Commit Graph

118 Commits

Author SHA1 Message Date
Erik Arvstedt
5eaf104efe
secure-node: add sudo shell alias for doas
A convenience helper which allows running most `sudo` cmds while
`doas` is enabled.

This is safe because all args supported by both `sudo` and
`doas` that lead to command execution (like `-u <user>`)
have identical semantics.
2023-07-10 07:22:00 +02:00
Jonas Nick
75e54bbb90
spark-wallet: remove package and module 2023-06-02 10:50:11 +00:00
Erik Arvstedt
a4bfefd562
add presets/wireguard.nix
This allows using `lndconnect` via a direct WireGuard connection.
2023-03-11 20:10:54 +01:00
Erik Arvstedt
2af642f56a
improve comments
The comment in python-packackges was obsolete.
2023-01-26 11:17:02 +01:00
Erik Arvstedt
b616d7ac1b
profiles/hardened: support pure eval mode 2022-11-03 23:08:05 +01:00
Jonas Nick
34c4b61402
Merge fort-nix/nix-bitcoin#504: Add fulcrum module
7d7f2df006 fulcrum: add module (Erik Arvstedt)
edd8bd311c bitcoind-rpc-public-whitelist: add `ping`, `help` (Erik Arvstedt)
f946a7cd9b examples: use `mkDefault` for setting `system.stateVersion` (Erik Arvstedt)
79994d0bd2 tests: increase postgresql startup timeout (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 7d7f2df006

Tree-SHA512: 866f0a40bb81ceb2008e6efbd415eeee201b9e56aa5ebc60fd1bb4b6eda300155faaa2e6492d8145b3c6084b1e8ef5ec7d4e0ff694beb328d2e5ed755c9d04b4
2022-07-22 13:11:40 +00:00
Jonas Nick
d3664b09b4
Merge fort-nix/nix-bitcoin#511: Minor improvements
84b69dfb46 versioning: improve description wording (Erik Arvstedt)
9d20837b90 flake: remove `rec` (Erik Arvstedt)
c82e0ee294 clightning/plugins: format plugin defs, order alphabetically (Erik Arvstedt)
9ac3d93b27 improve comments, descriptions (Erik Arvstedt)
97b1a1d353 operator: improve descriptions (Erik Arvstedt)
27dd31ead5 clightning/feeadjuster: fix typo (Erik Arvstedt)
df5abd5eab lnd: move `wallet-unlock-password-file` setting to config (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 84b69dfb46

Tree-SHA512: e326ea37c4c4e766a634e90a069a441933dfac5a91e85c136e49dd17c16ee6e5e3fbfb15399f97321e412ab1624f1040116e2516e2635188f7e25454d5e9fe34
2022-07-17 19:48:40 +00:00
Otto Sabart
03b75a0254
bitcoind-remote: fix quotation marks in preStart script 2022-07-15 23:40:16 +02:00
Erik Arvstedt
9ac3d93b27
improve comments, descriptions 2022-07-15 01:50:11 +02:00
Erik Arvstedt
7d7f2df006
fulcrum: add module 2022-07-09 11:07:09 +02:00
Erik Arvstedt
acf5fe69ad
add standalone clightning-rest service
- Rename `services.rtl.cl-rest` to `services.clightning-rest`.
  `clightning-rest` is generally useful for connecting external REST clients
  to clightning.

- Add a dedicated network namespace in netns-isolation.

- Add nodeinfo entry.

- Add datadir (which contains REST auth data) to backups.
2022-05-06 16:26:40 +02:00
Erik Arvstedt
d959d5b558
secure-node: don't set nix-bitcoin.secretsDir
This simplifies the docs and the secure-node module.

This change doesn't affect users that deploy via krops.
2022-02-05 21:35:50 +01:00
Erik Arvstedt
2f0f1ec15a
hardened-extended: define kernelParams as separate strings
This is now checked by the modules.
2021-12-10 12:16:31 +00:00
Erik Arvstedt
6b539627ee
add presets/bitcoind-remote.nix
This simplifies integrating a remote bitcoind instance and
makes `bitcoin-cli` work with the remote node.

