Commit Graph

108 Commits

Author SHA1 Message Date
Erik Arvstedt
acf5fe69ad
add standalone clightning-rest service
- Rename `services.rtl.cl-rest` to `services.clightning-rest`.
  `clightning-rest` is generally useful for connecting external REST clients
  to clightning.

- Add a dedicated network namespace in netns-isolation.

- Add nodeinfo entry.

- Add datadir (which contains REST auth data) to backups.
2022-05-06 16:26:40 +02:00
Erik Arvstedt
d959d5b558
secure-node: don't set nix-bitcoin.secretsDir
This simplifies the docs and the secure-node module.

This change doesn't affect users that deploy via krops.
2022-02-05 21:35:50 +01:00
Erik Arvstedt
2f0f1ec15a
hardened-extended: define kernelParams as separate strings
This is now checked by the modules.
2021-12-10 12:16:31 +00:00
Erik Arvstedt
6b539627ee
add presets/bitcoind-remote.nix
This simplifies integrating a remote bitcoind instance and
makes `bitcoin-cli` work with the remote node.

Add note regarding `whitelistedPort` to docs.
2021-12-07 15:35:33 +01:00
Erik Arvstedt
def64a73b8
treewide: use TODO-EXTERNAL
Use TODO-EXTERNAL for TODOs that depend on external factors like
upstream fixes.
2021-11-29 13:47:48 +01:00
Erik Arvstedt
9bda7305fd
services: add tor.* options
Split `enforceTor` into `tor.proxy` and `tor.enforce`.
By enabling `tor.proxy` without `tor.enforce`, a service can accept
incoming clearnet connections.
E.g., this allows setting up a Tor-proxied bitcoind node that accepts
RPC connections from LAN.
2021-11-29 13:22:43 +01:00
Erik Arvstedt
8aa28da110
remove recurring-donations module
This module has failed to evaluate for quite some time.
We might bring it back someday with bolt12 and LNURL support.
2021-11-28 21:18:39 +01:00
nixbitcoin
f569227410
rtl: add module 2021-11-09 14:13:42 +00:00
Jonas Nick
bac8518e7c
secure-node: stop pruning liquidd
There is no security reason why pruning should be enabled and therefore it
surprises users. Turning on pruning in the first place was simply a mistake.
2021-10-31 14:37:56 +00:00
Jonas Nick
347a0f3aee
secure-node: add dummy option to determine if the preset is enabled
This is useful for versioning.nix.
2021-10-31 14:00:46 +00:00
Erik Arvstedt
75b89f3957
electrs: adapt to version 0.9.0
- `waitfornewblock` was previously not included in the public RPC
  whitelist because it's reserved for testing and marked as hidden
  in bitcoind.

- electrs changed its verbosity settings. `-vv` is now the best choice
  for normal usage.

- bitcoind option `dataDirReadableByGroup` is now unused.
  Because it can be valuable for other use cases and implementing
  it is intricate, we're keeping it for now.

- test: keep `nc` connection open because otherwise the electrs
  RPC server would now close the connection before sending a response.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
f36df8f563
secure-node: remove redundant bitcoind settings
- `discover` is automatically disabled by bitcoind because we're
   setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype
2021-10-04 00:33:26 +02:00
Jonas Nick
0c31130ac8
secure-node: remove default bitcoin addnode
Onion v2 addresses are incompatible with the upcoming bitcoind version.
2021-09-19 20:03:40 +00:00
Erik Arvstedt
35fe939cf8
security: update /proc restriction mechanism
NixOS option `security.hideProcessInformation` for globally restricting
access to /proc has been removed.
Use per-service restrictions via 'ProtectProc' instead.

Rename
`nix-bitcoin.security.hideProcessInformation` to
`nix-bitcoin.security.dbusHideProcessInformation`
because this option now only implements the dbus restriction.
2021-08-14 10:46:41 +02:00
Erik Arvstedt
178a0dcf8f
services: use new 'tor' options 2021-08-14 10:46:41 +02:00
Erik Arvstedt
a25ceecca5
update to NixOS 21.05 2021-08-12 11:18:26 +02:00
nixbitcoin
3b938a909f
add hardened-extended preset 2021-04-02 10:59:09 +00:00
Jonas Nick
a4dabc7390
Remove nixops examples and documentation 2021-03-15 12:42:47 +00:00
kon
eb21012745 pool: add pkg, module & tests 2021-03-01 10:59:35 +01:00
nixbitcoin
b1c9e13033
bitcoind: secure-node remove assumevalid 2021-02-23 11:04:31 +00:00
nixbitcoin
2ca92a34a5
services: use doas if enabled
- Remove sudo from recurring-donations path because it's not used by
  the service

