nix-bitcoin/modules/presets/secure-node.nix
Jonas Nick bac8518e7c
secure-node: stop pruning liquidd
There is no security reason why pruning should be enabled and therefore it
surprises users. Turning on pruning in the first place was simply a mistake.
2021-10-31 14:37:56 +00:00

65 lines
1.5 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services;
nbLib = config.nix-bitcoin.lib;
operatorName = config.nix-bitcoin.operator.name;
in {
imports = [
../modules.nix
./enable-tor.nix
];
options = {
# Used by ../versioning.nix
nix-bitcoin.secure-node-preset-enabled = {};
};
config = {
# For backwards compatibility only
nix-bitcoin.secretsDir = mkDefault "/secrets";
networking.firewall.enable = true;
nix-bitcoin.security.dbusHideProcessInformation = true;
# Use doas instead of sudo
security.doas.enable = true;
security.sudo.enable = false;
environment.systemPackages = with pkgs; [
jq
];
# sshd
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
services.bitcoind = {
enable = true;
listen = true;
dbCache = 1000;
};
services.liquidd = {
# Enable `validatepegin` to verify that a transaction sending BTC into
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
# make the node accept a sidechain that is not fully backed.
validatepegin = true;
listen = true;
};
nix-bitcoin.nodeinfo.enable = true;
services.backups.frequency = "daily";
# operator
nix-bitcoin.operator.enable = true;
users.users.${operatorName} = {
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
};
};
}