Commit Graph

1276 Commits

Author SHA1 Message Date
Jonas Nick
bfe8ac972c
Merge fort-nix/nix-bitcoin#405: bitcoind: add separate p2p socket for tor connections
ec4a4dbe41 btcpayserver: fix whitelist security issue (Erik Arvstedt)
df2070b44a bitcoind: add separate p2p socket for tor connections (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ec4a4dbe41

Tree-SHA512: 457bfb5806dca65507261c1868ca89c86a39f63bd10833b7531fd74dd779816083270c8ccc95ad08a5306e9b31c440904e3cba35464d47c0d87418d0be3e732d
2021-10-21 12:17:17 +00:00
Erik Arvstedt
ec4a4dbe41
btcpayserver: fix whitelist security issue
Whitelisting localhost implicitly whitelists all inbound onion
connections. This prevents banning misbehaving inbound onion peers
and enables message `mempool` which can cause privacy leaks.

Instead, grant `download` as the single bitcoind whitelist permission, which
should be safe for onion peers.
Remove liquidd whitelisting because it doesn't support fine-grained permissions.

After a cursory glance at the nbxplorer code I think that nbxplorer
requires none of the other default whitelist permissions (noban, mempool,
relay).
Details: https://github.com/dgarage/NBXplorer/issues/344
2021-10-21 11:40:40 +02:00
Erik Arvstedt
df2070b44a
bitcoind: add separate p2p socket for tor connections
This re-enables onion tagging while still supporting untagged connections.

Onion sockets are not yet supported in the latest liquidd/elements
version 0.18.1.12 available on nixpkgs.
2021-10-21 11:40:40 +02:00
Jonas Nick
8b1b06311d
Merge fort-nix/nix-bitcoin#406: bitcoind: one-option i2p support
63836127c9 bitcoind: one-option i2p support (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 63836127c9
  jonasnick:
    utACK 63836127c9

Tree-SHA512: be7806657885ba455e7137dfc8c20ea4d58898b04db030a964aafbde1c505041a1f9e700654ad9c75ab2bb9267174bdbe84c9d7e4de63a09508b72fbd5c8f1a1
2021-10-15 11:02:09 +00:00
Jonas Nick
2250b9bcb7
Merge fort-nix/nix-bitcoin#408: joinmarket: 0.9.1 -> 0.9.2
3781a85c9b joinmarket: enable Agora as a third IRC server (nixbitcoin)
ced1637d07 joinmarket: share IRC server definitions between jm and ob-watcher (Erik Arvstedt)
59fc003ebd joinmarket: 0.9.1 -> 0.9.2 (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 3781a85c9b

Tree-SHA512: 5ec919d2291ecf96fb4ca880f3dbeabff13f2bab71822db893ebbaba1b95463666b098ccc1412a1b56f327a231e10c1f2d47feb0f520fce349ab243d398bf7b4
2021-10-15 10:58:01 +00:00
Jonas Nick
8f25bb72bd
Merge fort-nix/nix-bitcoin#407: lnd: Add TimoutStartSec
40ab4b368a add lnd TimoutSec (kon)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 40ab4b368a

Tree-SHA512: b6db4f2fd4b367c53c2a7a0b10140ac718ebf8b4d6b12e693ea1c2c3e5d2f4630d854d134268c1061c5d639169eba23b9ff3944f06bb2fa2f305838fdc617480
2021-10-15 10:57:04 +00:00
nixbitcoin
3781a85c9b
joinmarket: enable Agora as a third IRC server
2021-10-13 14:45:52 +02:00
Erik Arvstedt
ced1637d07
joinmarket: share IRC server definitions between jm and ob-watcher
Also add server name comments.
2021-10-13 14:44:36 +02:00
nixbitcoin
59fc003ebd
joinmarket: 0.9.1 -> 0.9.2
Remove "improve-genwallet" patch
2021-10-13 11:52:42 +00:00
kon
40ab4b368a
add lnd TimoutSec
2021-10-12 21:56:59 +02:00
nixbitcoin
63836127c9
bitcoind: one-option i2p support
2021-10-12 10:22:09 +00:00
Jonas Nick
06a971dfa9
Merge fort-nix/nix-bitcoin#404: Electrs 0.9.0
8938eadf0c bitcoind: don't tag all incoming connections as 'Tor' (Erik Arvstedt)
b9301ce0d9 emergency fix: lnd: 0.13.1-beta -> 0.13.3-beta (Erik Arvstedt)
265fc1911d extra-container: pin to nixpkgs-unstable (Erik Arvstedt)
75b89f3957 electrs: adapt to version 0.9.0 (Erik Arvstedt)
6f42fa8181 update nixpkgs (electrs: 0.8.11 -> 0.9.0) (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 8938eadf0c
  jonasnick:
    ACK 8938eadf0c

