c14ec61
liquidd: make regtest capable 2021-08-10 10:04:22 +00:00
Erik Arvstedt
020433cec6
services: add helper fn setAllowedIPAddresses
Also use 'allowLocalIPAddresses' instead of 'allowTor' in bitcoind-import-banlist
which doesn't use Tor.
2021-03-22 13:20:45 +01:00
nixbitcoin
4e9059dc07
bitcoind: rename group bitcoinrpc -> bitcoinrpc-public
This makes it clear that services with this group can only use
public RPC calls.
2021-02-18 10:42:21 +00:00
nixbitcoin
e873326bfe
modules: use user & group options
I've tried my best to locate all uses of hardcoded usernames, but it's
not guaranteed that all have been found/fixed.
2021-02-17 11:50:25 +00:00
Erik Arvstedt
a43534dda0
services: improve config file setup
- btcpayserver, nbxplorer: Add quotes to the
  dataDir arg. (dataDir can contain spaces.)

- clightning, liquidd: use 'install'
2021-02-07 22:42:22 +01:00
Erik Arvstedt
7458350108
treewide: remove deprecated types.loaOf 2021-02-07 22:41:31 +01:00
Erik Arvstedt
7a97304f13
treewide: remove unit descriptions
Systemd's `Description` option is a misnomer (as confessed by `man systemd.unit`):
Its value is used by user-facing tools in place of the unit file name, so this option
could have been more aptly named `label` or `name`.
`Description` should only be set if the unit file name is not sufficient for naming a unit.
This is not the case for our services, except for `systemd.services.nb-netns-bridge`
whose description has been kept.

As an example of how this affects users, weird journal lines like
```
nb-test systemd[1]: Starting Run clightningd...
```
are now replaced by
```
nb-test systemd[1]: Starting clightning.service...
```
2021-02-07 22:41:31 +01:00
Erik Arvstedt
a942177ecf
treewide: remove user descriptions
User descriptions are stored in the `comment` field in /etc/passwd.
In our case, these are completely redundant and don't add any useful information.
2021-02-07 22:41:30 +01:00
Erik Arvstedt
4f6ff408ef
treewide: remove unneeded string literals 2021-02-07 22:41:29 +01:00
Erik Arvstedt
e6a6c721c1
treewide: streamline 'extraConfig' descriptions 2021-02-07 22:40:11 +01:00
Erik Arvstedt
a26ed03d77
rename nix-bitcoin-services.nix -> lib.nix 2021-02-04 12:39:48 +00:00
Erik Arvstedt
352fc4e8fe
liquid: remove insecure and redundant option 'rpcpassword' 2021-01-14 13:25:11 +01:00
Erik Arvstedt
757a66b9bd
liquid: move rpcuser definition to module 2021-01-14 13:25:11 +01:00
Erik Arvstedt
39f16c0b4a
liquidd: add consistent address options 2021-01-14 13:25:05 +01:00
Erik Arvstedt
5b7e0d09b2
bitcoind: add consistent address options 2021-01-14 13:25:03 +01:00
Erik Arvstedt
f1681f5b45
add option nix-bitcoin.pkgs, remove overlay
This works around a nixpkgs bug where overlays are ignored in containers.
2020-11-09 22:10:07 +01:00
Erik Arvstedt
e66636ef0e
liquidd: use type str for rpcbind 2020-10-29 21:21:29 +01:00
Erik Arvstedt
8b053326cc
bitcoind: use type str for rpcbind
Extra RPC bind addresses can still be added via extraConfig.
2020-10-29 21:21:28 +01:00
Erik Arvstedt
6903e8afcc
netns-liquidd: allow RPC access from main netns 2020-10-29 21:21:28 +01:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
67e49fe415
services: auto-enable dependencies 2020-10-19 14:55:59 +02:00
Erik Arvstedt
480d0d3959
liquid: fix bitcoin rpc settings
- Remove redundant option mainchainrpchost.
  This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
  Enables use without secure-node.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module 2020-10-16 16:46:55 +02:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
2020-08-25 11:40:27 +02:00
practicalswift
df89ceed39
Fix typos 2020-08-04 13:32:06 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
nixbitcoin
c0b02ac93a
liquid: add netns cli script 2020-07-21 09:38:41 +00:00
nixbitcoin
672a416ede
liquidd: add netns
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
  liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
2020-07-21 09:38:39 +00:00
Jonas Nick
16e602e2b5
Merge #190: services: use 'port' option type
db48ab9b69 services: use 'port' option type (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK db48ab9b69

Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
2020-06-05 20:40:57 +00:00
Erik Arvstedt
db48ab9b69
services: use 'port' option type 2020-06-02 17:31:28 +02:00
nixbitcoin
a040e52854
All modules: ProtectSystem = strict
Add ReadWritePaths in all modules, except lnd which has ProtectSystem =
full.
2020-05-22 15:47:01 +00:00
nixbitcoin
adc71b892e
Remove PermissionsStartOnly where possible and replace with bitcoinrpc
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)

Give reason for PermissionsStartOnly in lightning-charge

Replace PermissionsStartOnly in clightning, electrs and liquid
2020-05-22 15:04:49 +00:00
nixbitcoin
91b6b2c370
All modules with preStart: Use systemd.tmpfiles.rules
This is NixOS' recommended way to set up service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this change's scope.
2020-05-22 14:54:39 +00:00
nixbitcoin
7c70dd43ac
All modules: Give service config precedence over defaultHardening
With '//' the latter takes precedence over the former in case of
equally named attributes.
2020-05-22 08:08:27 +00:00
nixbitcoin
159f551b93
Remove bitcoin, clightning, electrs, liquid user home directory 2020-04-26 14:08:08 +02:00
Erik Arvstedt
37b2faf63c
move systemPackages definitions to services
These are generally useful and shouldn't be limited to secure-node.nix.

Also, only add the hardware-wallets group when hardware wallets are enabled.
2020-04-08 17:35:14 +02:00
Erik Arvstedt
826245484e
make secrets dir location configurable
Users of the nix-bitcoin modules shouldn't be forced to add an extra
dir under root.
The secrets location is unchanged for the default node config.
2020-01-13 00:25:12 +01:00
Erik Arvstedt
b1e13e9415
simplify secrets file format
Each secret file to be deployed is now backed by one local file.
This simplifies 'setup-secrets' and the secret definitions.
Also, with the old format it was not possible to add new secrets
to secrets.nix in a simple way.

Old secrets are automatically converted to the new format when running
nix-shell.

Using the new option 'nix-bitcoin.secrets', secrets are now directly
defined by the services that use them.
2020-01-13 00:25:11 +01:00
Erik Arvstedt
14ecb5511a
liquid: add cli option 2020-01-12 20:02:02 +01:00
Erik Arvstedt
f0a36fe0c7
add 'nix-bitcoin-services' option
1. Makes the content easily accessible for module users
2. Avoids needlessly recalculating the attrset in every client module
2020-01-12 20:02:00 +01:00
Erik Arvstedt
760da232e0
add nix-bitcoin pkgs namespace
Not polluting the main pkgs namespace with internal pkgs makes it
easier to integrate the nix-bitcoin modules into a larger config.

Also, by overriding the nix-bitcoin namespace, users can now easily set the
packages used by services that offer no explicit `package` option, like `clightning`.
2020-01-09 10:43:30 +01:00
Erik Arvstedt
3b842e5fe7
add nix-bitcoin-secrets.target
Remove use of nixops-specific 'keys' group and key services.
Instead:
- Add nix-bitcoin-secrets.target, which should be required by all
  units that depend on secrets. (To keep it simple, it's okay to meet
  the secrets dependency indirectly by e.g. depending on bitcoind.)

  Various secret deployment methods can use this target by
  setting up the secrets before activating the target.
  In case of nixops we just specify that nixops' keys.target comes
  before nix-bitcoin-secrets.target.

  If the target is left undefined in the case of manual secrets
  deployment, systemd will simply ignore unit dependencies on
  the target.

- Allow all users to access the secrets dir.
  The access protection for the individual secret files is unchanged.
  This allows us to drop the unit dependency on the nixops 'keys' group.
2020-01-09 10:43:29 +01:00