Commit Graph

830 Commits

Author SHA1 Message Date
nixbitcoin
d99ccc8445
clightning: add bindport option 2020-08-04 12:42:57 +00:00
Jonas Nick
b6179639fe
Merge #215: Improve abstraction in test scenarios
4ece2da8db tests: move nginx check in scenarios lib (Jonas Nick)
5c0170c6b8 tests: add post-clightning extra tests to scenarios (Jonas Nick)
5fa0602a18 tests: add extra_tests argument to scenario lib run_tests() (Jonas Nick)
6f9349b0a4 tests: create run_tests() function in the scenario lib (Jonas Nick)
3d2b366156 tests: move common code in tests to lib (Jonas Nick)
e13c532dbf tests: move common code of scenarios python scripts to the top (Jonas Nick)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 4ece2da8db

Tree-SHA512: 72893ff186915dd1b1439f2a81bc75d3618f89ee21f1229448cabaced6ca10c244705a74e9f4e6f8825691df9cd351a6dc9e142ec87ecab8ee17a17e78c72292
2020-08-04 12:42:16 +00:00
Jonas Nick
4ece2da8db
tests: move nginx check in scenarios lib 2020-08-04 12:17:47 +00:00
Jonas Nick
5c0170c6b8
tests: add post-clightning extra tests to scenarios 2020-08-04 12:17:47 +00:00
Jonas Nick
5fa0602a18
tests: add extra_tests argument to scenario lib run_tests() 2020-08-04 12:17:47 +00:00
Jonas Nick
6f9349b0a4
tests: create run_tests() function in the scenario lib 2020-08-02 21:20:51 +00:00
Jonas Nick
3d2b366156
tests: move common code in tests to lib 2020-08-02 21:12:45 +00:00
Jonas Nick
e13c532dbf
tests: move common code of scenarios python scripts to the top 2020-08-02 20:59:11 +00:00
Jonas Nick
0baeb2acce
Merge #209: Lightning loop
e9204946d4 lightning-loop: add tests (nixbitcoin)
491d83a658 lightning-loop: add module (nixbitcoin)
8f3588b13f lnd: higher attempt limit for less-powerful machines (nixbitcoin)
1bb801ad7b lightning-loop: add pkg (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e9204946d4

Tree-SHA512: cc8bb85978350dd530c3c8d2c9aca5ddc4ab1f72cdd27d031bb303eca1d9473f18e45bc119c62bb2991faa32b3e1d42e4439f02a56ab3a6b975b0bd491195604
2020-07-28 20:02:12 +00:00
Jonas Nick
9e453bab86
Merge #202: RPC Whitelist
5086fc3234 bitcoin: drive-by prune fix (nixbitcoin)
21c0fb440d rpcwhitelist: add feature test (nixbitcoin)
1bf45a9547 bitcoind: add rpcwhitelist feature (nixbitcoin)
5a978a2836 bitcoind: switch from rpcpassword to rpcauth (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 5086fc3234

Tree-SHA512: f456f3409b3bc22dc9ad1296fa00f7e8a442b4072cd4deda067bf2f951eb7d4302283b816ebf769abaa7017e26b19b734f66604cd435d99b810ce535735f7c08
2020-07-28 17:38:07 +00:00
nixbitcoin
e9204946d4
lightning-loop: add tests 2020-07-28 15:55:54 +00:00
nixbitcoin
491d83a658
lightning-loop: add module 2020-07-28 15:55:52 +00:00
nixbitcoin
8f3588b13f
lnd: higher attempt limit for less-powerful machines
Opening main database sometimes takes longer than 50 ExecStartPost
restPort connection attempts.
2020-07-28 15:55:50 +00:00
nixbitcoin
1bb801ad7b
lightning-loop: add pkg 2020-07-28 15:55:48 +00:00
nixbitcoin
5086fc3234
bitcoin: drive-by prune fix 2020-07-28 14:32:54 +00:00
nixbitcoin
21c0fb440d
rpcwhitelist: add feature test 2020-07-28 14:32:52 +00:00
nixbitcoin
1bf45a9547
bitcoind: add rpcwhitelist feature
Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
2020-07-28 14:32:50 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
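Added example (Python; not nix-bitcoin's or Bitcoin Core's own code) covering the two commits above. It reproduces the `rpcauth=<user>:<salt>$<hmac>` format that bitcoind's `share/rpcauth` emits (16 random salt bytes as hex, HMAC-SHA256 keyed with that hex string over the password) and the check bitcoind performs on each request, then models the `rpcwhitelist` / `rpcwhitelistdefault` decision as documented for Bitcoin Core: several `rpcwhitelist` lines for one user are set-intersected, and `rpcwhitelistdefault` defaults to 1 when any whitelist is configured and to 0 otherwise, which is why pinning it to 0 keeps users without an entry unrestricted. The user names, method names and the sample config are constructed.

```python
import hmac
import os
from typing import Dict, Optional, Set, Tuple


def make_rpcauth(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build an rpcauth line the way bitcoind's share/rpcauth does.

    Only the salted HMAC reaches bitcoin.conf; the password itself is handed to
    the RPC client (lnd, clightning, ...) and never stored on the bitcoind side.
    """
    if ":" in user or "$" in user:
        raise ValueError("user must not contain ':' or '$'")
    salt_hex = (salt if salt is not None else os.urandom(16)).hex()
    digest = hmac.new(salt_hex.encode(), password.encode(), "sha256").hexdigest()
    return f"rpcauth={user}:{salt_hex}${digest}"


def check_rpcauth(line: str, user: str, password: str) -> bool:
    """Verify user/password against one rpcauth line (constant-time compare)."""
    if not line.startswith("rpcauth="):
        return False
    conf_user, _, rest = line[len("rpcauth="):].partition(":")
    salt_hex, _, digest = rest.partition("$")
    if conf_user != user or not salt_hex or not digest:
        return False
    expected = hmac.new(salt_hex.encode(), password.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, digest)


def parse_whitelists(conf: str) -> Tuple[Dict[str, Set[str]], bool]:
    """Return ({user: allowed methods}, restrict_unlisted).

    restrict_unlisted mirrors rpcwhitelistdefault: when true, a user with no
    rpcwhitelist entry is treated as having an empty whitelist (denied all).
    """
    lists: Dict[str, Set[str]] = {}
    flag: Optional[bool] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("rpcwhitelist="):
            user, _, methods = line[len("rpcwhitelist="):].partition(":")
            wanted = {m.strip() for m in methods.split(",") if m.strip()}
            lists[user] = (lists[user] & wanted) if user in lists else wanted
        elif line.startswith("rpcwhitelistdefault="):
            flag = line.split("=", 1)[1].strip().lower() not in ("0", "false", "no")
    if flag is None:                      # Bitcoin Core default: 1 iff any whitelist set
        flag = bool(lists)
    return lists, flag


def rpc_permitted(user: str, method: str, lists: Dict[str, Set[str]],
                  restrict_unlisted: bool) -> bool:
    """Decide whether bitcoind would serve `method` to `user` (403 otherwise)."""
    if user in lists:
        return method in lists[user]
    return not restrict_unlisted


# Constructed sample config (not from any real node).
SAMPLE_CONF = """\
rpcwhitelistdefault=0
rpcwhitelist=lnd:getblockchaininfo,getrawtransaction,getblockcount
# a second line for the same user is intersected, not unioned
rpcwhitelist=lnd:getblockchaininfo,getrawtransaction
"""

if __name__ == "__main__":
    print(make_rpcauth("lnd", "example-password"))
    lists, restrict = parse_whitelists(SAMPLE_CONF)
    for user, method in [("lnd", "getblockchaininfo"), ("lnd", "sendtoaddress"),
                         ("operator", "sendtoaddress")]:
        print(user, method, rpc_permitted(user, method, lists, restrict))
```

Run it with an `rpcwhitelistdefault=1` config (or simply drop that line while keeping a whitelist) to see the `operator` user lose access to everything; that is the behaviour the commit avoids by setting the default to 0.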
Jonas Nick
272b8568e7
Merge #213: Fix systemd leak
6a8e29e016 tests: add dbus-hardening and hideProcessInformation (nixbitcoin)
0248e6493f systemd: lock down systemctl status (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 6a8e29e016

Tree-SHA512: 1ee8ce42f71e1a8977f5a84053b10f5f7f56da395d4f801447d2d344540640fc496ef0ff341cb32ca92ac064d43d04f118bf580c42d31022e6ed84815b8f72c6
2020-07-28 12:58:07 +00:00
nixbitcoin
6a8e29e016
tests: add dbus-hardening and hideProcessInformation 2020-07-28 11:37:16 +00:00
nixbitcoin
0248e6493f
systemd: lock down systemctl status
Mitigates a security issue that allows unprivileged users to read other
unprivileged users' processes' credentials from CGroup using `systemctl
status`.
2020-07-28 11:28:09 +00:00
Jonas Nick
6e694890eb
Merge #203: Remove electrs tls
6365412312 test-script: remove nginx tls proxy test (nixbitcoin)
4dbc348921 electrs: remove TLSProxy (nixbitcoin)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 079a0c892f8e25d6ba0267cc99022550f4cfe74bad3f9270733ecda09350595a11aec8d40b89df6e6ad7cca1e26b7e480a265bf6e2d01d0fe912ca3ece00f655
2020-07-21 15:04:22 +00:00
nixbitcoin
6365412312
test-script: remove nginx tls proxy test 2020-07-21 13:58:32 +00:00
nixbitcoin
4dbc348921
electrs: remove TLSProxy
https://github.com/spesmilo/electrum/issues/5278 was resolved
2020-07-21 13:41:03 +00:00
Jonas Nick
6856b8cb42
Merge #210: bitcoind: postStart wait until bitcoind can receive rpc calls
02853067a1 bitcoind: postStart wait until bitcoind can receive rpc calls (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 02853067a1

Tree-SHA512: 601b04957a26853c04d768b074006f0716edb131698afde2afb94cb0c862dddb745b93ef39ed014f95a01545eb60d370fd82201d0a898c7dac4c19622d25dafe
2020-07-21 13:26:51 +00:00
nixbitcoin
02853067a1
bitcoind: postStart wait until bitcoind can receive rpc calls 2020-07-21 13:23:07 +00:00
Jonas Nick
aad0fe6e45
Merge #187: Network Namespaces
681728294b tests: run scenarios as multiple Travis jobs (nixbitcoin)
43ce847e2b tests: allow running integration tests with different configurations (nixbitcoin)
8783f38fba tests: add netns to testing framework (nixbitcoin)
25adce29e5 secure-node: only mkHiddenServices if services are enabled (nixbitcoin)
c542b92e55 nginx: add netns (nixbitcoin)
ef89607704 recurring-donations: add netns (nixbitcoin)
582cb86d74 nanopos: add netns (nixbitcoin)
7369f0a7ec lightning-charge: add netns (nixbitcoin)
c4ab73d51f spark-wallet: add netns (nixbitcoin)
d6296acaba electrs: add netns (nixbitcoin)
c0b02ac93a liquid: add netns cli script (nixbitcoin)
672a416ede liquidd: add netns (nixbitcoin)
4b8ca52647 lnd: add netns cli script (nixbitcoin)
c55296433d lnd: add netns (nixbitcoin)
f3d2aaa5d4 lnd: prepare for netns and bring in line with clightning (nixbitcoin)
3c0c446547 clightning: add netns (nixbitcoin)
ae1230e13b clightning: remove bitcoin-rpcuser option (nixbitcoin)
65b5dab3d4 clightning: add announce-tor (nixbitcoin)
515aae2825 bitcoind: add netns and nonetns cli scripts (nixbitcoin)
75ca6f186c bitcoind: add netns (nixbitcoin)
e5e07b91f7 netns-isolation: netns architecture (nixbitcoin)
4a7199a3da netns-exec: add c program to execute commands in netns (Jonas Nick)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 681728294b

Tree-SHA512: 53083067dd94bfb38d06e9b7f0d2deaeb1b95067dc0c6e50d07073405ff5270de54fa56761e861d23eb0f0a9457f0e1e2c46ed71d732c0cfbaa09b6d425e0691
2020-07-21 12:05:50 +00:00
nixbitcoin
681728294b
tests: run scenarios as multiple Travis jobs 2020-07-21 09:39:01 +00:00
nixbitcoin
43ce847e2b
tests: allow running integration tests with different configurations 2020-07-21 09:38:59 +00:00
nixbitcoin
8783f38fba
tests: add netns to testing framework 2020-07-21 09:38:57 +00:00
nixbitcoin
25adce29e5
secure-node: only mkHiddenServices if services are enabled 2020-07-21 09:38:55 +00:00
nixbitcoin
c542b92e55
nginx: add netns
- Adds nginx to netns-isolation.services
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:53 +00:00
nixbitcoin
ef89607704
recurring-donations: add netns
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
  services
- Removes torsocks dependency in favor of `curl --socks-hostname`
2020-07-21 09:38:51 +00:00
nixbitcoin
582cb86d74
nanopos: add netns
- Adds nanopos to netns-isolation.services
- Adds cfg.enforceTor and extraArgs to bring nanopos in line with other
  services
- Adds charged-url option to allow using nanopos with network
  namespaces.
- Modularizes nginx so webindex can be used without nanopos.
- Adds host option (defaults to localhost) as target of hidden service
- Removes unnecessary after
2020-07-21 09:38:49 +00:00
nixbitcoin
7369f0a7ec
lightning-charge: add netns
- Adds lightning-charge to netns-isolation.services
- Adds cfg.enforceTor to bring lightning-charge in line with other
  services
- Adds extraArgs option to allow using lightning-charge with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:47 +00:00
nixbitcoin
c4ab73d51f
spark-wallet: add netns
- Adds spark-wallet to netns-isolation.services
- Adds extraArgs option to allow using spark-wallet with network
  namespaces
- Adds host option (defaults to localhost) as target of hidden service
- Adds enforceTor option to bring in line with other services
2020-07-21 09:38:45 +00:00
nixbitcoin
d6296acaba
electrs: add netns
- Adds electrs to netns-isolation.services
- Adds daemonrpc option and specifies address option to allow using
  electrs with network namespaces
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:43 +00:00
nixbitcoin
c0b02ac93a
liquid: add netns cli script 2020-07-21 09:38:41 +00:00
nixbitcoin
672a416ede
liquidd: add netns
- Adds liquidd to netns-isolation.services
- Adds rpcbind, rpcallowip, and mainchainrpchost options to allow using
  liquidd with network namespaces
- Adds bind option (defaults to localhost) as target of hidden service
2020-07-21 09:38:39 +00:00
nixbitcoin
4b8ca52647
lnd: add netns cli script 2020-07-21 09:38:37 +00:00
nixbitcoin
c55296433d
lnd: add netns
- Adds lnd to netns-isolation.services
- Specifies listen option (defaults to localhost) as target of
  hiddenService.
- Amends hardcoded lnd ip to lnd-cert

WARNING: Breaking changes for lnd cert. lnd-key and lnd-cert will have
to be deleted and redeployed.
2020-07-21 09:38:35 +00:00
nixbitcoin
f3d2aaa5d4
lnd: prepare for netns and bring in line with clightning
- Adds bitcoind-host and tor-socks options to allow using with
  network namespaces.
- Adds listen, rpclisten, and restlisten options to specify the host on which
  to listen for peer, rpc and rest connections respectively
- Adds announce-tor option and generates Tor Hidden Service with nix
  instead of lnd to bring in line with clightning.

WARNING: Breaking changes for Tor Hidden Service. Manual migration
necessary.
2020-07-21 09:38:32 +00:00
nixbitcoin
3c0c446547
clightning: add netns
- Adds clightning to netns-isolation.services
- Adds bitcoin-rpcconnect option to allow using clightning with network
  namespaces
- Uses bind-addr option (defaults to localhost) as target of hidden service
- Adds different bind-addr options depending on whether netns-isolation is
  enabled.
2020-07-21 09:38:30 +00:00
nixbitcoin
ae1230e13b
clightning: remove bitcoin-rpcuser option
Simplifies the clightning module.
2020-07-21 09:38:28 +00:00
nixbitcoin
65b5dab3d4
clightning: add announce-tor
From the clightning manpage:

autolisten=BOOL By default, we bind (and maybe announce) on IPv4 and
IPv6 interfaces if no addr, bind-addr or announce-addr options are
specified. Setting this to false disables that.

We already set bind-addr by default, so autolisten had no effect.
Therefore, this commit replaces autolisten with the more granular
announce-addr option.

For now we are Tor-only, so we only need to announce our hidden service
to accept incoming connections. In the future, we can add clearnet
connectivity with `addr` and route connections into our netns with NAT.
2020-07-21 09:38:26 +00:00
nixbitcoin
515aae2825
bitcoind: add netns and nonetns cli scripts
nonetns script needed for bitcoind-import-banlist
2020-07-21 09:38:24 +00:00
nixbitcoin
75ca6f186c
bitcoind: add netns
- Adds bitcoind to netns-isolation.services
- Adds rpcbind and rpcallowip options to allow using bitcoind with
  network namespaces
- Adds bind option (defaults to localhost), used as target of hidden service
- Makes bitcoind-import-banlist run in netns
2020-07-21 09:38:22 +00:00
nixbitcoin
e5e07b91f7
netns-isolation: netns architecture
- Adds network namespace instantiation and routing architecture.
- netns-isolation disabled by default. Can be enabled with
  configuration.nix FIXME.
- Uses mkMerge to toggle certain options for non netns and netns
  systems.
- Adds security wrapper for netns-exec which allows operator to exec
  with cap_sys_admin
- User can select the 169.254.N.0/24 address block netns's are created in.
- nix-bitcoin-services IpAddressAllow is amended with link-local
  addresses
2020-07-21 09:38:20 +00:00
Jonas Nick
4a7199a3da
netns-exec: add c program to execute commands in netns
C program allows executing commands in nb-bitcoind, nb-lnd, nb-liquidd
(the netns's needed for operator cli scripts).
2020-07-21 09:38:16 +00:00
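Added example (Python; not nix-bitcoin's netns-exec C program) for the two netns commits above: a model of the checks a privileged "exec in this namespace" wrapper needs before it calls `setns(2)`. Because the wrapper runs with CAP_SYS_ADMIN, the caller must not be able to choose the namespace path; the example therefore matches the name exactly against the three namespaces the commit message names before touching the filesystem, then enters the namespace and execs. The `/run/netns` location is an assumption (it is where `ip netns add` binds namespaces), and the `CLONE_NEWNET` constant is the value from `<sched.h>`.

```python
import ctypes
import os
import sys

# Namespace names from the commit message above; anything else is refused.
ALLOWED_NETNS = frozenset({"nb-bitcoind", "nb-lnd", "nb-liquidd"})
NETNS_DIR = "/run/netns"      # assumption: namespaces are bound here, as `ip netns add` does
CLONE_NEWNET = 0x40000000     # from <sched.h>


def is_allowed(name: str) -> bool:
    """Exact match against the allowlist: no normalisation, no prefix or case folding."""
    return name in ALLOWED_NETNS


def netns_path(name: str) -> str:
    """Resolve a namespace name to its file, or refuse.

    Sanitising a user-supplied path is the wrong tool here: a value such as
    'nb-lnd/../../proc/1/ns/net' would let an unprivileged operator enter
    the host's (or any process's) network namespace with the wrapper's
    CAP_SYS_ADMIN. Deciding on the bare name first rules that out.
    """
    if not is_allowed(name):
        raise PermissionError(f"refusing to enter netns {name!r}")
    return os.path.join(NETNS_DIR, name)


def enter_netns(name: str) -> None:
    """Move the calling process into the named network namespace (needs CAP_SYS_ADMIN)."""
    fd = os.open(netns_path(name), os.O_RDONLY | os.O_CLOEXEC)
    try:
        if hasattr(os, "setns"):                  # Python 3.12+
            os.setns(fd, CLONE_NEWNET)
        else:                                     # older interpreters: call libc directly
            libc = ctypes.CDLL(None, use_errno=True)
            if libc.setns(fd, CLONE_NEWNET) != 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
    finally:
        os.close(fd)


def netns_exec(name: str, argv: list) -> None:
    """Enter the namespace and replace this process with argv; returns only on error."""
    enter_netns(name)
    # When the operator is not root and the target binary carries no file
    # capabilities, execve recomputes the capability sets and CAP_SYS_ADMIN
    # does not survive into the command (no ambient capabilities are raised here).
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <netns> <command> [args...]")
    netns_exec(sys.argv[1], sys.argv[2:])
```

The real wrapper should stay a small native binary installed through the security wrapper, as the commit does: granting CAP_SYS_ADMIN to a script interpreter would hand the capability to every script that interpreter runs. Restricting who may invoke the wrapper (owner/group of the wrapped binary) is the second half of the control and is not modelled here.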
Jonas Nick
5bb9aa5d6d
Merge #201: Update: nixpkgs and elementsd
ae364a68ad hwi: 1.0.3 -> 1.1.2 (nixbitcoin)
fe6e118bb3 elementsd: 0.18.1.3 -> 0.18.1.8 (nixbitcoin)
5ca58a2a26 nixpkgs: update stable and unstable (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ae364a68ad

Tree-SHA512: b8eb4be1ae6496586acb3d0635d6dea676f029a85f17512dccab280aaf3135fccf0455feaf17517e54af85aa5bf92d13df3194ba8893d7c7631d089b9b208b8d
2020-07-19 19:27:11 +00:00