nix-bitcoin/modules/presets/secure-node.nix

259 lines
7.3 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib;
let
2020-04-07 23:47:42 +03:00
cfg = config.services;
operatorName = config.nix-bitcoin.operatorName;
mkHiddenService = map: {
map = [ map ];
version = 3;
};
in {
imports = [
../modules.nix
../nodeinfo.nix
../nix-bitcoin-webindex.nix
];
2018-11-22 21:32:26 +03:00
options = {
services.clightning.onionport = mkOption {
2020-06-02 18:09:52 +03:00
type = types.port;
default = 9735;
description = "Port on which to listen for tor client connections.";
};
services.lnd.onionport = mkOption {
type = types.ints.u16;
default = 9735;
description = "Port on which to listen for tor client connections.";
};
nix-bitcoin.operatorName = mkOption {
type = types.str;
default = "operator";
description = "Less-privileged user's name.";
};
};
config = {
# For backwards compatibility only
nix-bitcoin.secretsDir = mkDefault "/secrets";
networking.firewall.enable = true;
nix-bitcoin.security.hideProcessInformation = true;
2018-11-22 21:32:26 +03:00
# Tor
2020-04-07 23:47:35 +03:00
services.tor = {
enable = true;
client.enable = true;
# LND uses ControlPort to create onion services
2020-04-07 23:47:42 +03:00
controlPort = mkIf cfg.lnd.enable 9051;
2018-11-22 21:32:26 +03:00
hiddenServices.sshd = mkHiddenService { port = 22; };
};
2018-12-28 00:22:52 +03:00
# netns-isolation
nix-bitcoin.netns-isolation = {
addressblock = 1;
};
2018-11-23 03:46:56 +03:00
# bitcoind
2020-04-07 23:47:35 +03:00
services.bitcoind = {
enable = true;
listen = true;
dataDirReadableByGroup = mkIf cfg.electrs.high-memory true;
2020-04-07 23:47:42 +03:00
proxy = cfg.tor.client.socksListenAddress;
2020-04-07 23:47:35 +03:00
enforceTor = true;
port = 8333;
assumevalid = "00000000000000000000e5abc3a74fe27dc0ead9c70ea1deb456f11c15fd7bc6";
addnodes = [ "ecoc5q34tmbq54wl.onion" ];
discover = false;
addresstype = "bech32";
dbCache = 1000;
2020-08-04 17:12:20 +03:00
# higher rpcthread count due to reports that lightning implementations fail
# under high bitcoind rpc load
rpcthreads = 16;
rpc.users.privileged = {
name = "bitcoinrpc";
# Placeholder to be sed'd out by bitcoind preStart
passwordHMAC = "bitcoin-HMAC-privileged";
};
rpc.users.public = {
name = "publicrpc";
# Placeholder to be sed'd out by bitcoind preStart
passwordHMAC = "bitcoin-HMAC-public";
rpcwhitelist = [
"echo"
"getinfo"
# Blockchain
"getbestblockhash"
"getblock"
"getblockchaininfo"
"getblockcount"
"getblockfilter"
"getblockhash"
"getblockheader"
"getblockstats"
"getchaintips"
"getchaintxstats"
"getdifficulty"
"getmempoolancestors"
"getmempooldescendants"
"getmempoolentry"
"getmempoolinfo"
"getrawmempool"
"gettxout"
"gettxoutproof"
"gettxoutsetinfo"
"scantxoutset"
"verifytxoutproof"
# Mining
"getblocktemplate"
"getmininginfo"
"getnetworkhashps"
# Network
"getnetworkinfo"
# Rawtransactions
"analyzepsbt"
"combinepsbt"
"combinerawtransaction"
"converttopsbt"
"createpsbt"
"createrawtransaction"
"decodepsbt"
"decoderawtransaction"
"decodescript"
"finalizepsbt"
"fundrawtransaction"
"getrawtransaction"
"joinpsbts"
"sendrawtransaction"
"signrawtransactionwithkey"
"testmempoolaccept"
"utxoupdatepsbt"
# Util
"createmultisig"
"deriveaddresses"
"estimatesmartfee"
"getdescriptorinfo"
"signmessagewithprivkey"
"validateaddress"
