nix-bitcoin

Go to file

0a2c8e4864dc30b6d1ed86a16793d37699707650 run-tests: add option --copy-src (Erik Arvstedt)
803584a28889f27ebdc57bf165edff7cec9dfc6b backups: don't use hardcoded secrets dir (Erik Arvstedt)
c29d44b49a734b3268cf49811356ff4483fb6ed2 ci: use 'cachix watch-exec' (Erik Arvstedt)
6a32812412ccbd1912b97bae611c6788b2cb77f9 services: add names for systemd helper scripts (Erik Arvstedt)
69826996131d2d9169cffc2eeb019b2f43a42a9c services: use consistent layout (Erik Arvstedt)
a43534dda0c52c9d070aa30c4cc60ad3ef6a26d6 services: improve config file setup (Erik Arvstedt)
18f2002cf0a514f5fcbadb77e9318bcca7c49506 joinmarket-yieldgenerator: improve systemd journal output (Erik Arvstedt)
9d0b8c8f6fba676f9ecf61705e569e59ec16b3af joinmarket-ob-watcher: use DynamicUser (Erik Arvstedt)
e9c98f415cc164628d7ccdacf066b8decca95afd joinmarket: explain need for tor control socket (Erik Arvstedt)
d9c87b6a8f5f2649a8502e494cc2bc34397bd174 joinmarket: fix wallet creation (Erik Arvstedt)
745835010899aac6518a32dceaeace368ed2b327 treewide: remove deprecated types.loaOf (Erik Arvstedt)
9cf038939cc67f57ed11d270a8049483872a719b treewide: use mkEnableOption (Erik Arvstedt)
7a97304f13d2373c685243172b0cd2a10213f745 treewide: remove unit descriptions (Erik Arvstedt)
a942177ecf8fe7b28d4218e9fc80bd4c4a4e0341 treewide: remove user descriptions (Erik Arvstedt)
4f6ff408efef3f8550baa0a62a5a0e40570499a1 treewide: remove unneeded string literals (Erik Arvstedt)
e6a6c721c1d1e3b8ca85f1765edb9f1fa8df6be5 treewide: streamline 'extraConfig' descriptions (Erik Arvstedt)
e774c045de5e6c9934bc1410edd5f2bc9980da17 treewide: fix formatting (Erik Arvstedt)
0b5b29a2a3903122897badfb0b6841eef260a0f1 netns-isolation: simplify permission definition for netns-exec (Erik Arvstedt)
a587a2b02a9d611b092d76cfa0f8e225eb48e365 defaultHardening: explain where @system-service is defined (Erik Arvstedt)
bb3a69797e96eb06c222ac64cc82ce99e11e9072 README: minor improvements (Erik Arvstedt)
13fc9dfabfd16f164f2dc3124a752d68f79cb9ab examples: improve introductory comments (Erik Arvstedt)
af2040f4c46547fa4bfd2e03d0f964c4b656de07 netns-isolation: use 'true' for systemd option (Erik Arvstedt)
c246bbb36e700a42e452a3c486b2c3240fee0ef4 bitcoind, clightning, lnd: improve descriptions (Erik Arvstedt)
7533f12ef19733036e93923421859d3a8b055c61 bitcoind, clightning, run-tests: minor refactoring (Erik Arvstedt)
41fe9b0c1dfbee8cc304a0ba923c3dcb2b4c53a0 elementsd: minor refactoring (Erik Arvstedt)
f0850d3f2346ae2b7a05e96b8c79a44b5fc8376b btcpayserver: reorder config settings (Erik Arvstedt)
d1c0ea9f85d40d28a239f171947de1b9a1cb19ef btcpayserver: add missing systemd postgresql dependency (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 0a2c8e4864dc30b6d1ed86a16793d37699707650

Tree-SHA512: 5c81b36042fbb2f016c8e58ba9e05ef3389d5376b8df713d3258d2cd0b6a9239904531171aca8e49bea7039341d5fa91aa9474c6d98de849c25ede52deccc5a3

2021-02-08 20:32:03 +00:00

ci: use 'cachix watch-exec'

