- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
hiddenService.
- Amends hardcoded lnd ip to lnd-cert
WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
- Adds bitcoind-host, and tor-socks options to allow using with
network namespaces.
- Adds listen, rpclisten, and restlisten option to specify host on which
to listen on for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
instead of lnd to bring in line with clightning.
WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on if netns-isolation is
enabled or not.
From the clightning manpage:
autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or announce-addr options are
specified. Setting this to false disables that.
We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.
For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
systems.
- Adds security wrapper for netns-exec which allows operator to exec
with cap_sys_admin
- User can select the 169.254.N.0/24 addressblock netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
addresses
56b6ce00afa1f930719e74c1f788b72d3d1c2c34 Missing folder added to path in example (Candle)
Pull request description:
ACKs for top commit:
nixbitcoin:
ACK 56b6ce00afa1f930719e74c1f788b72d3d1c2c34
Tree-SHA512: 1f32f7b528f63218e47285cfb0b899c935312d35bb0c01e6edac0820e2324eb05f1c6803a43692fde30310c8f31e56a39d7c9dddc6ef8014817606205f34c18c
The subkey used for signing releases recently expired (which is ignored when
verifying with gpg). The primary key would expire soon. Therefore this commit
adds a key with extended expiry date of both primary key and subkey.
Remove the possible null value for bitcoind.prune and set prune = 0 in
bitcoind as a default. Remove prune = 0 in secure-node.nix and the
mkForce in configuration.nix (bitcoind.prune = lib.mkForce ).
db48ab9b6946c0222810e7e516c2271803a0c5ab services: use 'port' option type (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK db48ab9b6946c0222810e7e516c2271803a0c5ab
Tree-SHA512: 24cf0c307b40652d1275575fdf4216696890b0f7786832e7bbee9e21cf6d23d3fc35480926c475fc98c17eba668f5ee2c8c0875689e725c8ad05f2fb6b9ecd20
ccc3a70344d6beb6eba5b9e13efcda721f244f7c service hardening: add more restrictions (nixbitcoin)
3fbfa986354054493a0770f25cd3792b83031edd service hardening: replace obtuse SystemCallFilter with @system-service (nixbitcoin)
e34d1c884ed6a26ffbab523087ad57f59688b9c8 service hardening: Add PrivateUsers (nixbitcoin)
1c75543f2f6683f72c550d09bb81418be124c73e clightning: add user and group options (nixbitcoin)
5f3f36245150ad0cb79c2ed3858d13839c7037dd lnd: add strict hardening (Erik Arvstedt)
a040e5285432452af613b4b72a65e852e63c31b6 All modules: ProtectSystem = strict (nixbitcoin)
adc71b892e07ee71cece4205068d8fedbc1e4612 Remove PermissionStartOnly where possible and replace with bitcoinrpc (nixbitcoin)
91b6b2c370f5a5c4ff711b345447decb7c5e3333 All modules with preStart: Use systemd.tmpfiles.rules (nixbitcoin)
423ebf862b2cf0731ee7602fe8a26697e06fbdb4 lnd: only enable bitcoind zmqpub if lnd.enable (nixbitcoin)
81a1c3f9088f57ae9125fa6e32a04240cafb9dd3 service hardening: Add CapabilityBoundingSets (nixbitcoin)
3cd61506e021df2df3f1a170724c6f11f0d54a88 webindex & onion-chef: Run non-network-facing services in PrivateNetwork (nixbitcoin)
7c70dd43acb1fdb75d43d0bcef570e3daffeb1e4 All modules: Give service config precedence over defaultHardening (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK ccc3a70344d6beb6eba5b9e13efcda721f244f7c
jonasnick:
ACK ccc3a70344d6beb6eba5b9e13efcda721f244f7c very nice
Tree-SHA512: 069f74b11b46b17fd180e9da5328a3b9952aa90100b5077251d1e56a4d64f03ba64587adf153ddc6cf42f750c13a168f9f0fe43bc379bcd4a9f6709e635e512a
Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.
In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
b8e10afe1846548075136d953b7f01cf1fb0a45b recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101a94a4ceb8bdcaabe60f66652253a5a nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6a64b27fa834748b6fc695b7e8f4cec Remove bitcoinrpc group remnants (nixbitcoin)
563b2108356323e99d757a95ce50aca5fa2f45af spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca357677c3b186658379618c9eb2655f6167 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef14f27f196d519ff482f0d6a225f02b0 lightning-charge: add dedicated user (nixbitcoin)
e67a81829722bd6c16b1450371d13b681f6de532 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8027da906f84a1330bd11fc3ae1f0f0 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba6a128c21ebba20d83298c2c9cecbc8 clightning: remove config group read access (nixbitcoin)
04c6936ce9030e7e99aa9bfedf0a73810f550ac1 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c160adfdf64786d5e9e360967dfb678 electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db491b8eb2f128b85f69ede64bcb1531e electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d7778abf0957cbcaca443bdddb42dcce7 electrs: Make TLSProxy truly optional (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK b8e10afe1846548075136d953b7f01cf1fb0a45b
Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
