greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ad23b508e3
nix-bitcoin/modules/nix-bitcoin.nix
Jonas Nick a985abcd21
Merge #133: Improve modularity, remove dependency on nixops, add modules test 
187ff884db add modules test (Erik Arvstedt)
826245484e make secrets dir location configurable (Erik Arvstedt)
b1e13e9415 simplify secrets file format (Erik Arvstedt)
314272a228 lnd, nanopos: move user and group definitions to the bottom (Erik Arvstedt)
766fa4f300 travis: cache all build outputs with cachix (Erik Arvstedt)
b0e759160d travis: set NIX_PATH as early as possible (Erik Arvstedt)
c51bbcf104 travis: move comment (Erik Arvstedt)
7092dce0c7 travis: remove use of deprecated statements (Erik Arvstedt)
190a92507c travis: split up scripts into statements (Erik Arvstedt)
10d6b04ac8 support enabling clightning and lnd simultaneously (Erik Arvstedt)
ad7a519284 bitcoind: wait until RPC port is open (Erik Arvstedt)
5536b64fb3 lnd: wait until wallet is created (Erik Arvstedt)
6f2a55d63c lnd: wait until RPC port is open (Erik Arvstedt)
1868bef462 lnd: add option 'rpcPort' (Erik Arvstedt)
120e3e8cfe lnd postStart: suppress curl response output (Erik Arvstedt)
3e86637327 lnd postStart: poll for REST service availability (Erik Arvstedt)
795c51dc01 lnd postStart: make more idiomatic (Erik Arvstedt)
6e58beae8a lnd: use postStart option for script (Erik Arvstedt)
86167c6e6d clightning: wait until the RPC socket appears (Erik Arvstedt)
60c732a6a1 onion-chef: set RemainAfterExit, fix tor dependency (Erik Arvstedt)
2b9b3ba1c5 systemPackages: improve readability with shorter service references (Erik Arvstedt)
14ecb5511a liquid: add cli option (Erik Arvstedt)
cd5ed39b9c lnd: add cli option (Erik Arvstedt)
1833b15888 clightning: add cli option (Erik Arvstedt)
b90bf6691b add generate-secrets.service (Erik Arvstedt)
6447694214 add generate-secrets pkg (Erik Arvstedt)
e34093a8ac generate_secrets.sh: add opensslConf option (Erik Arvstedt)
9d14d5ba64 generate_secrets.sh: write secrets to working directory (Erik Arvstedt)
51fb054001 generate_secrets.sh: extract makepw command (Erik Arvstedt)
e3b47ce18a add setup-secrets.service (Erik Arvstedt)
437b268433 extract make-secrets.nix (Erik Arvstedt)
f9c29b9318 simplify secret definitions (Erik Arvstedt)
cd0fd6926b don't copy secret files to store during nixops deployment (Erik Arvstedt)
f0a36fe0c7 add 'nix-bitcoin-services' option (Erik Arvstedt)
7aaf30501c nix-bitcoin-services: simplify formatting (Erik Arvstedt)
760da232e0 add nix-bitcoin pkgs namespace (Erik Arvstedt)
6def181dbc add modules.nix (Erik Arvstedt)
3b842e5fe7 add nix-bitcoin-secrets.target (Erik Arvstedt)
bbf2bbc04a network.nix: simplify import of main config (Erik Arvstedt)
7e021a2629 simplify overlay.nix (Erik Arvstedt)
07dc3e04ac move bitcoinrpc group definition to bitcoind (Erik Arvstedt)
d61b185c3a simplify user and group definitions (Erik Arvstedt)

Pull request description:

  The nix-bitcoin modules consist of three fundamental components:
  1. a set of bitcoin-related modules for general use.
  2. an opinionated configuration of these modules (`nix-bitcoin.nix`), to be deployed on a
     dedicated machine.
  3. machinery for nixops deployment.

  This PR removes dependencies that reach from top to bottom in the list.
  This means that 1. is now usable on its own and that 2. can be used without 3.

  Besides improving nix-bitcoin's general usefulness, this
  - simplifies testing. This PR includes a Travis-enabled modules test using the NixOS testing framework.
  - paves the way for krops deployment.
  - unlocks direct deployment in NixOS containers which allows for super fast experimentation.

