Erik Arvstedt
b1a5f5e7b9
don't add service-only pkgs to systemPackages
...
These packages are not useful in shell environments.
2020-11-09 22:10:07 +01:00
Erik Arvstedt
e39ad358a4
lnd: remove unused bitcoind from PATH
2020-11-09 22:10:07 +01:00
nixbitcoin
59e128a994
joinmarket: add payjoin configuration
2020-11-06 08:51:25 +00:00
nixbitcoin
f29f04c0c4
secure-node: LND no longer requires ControlPort
...
Onion service is now generated through mkHiddenService function.
2020-11-06 08:51:23 +00:00
Erik Arvstedt
0972af55f1
netns: fix setup service restarts
2020-11-03 21:55:13 +01:00
Erik Arvstedt
63a464431b
netns: fail when netns already exists
...
Under normal circumstances, service-specific netns should never exist
before the netns setup service starts.
An existing netns is a genuine error that should not be silently ignored.
2020-11-03 21:55:13 +01:00
Erik Arvstedt
b4b607dfa5
netns: simplify firewall setup
2020-10-29 22:36:20 +01:00
Erik Arvstedt
25639cec42
netns: fix error msg when starting netns
...
Previously, the failing initial `netns delete` resulted in a
"Cannot remove namespace file ..." error visible in the journal
and status output.
2020-10-29 21:21:30 +01:00
Erik Arvstedt
67068afd6b
netns: fix error when stopping netns
...
A short time after `netns delete` finishes, the peer link in the main
netns is automatically removed.
When `link del` is run before that, it fails with
`Cannot find device "nb-veth-br-*"` and the netns service enters a failed state.
2020-10-29 21:21:30 +01:00
Erik Arvstedt
8da01fe8a6
lightning-loop: allow RPC access from main netns
...
Note that this also exposes the REST server, which is secured by
macaroon auth like the RPC server.
2020-10-29 21:21:29 +01:00
Erik Arvstedt
d76b080b74
lightning-loop: add RPC and REST server options
2020-10-29 21:21:29 +01:00
Erik Arvstedt
e66636ef0e
liquidd: use type str for rpcbind
2020-10-29 21:21:29 +01:00
Erik Arvstedt
de23fdd377
lnd: use type str for rpclisten, restlisten
2020-10-29 21:21:28 +01:00
Erik Arvstedt
8b053326cc
bitcoind: use type str for rpcbind
...
Extra RPC bind addresses can still be added via extraConfig.
2020-10-29 21:21:28 +01:00
Erik Arvstedt
6903e8afcc
netns-liquidd: allow RPC access from main netns
2020-10-29 21:21:28 +01:00
Erik Arvstedt
82f4901880
netns-lnd: allow RPC access from main netns
2020-10-29 21:21:27 +01:00
Erik Arvstedt
58d24e735d
netns-bitcoind: allow RPC access from main netns
2020-10-29 21:21:27 +01:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
...
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
0cc8caa737
lnd: only set tor.active on enforceTor
...
This also enables the test scenario 'netnsRegtest' introduced in a
later commit by fixing the following bug:
For unknown reasons, when tor.active=true and tor is not running, lnd
fails with a tor connection error on netns-isolation, but runs fine
without netns-isolation.
2020-10-29 21:21:26 +01:00
Erik Arvstedt
5e0e16529c
netns: fix default addressblock value type
...
Also remove redundant definition in secure-node.nix
2020-10-20 18:21:37 +02:00
Jonas Nick
6933b0ef47
Merge #251 : Services: Auto-enable dependencies
...
67e49fe415
services: auto-enable dependencies (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 67e49fe415
Tree-SHA512: 6e0f2e2ca4acdb7c5edd41eb3b56a9e95fc6d2ea9cfd08c1142429f88455c9d771f2f2be6339336448a289632f9768c4ae8f6c307038c5aa69c48b303043dda0
2020-10-20 11:17:10 +00:00
Erik Arvstedt
67e49fe415
services: auto-enable dependencies
2020-10-19 14:55:59 +02:00
nixbitcoin
486f385fdd
lightning-loop: 0.9.0 -> 0.10.0
...