Tree-SHA512: 4d5dcb451e5cb50ec66121b9f9bb69bc96e45c2b2160b92f6cbc76e18d8619483a06e14fe6fa9df85d3cf6a31254953b2055229902ae861e7c1031755bc82b51
2021-10-06 15:10:34 +00:00
Erik Arvstedt
8938eadf0c
bitcoind: don't tag all incoming connections as 'Tor'
We're also accepting local, non-Tor connections.
2021-10-06 16:55:41 +02:00
Erik Arvstedt
b9301ce0d9
emergency fix: lnd: 0.13.1-beta -> 0.13.3-beta
Fixes CVE-2021-41593.
Temporarily switch to nixpkgs/master.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
265fc1911d
extra-container: pin to nixpkgs-unstable
extra-container is now part of nixpkgs.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
75b89f3957
electrs: adapt to version 0.9.0
- `waitfornewblock` was previously not included in the public RPC
  whitelist because it's reserved for testing and marked as hidden
  in bitcoind.

- electrs changed its verbosity settings. `-vv` is now the best choice
  for normal usage.

- bitcoind option `dataDirReadableByGroup` is now unused.
  Because it can be valuable for other use cases and implementing
  it is intricate, we're keeping it for now.

- test: keep `nc` connection open because otherwise the electrs
  RPC server would now close the connection before sending a response.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
6f42fa8181
update nixpkgs (electrs: 0.8.11 -> 0.9.0)
2021-10-06 15:34:24 +02:00
Jonas Nick
693c646c49
Merge fort-nix/nix-bitcoin#402: Misc. improvements
6d694a6269 backups: allow extraFiles to override default settings (Erik Arvstedt)
0c45415c86 backups: exclude bitcoind, liquidd txindex data (Erik Arvstedt)
0853dedc43 tests/regtest: don't fail when restarting bitcoind (Erik Arvstedt)
b73c093d3d joinmarket-ob-watcher: require nix-bitcoin.service (Erik Arvstedt)
27905e2c3a tests: disable restarting joinmarket-ob-watcher (Erik Arvstedt)
c8251cdad7 onion-services: don't always enable Tor (Erik Arvstedt)
3c6a664b7b examples/configuration: show how to enable sudo/doas for `operator` (Erik Arvstedt)
4d5bc810eb secrets: fix setup-secrets in case of no secrets (Erik Arvstedt)
e61c743644 test: add option `extraTestScript` (Erik Arvstedt)
2cf12d8765 README: minor fixes (Erik Arvstedt)
e57ab83a51 docs/hardware: update (Erik Arvstedt)
1b597f92a6 docs/hardware: add line breaks (Erik Arvstedt)
a92d6a8e80 netns: expose bridgeIp as an option (Erik Arvstedt)
f36df8f563 secure-node: remove redundant bitcoind settings (Erik Arvstedt)
09169365d8 liquid: remove unused features (Erik Arvstedt)
82d910e937 nbxplorer: fix bitcoind, liquidd settings (Erik Arvstedt)
f61e928139 services: support 0.0.0.0/:: in `address` options (Erik Arvstedt)
1848c3dd98 btcpayserver: minor improvements (Erik Arvstedt)
e561637600 minor fixes (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 6d694a6269
  jonasnick:
    ACK 6d694a6269

Tree-SHA512: 9a409e05e75284a27b94ef489ab0bce8bf49b50fa01e31c7c3430e388e273e7186f74794b979b625db9cd7ec2861e9933cc93e4c54139314f7f9d54d9b5f39f2
2021-10-06 13:21:56 +00:00
Erik Arvstedt
6d694a6269
backups: allow extraFiles to override default settings
By moving them to the top they take precedence over the remaining
filelist entries.
2021-10-06 11:27:52 +02:00
Erik Arvstedt
0c45415c86
backups: exclude bitcoind, liquidd txindex data
2021-10-06 11:27:52 +02:00
Erik Arvstedt
0853dedc43
tests/regtest: don't fail when restarting bitcoind
2021-10-06 11:27:52 +02:00
Erik Arvstedt
b73c093d3d
joinmarket-ob-watcher: require nix-bitcoin.service
This caused failures in the tests which were ignored because
ob-watcher was expected to fail for other reasons.
2021-10-06 11:27:47 +02:00
Erik Arvstedt
27905e2c3a
tests: disable restarting joinmarket-ob-watcher
This removes the repeated failure messages from the test log.
2021-10-05 16:45:00 +02:00
Erik Arvstedt
c8251cdad7
onion-services: don't always enable Tor
Previously, Tor was always enabled because `cfg` was always nonempty
(via definitions at `Set sensible defaults for some services`).
Now only enable Tor if there are active onion services.