  ### Details
  Here are the unnecessary inter-component dependencies and how they're resolved by the commits. I'm using the numbering from the list above.

  - `1. -> 3.` The modules (1.) use the nixops-specific (3.) `keys` group.
    Resolved by `add nix-bitcoin-secrets.target`.

  - `1. -> 3.` 1. requires nixops-specific key services.
    Resolved by `add nix-bitcoin-secrets.target`.

  - `1. -> 2.` bitcoind needs the bitcoinrpc group which is defined in `nix-bitcoin.nix` (2.).
    Resolved by `move bitcoinrpc group definition to bitcoind`.

  Further obstacles for standalone usage of 1.:

  - We can't easily import 1. as a standalone module set.
    Resolved by `add modules.nix`.

  - Users of 1. shouldn't be forced to import nix-bitcoin's packages as top-level items in the pkgs namespace.
    Resolved by `add nix-bitcoin pkgs namespace`.

  ### Non-nixops deployments
  Commit `add setup-secrets.service` simplifies non-nixops deployment methods like containers, NixOS VMs or krops.

  Secrets can now deployed as follows:
  1. create local secrets.
  2. transfer secrets to machine.
  3. on the machine, `setup-secrets.service` creates extra secrets from `secrets.nix` and sets owner and
     permissions for all secrets.

  As krops integrates step 2. we now have all ingredients for automatic krops deployment.

  The service is complicated by the creation of secrets like `bitcoin-rpcpassword` that are composed of attrs from `secrets.nix` instead of being simply backed by a file like `lnd_key`. We could simplify this by creating all secret files locally.

  Running nix-bitcoin in NixOS containers gives you faster rebuild cycles when developing. [Here's](https://gist.github.com/5db4fa7dd3f1137920b58e39647116f6) an example.

  ### Test
  The last commits starting with `clightning: add cli option` are testing-related and mostly fix non-critical bugs that were exposed by the test.

  All `STABLE=1` builds from the Travis build matrix are implicit in the modules test.
  Should we remove these individual builds?

  Regarding commit `travis: cache all build outputs with cachix`:
  To replace my cache with a cache that's owned by you (maybe named `nix-bitcoin-ci`), run
  ```
  nix-shell -p travis --run 'travis encrypt CACHIX_SIGNING_KEY=... -r fort-nix/nix-bitcoin'
  ```
  where `...` is the value of `secretKey` in `~/.config/cachix/cachix.dhall`. Let me know the travis secret and I'll fixup the commit.

  ### Docs
  If you like the proposed changes, I'll add another PR with updates to the docs regarding the project layout, non-nixops deployment, and how to use nix-bitcoin within a larger NixOS config.

ACKs for top commit:
  jonasnick:
    ACK 187ff884db

Tree-SHA512: f4be65215c592a4f41bb7fa991a6d8d7c463cf631b88bf53051ca57ba280e7a60b8b09d0d1521345d5b656f844daa2166fff5d00a3105077c9e263465eacfb0a
2020-01-13 08:22:17 +00:00