Includes macaroon authentication
2020-10-19 08:59:14 +00:00
Jonas Nick
06cba7b519
Merge #249 : Add regtest support
...
9951f10e74
test: add scenario 'regtest' (Erik Arvstedt)
1f96ca67c5
electrs test: make service shutdown optional (Erik Arvstedt)
eb42fc8e06
test: extract test 'joinmarket-yieldgenerator' (Erik Arvstedt)
06b2ec5b02
joinmarket: add regtest support (Erik Arvstedt)
975b30c90e
joinmarket: don't hardcode bitcoind rpc port (Erik Arvstedt)
031df4231f
joinmarket: move comment out of config file (Erik Arvstedt)
848c4c6eda
joinmarket: add variable 'bitcoind' (Erik Arvstedt)
96b08f5d60
btcpayserver: add regtest support (Erik Arvstedt)
bd2145dc77
btcpayserver: add 'port' option (Erik Arvstedt)
001f8fe8d3
btcpayserver: use option bitcoind.rpc.port (Erik Arvstedt)
6f4715ac2a
electrs: add regtest support (Erik Arvstedt)
46efd141a1
lightning-loop: add regtest support (Erik Arvstedt)
75ec85bea2
lnd: add regtest support (Erik Arvstedt)
1935c252ec
lnd: remove redundant option 'bitcoind-host' (Erik Arvstedt)
b1a8629223
lnd: add variable 'bitcoind' (Erik Arvstedt)
937aee0062
spark-wallet: add regtest support (Erik Arvstedt)
47d611b5ef
spark-wallet: use tor rate provider only when enforceTor (Erik Arvstedt)
127b186c3c
spark-wallet: simplify start script (Erik Arvstedt)
0f32f3c99e
clightning: add regtest support (Erik Arvstedt)
c24ac5d363
clightning: remove redundant option 'bitcoin-rpcconnect' (Erik Arvstedt)
abd32cde30
clightning: enable config file read access for group (Erik Arvstedt)
ddadaed3da
clightning: always use bind-addr in config (Erik Arvstedt)
9e928e2097
bitcoind: add regtest support (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 9951f10e74
Tree-SHA512: 42e2d95755a16b59044e400bc4c9d891bfc22eb73b920fdcf29e607f7df88de599bec99677cf49be7c275c0113a2224a45b1f47f40c029878421eae1a44f3254
2020-10-17 13:04:27 +00:00
Erik Arvstedt
d3ece59919
add module 'versioning'
2020-10-16 23:23:00 +02:00
Erik Arvstedt
06b2ec5b02
joinmarket: add regtest support
2020-10-16 18:01:52 +02:00
Erik Arvstedt
975b30c90e
joinmarket: don't hardcode bitcoind rpc port
2020-10-16 18:01:52 +02:00
Erik Arvstedt
031df4231f
joinmarket: move comment out of config file
2020-10-16 18:01:52 +02:00
Erik Arvstedt
848c4c6eda
joinmarket: add variable 'bitcoind'
2020-10-16 18:01:52 +02:00
Erik Arvstedt
96b08f5d60
btcpayserver: add regtest support
2020-10-16 18:01:52 +02:00
Erik Arvstedt
bd2145dc77
btcpayserver: add 'port' option
2020-10-16 18:01:51 +02:00
Erik Arvstedt
001f8fe8d3
btcpayserver: use option bitcoind.rpc.port
2020-10-16 18:01:51 +02:00
Erik Arvstedt
6f4715ac2a
electrs: add regtest support
2020-10-16 18:01:51 +02:00
Erik Arvstedt
46efd141a1
lightning-loop: add regtest support
2020-10-16 18:01:51 +02:00
Erik Arvstedt
75ec85bea2
lnd: add regtest support
2020-10-16 18:01:51 +02:00
Erik Arvstedt
1935c252ec
lnd: remove redundant option 'bitcoind-host'
...
Also set bitcoind rpc port.
