d959d5b558
This simplifies the docs and the secure-node module. This change doesn't affect users that deploy via krops.
62 lines
1.4 KiB
Nix
62 lines
1.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services;
|
|
nbLib = config.nix-bitcoin.lib;
|
|
operatorName = config.nix-bitcoin.operator.name;
|
|
in {
|
|
imports = [
|
|
../modules.nix
|
|
./enable-tor.nix
|
|
];
|
|
|
|
options = {
|
|
# Used by ../versioning.nix
|
|
nix-bitcoin.secure-node-preset-enabled = {};
|
|
};
|
|
|
|
config = {
|
|
networking.firewall.enable = true;
|
|
|
|
nix-bitcoin.security.dbusHideProcessInformation = true;
|
|
|
|
# Use doas instead of sudo
|
|
security.doas.enable = true;
|
|
security.sudo.enable = false;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
jq
|
|
];
|
|
|
|
# sshd
|
|
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
|
|
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
|
|
|
|
services.bitcoind = {
|
|
enable = true;
|
|
listen = true;
|
|
dbCache = 1000;
|
|
};
|
|
|
|
services.liquidd = {
|
|
# Enable `validatepegin` to verify that a transaction sending BTC into
|
|
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
|
|
# make the node accept a sidechain that is not fully backed.
|
|
validatepegin = true;
|
|
listen = true;
|
|
};
|
|
|
|
nix-bitcoin.nodeinfo.enable = true;
|
|
|
|
services.backups.frequency = "daily";
|
|
|
|
# operator
|
|
nix-bitcoin.operator.enable = true;
|
|
users.users.${operatorName} = {
|
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
|
|
};
|
|
};
|
|
}
|