2021-02-07 22:45:37 +01:00

docs

docs: add zeus usage instructions

2021-02-05 09:17:15 +01:00

examples

Merge #312 : Refactorings, cleanups

2021-02-08 20:32:03 +00:00

helper

Fetch from the nixpkgs repo instead of nixpkgs-channels

2020-12-06 21:42:20 +00:00

modules

backups: don't use hardcoded secrets dir

2021-02-07 22:45:38 +01:00

pkgs

Merge #312 : Refactorings, cleanups

2021-02-08 20:32:03 +00:00

test

Merge #312 : Refactorings, cleanups

2021-02-08 20:32:03 +00:00

.cirrus.yml

fix build-to-cachix

2021-01-30 11:38:47 +01:00

.gitignore

Fix typo in gitignore

2020-11-24 18:25:12 +01:00

default.nix

simplify overlay.nix

2020-01-09 10:43:29 +01:00

LICENSE

Add license

2019-01-02 14:03:52 +00:00

overlay.nix

simplify overlay.nix

2020-01-09 10:43:29 +01:00

README.md

README: minor improvements

2021-02-07 22:39:06 +01:00

shell.nix

Clean up development shell.nix

2020-03-30 10:49:15 +02:00

README.md

nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing full-featured Bitcoin nodes with an emphasis on security.

Overview

A Bitcoin node verifies the Bitcoin protocol and provides ways of interacting with the Bitcoin network. nix-bitcoin nodes are used for a variety of purposes and can serve as personal or merchant wallets, second layer public infrastructure and as backends for Bitcoin applications. In all cases, the aim is to provide security and privacy by default. However, while nix-bitcoin is used in production today, it is still considered experimental.

A full installation of nix-bitcoin is usually deployed either on a dedicated (virtual) machine or runs in a container and is online 24/7. Alternatively, the Nix packages, NixOS modules and configurations can be used independently and combined freely.

nix-bitcoin is built on top of Nix and NixOS which provide powerful abstractions to keep it highly customizable and maintainable. Testament to this are nix-bitcoin's robust security features and its potent test framework. However, running nix-bitcoin does not require any previous experience with the Nix ecosystem.

Examples

See here for examples.

Features

A configuration preset for setting up a secure node

All applications use Tor for outbound connections and support accepting inbound connections via onion services.

NixOS modules

Application services
- bitcoind, with a default banlist against spy nodes
- clightning with support for announcing an onion service
  Available plugins:
  - clboss: automated C-Lightning Node Manager
  - helpme: walks you through setting up a fresh c-lightning node
  - monitor: helps you analyze the health of your peers and channels
  - prometheus: lightning node exporter for the prometheus timeseries server
  - rebalance: keeps your channels balanced
  - summary: print a nice summary of the node status
  - zmq: publishes notifications via ZeroMQ to configured endpoints
- lnd with support for announcing an onion service
  - lndconnect via a REST onion service
- spark-wallet
- electrs
- btcpayserver
- liquid
- Lightning Loop
- JoinMarket
  - JoinMarket Orderbook Watcher
- recurring-donations: for periodic lightning payments
- bitcoin-core-hwi
Helper
- netns-isolation: isolates applications on the network-level via network namespaces
- nodeinfo: script which prints info about the node's services
- backups: duplicity backups of all your node's important files
- operator: adds non-root user operator who has access to client tools (e.g. bitcoin-cli, lightning-cli)

Security

Simplicity: Only services you select in configuration.nix and their dependencies are installed, packages and dependencies are pinned, most packages are built from the NixOS stable channel, with a few exceptions that are built from the nixpkgs unstable channel, builds happen in a sandboxed environment, code is continuously reviewed and refined.
Integrity: Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves.
Principle of Least Privilege: Services operate with least privileges; they each have their own user and are restricted further with systemd options, RPC whitelisting, and netns-isolation. There's a non-root user operator to interact with the various services.
Defense-in-depth: nix-bitcoin is built with a hardened kernel by default, services are confined through discretionary access control, Linux namespaces, dbus firewall and seccomp-bpf with continuous improvements.

Note that if the machine you're deploying from is insecure, there is nothing nix-bitcoin can do to protect itself.

Docs

Troubleshooting

If you are having problems with nix-bitcoin check the FAQ or submit an issue. There's also a #nix-bitcoin IRC channel on freenode. We are always happy to help.