Also rename var `services` -> `onionServices` to improve readability in
section `Set getPublicAddressCmd ...` where the same name is also used for
option `config.services`.
2021-10-05 15:11:41 +02:00
Erik Arvstedt
3c6a664b7b
examples/configuration: show how to enable sudo/doas for operator
This was brought up by a user on IRC.
2021-10-04 00:33:27 +02:00
Erik Arvstedt
4d5bc810eb
secrets: fix setup-secrets in case of no secrets
Previously, the glob (*) returned '*' when no files existed in the
secrets dir, leading to error `chown: cannot access '*'`.

Now `unprocessedFiles` is empty when there are no secrets.

Also remove the unneeded sorting of `unprocessedFiles` and
remove redundant leading zero in the default mode.
2021-10-04 00:33:27 +02:00
Erik Arvstedt
e61c743644
test: add option extraTestScript
This allows extending tests.py.
2021-10-04 00:33:27 +02:00
Erik Arvstedt
2cf12d8765
README: minor fixes
- `packages and dependencies are pinned`
  Reworded and moved to `Integrity`
- `most packages are built from the NixOS stable channel...`
  Removed because this is false
- `builds happen in a sandboxed environment`
  Removed because this depends on the user's local nix configuration
  and cannot be enforced by nix-bitcoin
2021-10-04 00:33:27 +02:00
Erik Arvstedt
e57ab83a51
docs/hardware: update
- Update pruning info
- Add Raspberry Pi 4
  Mentioned here: https://github.com/fort-nix/nix-bitcoin/issues/39#issuecomment-917418830
2021-10-04 00:33:27 +02:00
Erik Arvstedt
1b597f92a6
docs/hardware: add line breaks
2021-10-04 00:33:27 +02:00
Erik Arvstedt
a92d6a8e80
netns: expose bridgeIp as an option
Previously, this variable was not accessible to other modules.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
f36df8f563
secure-node: remove redundant bitcoind settings
- `discover` is automatically disabled by bitcoind because we're
   setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype
2021-10-04 00:33:26 +02:00
Erik Arvstedt
09169365d8
liquid: remove unused features
- `hexStr` is unused
- Simplify ExecStart options
- Quote `dataDir`
- Remove unneeded `pidFile` setting
2021-10-04 00:33:26 +02:00
Erik Arvstedt
82d910e937
nbxplorer: fix bitcoind, liquidd settings
- Add nbxplorer to whitelists.
  This is recommended by the nbxplorer docs and guarantees that nbxplorer
  can always p2p-connect to bitcoind/liquidd.

- Enable bitcoind/liquidd p2p servers via `listen`.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
f61e928139
services: support 0.0.0.0/:: in address options
Previously, client services didn't decode these special INADDR_ANY
addresses and failed to connect.
2021-10-04 00:33:26 +02:00
Erik Arvstedt
1848c3dd98
btcpayserver: minor improvements
- Quote datadir
- Extract liquidd service variable
- Move btcpayserver below liquid in modules list because it depends
  on liquid
2021-10-01 11:52:57 +02:00
Erik Arvstedt
e561637600
minor fixes
- bitcoind: Remove obsolete defaultText
- clightning: Fix description
  Option `address` can't be used to specify a socket path because it's
  used explicitly as an IP address in many places.
- lnd: Break up overlong line
  This is required by commit `services: support 0.0.0.0/:: in `address` options`
- nix-bitcoin.nix: Formatting
- secrets: Improve descriptions
2021-10-01 11:52:56 +02:00
Jonas Nick
e86d1ff0ff
Merge fort-nix/nix-bitcoin#399: examples: Fix shell on non-Linux systems
46af0b1a8d examples: fix shell on non-Linux systems (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 46af0b1a8d