2020-10-16 18:01:51 +02:00
Erik Arvstedt
b1a8629223
lnd: add variable 'bitcoind'
2020-10-16 18:01:51 +02:00
Erik Arvstedt
937aee0062
spark-wallet: add regtest support
2020-10-16 18:01:50 +02:00
Erik Arvstedt
47d611b5ef
spark-wallet: use tor rate provider only when enforceTor
2020-10-16 18:01:50 +02:00
Erik Arvstedt
127b186c3c
spark-wallet: simplify start script
...
Also:
- quote paths
- use long form args
2020-10-16 18:01:50 +02:00
Erik Arvstedt
0f32f3c99e
clightning: add regtest support
2020-10-16 18:01:50 +02:00
Erik Arvstedt
c24ac5d363
clightning: remove redundant option 'bitcoin-rpcconnect'
2020-10-16 18:01:50 +02:00
Erik Arvstedt
abd32cde30
clightning: enable config file read access for group
...
Enables lightning-cli group access when nonstandard config options are set.
2020-10-16 18:01:50 +02:00
Erik Arvstedt
ddadaed3da
clightning: always use bind-addr in config
...
bind-addr can't be null.
2020-10-16 18:01:50 +02:00
Erik Arvstedt
9e928e2097
bitcoind: add regtest support
...
Remove unsupported option 'testnet'.
2020-10-16 18:01:49 +02:00
Erik Arvstedt
7d1797cec7
clightning: add option 'extraConfig'
2020-10-16 16:46:56 +02:00
Erik Arvstedt
e0117d56d1
spark-wallet: fix always-on onion-chef setting
...
Previously, the service failed when onion-service was disabled.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
480d0d3959
liquid: fix bitcoin rpc settings
...
- Remove redundant option mainchainrpchost.
This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
Enables use without secure-node.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module
2020-10-16 16:46:55 +02:00
Erik Arvstedt
2dd1a741f7
modules: group imports
2020-10-16 16:46:55 +02:00
Erik Arvstedt
36358066e4
spark-wallet: don't disable tor when onion-service is disabled
...
This fixes modules-only usage.
We can leave enabling tor and tor.client to secure-node.nix, on which
spark-wallet has a strict dependency.
2020-10-16 15:53:33 +02:00
Erik Arvstedt
24069aa2c6
electrs: add option 'monitoringPort'
2020-09-30 11:26:41 +02:00
Erik Arvstedt
611cfe5a28
electrs: remove redundant daemonrpc option
2020-09-30 11:26:41 +02:00
Erik Arvstedt
a19d3b07c2
electrs: add variable 'bitcoind'
2020-09-30 11:26:41 +02:00
Erik Arvstedt
a6dde36b87
electrs: use consistent args formatting
...
One line per arg.
2020-09-30 11:26:40 +02:00
Jonas Nick
c051544d46
Merge #234 : loop: v0.8.1 -> v0.9.0
...
a89a3e934f
test: increase diskSize (nixbitcoin)
24b506ff8a
tests: simplify lightning-loop test (nixbitcoin)
e7c5f956ea
lightning-loop: update module (nixbitcoin)
4a503f57bd
lightning-loop: v0.8.1 -> v0.9.0 (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
reACK a89a3e934f
erikarvstedt:
I think it's okay if you would just merge 24b506ff8a, which is the direct parent of the ACK'd a89a3e934f, and removing a89a3e934f itself is totally uncontroversial.
Tree-SHA512: cee2a2714c714a22c35cea0fa829b42a371540983609cda6609f4d063d849f2e725643bd77cfe78eb71665725164d63f83b6c2589be9e72ba30aaecd7c8dee6c
2020-09-29 17:53:09 +00:00
nixbitcoin
73f4275d2a
backups: add btcpayserver database
2020-09-24 17:12:08 +00:00
nixbitcoin
e7c5f956ea
lightning-loop: update module
...