"verifymessage"
# Zmq
"getzmqnotifications"
];
};
2020-04-07 23:47:35 +03:00
};
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
2018-11-22 21:32:26 +03:00
# clightning
2020-04-07 23:47:35 +03:00
services.clightning = {
2020-04-07 23:47:42 +03:00
proxy = cfg.tor.client.socksListenAddress;
2020-04-07 23:47:35 +03:00
enforceTor = true;
always-use-proxy = true;
};
services.tor.hiddenServices.clightning = mkIf cfg.clightning.enable (mkHiddenService {
port = cfg.clightning.onionport;
toHost = cfg.clightning.bind-addr;
toPort = cfg.clightning.bindport;
});
2018-12-01 23:48:58 +03:00
2019-08-05 11:44:38 +03:00
# lnd
services.lnd = {
tor-socks = cfg.tor.client.socksListenAddress;
enforceTor = true;
};
2020-08-04 10:45:02 +03:00
services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; });
2019-08-05 11:44:38 +03:00
2020-07-07 17:22:17 +03:00
# lightning-loop
services.lightning-loop = {
proxy = cfg.tor.client.socksListenAddress;
enforceTor = true;
};
# liquidd
2020-04-07 23:47:35 +03:00
services.liquidd = {
rpcuser = "liquidrpc";
prune = 1000;
2020-04-07 23:47:43 +03:00
extraConfig = ''
mainchainrpcuser=${config.services.bitcoind.rpc.users.public.name}
2020-04-07 23:47:43 +03:00
mainchainrpcport=8332
'';
2020-04-07 23:47:35 +03:00
validatepegin = true;
listen = true;
2020-04-07 23:47:42 +03:00
proxy = cfg.tor.client.socksListenAddress;
2020-04-07 23:47:35 +03:00
enforceTor = true;
port = 7042;
};
services.tor.hiddenServices.liquidd = mkIf cfg.liquidd.enable (mkHiddenService { port = cfg.liquidd.port; toHost = cfg.liquidd.bind; });
# electrs
2020-04-07 23:47:35 +03:00
services.electrs = {
port = 50001;
enforceTor = true;
};
services.tor.hiddenServices.electrs = mkIf cfg.electrs.enable (mkHiddenService {
port = cfg.electrs.port; toHost = cfg.electrs.address;
});
2020-04-07 23:47:35 +03:00
services.spark-wallet = {
onion-service = true;
enforceTor = true;
};
services.lightning-charge.enforceTor = true;
services.nanopos.enforceTor = true;
services.recurring-donations.enforceTor = true;
services.nix-bitcoin-webindex.enforceTor = true;
2020-06-11 14:39:17 +03:00
# Backups
services.backups = {
program = "duplicity";
frequency = "daily";
};
environment.systemPackages = with pkgs; [
tor
jq
2019-05-18 03:00:35 +03:00
qrencode
];
# Create operator user which can access the node's services
users.users.${operatorName} = {
isNormalUser = true;
extraGroups = [
"systemd-journal"
"proc" # Enable full /proc access and systemd-status
cfg.bitcoind.group
]
2020-04-07 23:47:42 +03:00
++ (optionals cfg.clightning.enable [ "clightning" ])
++ (optionals cfg.lnd.enable [ "lnd" ])
++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
[ cfg.hardware-wallets.group ]);
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
};
# Give operator access to onion hostnames
services.onion-chef.enable = true;
services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
security.sudo.configFile =
2020-04-07 23:47:42 +03:00
(optionalString cfg.lnd.enable ''
${operatorName} ALL=(lnd) NOPASSWD: ALL
'');
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
systemd.services.get-vbox-nixops-client-key =
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
postStart = ''
cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
'';
};
2018-11-20 03:22:16 +03:00
};
}