nix-bitcoin/examples/configuration.nix
Erik Arvstedt 03db1a61b1
lnd, joinmarket: don't write to secrets dir
Keeping the secrets dir read-only is more simple and robust.

- lnd seed mnemonic creation and joinmarket wallet creation can be
  run as the regular service user instead of root.

- It is easier to switch to a third-party secrets deployment
  method in the future.

Don't create a seed mnemonic for lnd when a wallet exists.
This avoids creating unused mnemonics and helps simplifying
the migration command in `versioning.nix`.
2021-03-15 18:50:15 +01:00

237 lines
10 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }: {
imports = [
<nix-bitcoin/modules/presets/secure-node.nix>
# FIXME: The hardened kernel profile improves security but
# decreases performance by ~50%.
# Turn it off when not needed.
<nix-bitcoin/modules/presets/hardened.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so,
# add the hardware configuration file to the same directory as this file.
#./hardware-configuration.nix
];
# FIXME: Enable modules by uncommenting their respective line. Disable
# modules by commenting out their respective line.
### BITCOIND
# Bitcoind is enabled by default if nix-bitcoin is enabled
#
# Enable this option to set pruning to a specified MiB value.
# clightning is compatible with pruning. See
# https://github.com/ElementsProject/lightning/#pruning for more information.
# LND and electrs are not compatible with pruning.
# services.bitcoind.prune = 100000;
#
# Set this to accounce the onion service address to peers.
# The onion service allows accepting incoming connections via Tor.
# nix-bitcoin.onionServices.bitcoind.public = true;
#
# You can add options that are not defined in modules/bitcoind.nix as follows
# services.bitcoind.extraConfig = ''
# maxorphantx=110
# '';
### CLIGHTNING
# Enable this module to use clightning, a Lightning Network implementation
# in C.
services.clightning.enable = true;
#
# Set this to create an onion service by which clightning can accept incoming connections
# via Tor.
# The onion service is automatically announced to peers.
# nix-bitcoin.onionServices.clightning.public = true;
#
# == Plugins
# See ../docs/usage.md for the list of available plugins.
# services.clightning.plugins.prometheus.enable = true;
### LND
# Uncomment the following line in order to enable lnd, a lightning
# implementation written in Go. In order to avoid collisions with clightning
# you must disable clightning or change the services.clightning.port or
# services.lnd.port to a port other than 9735.
# services.lnd.enable = true;
#
# Set this to create an onion service by which lnd can accept incoming connections
# via Tor.
# The onion service is automatically announced to peers.
# nix-bitcoin.onionServices.lnd.public = true;
#
# Set this to create an lnd REST onion service.
# Adds binary `lndconnect-rest-onion` to the system environment.
# This binary generates QR codes or URIs for connecting applications to lnd via the
# REST onion service.
# services.lnd.restOnionService.enable = true;
#
## WARNING
# If you use lnd, you should manually backup your wallet mnemonic
# seed. This will allow you to recover on-chain funds. You can run the
# following commands after the lnd service starts:
# mkdir -p ./backups/lnd/
# scp bitcoin-node:/var/lib/lnd/lnd-seed-mnemonic ./backups/lnd/
#
# You should also backup your channel state after opening new channels.
# This will allow you to recover off-chain funds, by force-closing channels.
# scp bitcoin-node:/var/lib/lnd/chain/bitcoin/mainnet/channel.backup ./backups/lnd/
### SPARK WALLET
# Enable this module to use spark-wallet, a minimalistic wallet GUI for
# c-lightning, accessible over the web or through mobile and desktop apps.
# Automatically enables clightning.
# services.spark-wallet.enable = true;
### ELECTRS
# Enable this module to use electrs, an efficient re-implementation of
# Electrum Server in Rust.
# services.electrs.enable = true;
# If you have more than 8GB memory, enable this option so electrs will
# sync faster. Only available if hardware wallets are disabled.
# services.electrs.high-memory = true;
### BTCPayServer
# Enable this module to use BTCPayServer, a self-hosted, open-source
# cryptocurrency payment processor.
# Privacy Warning: BTCPayServer currently looks up price rates without
# proxying them through Tor. This means an outside observer can correlate
# your BTCPayServer usage, like invoice creation times, with your IP address.
# services.btcpayserver.enable = true;
# Enable this option to connect BTCPayServer to clightning.
# services.btcpayserver.lightningBackend = "clightning";
# Enable this option to connect BTCPayServert to lnd.
# services.btcpayserver.lightningBackend = "lnd";
# The lightning backend service automatically enabled.
# Afterwards you need to go into Store > General Settings > Lightning Nodes
# and click to use "the internal lightning node of this BTCPay Server".
#
# Set this to create an onion service to make the btcpayserver web interface
# accessible via Tor.