* commandlineArgs -> configFile
* introduce tls certs
* loop dataDir
* fix formatting and descriptions
Warning: Manual migration of existing loop data directory necessary
2020-09-24 16:40:11 +00:00
Jonas Nick
4cf31f8612
Merge #164 : Add JoinMarket Clientserver
...
dd882753e6
joinmarket: add usage documentation (nixbitcoin)
d0701f518c
joinmarket: automatically generate wallet (nixbitcoin)
d6d3e8ff62
joinmarket: add tests (nixbitcoin)
cce27da2ec
backups: add joinmarket datadir to includelist (nixbitcoin)
173891fa5b
joinmarket: add module (nixbitcoin)
263525d724
nix-bitcoin-services: add nb-services.privileged helper (nixbitcoin)
f00d1d24c5
joinmarket: add pkg and local dependencies (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK dd882753e6
Tree-SHA512: ad7bf56314877045bc8dc6037f966535dc3607d9e941cd03d19b610ee789307eac07447df7f93569dfa3e7553e8fc6d9757bdf8542fb123c5a2e2adec8f907a2
2020-09-22 17:16:08 +00:00
Jonas Nick
36c9c39d80
Deprecate lightning-charge and nanopos
...
Because we have btcpayserver now, nanopos is not really needed any more. Nanopos
was meant to be just a PoC. Lightning charge can be removed because nanopos is
the only module that depends on it.
2020-09-22 14:05:51 +00:00
nixbitcoin
d0701f518c
joinmarket: automatically generate wallet
2020-09-22 13:50:49 +00:00
nixbitcoin
cce27da2ec
backups: add joinmarket datadir to includelist
2020-09-22 13:50:43 +00:00
nixbitcoin
173891fa5b
joinmarket: add module
2020-09-22 13:50:37 +00:00
nixbitcoin
263525d724
nix-bitcoin-services: add nb-services.privileged helper
2020-09-22 13:43:15 +00:00
nixbitcoin
3cfb9d074b
btcpayserver: sqlite -> postgresql
2020-09-17 10:17:33 +00:00
nixbitcoin
f93c3c8405
backups: add nbxplorer and btcpayserver datadir to includelist
2020-09-15 12:09:33 +00:00
nixbitcoin
605b37c16e
nodeinfo: add btcpayserver onion
2020-09-15 12:09:31 +00:00
nixbitcoin
15b574faa7
nbxplorer/btcpayserver: add module
2020-09-15 12:09:12 +00:00
nixbitcoin
46d681a17e
lnd: generate custom macaroons
...
Create new `macaroon` option that allows any module to place its own
custom macaroon in the lnd RuntimeDirectory `/run/lnd`.
2020-09-15 12:09:02 +00:00
Erik Arvstedt
6f032e3c40
lnd: fix mnemonic file access vulnerability
...
Previously, the file was readable by 'other' for a short time after
creation.
2020-09-15 12:09:00 +00:00
nixbitcoin
b97584f5cb
netns: allow return traffic to outgoing connections
2020-09-15 12:08:58 +00:00
Erik Arvstedt
9d610991be
bitcoind: remove custom rpc user names
...
Simpler.
We've just removed option 'bitcoind.rpcuser', so we can also remove the
old name 'bitcoinrpc'.
2020-08-27 11:39:26 +02:00
Erik Arvstedt
1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled
...
It's not immediately clear why rpcuser/rpcpassword are needed in addition to the rpcauth
config entries.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
4790c601a1
bitcoind: move rpc user config to bitcoind
...
This enables modules-only usage.
The privileged user is needed by bitcoind (cli), the public user is
needed by other services.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile'
...
This allows adding additional rpc users without the need for
user-specific code in preStart.
2020-08-26 22:52:47 +02:00
Erik Arvstedt
59434e79f0
bitcoind: simplify default rpc user name config
2020-08-26 21:16:32 +02:00
Erik Arvstedt
205829b91f
bitcoind: remove whitespace
2020-08-26 21:16:32 +02:00
Erik Arvstedt
91ebc2d517
netns-exec: simplify installation
2020-08-25 14:53:12 +02:00
Erik Arvstedt
809e754851
netns: improve bridge setup
...
- Explain why we don't use option `networking.bridges`
- Make the bridge setup service part of NixOS' network-setup.service.
This yields no noticeable functional changes for now, but it's
conceptually cleaner to finish the network setup before network.target
becomes active.
- Add 'nb-' prefix to service name
2020-08-25 14:53:12 +02:00
Erik Arvstedt
b7450877a0
netns: rename bridge peer devices br-nb-veth* -> nb-veth-br*
...