- Use doas instead of sudo in secure-node.nix
2021-02-09 12:44:04 +00:00
Erik Arvstedt
a344ae95c9
move mkHiddenService to lib 2021-02-04 12:39:54 +00:00
nixbitcoin
8c125ec48c
joinmarket-obwatcher: add pkg & module 2021-01-17 17:40:12 +00:00
Erik Arvstedt
e2922eb4ce
move rpc thread count setting to lightning modules 2021-01-14 13:25:12 +01:00
Erik Arvstedt
757a66b9bd
liquid: move rpcuser definition to module 2021-01-14 13:25:11 +01:00
Erik Arvstedt
0e00c39d47
secure-node: improve layout 2021-01-14 13:25:11 +01:00
Erik Arvstedt
5f7a7962f7
backups: remove redundant option 'program'
Not needed until we support other backup backends.
2021-01-14 13:25:11 +01:00
Erik Arvstedt
04d8560f86
secure-node: remove qrencode, tor from systemPackages
Keep jq which is useful for analyzing service cli output.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
323a431aba
improve nodeinfo
- enable usage outside of secure-node.nix
- use json as the output format
- show ports
- also show local addresses, which is particularly useful when
  netns-isolation is enabled
- only show enabled services
2021-01-14 13:25:10 +01:00
Erik Arvstedt
f6b883a9ac
remove webindex
This module is outdated and incomplete. We can readd an improved version in
the future.

Move nanopos nginx proxy tests to the nanopos test.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
2a240d6f4a
enable-tor: disable default onion services for clightning, lnd, btcpayserver
In case of btcpayserver the default onion service is a security risk
because any visitor can register an admin account on a freshly setup node.
2021-01-14 13:25:09 +01:00
Erik Arvstedt
bd2a46cb73
spark-wallet: use onionServices
Also remove the unneeded definition of ReadWritePaths because the
service doesn't need write access to onion files.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
87fb9f246b
add 'enable-tor' preset
Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.

Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
93562f76dd
onionAddresses: remove redundant option 'enable'
The service can be disabled via `onion-addresses.access = mkForce {};`

Also remove redundant description.
2021-01-14 13:25:06 +01:00
Erik Arvstedt
5c6977b006
rename onion-chef -> nix-bitcoin.onionAddresses
This clarifies its function.
2021-01-14 13:25:05 +01:00
Erik Arvstedt
39f16c0b4a
liquidd: add consistent address options 2021-01-14 13:25:05 +01:00
Erik Arvstedt
b5d76ba1b3
electrs: add consistent address options 2021-01-14 13:25:04 +01:00
Erik Arvstedt
8fa32b7f91
btcpayserver: add consistent address options 2021-01-14 13:25:04 +01:00
Erik Arvstedt
e78a609687
clightning: add consistent address options
Also remove option 'autolisten'. This option has no effect because
option 'bind-addr' is always set.
2021-01-14 13:25:04 +01:00
Erik Arvstedt
b41a720c28
lnd: add consistent address options
Also fix btcpayserver by connecting to the lnd restAddress instead of the p2p address.
2021-01-14 13:25:03 +01:00
Erik Arvstedt
dd4a0238f9
bitcoind: group rpc options under parent option 'rpc' 2021-01-14 13:25:03 +01:00
Erik Arvstedt
5b7e0d09b2
bitcoind: add consistent address options 2021-01-14 13:25:03 +01:00
Jonas Nick
79f4723cda
lightning-charge: remove package and module 2021-01-01 19:16:46 +00:00
Jonas Nick
58de79d401
nanopos: remove package and module 2021-01-01 17:37:30 +00:00
Erik Arvstedt
c8e73c959e
fix 'hardened' profile for NixOS 20.09
The 'scudo' memory allocator set by the 'hardened' profile breaks some
services on 20.09.
The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052)
is ineffective on 20.09.

As a workaround, add a custom 'hardened' preset that uses the default allocator.
2020-12-18 19:56:56 +01:00
nixbitcoin
f29f04c0c4
secure-node: LND no longer requires ControlPort
Onion service is now generated through mkHiddenService function.
2020-11-06 08:51:23 +00:00
Erik Arvstedt
e0675cb256
move enforceTor logic to service modules
This enables tor support for services without using secure-node.nix
2020-10-29 21:21:27 +01:00
Erik Arvstedt
5e0e16529c
netns: fix default addressblock value type
Also remove redundant definition in secure-node.nix
2020-10-20 18:21:37 +02:00
Erik Arvstedt
480d0d3959
liquid: fix bitcoin rpc settings
- Remove redundant option mainchainrpchost.
  This option is already provided by bitcoind.
- Set a working default for rpcport and rpcuser.
  Enables use without secure-node.
2020-10-16 16:46:55 +02:00
Erik Arvstedt
9aa19c3fdd
extract operator module 2020-10-16 16:46:55 +02:00