# Security WARNING: Create a btcpayserver administrator account before allowing
# public access to the web interface.
# nix-bitcoin.onionServices.btcpayserver.enable = true;
### LIQUIDD
# Enable this module to use Liquid, a sidechain for an inter-exchange
# settlement network linking together cryptocurrency exchanges and
# institutions around the world. Liquid is accessed with the elements-cli
# tool run as user operator.
# services.liquidd.enable = true;
### RECURRING-DONATIONS
# Enable this module to send recurring donations. This is EXPERIMENTAL; it's
# not guaranteed that payments are succeeding or that you will notice payment
# failure.
# Automatically enables clightning.
# services.recurring-donations.enable = true;
# Specify the receivers of the donations. By default donations are every
# Monday at a randomized time. Check `journalctl -eu recurring-donations` or
# `lightning-cli listpayments` for successful lightning donations.
# services.recurring-donations.tallycoin = {
# "<receiver name>" = <amount you wish to donate in sat>"
# "<additional receiver name>" = <amount you wish to donate in sat>;
# "djbooth007" = 1000;
# };
### Hardware wallets
# Enable this module to allow using hardware wallets. See https://github.com/bitcoin-core/HWI
# for more information. Only available if electrs.high-memory is disabled.
# Ledger must be initialized through the official ledger live app and the Bitcoin app must
# be installed and running on the device.
# services.hardware-wallets.ledger = true;
# Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
# `docs/usage.md`.
# services.hardware-wallets.trezor = true;
### netns-isolation (EXPERIMENTAL)
# Enable this module to use Network Namespace Isolation. This feature places
# every service in its own network namespace and only allows truly necessary
# connections between network namespaces, making sure services are isolated on
# a network-level as much as possible.
# nix-bitcoin.netns-isolation.enable = true;
### lightning-loop
# Enable this module to use lightninglab's non-custodial off/on chain bridge.
# loopd (lightning-loop daemon) will be started automatically. Users can
# interact with off/on chain bridge using `loop in` and `loop out`.
# Automatically enables lnd.
# services.lightning-loop.enable = true;
### lightning-pool
# Enable this module to use Lightning Lab's non-custodial batched uniform
# clearing-price auction for Lightning Channel Leases.
# Use the `pool` command to interact with the lightning-pool service.
# Automatically enables lnd.
# services.lightning-pool.enable = true;
#
# lightning-pool requires that lnd has a publicly reachable address.
# Set this to create a public onion service for lnd.
# nix-bitcoin.onionServices.lnd.public = true;
### Backups
# Enable this module to use nix-bitcoin's own backups module. By default, it
# uses duplicity to incrementally back up all important files in /var/lib to
# /var/lib/localBackups once a day.
# services.backups.enable = true;
# You can pull the localBackups folder with
# `scp bitcoin-node:/var/lib/localBackups /my-backup-path/`
# Alternatively, you can also set a remote target url, for example
# services.backups.destination = "sftp://user@host[:port]/[relative|/absolute]_path";
# Supply the sftp password by appending the FTP_PASSWORD environment variable
# to secrets/backup-encryption-env like so
# `echo "FTP_PASSWORD=<password>" >> secrets/backup-encryption-env`
# You many also need to set a ssh host and publickey with
# programs.ssh.knownHosts."host" = {
# hostNames = [ "host" ];
# publicKey = "<ssh public from `ssh-keyscan`>";
# };
# If you also want to backup bulk data like the Bitcoin & Liquid blockchains
# and electrs data directory, enable
# services.backups.with-bulk-data = true;
### JOINMARKET
# Enable this module to allow using JoinMarket's user interactive scripts (including
# tumbler.py).
# Note: JoinMarket has full access to bitcoind, including its wallet functionality.
# services.joinmarket.enable = true;
# Enable this option to enable the JoinMarket Yield Generator Bot. You will be able to
# earn sats by providing CoinJoin liquidity. This makes it impossible to use other
# scripts that access your wallet.
# services.joinmarket.yieldgenerator.enable = true;
# Enable this option to enable the JoinMarket order book watcher.
# services.joinmarket-ob-watcher.enable = true;
# FIXME: Define your hostname.
networking.hostName = "nix-bitcoin";
time.timeZone = "UTC";
# FIXME: Add your SSH pubkey
services.openssh.enable = true;
users.users.root = {
openssh.authorizedKeys.keys = [ "" ];
};
# FIXME: add packages you need in your system
environment.systemPackages = with pkgs; [
vim
];
# FIXME: Add custom options (like boot options, output of
# nixos-generate-config, etc.):
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
# The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide hints for migrating your config to the new release.
nix-bitcoin.configVersion = "0.0.41";
}