826245484e
Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config.
187 lines
6.3 KiB
Nix
187 lines
6.3 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.nix-bitcoin;
|
|
operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''
|
|
mkdir -p ${config.users.users.operator.home}/.ssh
|
|
if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then
|
|
cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys
|
|
fi
|
|
if [ -e "/etc/ssh/authorized_keys.d/root" ]; then
|
|
cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys
|
|
fi
|
|
chown -R operator ${config.users.users.operator.home}/.ssh
|
|
'';
|
|
in {
|
|
imports = [ ./modules.nix ];
|
|
|
|
options.services.nix-bitcoin = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
If enabled, the nix-bitcoin service will be installed.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
nix-bitcoin.secretsDir = mkDefault "/secrets";
|
|
|
|
networking.firewall.enable = true;
|
|
|
|
# Tor
|
|
services.tor.enable = true;
|
|
services.tor.client.enable = true;
|
|
# LND uses ControlPort to create onion services
|
|
services.tor.controlPort = if config.services.lnd.enable then 9051 else null;
|
|
|
|
# Tor SSH service
|
|
services.tor.hiddenServices.sshd = {
|
|
map = [{
|
|
port = 22;
|
|
}];
|
|
version = 3;
|
|
};
|
|
|
|
# bitcoind
|
|
services.bitcoind.enable = true;
|
|
services.bitcoind.listen = true;
|
|
services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
|
|
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
|
|
services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
|
|
services.bitcoind.enforceTor = true;
|
|
services.bitcoind.port = 8333;
|
|
services.bitcoind.rpcuser = "bitcoinrpc";
|
|
services.bitcoind.zmqpubrawblock = "tcp://127.0.0.1:28332";
|
|
services.bitcoind.zmqpubrawtx = "tcp://127.0.0.1:28333";
|
|
services.bitcoind.extraConfig = ''
|
|
assumevalid=0000000000000000000726d186d6298b5054b9a5c49639752294b322a305d240
|
|
addnode=ecoc5q34tmbq54wl.onion
|
|
discover=0
|
|
addresstype=bech32
|
|
changetype=bech32
|
|
'';
|
|
services.bitcoind.prune = 0;
|
|
services.bitcoind.dbCache = 1000;
|
|
services.tor.hiddenServices.bitcoind = {
|
|
map = [{
|
|
port = config.services.bitcoind.port;
|
|
}];
|
|
version = 3;
|
|
};
|
|
|
|
# clightning
|
|
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
|
|
services.clightning.proxy = config.services.tor.client.socksListenAddress;
|
|
services.clightning.enforceTor = true;
|
|
services.clightning.always-use-proxy = true;
|
|
services.clightning.bind-addr = "127.0.0.1:9735";
|
|
services.tor.hiddenServices.clightning = {
|
|
map = [{
|
|
port = 9735; toPort = 9735;
|
|
}];
|
|
version = 3;
|
|
};
|
|
|
|
# lnd
|
|
services.lnd.enforceTor = true;
|
|
|
|
# Create user operator which can use bitcoin-cli and lightning-cli
|
|
users.users.operator = {
|
|
isNormalUser = true;
|
|
extraGroups = [ config.services.bitcoind.group ]
|
|
++ (if config.services.clightning.enable then [ "clightning" ] else [ ])
|
|
++ (if config.services.lnd.enable then [ "lnd" ] else [ ])
|
|
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ])
|
|
++ (if (config.services.hardware-wallets.ledger || config.services.hardware-wallets.trezor)
|
|
then [ config.services.hardware-wallets.group ] else [ ]);
|
|
};
|
|
# Give operator access to onion hostnames
|
|
services.onion-chef.enable = true;
|
|
services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
|
|
|
|
# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
|
|
# https://github.com/ElementsProject/lightning/issues/1366
|
|
security.sudo.configFile =
|
|
(optionalString config.services.clightning.enable ''
|
|
operator ALL=(clightning) NOPASSWD: ALL
|
|
'') +
|
|
(optionalString config.services.lnd.enable ''
|
|
operator ALL=(lnd) NOPASSWD: ALL
|
|
'');
|
|
|
|
# Give root ssh access to the operator account
|
|
systemd.services.copy-root-authorized-keys = {
|
|
description = "Copy root authorized keys";
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";
|
|
user = "root";
|
|
type = "oneshot";
|
|
};
|
|
};
|
|
|
|
services.nix-bitcoin-webindex.enforceTor = true;
|
|
|
|
services.liquidd.rpcuser = "liquidrpc";
|
|
services.liquidd.prune = 1000;
|
|
services.liquidd.extraConfig = "
|
|
mainchainrpcuser=${config.services.bitcoind.rpcuser}
|
|
mainchainrpcport=8332
|
|
";
|
|
services.liquidd.validatepegin = true;
|
|
services.liquidd.listen = true;
|
|
services.liquidd.proxy = config.services.tor.client.socksListenAddress;
|
|
services.liquidd.enforceTor = true;
|
|
services.liquidd.port = 7042;
|
|
services.tor.hiddenServices.liquidd = {
|
|
map = [{
|
|
port = config.services.liquidd.port; toPort = config.services.liquidd.port;
|
|
}];
|
|
version = 3;
|
|
};
|
|
|
|
services.spark-wallet.onion-service = true;
|
|
services.electrs.port = 50001;
|
|
services.electrs.enforceTor = true;
|
|
services.electrs.onionport = 50002;
|
|
services.electrs.nginxport = 50003;
|
|
services.tor.hiddenServices.electrs = {
|
|
map = [{
|
|
port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport;
|
|
}];
|
|
version = 3;
|
|
};
|
|
environment.systemPackages = with pkgs; with nix-bitcoin; let
|
|
s = config.services;
|
|
in
|
|
[
|
|
tor
|
|
bitcoind
|
|
(hiPrio s.bitcoind.cli)
|
|
nodeinfo
|
|
jq
|
|
qrencode
|
|
]
|
|
++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]
|
|
++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]
|
|
++ optionals s.lightning-charge.enable [lightning-charge]
|
|
++ optionals s.nanopos.enable [nanopos]
|
|
++ optionals s.nix-bitcoin-webindex.enable [nginx]
|
|
++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]
|
|
++ optionals s.spark-wallet.enable [spark-wallet]
|
|
++ optionals s.electrs.enable [electrs]
|
|
++ optionals (s.hardware-wallets.ledger || s.hardware-wallets.trezor) [
|
|
hwi
|
|
# To allow debugging issues with lsusb
|
|
usbutils
|
|
]
|
|
++ optionals s.hardware-wallets.trezor [
|
|
python3.pkgs.trezor
|
|
];
|
|
};
|
|
}
|