nix-bitcoin/modules/presets/secure-node.nix

{ config, lib, pkgs, ... }:

with lib;

let
  mkHiddenService = map: {
    map = [ map ];
    version = 3;
  };

  operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''
    mkdir -p ${config.users.users.operator.home}/.ssh
    if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then
      cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys
    fi
    if [ -e "/etc/ssh/authorized_keys.d/root" ]; then
      cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys
    fi
    chown -R operator ${config.users.users.operator.home}/.ssh
  '';
in {
  imports = [ ../modules.nix ];

  config =  {
    # For backwards compatibility only
    nix-bitcoin.secretsDir = mkDefault "/secrets";

    networking.firewall.enable = true;

    # Tor
    services.tor = {
      enable = true;
      client.enable = true;
      # LND uses ControlPort to create onion services
      controlPort = mkIf config.services.lnd.enable 9051;

      hiddenServices.sshd = mkHiddenService { port = 22; };
    };

    # bitcoind
    services.bitcoind = {
      enable = true;
      listen = true;
      sysperms = if config.services.electrs.enable then true else null;
      disablewallet = if config.services.electrs.enable then true else null;
      proxy = config.services.tor.client.socksListenAddress;
      enforceTor = true;
      port = 8333;
      zmqpubrawblock = "tcp://127.0.0.1:28332";
      zmqpubrawtx = "tcp://127.0.0.1:28333";
      assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
      addnodes = [ "ecoc5q34tmbq54wl.onion" ];
      discover = false;
      addresstype = "bech32";
      prune = 0;
      dbCache = 1000;
    };
    services.tor.hiddenServices.bitcoind = mkHiddenService { port = config.services.bitcoind.port; };

    # clightning
    services.clightning = {
      bitcoin-rpcuser = config.services.bitcoind.rpcuser;
      proxy = config.services.tor.client.socksListenAddress;
      enforceTor = true;
      always-use-proxy = true;
      bind-addr = "127.0.0.1:9735";
    };
    services.tor.hiddenServices.clightning = mkHiddenService { port = 9735; };

    # lnd
    services.lnd.enforceTor = true;

    # Create user operator which can use bitcoin-cli and lightning-cli
    users.users.operator = {
      isNormalUser = true;
      extraGroups = [ config.services.bitcoind.group ]
        ++ (if config.services.clightning.enable then [ "clightning" ] else [ ])
        ++ (if config.services.lnd.enable then [ "lnd" ] else [ ])
        ++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ])
        ++ (if (config.services.hardware-wallets.ledger || config.services.hardware-wallets.trezor)
          then [ config.services.hardware-wallets.group ] else [ ]);
    };
    # Give operator access to onion hostnames
    services.onion-chef.enable = true;
    services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

    # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
    # https://github.com/ElementsProject/lightning/issues/1366
    security.sudo.configFile =
     (optionalString config.services.clightning.enable ''
       operator    ALL=(clightning) NOPASSWD: ALL
     '') +
     (optionalString config.services.lnd.enable ''
       operator    ALL=(lnd) NOPASSWD: ALL
     '');

    # Give root ssh access to the operator account
    systemd.services.copy-root-authorized-keys = {
      description = "Copy root authorized keys";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";
        user = "root";
        type = "oneshot";
      };
    };

    services.nix-bitcoin-webindex.enforceTor = true;

    services.liquidd = {
      rpcuser = "liquidrpc";
      prune = 1000;
      extraConfig = "
      mainchainrpcuser=${config.services.bitcoind.rpcuser}
      mainchainrpcport=8332
    ";
      validatepegin = true;
      listen = true;
      proxy = config.services.tor.client.socksListenAddress;
      enforceTor = true;
      port = 7042;
    };
    services.tor.hiddenServices.liquidd = mkHiddenService { port = config.services.liquidd.port; };

    services.spark-wallet.onion-service = true;

    services.electrs = {
      port = 50001;
      enforceTor = true;
      onionport = 50002;
      TLSProxy.enable = true;
      TLSProxy.port = 50003;
    };
    services.tor.hiddenServices.electrs = mkHiddenService {
      port = config.services.electrs.onionport;
      toPort = config.services.electrs.TLSProxy.port;
    };