Tree-SHA512: bc3c24c75b2d26a30f9f4f88700da8a78d8276802b47ddaf3d52097ba6ed16a7b7ca662085e2775a2cd1654b07c1759c36918ee0ab05eb90fbfeac3265576510
2021-09-27 09:14:44 +00:00
Jonas Nick
a4ac735cd3
Merge fort-nix/nix-bitcoin#396: examples: add importable-configuration.nix
2a16db6919 readme: add 'Get started' section (Erik Arvstedt)
d713e7b15c examples: add importable-configuration.nix (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 2a16db6919

Tree-SHA512: 76338cbd852503df2fa316d4fd6833ad423f166aed4ac556c6917bdf6b39610f8a62323e6bd7c9d191238bb6f6dce9e918b0b303dc80a6534497eb89cb7ec344
2021-09-27 09:11:21 +00:00
Erik Arvstedt
46af0b1a8d
examples: fix shell on non-Linux systems
extra-container is not supported on these systems.

Also mention that VM examples require Linux.
2021-09-26 23:58:46 +02:00
Erik Arvstedt
2a16db6919
readme: add 'Get started' section
Also, shorten the overview a bit by removing some redundancy:
- Remove sentence 'A Bitcoin node verifies ... network.' because
  its content is implied by the use cases (wallet, public infrastructure) mentioned in the
  following sentence.

- 'second layer public infrastructure' -> 'public infrastructure',
  because we're also serving the first layer.
2021-09-26 22:34:39 +02:00
Erik Arvstedt
d713e7b15c
examples: add importable-configuration.nix
This replaces minimal-configuration.nix.
importable-configuration.nix can be directly added to an existing
NixOS configuration. This makes it easy for users to get started quickly.
2021-09-26 22:34:39 +02:00
Jonas Nick
5626558222
Merge fort-nix/nix-bitcoin#397: backups: make extraFiles list of strings
c483f1694d examples: correct localBackups scp command (nixbitcoin)
cb54891484 backups: make extraFiles list of strings (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK c483f1694d

Tree-SHA512: cb178382655e70aaf85f5930ec7a2c631c28e4c447d0b5d02d973eb73e3bd902ab091cc496d79efbfba5355b9574cb5ba6dd5a4d395b0cda4e3da715fd88d9c5
2021-09-25 10:34:51 +00:00
nixbitcoin
c483f1694d
examples: correct localBackups scp command
2021-09-24 11:51:33 +00:00
nixbitcoin
cb54891484
backups: make extraFiles list of strings
2021-09-24 11:38:47 +00:00
Jonas Nick
c72f6b0a31
Merge fort-nix/nix-bitcoin#393: Update nixpkgs
e94e071ad6 update nixpkgs (Jonas Nick)
0c31130ac8 secure-node: remove default bitcoin addnode (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK e94e071ad6
  nixbitcoin:
    ACK e94e071ad6

Tree-SHA512: 26ece3c295db0086198aedb50ccef9689c87b7d9860ca5a09e2c8247dd259a9be6eb8e22bed17798cb901abc7de361f0d660ddebed4c2fb69a6b1f4b999d78e0
2021-09-20 15:48:56 +00:00
Jonas Nick
e94e071ad6
update nixpkgs
bitcoin: 0.21.1 -> 22.0
bitcoind: 0.21.1 -> 22.0
electrs: 0.8.10 -> 0.8.11
2021-09-19 20:07:55 +00:00
Jonas Nick
0c31130ac8
secure-node: remove default bitcoin addnode
Onion v2 addresses are incompatible with the upcoming bitcoind version.
2021-09-19 20:03:40 +00:00
Jonas Nick
020d9486dd
Merge fort-nix/nix-bitcoin#388: Modules formatting
9114ec669a lnd: improve options formatting (Erik Arvstedt)
c8774375d3 modules: use consistent service variables (Erik Arvstedt)
ad97c268c6 modules: move user/group options to bottom (Erik Arvstedt)
27c45b82cc modules: move options to the top (Erik Arvstedt)
731cf647ff modules: remove unneeded use of `options` module arg (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 9114ec669a

Tree-SHA512: 7817b33d00459b31cacedc365ec067c8162200d46d13a3c2a405eba61e014373d6be8de4cb3c270886da8b1555f86bc7909023ce20d33d3f7ec5429f5eae9d8b
2021-09-19 11:28:17 +00:00
Erik Arvstedt
9114ec669a
lnd: improve options formatting
2021-09-16 12:51:00 +02:00