treewide: fix various issues found by statix

Otto Sabart 2024-05-27 21:00:00 +02:00
parent c8592ab86c
commit f5d8503be4
GPG Key ID: 823BAE99F8BE1E3C
20 changed files with 261 additions and 235 deletions


@ -310,7 +310,7 @@ let
${optionalString cfg.listenWhitelisted ${optionalString cfg.listenWhitelisted
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"} "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"} ${optionalString cfg.i2p "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"} ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"} ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
@ -364,7 +364,7 @@ in {
} }
]; ];
services.i2pd = mkIf (cfg.i2p != false) { services.i2pd = mkIf cfg.i2p {
enable = true; enable = true;
proto.sam.enable = true; proto.sam.enable = true;
}; };
@ -435,28 +435,33 @@ in {
// optionalAttrs zmqServerEnabled nbLib.allowNetlink; // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
}; };
users.users.${cfg.user} = { users = {
isSystemUser = true; users.${cfg.user} = {
group = cfg.group; isSystemUser = true;
}; group = cfg.group;
users.groups.${cfg.group} = {}; };
users.groups.bitcoinrpc-public = {}; groups = {
${cfg.group} = {};
nix-bitcoin.operator.groups = [ cfg.group ]; bitcoinrpc-public = {};
nix-bitcoin.secrets = {
bitcoin-rpcpassword-privileged.user = cfg.user;
bitcoin-rpcpassword-public = {
user = cfg.user;
group = "bitcoinrpc-public";
}; };
bitcoin-HMAC-privileged.user = cfg.user;
bitcoin-HMAC-public.user = cfg.user;
}; };
nix-bitcoin.generateSecretsCmds.bitcoind = ''
makeBitcoinRPCPassword privileged nix-bitcoin = {
makeBitcoinRPCPassword public operator.groups = [ cfg.group ];
''; secrets = {
bitcoin-rpcpassword-privileged.user = cfg.user;
bitcoin-rpcpassword-public = {
user = cfg.user;
group = "bitcoinrpc-public";
};
bitcoin-HMAC-privileged.user = cfg.user;
bitcoin-HMAC-public.user = cfg.user;
};
generateSecretsCmds.bitcoind = ''
makeBitcoinRPCPassword privileged
makeBitcoinRPCPassword public
'';
};
}; };
} }
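Review bot: `optionalString cfg.i2p` on the i2psam line of the first hunk and `mkIf cfg.i2p` in the services.i2pd hunk both need a boolean, but the line right after the i2psam one compares `cfg.i2p == "only-outgoing"`, so the option also takes a string value; for that value `if "only-outgoing" then …` aborts evaluation with a type error, which the removed `cfg.i2p != false` comparison avoided. The statix simplification is only safe for plain bool options, so I would keep the explicit form here: `${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}` and `services.i2pd = mkIf (cfg.i2p != false) {`. Both enclosing definitions start and end outside the hunks, so I cannot see the option declaration itself; worth confirming its type before merging.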


@ -110,170 +110,188 @@ in {
inherit options; inherit options;
config = mkIf cfg.btcpayserver.enable { config = mkIf cfg.btcpayserver.enable {
services.bitcoind = { services = {
enable = true; bitcoind = {
rpc.users.btcpayserver = { enable = true;
passwordHMACFromFile = true; rpc.users.btcpayserver = {
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [ passwordHMACFromFile = true;
"setban" rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
"generatetoaddress" "setban"
"getpeerinfo" "generatetoaddress"
"getpeerinfo"
];
};
listenWhitelisted = true;
};
clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
enable = true;
macaroons.btcpayserver = {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
};
liquidd = mkIf cfg.btcpayserver.lbtc {
enable = true;
listenWhitelisted = true;
};
postgresql = {
enable = true;
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
ensureUsers = [
{ name = cfg.btcpayserver.user; }
{ name = cfg.nbxplorer.user; }
]; ];
}; };
listenWhitelisted = true;
}; };
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") { systemd = {
enable = true; tmpfiles.rules = [
macaroons.btcpayserver = { "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
inherit (cfg.btcpayserver) user; "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
};
services.liquidd = mkIf cfg.btcpayserver.lbtc {
enable = true;
listenWhitelisted = true;
};
services.postgresql = {
enable = true;
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
ensureUsers = [
{ name = cfg.btcpayserver.user; }
{ name = cfg.nbxplorer.user; }
]; ];
};
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL -tAc '
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
'
'';
systemd.tmpfiles.rules = [ services = {
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -" postgresql.postStart = lib.mkAfter ''
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -" $PSQL -tAc '
]; ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
systemd.services.nbxplorer = let '
configFile = builtins.toFile "config" ''
network=${bitcoind.network}
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
bind=${cfg.nbxplorer.address}
port=${toString cfg.nbxplorer.port}
${optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcrpcuser=${liquidd.rpcuser}
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
''}
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
automigrate=1
'';
in rec {
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
after = requires ++ [ "nix-bitcoin-secrets.target" ];
preStart = ''
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
{
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
${optionalString cfg.btcpayserver.lbtc ''
echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
''}
} >> '${cfg.nbxplorer.dataDir}/settings.config'
'';
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
--datadir=${cfg.nbxplorer.dataDir}
''; '';
User = cfg.nbxplorer.user;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
};
systemd.services.btcpayserver = let nbxplorer = let
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/"; configFile = builtins.toFile "config" ''
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie"; network=${bitcoind.network}
configFile = builtins.toFile "btcpayserver-config" ('' btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
network=${bitcoind.network} btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
bind=${cfg.btcpayserver.address} btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
port=${toString cfg.btcpayserver.port} bind=${cfg.nbxplorer.address}
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort} port=${toString cfg.nbxplorer.port}
btcexplorerurl=${nbExplorerUrl} ${optionalString cfg.btcpayserver.lbtc ''
btcexplorercookiefile=${nbExplorerCookie} chains=btc,lbtc
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb lbtcrpcuser=${liquidd.rpcuser}
'' + optionalString (cfg.btcpayserver.rootpath != null) '' lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
rootpath=${cfg.btcpayserver.rootpath} lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") '' ''}
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd") automigrate=1
( '';
"btclightning=type=lnd-rest;" + in rec {
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" + wantedBy = [ "multi-user.target" ];
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" + requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
"certfilepath=${config.services.lnd.certPath}" + after = requires ++ [ "nix-bitcoin-secrets.target" ];
"\n" preStart = ''
) install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
+ optionalString cfg.btcpayserver.lbtc '' {
chains=btc,lbtc echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
lbtcexplorerurl=${nbExplorerUrl} ${optionalString cfg.btcpayserver.lbtc ''
lbtcexplorercookiefile=${nbExplorerCookie} echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
''); ''}
in let self = { } >> '${cfg.nbxplorer.dataDir}/settings.config'
wantedBy = [ "multi-user.target" ]; '';
requires = [ "nbxplorer.service" "postgresql.service" ] serviceConfig = nbLib.defaultHardening // {
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service"; ExecStart = ''
after = self.requires; ${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
serviceConfig = nbLib.defaultHardening // { --datadir=${cfg.nbxplorer.dataDir}
ExecStart = '' '';
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \ User = cfg.nbxplorer.user;
--datadir='${cfg.btcpayserver.dataDir}' Restart = "on-failure";
''; RestartSec = "10s";
User = cfg.btcpayserver.user; ReadWritePaths = [ cfg.nbxplorer.dataDir ];
# Also restart after the program has exited successfully. MemoryDenyWriteExecute = false;
# This is required to support restarting from the web interface after } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
# interactive plugin installation. };
# Restart rate limiting is implemented via the `startLimit*` options below.
Restart = "always";
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
startLimitIntervalSec = 30;
startLimitBurst = 10;
}; in self;
users.users.${cfg.nbxplorer.user} = { btcpayserver = let
isSystemUser = true; nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
group = cfg.nbxplorer.group; nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
extraGroups = [ "bitcoinrpc-public" ] configFile = builtins.toFile "btcpayserver-config" (''
++ optional cfg.btcpayserver.lbtc liquidd.group; network=${bitcoind.network}
home = cfg.nbxplorer.dataDir; bind=${cfg.btcpayserver.address}
}; port=${toString cfg.btcpayserver.port}
users.groups.${cfg.nbxplorer.group} = {}; socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
users.users.${cfg.btcpayserver.user} = { btcexplorerurl=${nbExplorerUrl}
isSystemUser = true; btcexplorercookiefile=${nbExplorerCookie}
group = cfg.btcpayserver.group; postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb
extraGroups = [ cfg.nbxplorer.group ] '' + optionalString (cfg.btcpayserver.rootpath != null) ''
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user; rootpath=${cfg.btcpayserver.rootpath}
home = cfg.btcpayserver.dataDir; '' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
}; btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
users.groups.${cfg.btcpayserver.group} = {}; '' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
(
nix-bitcoin.secrets = { "btclightning=type=lnd-rest;" +
bitcoin-rpcpassword-btcpayserver = { "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
user = cfg.bitcoind.user; "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
group = cfg.nbxplorer.group; "certfilepath=${config.services.lnd.certPath}" +
"\n"
)
+ optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcexplorerurl=${nbExplorerUrl}
lbtcexplorercookiefile=${nbExplorerCookie}
'');
serviceRequires = [ "nbxplorer.service" "postgresql.service" ]
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
in {
wantedBy = [ "multi-user.target" ];
requires = serviceRequires;
after = serviceRequires;
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
--datadir='${cfg.btcpayserver.dataDir}'
'';
User = cfg.btcpayserver.user;
# Also restart after the program has exited successfully.
# This is required to support restarting from the web interface after
# interactive plugin installation.
# Restart rate limiting is implemented via the `startLimit*` options below.
Restart = "always";
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
startLimitIntervalSec = 30;
startLimitBurst = 10;
};
}; };
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
}; };
nix-bitcoin.generateSecretsCmds.btcpayserver = ''
makeBitcoinRPCPassword btcpayserver users = {
''; users = {
${cfg.nbxplorer.user} = {
isSystemUser = true;
inherit (cfg.nbxplorer) group;
extraGroups = [ "bitcoinrpc-public" ]
++ optional cfg.btcpayserver.lbtc liquidd.group;
home = cfg.nbxplorer.dataDir;
};
${cfg.btcpayserver.user} = {
isSystemUser = true;
inherit (cfg.btcpayserver) group;
extraGroups = [ cfg.nbxplorer.group ]
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
home = cfg.btcpayserver.dataDir;
};
};
groups = {
${cfg.nbxplorer.group} = {};
${cfg.btcpayserver.group} = {};
};
};
nix-bitcoin = {
secrets = {
bitcoin-rpcpassword-btcpayserver = {
inherit (cfg.bitcoind) user;
inherit (cfg.nbxplorer) group;
};
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
};
generateSecretsCmds.btcpayserver = ''
makeBitcoinRPCPassword btcpayserver
'';
};
}; };
} }
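Review bot: In the rewritten btcpayserver service the dependency list is bound as `serviceRequires` in the let block and then assigned twice, `requires = serviceRequires;` and `after = serviceRequires;`, while the sibling nbxplorer service in the same hunk expresses the same relationship with `rec` and `after = requires ++ [ … ]`. The two services would read more consistently with one form, e.g. `in rec { … requires = [ "nbxplorer.service" "postgresql.service" ] ++ …; after = requires; …}`; evaluation is the same either way. The differing `after` lists themselves look intentional as far as the hunk shows, since only nbxplorer's preStart reads from `secretsDir`.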


@ -90,7 +90,7 @@ in
services.lnd = { services.lnd = {
enable = true; enable = true;
macaroons.charge-lnd = { macaroons.charge-lnd = {
user = user; inherit user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"offchain","action":"write"}''; permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"offchain","action":"write"}'';
}; };
}; };
@ -134,7 +134,7 @@ in
users.users.${user} = { users.users.${user} = {
isSystemUser = true; isSystemUser = true;
group = group; inherit group;
}; };
users.groups.${group} = {}; users.groups.${group} = {};
}; };


@ -29,7 +29,7 @@ let cfg = config.services.clightning.plugins.trustedcoin; in
tor.enforce = mkIf (!cfg.tor.proxy) false; tor.enforce = mkIf (!cfg.tor.proxy) false;
}; };
systemd.services.clightning.environment = mkIf (cfg.tor.proxy) { systemd.services.clightning.environment = mkIf cfg.tor.proxy {
HTTPS_PROXY = let HTTPS_PROXY = let
clnProxy = config.services.clightning.proxy; clnProxy = config.services.clightning.proxy;
proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort; proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort;


@ -209,7 +209,7 @@ in {
nix-bitcoin = mkMerge [ nix-bitcoin = mkMerge [
(mkIf useSshfs { (mkIf useSshfs {
secrets.clightning-replication-ssh-key = { secrets.clightning-replication-ssh-key = {
user = user; inherit user;
permissions = "400"; permissions = "400";
}; };
generateSecretsCmds.clightning-replication-ssh-key = '' generateSecretsCmds.clightning-replication-ssh-key = ''


@ -33,7 +33,7 @@ in {
config = mkMerge [ config = mkMerge [
(mkIf (cfg.ledger || cfg.trezor) { (mkIf (cfg.ledger || cfg.trezor) {
assertions = [ assertions = [
{ assertion = (config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet); { assertion = config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet;
message = '' message = ''
Hardware-Wallets are not compatible with bitcoind.disablewallet. Hardware-Wallets are not compatible with bitcoind.disablewallet.
''; '';


@ -369,23 +369,26 @@ in {
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
}; };
users.users.${cfg.user} = { users = {
isSystemUser = true; users.${cfg.user} = {
group = cfg.group; isSystemUser = true;
home = cfg.dataDir; group = cfg.group;
# Allow access to the tor control socket, needed for payjoin onion service creation home = cfg.dataDir;
extraGroups = [ "tor" "bitcoin" ]; # Allow access to the tor control socket, needed for payjoin onion service creation
extraGroups = [ "tor" "bitcoin" ];
};
groups.${cfg.group} = {};
}; };
users.groups.${cfg.group} = {}; nix-bitcoin = {
nix-bitcoin.operator = { operator = {
groups = [ cfg.group ]; groups = [ cfg.group ];
allowRunAsUsers = [ cfg.user ]; allowRunAsUsers = [ cfg.user ];
};
secrets.jm-wallet-password.user = cfg.user;
generateSecretsCmds.joinmarket = ''
makePasswordSecret jm-wallet-password
'';
}; };
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
nix-bitcoin.generateSecretsCmds.joinmarket = ''
makePasswordSecret jm-wallet-password
'';
} }
(mkIf cfg.yieldgenerator.enable { (mkIf cfg.yieldgenerator.enable {


@ -237,7 +237,7 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [ assertions = [
{ assertion = bitcoind.regtest -> cfg.validatepegin != true; { assertion = bitcoind.regtest -> !cfg.validatepegin;
message = "liquidd: `validatepegin` is incompatible with regtest."; message = "liquidd: `validatepegin` is incompatible with regtest.";
} }
]; ];
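Review bot: The assertion now reads `bitcoind.regtest -> !cfg.validatepegin`, and `!` only accepts a boolean; the removed `cfg.validatepegin != true` also tolerated a `null` value. The option declaration is outside this hunk, so I cannot tell whether `validatepegin` is declared `nullOr bool` — if it is, a regtest node with the default value would now fail with a type error inside the assertion rather than passing it, and the old comparison should be kept. If the option is a plain `bool` the new form is fine.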


@ -170,7 +170,7 @@ let
bitcoin.active=1 bitcoin.active=1
bitcoin.node=bitcoind bitcoin.node=bitcoind
${optionalString (cfg.tor.proxy) "tor.active=true"} ${optionalString cfg.tor.proxy "tor.active=true"}
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"} ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port} bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}


@ -178,7 +178,7 @@ in {
isClightning = true; isClightning = true;
enableOnion = clightning-rest.lndconnect.onion; enableOnion = clightning-rest.lndconnect.onion;
onionService = "${operatorName}/clightning-rest"; onionService = "${operatorName}/clightning-rest";
port = clightning-rest.port; inherit (clightning-rest) port;
certPath = "${clightning-rest.dataDir}/certs/certificate.pem"; certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon"; macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
} }
@ -193,7 +193,7 @@ in {
relay.onionServices.clightning-rest = nbLib.mkOnionService { relay.onionServices.clightning-rest = nbLib.mkOnionService {
target.addr = nbLib.address clightning-rest.address; target.addr = nbLib.address clightning-rest.address;
target.port = clightning-rest.port; target.port = clightning-rest.port;
port = clightning-rest.port; inherit (clightning-rest) port;
}; };
}; };
# This also allows nodeinfo to show the clightning-rest onion address # This also allows nodeinfo to show the clightning-rest onion address


@ -269,7 +269,7 @@ in {
DATABASE = cfg.database.name; DATABASE = cfg.database.name;
SOCKET = "/run/mysqld/mysqld.sock"; SOCKET = "/run/mysqld/mysqld.sock";
}; };
} // optionalAttrs (cfg.tor.proxy) { } // optionalAttrs cfg.tor.proxy {
# Use Tor for rate fetching # Use Tor for rate fetching
SOCKS5PROXY = { SOCKS5PROXY = {
ENABLED = true; ENABLED = true;


@ -35,23 +35,25 @@ in {
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; }; services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ]; nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
services.bitcoind = {
enable = true;
listen = true;
dbCache = 1000;
};
services.liquidd = {
# Enable `validatepegin` to verify that a transaction sending BTC into
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
# make the node accept a sidechain that is not fully backed.
validatepegin = true;
listen = true;
};
nix-bitcoin.nodeinfo.enable = true; nix-bitcoin.nodeinfo.enable = true;
services.backups.frequency = "daily"; services = {
bitcoind = {
enable = true;
listen = true;
dbCache = 1000;
};
liquidd = {
# Enable `validatepegin` to verify that a transaction sending BTC into
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
# make the node accept a sidechain that is not fully backed.
validatepegin = true;
listen = true;
};
backups.frequency = "daily";
};
# operator # operator
nix-bitcoin.operator.enable = true; nix-bitcoin.operator.enable = true;


@ -106,8 +106,8 @@ let
cfg = config.services.rtl; cfg = config.services.rtl;
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs; nbPkgs = config.nix-bitcoin.pkgs;
secretsDir = config.nix-bitcoin.secretsDir;
inherit (config.nix-bitcoin) secretsDir;
inherit (nbLib) optionalAttr; inherit (nbLib) optionalAttr;
node = { isLnd, index }: { node = { isLnd, index }: {
@ -149,7 +149,7 @@ let
rtlConfig = { rtlConfig = {
multiPass = "@multiPass@"; multiPass = "@multiPass@";
host = cfg.address; host = cfg.address;
port = cfg.port; inherit (cfg) port;
SSO.rtlSSO = 0; SSO.rtlSSO = 0;
inherit nodes; inherit nodes;
}; };
@ -216,7 +216,7 @@ in {
users.users.${cfg.user} = { users.users.${cfg.user} = {
isSystemUser = true; isSystemUser = true;
group = cfg.group; inherit (cfg) group;
extraGroups = extraGroups =
# Reads cert and macaroon from the clightning-rest datadir # Reads cert and macaroon from the clightning-rest datadir
optional cfg.nodes.clightning.enable clightning-rest.group ++ optional cfg.nodes.clightning.enable clightning-rest.group ++


@ -16,7 +16,7 @@ stdenvNoCC.mkDerivation ({
name = "${src.name}-node_modules"; name = "${src.name}-node_modules";
nativeBuildInputs = [ nativeBuildInputs = [
makeWrapper makeWrapper
(if args ? nodejs then args.nodejs else nodejs) (args.nodejs or nodejs)
]; ];
outputHashMode = "recursive"; outputHashMode = "recursive";


@ -42,7 +42,7 @@ let
nixopsRelease = import "${src}/release.nix" { nixopsRelease = import "${src}/release.nix" {
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
inherit pluginData; inherit pluginData;
p = (p: with p; [ aws hetzner vbox ]); p = p: with p; [ aws hetzner vbox ];
}; };
in in
nixopsRelease.build.${builtins.currentSystem} nixopsRelease.build.${builtins.currentSystem}


@ -2,11 +2,9 @@
buildPythonPackageWithDepsCheck rec { buildPythonPackageWithDepsCheck rec {
pname = "pyln-client"; pname = "pyln-client";
version = clightning.version; inherit (clightning) src version;
format = "pyproject"; format = "pyproject";
inherit (clightning) src;
nativeBuildInputs = [ poetry-core ]; nativeBuildInputs = [ poetry-core ];
propagatedBuildInputs = [ propagatedBuildInputs = [


@ -11,11 +11,9 @@
buildPythonPackageWithDepsCheck rec { buildPythonPackageWithDepsCheck rec {
pname = "pyln-proto"; pname = "pyln-proto";
version = clightning.version; inherit (clightning) src version;
format = "pyproject"; format = "pyproject";
inherit (clightning) src;
nativeBuildInputs = [ poetry-core ]; nativeBuildInputs = [ poetry-core ];
propagatedBuildInputs = [ propagatedBuildInputs = [


@ -24,7 +24,7 @@ buildPythonPackage rec {
meta = with lib; { meta = with lib; {
description = "Twisted bindings for ZeroMQ"; description = "Twisted bindings for ZeroMQ";
homepage = https://github.com/smira/txZMQ; homepage = "https://github.com/smira/txZMQ";
license = licenses.gpl2; license = licenses.gpl2;
}; };
} }


@ -52,9 +52,9 @@ let
isMatching = lib.hasPrefix sourcePrefix file; isMatching = lib.hasPrefix sourcePrefix file;
in in
# Nix has no boolean XOR, so use `if` # Nix has no boolean XOR, so use `if`
lib.optionals (if shouldMatch then isMatching else !isMatching) ( lib.optionals (if shouldMatch then isMatching else !isMatching)
(map (service: { name = service; value = true; }) (builtins.attrNames services)) (map (service: { name = service; value = true; }) (builtins.attrNames services))
)
) systemdServices.definitionsWithLocations)); ) systemdServices.definitionsWithLocations));
in in
# Calculate set difference: matchingServices - nonMatchingServices # Calculate set difference: matchingServices - nonMatchingServices


@ -12,9 +12,11 @@ let
nixBitcoinModule nixBitcoinModule
{ {
# Features required by the Python test suite # Features required by the Python test suite
nix-bitcoin.secretsDir = "/secrets"; nix-bitcoin = {
nix-bitcoin.generateSecrets = true; secretsDir = "/secrets";
nix-bitcoin.operator.enable = true; generateSecrets = true;
operator.enable = true;
};
environment.systemPackages = with pkgs; [ jq ]; environment.systemPackages = with pkgs; [ jq ];
} }
]; ];