This ensures a consistent 'nb-' namespace and simplifies the
dhcpcd.denyInterfaces rules.
Also rename vethName -> veth.
2020-08-25 14:53:12 +02:00
Erik Arvstedt
8bfb7bb2f8
netns: rename bridge br0 -> nb-br
...
br0 has a high risk of name clashes when nix-bitcoin is used as part of a
larger config.
Use a more specific name.
2020-08-25 14:53:08 +02:00
Erik Arvstedt
32e70a7516
netns: move webindex config for modules-only usage
...
webindex is only available in secure-node.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
121301337b
netns: add option 'allowedUser' for modules-only usage
...
The dependency on secure-node.nix prevented using nix-bitcoin by just
importing modules.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
9715134f06
netns: don't repeat cli definitions
...
1. Saves some code.
2. Guarantees that the netns and no-netns cli defs are always in sync.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
e385c73256
netns: separate implementation and service configs
...
This greatly improves clarity.
Especially the bitcoind-import-banlist.serviceConfig definition was out
of place.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
d0b8d77de2
netns: remove conditionals for service settings
...
Going without the conditionals (like in secure-node.nix) adds
readability and doesn't reduce evaluation performance (in fact, it
even slightly improves performance due to implementation details
of mkIf).
To avoid errors, remove use of disabled services in secure-node.nix and
nix-bitcoin-webindex.nix.
2020-08-25 11:40:27 +02:00
Erik Arvstedt
0f0f6ddbb9
netns: add comment about undesirable algorithmic complexity
...
We don't want to be Accidentally Quadratic™
2020-08-25 11:40:26 +02:00
Erik Arvstedt
a3ae8668e6
netns: use map instead of concatMap
2020-08-25 11:40:26 +02:00
Erik Arvstedt
b7fc819be5
netns: consistent var naming
...
n is used elsewhere in similar contexts.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
5a81693ef3
netns: add range check for netns ids
2020-08-25 11:40:26 +02:00
Erik Arvstedt
74f1610668
netns: clarify addressblock description
2020-08-25 11:40:26 +02:00
Erik Arvstedt
4eb92df08c
netns: remove redundant filter
...
The 'availableNetns' connection matrix only consists of enabled entries,
so no extra filtering is needed.
Reason: availableNetns starts with the filtered 'base' and is then symmetrised.
2020-08-25 11:40:26 +02:00
Erik Arvstedt
50de54aef1
netns: remove empty connections defs
...
Like in the netns definition for bitcoind.
2020-08-25 11:40:26 +02:00
Jonas Nick
0f1f105948
Merge #225 : Fix process info restriction
...
44de5064cd
security: don't restrict process info by default for module users (Erik Arvstedt)
a36789b468
test: move security tests to separate function (Erik Arvstedt)
588a0b2405
security: enable full systemd-status for group 'proc' (Erik Arvstedt)
96ea2e671c
security: simplify and fix dbus configuration (Erik Arvstedt)
343e026030
rename dbus.nix -> security.nix (Erik Arvstedt)
7367446761
test: rename assert_matches_exactly -> assert_full_match (Erik Arvstedt)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 44de5064cd
Tree-SHA512: f782cfdc81b5d6b3da968d0221bd54420791a9f5cd89cde9e62d6d04882d921b5efe9046d975133587b5c2d711c47133b3a5a2351940899a90a28bf16218a7ad
2020-08-24 14:56:05 +00:00
Jonas Nick
322ba5bfff
Add nix-bitcoin.lib for utility functions and types
2020-08-20 21:31:24 +00:00
Erik Arvstedt
44de5064cd
security: don't restrict process info by default for module users
2020-08-20 13:12:07 +02:00
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
...
Previously, systemd-status was broken for all users except root.
Use a 'default' deny policy, which is overridden for group 'proc'.
Add operator to group 'proc'.
Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
96ea2e671c
security: simplify and fix dbus configuration
...
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.
Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.
Also, add some comments.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
343e026030
rename dbus.nix -> security.nix
...
This file has a broader scope than just configuring dbus.
2020-08-20 13:12:06 +02:00
nixbitcoin
e4fb7a52de
backups: add module
2020-08-04 15:25:37 +00:00