    environment.systemPackages = with pkgs; with nix-bitcoin; let
      s = config.services;
    in
    [
      tor
      bitcoind
      (hiPrio s.bitcoind.cli)
      nodeinfo
      jq
      qrencode
    ]
    ++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]
    ++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]
    ++ optionals s.lightning-charge.enable [lightning-charge]
    ++ optionals s.nanopos.enable [nanopos]
    ++ optionals s.nix-bitcoin-webindex.enable [nginx]
    ++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]
    ++ optionals s.spark-wallet.enable [spark-wallet]
    ++ optionals s.electrs.enable [electrs]
    ++ optionals (s.hardware-wallets.ledger || s.hardware-wallets.trezor) [
        hwi
        # To allow debugging issues with lsusb
        usbutils
    ]
    ++ optionals s.hardware-wallets.trezor [
        python3.pkgs.trezor
    ];
  };
}
Add onion listening node with tor HS v3 2018-11-20 02:09:57 +03:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 23:47:37 +03:00			`mkHiddenService = map: {`
			`map = [ map ];`
			`version = 3;`
			`};`

rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-07 23:47:32 +03:00			`operatorCopySSH = pkgs.writeText "operator-copy-ssh.sh" ''`
Don't assume virtual box deployments when copying authorized keys 2018-12-11 02:11:44 +03:00			`mkdir -p ${config.users.users.operator.home}/.ssh`
			`if [ -e "${config.users.users.root.home}/.vbox-nixops-client-key" ]; then`
			`cp ${config.users.users.root.home}/.vbox-nixops-client-key ${config.users.users.operator.home}/.ssh/authorized_keys`
			`fi`
			`if [ -e "/etc/ssh/authorized_keys.d/root" ]; then`
			`cat /etc/ssh/authorized_keys.d/root >> ${config.users.users.operator.home}/.ssh/authorized_keys`
			`fi`
			`chown -R operator ${config.users.users.operator.home}/.ssh`
			`'';`
Add onion listening node with tor HS v3 2018-11-20 02:09:57 +03:00			`in {`
rename nix-bitcoin.nix -> presets/secure-node.nix 2020-04-07 23:47:32 +03:00			`imports = [ ../modules.nix ];`
add clightning 2018-11-22 21:32:26 +03:00
add nix-bitcoin.nix for backwards compatibility 2020-04-07 23:47:33 +03:00			`config = {`
			`# For backwards compatibility only`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 22:52:39 +03:00			`nix-bitcoin.secretsDir = mkDefault "/secrets";`

Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 22:16:24 +03:00			`networking.firewall.enable = true;`

add clightning 2018-11-22 21:32:26 +03:00			`# Tor`
improve grouping of suboptions 2020-04-07 23:47:35 +03:00			`services.tor = {`
			`enable = true;`
			`client.enable = true;`
			`# LND uses ControlPort to create onion services`
use mkIf 2020-04-07 23:47:36 +03:00			`controlPort = mkIf config.services.lnd.enable 9051;`
add clightning 2018-11-22 21:32:26 +03:00
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 23:47:37 +03:00			`hiddenServices.sshd = mkHiddenService { port = 22; };`
Switch to stable channel but pull the bitcoind and clightning packages and the tor module from unstable 2019-01-01 22:16:24 +03:00			`};`
Add sshd onion service 2018-12-28 00:22:52 +03:00
Add Carl's bitcoind module 2018-11-23 03:46:56 +03:00			`# bitcoind`
improve grouping of suboptions 2020-04-07 23:47:35 +03:00			`services.bitcoind = {`
			`enable = true;`
			`listen = true;`
			`sysperms = if config.services.electrs.enable then true else null;`
			`disablewallet = if config.services.electrs.enable then true else null;`
			`proxy = config.services.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`port = 8333;`
			`zmqpubrawblock = "tcp://127.0.0.1:28332";`
			`zmqpubrawtx = "tcp://127.0.0.1:28333";`
			`assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";`
			`addnodes = [ "ecoc5q34tmbq54wl.onion" ];`
			`discover = false;`
			`addresstype = "bech32";`
			`prune = 0;`
			`dbCache = 1000;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 23:47:37 +03:00			`services.tor.hiddenServices.bitcoind = mkHiddenService { port = config.services.bitcoind.port; };`
add clightning 2018-11-22 21:32:26 +03:00
			`# clightning`
improve grouping of suboptions 2020-04-07 23:47:35 +03:00			`services.clightning = {`
			`bitcoin-rpcuser = config.services.bitcoind.rpcuser;`
			`proxy = config.services.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`always-use-proxy = true;`
			`bind-addr = "127.0.0.1:9735";`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 23:47:37 +03:00			`services.tor.hiddenServices.clightning = mkHiddenService { port = 9735; };`
Add index page with nginx 2018-12-01 23:48:58 +03:00
Add LND support 2019-08-05 11:44:38 +03:00			`# lnd`
			`services.lnd.enforceTor = true;`