187 lines
6.3 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.nix-bitcoin;
operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''
mkdir -p ${config.users.users.operator.home}/.ssh
if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then
cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys
fi
if [ -e "/etc/ssh/authorized_keys.d/root" ]; then
cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys
fi
chown -R operator ${config.users.users.operator.home}/.ssh
'';
in {
imports = [ ./modules.nix ];
options.services.nix-bitcoin = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, the nix-bitcoin service will be installed.
'';
};
};
config = mkIf cfg.enable {
nix-bitcoin.secretsDir = mkDefault "/secrets";
networking.firewall.enable = true;
# Tor
services.tor.enable = true;
services.tor.client.enable = true;
# LND uses ControlPort to create onion services
services.tor.controlPort = if config.services.lnd.enable then 9051 else null;
# Tor SSH service
services.tor.hiddenServices.sshd = {
map = [{
port = 22;
}];
version = 3;
};
# bitcoind
services.bitcoind.enable = true;
services.bitcoind.listen = true;
services.bitcoind.sysperms = if config.services.electrs.enable then true else null;
services.bitcoind.disablewallet = if config.services.electrs.enable then true else null;
services.bitcoind.proxy = config.services.tor.client.socksListenAddress;
services.bitcoind.enforceTor = true;
services.bitcoind.port = 8333;
services.bitcoind.rpcuser = "bitcoinrpc";
services.bitcoind.zmqpubrawblock = "tcp://127.0.0.1:28332";
services.bitcoind.zmqpubrawtx = "tcp://127.0.0.1:28333";
services.bitcoind.extraConfig = ''
assumevalid=00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6
addnode=ecoc5q34tmbq54wl.onion
discover=0
addresstype=bech32
changetype=bech32
'';
services.bitcoind.prune = 0;
services.bitcoind.dbCache = 1000;
services.tor.hiddenServices.bitcoind = {
map = [{
port = config.services.bitcoind.port;
}];
version = 3;
};
# clightning
services.clightning.bitcoin-rpcuser = config.services.bitcoind.rpcuser;
services.clightning.proxy = config.services.tor.client.socksListenAddress;
services.clightning.enforceTor = true;
services.clightning.always-use-proxy = true;
services.clightning.bind-addr = "127.0.0.1:9735";
services.tor.hiddenServices.clightning = {
map = [{
port = 9735; toPort = 9735;
}];
version = 3;
};
# lnd
services.lnd.enforceTor = true;
# Create user operator which can use bitcoin-cli and lightning-cli
users.users.operator = {
isNormalUser = true;
extraGroups = [ config.services.bitcoind.group ]
++ (if config.services.clightning.enable then [ "clightning" ] else [ ])
++ (if config.services.lnd.enable then [ "lnd" ] else [ ])
++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ])
++ (if (config.services.hardware-wallets.ledger || config.services.hardware-wallets.trezor)
then [ config.services.hardware-wallets.group ] else [ ]);
};
# Give operator access to onion hostnames
services.onion-chef.enable = true;
services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
# https://github.com/ElementsProject/lightning/issues/1366
security.sudo.configFile =
(optionalString config.services.clightning.enable ''
operator ALL=(clightning) NOPASSWD: ALL
'') +
(optionalString config.services.lnd.enable ''
operator ALL=(lnd) NOPASSWD: ALL
'');
# Give root ssh access to the operator account
systemd.services.copy-root-authorized-keys = {
description = "Copy root authorized keys";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";
user = "root";
type = "oneshot";
};
};
services.nix-bitcoin-webindex.enforceTor = true;
services.liquidd.rpcuser = "liquidrpc";
services.liquidd.prune = 1000;
services.liquidd.extraConfig = "
mainchainrpcuser=${config.services.bitcoind.rpcuser}
mainchainrpcport=8332
";
services.liquidd.validatepegin = true;
services.liquidd.listen = true;
services.liquidd.proxy = config.services.tor.client.socksListenAddress;
services.liquidd.enforceTor = true;
services.liquidd.port = 7042;
services.tor.hiddenServices.liquidd = {
map = [{
port = config.services.liquidd.port; toPort = config.services.liquidd.port;
}];
version = 3;
};
services.spark-wallet.onion-service = true;
services.electrs.port = 50001;
services.electrs.enforceTor = true;
services.electrs.onionport = 50002;
services.electrs.nginxport = 50003;
services.tor.hiddenServices.electrs = {
map = [{
port = config.services.electrs.onionport; toPort = config.services.electrs.nginxport;
}];
version = 3;
};
environment.systemPackages = with pkgs; with nix-bitcoin; let
s = config.services;
in
[
tor
bitcoind
(hiPrio s.bitcoind.cli)
nodeinfo
jq
qrencode
]
++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]
++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]
++ optionals s.lightning-charge.enable [lightning-charge]
++ optionals s.nanopos.enable [nanopos]
++ optionals s.nix-bitcoin-webindex.enable [nginx]
++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]
++ optionals s.spark-wallet.enable [spark-wallet]
++ optionals s.electrs.enable [electrs]
++ optionals (s.hardware-wallets.ledger || s.hardware-wallets.trezor) [
hwi
# To allow debugging issues with lsusb
usbutils
]
++ optionals s.hardware-wallets.trezor [
python3.pkgs.trezor
];
};
}
Reference in New Issue View Git Blame Copy Permalink