treewide: fix various issues found by statix
This commit is contained in:
parent
c8592ab86c
commit
f5d8503be4
@ -310,7 +310,7 @@ let
|
|||||||
${optionalString cfg.listenWhitelisted
|
${optionalString cfg.listenWhitelisted
|
||||||
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
|
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
|
||||||
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
|
||||||
${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
|
${optionalString cfg.i2p "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
|
||||||
${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
|
${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
|
||||||
|
|
||||||
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
|
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
|
||||||
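Review bot: Dropping the `!= false` comparison on `cfg.i2p` in the `i2psam=` line is only safe if that option is a plain bool, yet the very next line of the hunk still compares `cfg.i2p == "only-outgoing"`, so the option evidently admits a string value and `optionalString` would then be handed a non-Boolean condition and abort evaluation instead of emitting the setting. The same lint-driven change appears in the following hunk, `services.i2pd = mkIf cfg.i2p {`, where `mkIf` would likewise receive the string as its condition. Unless the option type was narrowed elsewhere in this commit, both lines should keep the explicit comparison: `${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}` and `services.i2pd = mkIf (cfg.i2p != false) {`. A comment such as `# cfg.i2p is not a plain bool (it can be "only-outgoing"), so the comparison is required` would keep the linter suggestion from being re-applied.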
@ -364,7 +364,7 @@ in {
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.i2pd = mkIf (cfg.i2p != false) {
|
services.i2pd = mkIf cfg.i2p {
|
||||||
enable = true;
|
enable = true;
|
||||||
proto.sam.enable = true;
|
proto.sam.enable = true;
|
||||||
};
|
};
|
||||||
@ -435,28 +435,33 @@ in {
|
|||||||
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${cfg.user} = {
|
users = {
|
||||||
isSystemUser = true;
|
users.${cfg.user} = {
|
||||||
group = cfg.group;
|
isSystemUser = true;
|
||||||
};
|
group = cfg.group;
|
||||||
users.groups.${cfg.group} = {};
|
};
|
||||||
users.groups.bitcoinrpc-public = {};
|
groups = {
|
||||||
|
${cfg.group} = {};
|
||||||
nix-bitcoin.operator.groups = [ cfg.group ];
|
bitcoinrpc-public = {};
|
||||||
|
|
||||||
nix-bitcoin.secrets = {
|
|
||||||
bitcoin-rpcpassword-privileged.user = cfg.user;
|
|
||||||
bitcoin-rpcpassword-public = {
|
|
||||||
user = cfg.user;
|
|
||||||
group = "bitcoinrpc-public";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
bitcoin-HMAC-privileged.user = cfg.user;
|
|
||||||
bitcoin-HMAC-public.user = cfg.user;
|
|
||||||
};
|
};
|
||||||
nix-bitcoin.generateSecretsCmds.bitcoind = ''
|
|
||||||
makeBitcoinRPCPassword privileged
|
nix-bitcoin = {
|
||||||
makeBitcoinRPCPassword public
|
operator.groups = [ cfg.group ];
|
||||||
'';
|
secrets = {
|
||||||
|
bitcoin-rpcpassword-privileged.user = cfg.user;
|
||||||
|
bitcoin-rpcpassword-public = {
|
||||||
|
user = cfg.user;
|
||||||
|
group = "bitcoinrpc-public";
|
||||||
|
};
|
||||||
|
|
||||||
|
bitcoin-HMAC-privileged.user = cfg.user;
|
||||||
|
bitcoin-HMAC-public.user = cfg.user;
|
||||||
|
};
|
||||||
|
generateSecretsCmds.bitcoind = ''
|
||||||
|
makeBitcoinRPCPassword privileged
|
||||||
|
makeBitcoinRPCPassword public
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -110,170 +110,188 @@ in {
|
|||||||
inherit options;
|
inherit options;
|
||||||
|
|
||||||
config = mkIf cfg.btcpayserver.enable {
|
config = mkIf cfg.btcpayserver.enable {
|
||||||
services.bitcoind = {
|
services = {
|
||||||
enable = true;
|
bitcoind = {
|
||||||
rpc.users.btcpayserver = {
|
enable = true;
|
||||||
passwordHMACFromFile = true;
|
rpc.users.btcpayserver = {
|
||||||
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
|
passwordHMACFromFile = true;
|
||||||
"setban"
|
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
|
||||||
"generatetoaddress"
|
"setban"
|
||||||
"getpeerinfo"
|
"generatetoaddress"
|
||||||
|
"getpeerinfo"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
listenWhitelisted = true;
|
||||||
|
};
|
||||||
|
clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
|
||||||
|
lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
||||||
|
enable = true;
|
||||||
|
macaroons.btcpayserver = {
|
||||||
|
inherit (cfg.btcpayserver) user;
|
||||||
|
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
liquidd = mkIf cfg.btcpayserver.lbtc {
|
||||||
|
enable = true;
|
||||||
|
listenWhitelisted = true;
|
||||||
|
};
|
||||||
|
postgresql = {
|
||||||
|
enable = true;
|
||||||
|
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
|
||||||
|
ensureUsers = [
|
||||||
|
{ name = cfg.btcpayserver.user; }
|
||||||
|
{ name = cfg.nbxplorer.user; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
listenWhitelisted = true;
|
|
||||||
};
|
};
|
||||||
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
|
|
||||||
services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
|
systemd = {
|
||||||
enable = true;
|
tmpfiles.rules = [
|
||||||
macaroons.btcpayserver = {
|
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
|
||||||
inherit (cfg.btcpayserver) user;
|
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
|
||||||
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.liquidd = mkIf cfg.btcpayserver.lbtc {
|
|
||||||
enable = true;
|
|
||||||
listenWhitelisted = true;
|
|
||||||
};
|
|
||||||
services.postgresql = {
|
|
||||||
enable = true;
|
|
||||||
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
|
|
||||||
ensureUsers = [
|
|
||||||
{ name = cfg.btcpayserver.user; }
|
|
||||||
{ name = cfg.nbxplorer.user; }
|
|
||||||
];
|
];
|
||||||
};
|
|
||||||
systemd.services.postgresql.postStart = lib.mkAfter ''
|
|
||||||
$PSQL -tAc '
|
|
||||||
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
|
|
||||||
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
|
|
||||||
'
|
|
||||||
'';
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
services = {
|
||||||
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
|
postgresql.postStart = lib.mkAfter ''
|
||||||
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
|
$PSQL -tAc '
|
||||||
];
|
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
|
||||||
|
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
|
||||||
systemd.services.nbxplorer = let
|
'
|
||||||
configFile = builtins.toFile "config" ''
|
|
||||||
network=${bitcoind.network}
|
|
||||||
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
|
|
||||||
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
|
|
||||||
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
|
|
||||||
bind=${cfg.nbxplorer.address}
|
|
||||||
port=${toString cfg.nbxplorer.port}
|
|
||||||
${optionalString cfg.btcpayserver.lbtc ''
|
|
||||||
chains=btc,lbtc
|
|
||||||
lbtcrpcuser=${liquidd.rpcuser}
|
|
||||||
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
|
|
||||||
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
|
|
||||||
''}
|
|
||||||
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
|
|
||||||
automigrate=1
|
|
||||||
'';
|
|
||||||
in rec {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
|
|
||||||
after = requires ++ [ "nix-bitcoin-secrets.target" ];
|
|
||||||
preStart = ''
|
|
||||||
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
|
|
||||||
{
|
|
||||||
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
|
|
||||||
${optionalString cfg.btcpayserver.lbtc ''
|
|
||||||
echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
|
|
||||||
''}
|
|
||||||
} >> '${cfg.nbxplorer.dataDir}/settings.config'
|
|
||||||
'';
|
|
||||||
serviceConfig = nbLib.defaultHardening // {
|
|
||||||
ExecStart = ''
|
|
||||||
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
|
|
||||||
--datadir=${cfg.nbxplorer.dataDir}
|
|
||||||
'';
|
'';
|
||||||
User = cfg.nbxplorer.user;
|
|
||||||
Restart = "on-failure";
|
|
||||||
RestartSec = "10s";
|
|
||||||
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
|
|
||||||
MemoryDenyWriteExecute = false;
|
|
||||||
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.btcpayserver = let
|
nbxplorer = let
|
||||||
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
|
configFile = builtins.toFile "config" ''
|
||||||
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
|
network=${bitcoind.network}
|
||||||
configFile = builtins.toFile "btcpayserver-config" (''
|
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
|
||||||
network=${bitcoind.network}
|
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
|
||||||
bind=${cfg.btcpayserver.address}
|
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
|
||||||
port=${toString cfg.btcpayserver.port}
|
bind=${cfg.nbxplorer.address}
|
||||||
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
|
port=${toString cfg.nbxplorer.port}
|
||||||
btcexplorerurl=${nbExplorerUrl}
|
${optionalString cfg.btcpayserver.lbtc ''
|
||||||
btcexplorercookiefile=${nbExplorerCookie}
|
chains=btc,lbtc
|
||||||
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb
|
lbtcrpcuser=${liquidd.rpcuser}
|
||||||
'' + optionalString (cfg.btcpayserver.rootpath != null) ''
|
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
|
||||||
rootpath=${cfg.btcpayserver.rootpath}
|
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
|
||||||
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
|
''}
|
||||||
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
|
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
|
||||||
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
|
automigrate=1
|
||||||
(
|
'';
|
||||||
"btclightning=type=lnd-rest;" +
|
in rec {
|
||||||
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
|
wantedBy = [ "multi-user.target" ];
|
||||||
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
|
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
|
||||||
"certfilepath=${config.services.lnd.certPath}" +
|
after = requires ++ [ "nix-bitcoin-secrets.target" ];
|
||||||
"\n"
|
preStart = ''
|
||||||
)
|
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
|
||||||
+ optionalString cfg.btcpayserver.lbtc ''
|
{
|
||||||
chains=btc,lbtc
|
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
|
||||||
lbtcexplorerurl=${nbExplorerUrl}
|
${optionalString cfg.btcpayserver.lbtc ''
|
||||||
lbtcexplorercookiefile=${nbExplorerCookie}
|
echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
|
||||||
'');
|
''}
|
||||||
in let self = {
|
} >> '${cfg.nbxplorer.dataDir}/settings.config'
|
||||||
wantedBy = [ "multi-user.target" ];
|
'';
|
||||||
requires = [ "nbxplorer.service" "postgresql.service" ]
|
serviceConfig = nbLib.defaultHardening // {
|
||||||
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
|
ExecStart = ''
|
||||||
after = self.requires;
|
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
|
||||||
serviceConfig = nbLib.defaultHardening // {
|
--datadir=${cfg.nbxplorer.dataDir}
|
||||||
ExecStart = ''
|
'';
|
||||||
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
|
User = cfg.nbxplorer.user;
|
||||||
--datadir='${cfg.btcpayserver.dataDir}'
|
Restart = "on-failure";
|
||||||
'';
|
RestartSec = "10s";
|
||||||
User = cfg.btcpayserver.user;
|
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
|
||||||
# Also restart after the program has exited successfully.
|
MemoryDenyWriteExecute = false;
|
||||||
# This is required to support restarting from the web interface after
|
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
|
||||||
# interactive plugin installation.
|
};
|
||||||
# Restart rate limiting is implemented via the `startLimit*` options below.
|
|
||||||
Restart = "always";
|
|
||||||
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
|
||||||
MemoryDenyWriteExecute = false;
|
|
||||||
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
|
||||||
startLimitIntervalSec = 30;
|
|
||||||
startLimitBurst = 10;
|
|
||||||
}; in self;
|
|
||||||
|
|
||||||
users.users.${cfg.nbxplorer.user} = {
|
btcpayserver = let
|
||||||
isSystemUser = true;
|
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
|
||||||
group = cfg.nbxplorer.group;
|
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
|
||||||
extraGroups = [ "bitcoinrpc-public" ]
|
configFile = builtins.toFile "btcpayserver-config" (''
|
||||||
++ optional cfg.btcpayserver.lbtc liquidd.group;
|
network=${bitcoind.network}
|
||||||
home = cfg.nbxplorer.dataDir;
|
bind=${cfg.btcpayserver.address}
|
||||||
};
|
port=${toString cfg.btcpayserver.port}
|
||||||
users.groups.${cfg.nbxplorer.group} = {};
|
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
|
||||||
users.users.${cfg.btcpayserver.user} = {
|
btcexplorerurl=${nbExplorerUrl}
|
||||||
isSystemUser = true;
|
btcexplorercookiefile=${nbExplorerCookie}
|
||||||
group = cfg.btcpayserver.group;
|
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb
|
||||||
extraGroups = [ cfg.nbxplorer.group ]
|
'' + optionalString (cfg.btcpayserver.rootpath != null) ''
|
||||||
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
|
rootpath=${cfg.btcpayserver.rootpath}
|
||||||
home = cfg.btcpayserver.dataDir;
|
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
|
||||||
};
|
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
|
||||||
users.groups.${cfg.btcpayserver.group} = {};
|
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
|
||||||
|
(
|
||||||
nix-bitcoin.secrets = {
|
"btclightning=type=lnd-rest;" +
|
||||||
bitcoin-rpcpassword-btcpayserver = {
|
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
|
||||||
user = cfg.bitcoind.user;
|
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
|
||||||
group = cfg.nbxplorer.group;
|
"certfilepath=${config.services.lnd.certPath}" +
|
||||||
|
"\n"
|
||||||
|
)
|
||||||
|
+ optionalString cfg.btcpayserver.lbtc ''
|
||||||
|
chains=btc,lbtc
|
||||||
|
lbtcexplorerurl=${nbExplorerUrl}
|
||||||
|
lbtcexplorercookiefile=${nbExplorerCookie}
|
||||||
|
'');
|
||||||
|
serviceRequires = [ "nbxplorer.service" "postgresql.service" ]
|
||||||
|
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
|
||||||
|
in {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
requires = serviceRequires;
|
||||||
|
after = serviceRequires;
|
||||||
|
serviceConfig = nbLib.defaultHardening // {
|
||||||
|
ExecStart = ''
|
||||||
|
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
|
||||||
|
--datadir='${cfg.btcpayserver.dataDir}'
|
||||||
|
'';
|
||||||
|
User = cfg.btcpayserver.user;
|
||||||
|
# Also restart after the program has exited successfully.
|
||||||
|
# This is required to support restarting from the web interface after
|
||||||
|
# interactive plugin installation.
|
||||||
|
# Restart rate limiting is implemented via the `startLimit*` options below.
|
||||||
|
Restart = "always";
|
||||||
|
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
|
||||||
|
MemoryDenyWriteExecute = false;
|
||||||
|
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
|
||||||
|
startLimitIntervalSec = 30;
|
||||||
|
startLimitBurst = 10;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
|
|
||||||
};
|
};
|
||||||
nix-bitcoin.generateSecretsCmds.btcpayserver = ''
|
|
||||||
makeBitcoinRPCPassword btcpayserver
|
users = {
|
||||||
'';
|
users = {
|
||||||
|
${cfg.nbxplorer.user} = {
|
||||||
|
isSystemUser = true;
|
||||||
|
inherit (cfg.nbxplorer) group;
|
||||||
|
extraGroups = [ "bitcoinrpc-public" ]
|
||||||
|
++ optional cfg.btcpayserver.lbtc liquidd.group;
|
||||||
|
home = cfg.nbxplorer.dataDir;
|
||||||
|
};
|
||||||
|
|
||||||
|
${cfg.btcpayserver.user} = {
|
||||||
|
isSystemUser = true;
|
||||||
|
inherit (cfg.btcpayserver) group;
|
||||||
|
extraGroups = [ cfg.nbxplorer.group ]
|
||||||
|
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
|
||||||
|
home = cfg.btcpayserver.dataDir;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
groups = {
|
||||||
|
${cfg.nbxplorer.group} = {};
|
||||||
|
${cfg.btcpayserver.group} = {};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nix-bitcoin = {
|
||||||
|
secrets = {
|
||||||
|
bitcoin-rpcpassword-btcpayserver = {
|
||||||
|
inherit (cfg.bitcoind) user;
|
||||||
|
inherit (cfg.nbxplorer) group;
|
||||||
|
};
|
||||||
|
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
|
||||||
|
};
|
||||||
|
generateSecretsCmds.btcpayserver = ''
|
||||||
|
makeBitcoinRPCPassword btcpayserver
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
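Review bot: The rewritten `btcpayserver` service derives `after` from a let-bound `serviceRequires`, while the neighbouring `nbxplorer` service in the same hunk keeps `in rec {` with `after = requires ++ [ "nix-bitcoin-secrets.target" ];`, so two idioms for the same self-reference now sit side by side in one file. If `rec` is acceptable here, `btcpayserver` could use the same form, `in rec {` with `requires = [ "nbxplorer.service" "postgresql.service" ] ++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";` and `after = requires;`; otherwise `nbxplorer` could be given a let-bound list as well. Whichever form is chosen, a one-line comment such as `# after is derived from requires so the two lists cannot drift` would explain the indirection to the next reader.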
|
@ -90,7 +90,7 @@ in
|
|||||||
services.lnd = {
|
services.lnd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
macaroons.charge-lnd = {
|
macaroons.charge-lnd = {
|
||||||
user = user;
|
inherit user;
|
||||||
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"offchain","action":"write"}'';
|
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"offchain","action":"write"}'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -134,7 +134,7 @@ in
|
|||||||
|
|
||||||
users.users.${user} = {
|
users.users.${user} = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = group;
|
inherit group;
|
||||||
};
|
};
|
||||||
users.groups.${group} = {};
|
users.groups.${group} = {};
|
||||||
};
|
};
|
||||||
|
@ -29,7 +29,7 @@ let cfg = config.services.clightning.plugins.trustedcoin; in
|
|||||||
tor.enforce = mkIf (!cfg.tor.proxy) false;
|
tor.enforce = mkIf (!cfg.tor.proxy) false;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.clightning.environment = mkIf (cfg.tor.proxy) {
|
systemd.services.clightning.environment = mkIf cfg.tor.proxy {
|
||||||
HTTPS_PROXY = let
|
HTTPS_PROXY = let
|
||||||
clnProxy = config.services.clightning.proxy;
|
clnProxy = config.services.clightning.proxy;
|
||||||
proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort;
|
proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort;
|
||||||
|
@ -209,7 +209,7 @@ in {
|
|||||||
nix-bitcoin = mkMerge [
|
nix-bitcoin = mkMerge [
|
||||||
(mkIf useSshfs {
|
(mkIf useSshfs {
|
||||||
secrets.clightning-replication-ssh-key = {
|
secrets.clightning-replication-ssh-key = {
|
||||||
user = user;
|
inherit user;
|
||||||
permissions = "400";
|
permissions = "400";
|
||||||
};
|
};
|
||||||
generateSecretsCmds.clightning-replication-ssh-key = ''
|
generateSecretsCmds.clightning-replication-ssh-key = ''
|
||||||
|
@ -33,7 +33,7 @@ in {
|
|||||||
config = mkMerge [
|
config = mkMerge [
|
||||||
(mkIf (cfg.ledger || cfg.trezor) {
|
(mkIf (cfg.ledger || cfg.trezor) {
|
||||||
assertions = [
|
assertions = [
|
||||||
{ assertion = (config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet);
|
{ assertion = config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet;
|
||||||
message = ''
|
message = ''
|
||||||
Hardware-Wallets are not compatible with bitcoind.disablewallet.
|
Hardware-Wallets are not compatible with bitcoind.disablewallet.
|
||||||
'';
|
'';
|
||||||
|
@ -369,23 +369,26 @@ in {
|
|||||||
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${cfg.user} = {
|
users = {
|
||||||
isSystemUser = true;
|
users.${cfg.user} = {
|
||||||
group = cfg.group;
|
isSystemUser = true;
|
||||||
home = cfg.dataDir;
|
group = cfg.group;
|
||||||
# Allow access to the tor control socket, needed for payjoin onion service creation
|
home = cfg.dataDir;
|
||||||
extraGroups = [ "tor" "bitcoin" ];
|
# Allow access to the tor control socket, needed for payjoin onion service creation
|
||||||
|
extraGroups = [ "tor" "bitcoin" ];
|
||||||
|
};
|
||||||
|
groups.${cfg.group} = {};
|
||||||
};
|
};
|
||||||
users.groups.${cfg.group} = {};
|
nix-bitcoin = {
|
||||||
nix-bitcoin.operator = {
|
operator = {
|
||||||
groups = [ cfg.group ];
|
groups = [ cfg.group ];
|
||||||
allowRunAsUsers = [ cfg.user ];
|
allowRunAsUsers = [ cfg.user ];
|
||||||
|
};
|
||||||
|
secrets.jm-wallet-password.user = cfg.user;
|
||||||
|
generateSecretsCmds.joinmarket = ''
|
||||||
|
makePasswordSecret jm-wallet-password
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
|
|
||||||
nix-bitcoin.generateSecretsCmds.joinmarket = ''
|
|
||||||
makePasswordSecret jm-wallet-password
|
|
||||||
'';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
(mkIf cfg.yieldgenerator.enable {
|
(mkIf cfg.yieldgenerator.enable {
|
||||||
|
@ -237,7 +237,7 @@ in {
|
|||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
assertions = [
|
assertions = [
|
||||||
{ assertion = bitcoind.regtest -> cfg.validatepegin != true;
|
{ assertion = bitcoind.regtest -> !cfg.validatepegin;
|
||||||
message = "liquidd: `validatepegin` is incompatible with regtest.";
|
message = "liquidd: `validatepegin` is incompatible with regtest.";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
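Review bot: `bitcoind.regtest -> !cfg.validatepegin` changes semantics if `validatepegin` is a nullable bool: the old `cfg.validatepegin != true` accepted `null`, whereas `!null` aborts evaluation with a type error, and because `->` short-circuits the failure would surface only on regtest nodes that leave the option at its default. The hardware-wallets hunk in this same commit guards `disablewallet` with `== null || !…`, which suggests these daemon options are declared `nullOr bool`; if that holds for `validatepegin`, the comparison should be kept: `{ assertion = bitcoind.regtest -> cfg.validatepegin != true;`. If the option is in fact a plain bool, a short comment stating so would make the simplification safe to keep. The enclosing `config = mkIf cfg.enable {` block continues past the end of the hunk.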
|
@ -170,7 +170,7 @@ let
|
|||||||
bitcoin.active=1
|
bitcoin.active=1
|
||||||
bitcoin.node=bitcoind
|
bitcoin.node=bitcoind
|
||||||
|
|
||||||
${optionalString (cfg.tor.proxy) "tor.active=true"}
|
${optionalString cfg.tor.proxy "tor.active=true"}
|
||||||
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
|
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
|
||||||
|
|
||||||
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
|
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
|
||||||
|
@ -178,7 +178,7 @@ in {
|
|||||||
isClightning = true;
|
isClightning = true;
|
||||||
enableOnion = clightning-rest.lndconnect.onion;
|
enableOnion = clightning-rest.lndconnect.onion;
|
||||||
onionService = "${operatorName}/clightning-rest";
|
onionService = "${operatorName}/clightning-rest";
|
||||||
port = clightning-rest.port;
|
inherit (clightning-rest) port;
|
||||||
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
|
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
|
||||||
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
|
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
|
||||||
}
|
}
|
||||||
@ -193,7 +193,7 @@ in {
|
|||||||
relay.onionServices.clightning-rest = nbLib.mkOnionService {
|
relay.onionServices.clightning-rest = nbLib.mkOnionService {
|
||||||
target.addr = nbLib.address clightning-rest.address;
|
target.addr = nbLib.address clightning-rest.address;
|
||||||
target.port = clightning-rest.port;
|
target.port = clightning-rest.port;
|
||||||
port = clightning-rest.port;
|
inherit (clightning-rest) port;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# This also allows nodeinfo to show the clightning-rest onion address
|
# This also allows nodeinfo to show the clightning-rest onion address
|
||||||
|
@ -269,7 +269,7 @@ in {
|
|||||||
DATABASE = cfg.database.name;
|
DATABASE = cfg.database.name;
|
||||||
SOCKET = "/run/mysqld/mysqld.sock";
|
SOCKET = "/run/mysqld/mysqld.sock";
|
||||||
};
|
};
|
||||||
} // optionalAttrs (cfg.tor.proxy) {
|
} // optionalAttrs cfg.tor.proxy {
|
||||||
# Use Tor for rate fetching
|
# Use Tor for rate fetching
|
||||||
SOCKS5PROXY = {
|
SOCKS5PROXY = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
|
@ -35,23 +35,25 @@ in {
|
|||||||
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
|
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
|
||||||
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
|
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
|
||||||
|
|
||||||
services.bitcoind = {
|
|
||||||
enable = true;
|
|
||||||
listen = true;
|
|
||||||
dbCache = 1000;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.liquidd = {
|
|
||||||
# Enable `validatepegin` to verify that a transaction sending BTC into
|
|
||||||
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
|
|
||||||
# make the node accept a sidechain that is not fully backed.
|
|
||||||
validatepegin = true;
|
|
||||||
listen = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
nix-bitcoin.nodeinfo.enable = true;
|
nix-bitcoin.nodeinfo.enable = true;
|
||||||
|
|
||||||
services.backups.frequency = "daily";
|
services = {
|
||||||
|
bitcoind = {
|
||||||
|
enable = true;
|
||||||
|
listen = true;
|
||||||
|
dbCache = 1000;
|
||||||
|
};
|
||||||
|
|
||||||
|
liquidd = {
|
||||||
|
# Enable `validatepegin` to verify that a transaction sending BTC into
|
||||||
|
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
|
||||||
|
# make the node accept a sidechain that is not fully backed.
|
||||||
|
validatepegin = true;
|
||||||
|
listen = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
backups.frequency = "daily";
|
||||||
|
};
|
||||||
|
|
||||||
# operator
|
# operator
|
||||||
nix-bitcoin.operator.enable = true;
|
nix-bitcoin.operator.enable = true;
|
||||||
|
@ -106,8 +106,8 @@ let
|
|||||||
cfg = config.services.rtl;
|
cfg = config.services.rtl;
|
||||||
nbLib = config.nix-bitcoin.lib;
|
nbLib = config.nix-bitcoin.lib;
|
||||||
nbPkgs = config.nix-bitcoin.pkgs;
|
nbPkgs = config.nix-bitcoin.pkgs;
|
||||||
secretsDir = config.nix-bitcoin.secretsDir;
|
|
||||||
|
|
||||||
|
inherit (config.nix-bitcoin) secretsDir;
|
||||||
inherit (nbLib) optionalAttr;
|
inherit (nbLib) optionalAttr;
|
||||||
|
|
||||||
node = { isLnd, index }: {
|
node = { isLnd, index }: {
|
||||||
@ -149,7 +149,7 @@ let
|
|||||||
rtlConfig = {
|
rtlConfig = {
|
||||||
multiPass = "@multiPass@";
|
multiPass = "@multiPass@";
|
||||||
host = cfg.address;
|
host = cfg.address;
|
||||||
port = cfg.port;
|
inherit (cfg) port;
|
||||||
SSO.rtlSSO = 0;
|
SSO.rtlSSO = 0;
|
||||||
inherit nodes;
|
inherit nodes;
|
||||||
};
|
};
|
||||||
@ -216,7 +216,7 @@ in {
|
|||||||
|
|
||||||
users.users.${cfg.user} = {
|
users.users.${cfg.user} = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
group = cfg.group;
|
inherit (cfg) group;
|
||||||
extraGroups =
|
extraGroups =
|
||||||
# Reads cert and macaroon from the clightning-rest datadir
|
# Reads cert and macaroon from the clightning-rest datadir
|
||||||
optional cfg.nodes.clightning.enable clightning-rest.group ++
|
optional cfg.nodes.clightning.enable clightning-rest.group ++
|
||||||
|
@ -16,7 +16,7 @@ stdenvNoCC.mkDerivation ({
|
|||||||
name = "${src.name}-node_modules";
|
name = "${src.name}-node_modules";
|
||||||
nativeBuildInputs = [
|
nativeBuildInputs = [
|
||||||
makeWrapper
|
makeWrapper
|
||||||
(if args ? nodejs then args.nodejs else nodejs)
|
(args.nodejs or nodejs)
|
||||||
];
|
];
|
||||||
|
|
||||||
outputHashMode = "recursive";
|
outputHashMode = "recursive";
|
||||||
|
@ -42,7 +42,7 @@ let
|
|||||||
nixopsRelease = import "${src}/release.nix" {
|
nixopsRelease = import "${src}/release.nix" {
|
||||||
nixpkgs = pkgs.path;
|
nixpkgs = pkgs.path;
|
||||||
inherit pluginData;
|
inherit pluginData;
|
||||||
p = (p: with p; [ aws hetzner vbox ]);
|
p = p: with p; [ aws hetzner vbox ];
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
nixopsRelease.build.${builtins.currentSystem}
|
nixopsRelease.build.${builtins.currentSystem}
|
||||||
|
@ -2,11 +2,9 @@
|
|||||||
|
|
||||||
buildPythonPackageWithDepsCheck rec {
|
buildPythonPackageWithDepsCheck rec {
|
||||||
pname = "pyln-client";
|
pname = "pyln-client";
|
||||||
version = clightning.version;
|
inherit (clightning) src version;
|
||||||
format = "pyproject";
|
format = "pyproject";
|
||||||
|
|
||||||
inherit (clightning) src;
|
|
||||||
|
|
||||||
nativeBuildInputs = [ poetry-core ];
|
nativeBuildInputs = [ poetry-core ];
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -11,11 +11,9 @@
|
|||||||
|
|
||||||
buildPythonPackageWithDepsCheck rec {
|
buildPythonPackageWithDepsCheck rec {
|
||||||
pname = "pyln-proto";
|
pname = "pyln-proto";
|
||||||
version = clightning.version;
|
inherit (clightning) src version;
|
||||||
format = "pyproject";
|
format = "pyproject";
|
||||||
|
|
||||||
inherit (clightning) src;
|
|
||||||
|
|
||||||
nativeBuildInputs = [ poetry-core ];
|
nativeBuildInputs = [ poetry-core ];
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
|
@ -24,7 +24,7 @@ buildPythonPackage rec {
|
|||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
description = "Twisted bindings for ZeroMQ";
|
description = "Twisted bindings for ZeroMQ";
|
||||||
homepage = https://github.com/smira/txZMQ;
|
homepage = "https://github.com/smira/txZMQ";
|
||||||
license = licenses.gpl2;
|
license = licenses.gpl2;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -52,9 +52,9 @@ let
|
|||||||
isMatching = lib.hasPrefix sourcePrefix file;
|
isMatching = lib.hasPrefix sourcePrefix file;
|
||||||
in
|
in
|
||||||
# Nix has no boolean XOR, so use `if`
|
# Nix has no boolean XOR, so use `if`
|
||||||
lib.optionals (if shouldMatch then isMatching else !isMatching) (
|
lib.optionals (if shouldMatch then isMatching else !isMatching)
|
||||||
(map (service: { name = service; value = true; }) (builtins.attrNames services))
|
(map (service: { name = service; value = true; }) (builtins.attrNames services))
|
||||||
)
|
|
||||||
) systemdServices.definitionsWithLocations));
|
) systemdServices.definitionsWithLocations));
|
||||||
in
|
in
|
||||||
# Calculate set difference: matchingServices - nonMatchingServices
|
# Calculate set difference: matchingServices - nonMatchingServices
|
||||||
|
@ -12,9 +12,11 @@ let
|
|||||||
nixBitcoinModule
|
nixBitcoinModule
|
||||||
{
|
{
|
||||||
# Features required by the Python test suite
|
# Features required by the Python test suite
|
||||||
nix-bitcoin.secretsDir = "/secrets";
|
nix-bitcoin = {
|
||||||
nix-bitcoin.generateSecrets = true;
|
secretsDir = "/secrets";
|
||||||
nix-bitcoin.operator.enable = true;
|
generateSecrets = true;
|
||||||
|
operator.enable = true;
|
||||||
|
};
|
||||||
environment.systemPackages = with pkgs; [ jq ];
|
environment.systemPackages = with pkgs; [ jq ];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|