Clean up a bit 2018-12-02 01:00:39 +03:00			`# Create user operator which can use bitcoin-cli and lightning-cli`
Add operator user 2018-11-29 02:54:19 +03:00			`users.users.operator = {`
Add guest user with same ssh keys as root and fix nodeinfo not waiting for clightning to warm up 2018-11-23 18:49:13 +03:00			`isNormalUser = true;`
Stop assuming that clightning is always enabled 2019-04-05 16:49:38 +03:00			`extraGroups = [ config.services.bitcoind.group ]`
			`++ (if config.services.clightning.enable then [ "clightning" ] else [ ])`
Add LND support 2019-08-05 11:44:38 +03:00			`++ (if config.services.lnd.enable then [ "lnd" ] else [ ])`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 23:39:25 +03:00			`++ (if config.services.liquidd.enable then [ config.services.liquidd.group ] else [ ])`
			`++ (if (config.services.hardware-wallets.ledger \|\| config.services.hardware-wallets.trezor)`
			`then [ config.services.hardware-wallets.group ] else [ ]);`
Add guest user with same ssh keys as root and fix nodeinfo not waiting for clightning to warm up 2018-11-23 18:49:13 +03:00			`};`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 17:46:13 +03:00			`# Give operator access to onion hostnames`
			`services.onion-chef.enable = true;`
Remove lnd user from onion-chef 2019-08-25 03:11:45 +03:00			`services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];`
Give operator access to onion hostnames through new onion-manager module 2019-03-29 17:46:13 +03:00
Add operator user 2018-11-29 02:54:19 +03:00			`# Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket`
			`# https://github.com/ElementsProject/lightning/issues/1366`
support enabling clightning and lnd simultaneously Needed for testing. 2019-11-27 16:04:47 +03:00			`security.sudo.configFile =`
			`(optionalString config.services.clightning.enable ''`
			`operator ALL=(clightning) NOPASSWD: ALL`
			`'') +`
			`(optionalString config.services.lnd.enable ''`
			`operator ALL=(lnd) NOPASSWD: ALL`
			`'');`
Add operator user 2018-11-29 02:54:19 +03:00
			`# Give root ssh access to the operator account`
Add guest user with same ssh keys as root and fix nodeinfo not waiting for clightning to warm up 2018-11-23 18:49:13 +03:00			`systemd.services.copy-root-authorized-keys = {`
			`description = "Copy root authorized keys";`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
Don't assume virtual box deployments when copying authorized keys 2018-12-11 02:11:44 +03:00			`ExecStart = "${pkgs.bash}/bin/bash \"${operatorCopySSH}\"";`
cleanups 2018-11-21 01:21:45 +03:00			`user = "root";`
			`type = "oneshot";`
			`};`
			`};`
Add guest user with same ssh keys as root and fix nodeinfo not waiting for clightning to warm up 2018-11-23 18:49:13 +03:00
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-28 02:53:26 +03:00			`services.nix-bitcoin-webindex.enforceTor = true;`

improve grouping of suboptions 2020-04-07 23:47:35 +03:00			`services.liquidd = {`
			`rpcuser = "liquidrpc";`
			`prune = 1000;`
			`extraConfig = "`
Enable validatepegin in liquid module 2019-02-11 11:02:11 +03:00			`mainchainrpcuser=${config.services.bitcoind.rpcuser}`
			`mainchainrpcport=8332`
			`";`
improve grouping of suboptions 2020-04-07 23:47:35 +03:00			`validatepegin = true;`
			`listen = true;`
			`proxy = config.services.tor.client.socksListenAddress;`
			`enforceTor = true;`
			`port = 7042;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 23:47:37 +03:00			`services.tor.hiddenServices.liquidd = mkHiddenService { port = config.services.liquidd.port; };`
Use IPAddress{Allow,Deny} by default for systemd services 2019-04-28 02:53:26 +03:00
Fix spark wallet QR code display by providing the onion hostname as public url 2019-03-27 03:49:54 +03:00			`services.spark-wallet.onion-service = true;`
improve grouping of suboptions 2020-04-07 23:47:35 +03:00
			`services.electrs = {`
			`port = 50001;`
			`enforceTor = true;`
			`onionport = 50002;`
			`TLSProxy.enable = true;`
			`TLSProxy.port = 50003;`
			`};`
extract 'mkHiddenService' toPort equals port by default. 2020-04-07 23:47:37 +03:00			`services.tor.hiddenServices.electrs = mkHiddenService {`
			`port = config.services.electrs.onionport;`
			`toPort = config.services.electrs.TLSProxy.port;`
Fix electrs and add electrs hidden service 2019-02-25 19:00:50 +03:00			`};`
improve grouping of suboptions 2020-04-07 23:47:35 +03:00
systemPackages: improve readability with shorter service references 2019-11-27 16:04:36 +03:00			`environment.systemPackages = with pkgs; with nix-bitcoin; let`
			`s = config.services;`
			`in`
			`[`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 17:50:30 +03:00			`tor`
add nix-bitcoin pkgs namespace Not polluting the main pkgs namespace with internal pkgs makes it easier to integrate the nix-bitcoin modules into a larger config. Also, by overriding the nix-bitcoin namespace, users can now easily set the packages used by services that offer no explicit `package` option, like `clightning`. 2019-11-27 16:04:21 +03:00			`bitcoind`
systemPackages: improve readability with shorter service references 2019-11-27 16:04:36 +03:00			`(hiPrio s.bitcoind.cli)`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 17:50:30 +03:00			`nodeinfo`
			`jq`
Add qrencode package 2019-05-18 03:00:35 +03:00			`qrencode`
Remove profiles and replace with options to enable/disable each module separately in configuration.nix 2019-04-06 17:50:30 +03:00			`]`
systemPackages: improve readability with shorter service references 2019-11-27 16:04:36 +03:00			`++ optionals s.clightning.enable [clightning (hiPrio s.clightning.cli)]`
			`++ optionals s.lnd.enable [lnd (hiPrio s.lnd.cli)]`
			`++ optionals s.lightning-charge.enable [lightning-charge]`
			`++ optionals s.nanopos.enable [nanopos]`
			`++ optionals s.nix-bitcoin-webindex.enable [nginx]`
			`++ optionals s.liquidd.enable [elementsd (hiPrio s.liquidd.cli) (hiPrio s.liquidd.swap-cli)]`
			`++ optionals s.spark-wallet.enable [spark-wallet]`
			`++ optionals s.electrs.enable [electrs]`
			`++ optionals (s.hardware-wallets.ledger \|\| s.hardware-wallets.trezor) [`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 23:39:25 +03:00			`hwi`
systemPackages: improve readability with shorter service references 2019-11-27 16:04:36 +03:00			`# To allow debugging issues with lsusb`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 23:39:25 +03:00			`usbutils`
			`]`
systemPackages: improve readability with shorter service references 2019-11-27 16:04:36 +03:00			`++ optionals s.hardware-wallets.trezor [`
Switch from python 3.5 to python 3.x for trezor 2019-10-27 22:52:56 +03:00			`python3.pkgs.trezor`
Add support for ledger and trezor with bitcoin-core/HWI 2019-04-29 23:39:25 +03:00			`];`
Add bitcoind onion service 2018-11-20 03:22:16 +03:00			`};`
Add onion listening node with tor HS v3 2018-11-20 02:09:57 +03:00			`}`