Add note regarding `whitelistedPort` to docs.
2021-12-07 15:35:33 +01:00
Erik Arvstedt
def64a73b8
treewide: use TODO-EXTERNAL
Use TODO-EXTERNAL for TODOs that depend on external factors like
upstream fixes.
2021-11-29 13:47:48 +01:00
Erik Arvstedt
9bda7305fd
services: add tor.* options
Split `enforceTor` into `tor.proxy` and `tor.enforce`.
By enabling `tor.proxy` without `tor.enforce`, a service can accept
incoming clearnet connections.
E.g., this allows setting up a Tor-proxied bitcoind node that accepts
RPC connections from LAN.
2021-11-29 13:22:43 +01:00
Erik Arvstedt
8aa28da110
remove recurring-donations module
This module has failed to evaluate for quite some time.
We might bring it back someday with bolt12 and LNURL support.
2021-11-28 21:18:39 +01:00
nixbitcoin
f569227410
rtl: add module 2021-11-09 14:13:42 +00:00
Jonas Nick
bac8518e7c
secure-node: stop pruning liquidd
There is no security reason why pruning should be enabled and therefore it
surprises users. Turning on pruning in the first place was simply a mistake.
2021-10-31 14:37:56 +00:00
Jonas Nick
347a0f3aee
secure-node: add dummy option to determine if the preset is enabled
This is useful for versioning.nix.
2021-10-31 14:00:46 +00:00
Erik Arvstedt
75b89f3957
electrs: adapt to version 0.9.0
- `waitfornewblock` was previously not included in the public RPC
  whitelist because it's reserved for testing and marked as hidden
  in bitcoind.

- electrs changed its verbosity settings. `-vv` is now the best choice
  for normal usage.

- bitcoind option `dataDirReadableByGroup` is now unused.
  Because it can be valuable for other use cases and implementing
  it is intricate, we're keeping it for now.

- test: keep `nc` connection open because otherwise the electrs
  RPC server would now close the connection before sending a response.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
f36df8f563
secure-node: remove redundant bitcoind settings
- `discover` is automatically disabled by bitcoind because we're
   setting `externalip` via the `nix-bitcoin.onionServices` mechanism
- `bech32` is bitcoind's default addresstype
2021-10-04 00:33:26 +02:00
Jonas Nick
0c31130ac8
secure-node: remove default bitcoin addnode
Onion v2 addresses are incompatible with the upcoming bitcoind version.
2021-09-19 20:03:40 +00:00
Erik Arvstedt
35fe939cf8
security: update /proc restriction mechanism
NixOS option `security.hideProcessInformation` for globally restricting
access to /proc has been removed.
Use per-service restrictions via 'ProtectProc' instead.

Rename
`nix-bitcoin.security.hideProcessInformation` to
`nix-bitcoin.security.dbusHideProcessInformation`
because this option now only implements the dbus restriction.
2021-08-14 10:46:41 +02:00
Erik Arvstedt
178a0dcf8f
services: use new 'tor' options 2021-08-14 10:46:41 +02:00
Erik Arvstedt
a25ceecca5
update to NixOS 21.05 2021-08-12 11:18:26 +02:00
nixbitcoin
3b938a909f
add hardened-extended preset 2021-04-02 10:59:09 +00:00
Jonas Nick
a4dabc7390
Remove nixops examples and documentation 2021-03-15 12:42:47 +00:00
kon
eb21012745 pool: add pkg, module & tests 2021-03-01 10:59:35 +01:00
nixbitcoin
b1c9e13033
bitcoind: secure-node remove assumevalid 2021-02-23 11:04:31 +00:00
nixbitcoin
2ca92a34a5
services: use doas if enabled
- Remove sudo from recurring-donations path because it's not used by
  the service

- Use doas instead of sudo in secure-node.nix
2021-02-09 12:44:04 +00:00
Erik Arvstedt
a344ae95c9
move mkHiddenService to lib 2021-02-04 12:39:54 +00:00
nixbitcoin
8c125ec48c
joinmarket-obwatcher: add pkg & module 2021-01-17 17:40:12 +00:00
Erik Arvstedt
e2922eb4ce
move rpc thread count setting to lightning modules 2021-01-14 13:25:12 +01:00
Erik Arvstedt
757a66b9bd
liquid: move rpcuser definition to module 2021-01-14 13:25:11 +01:00
Erik Arvstedt
0e00c39d47
secure-node: improve layout 2021-01-14 13:25:11 +01:00
Erik Arvstedt
5f7a7962f7
backups: remove redundant option 'program'
Not needed until we support other backup backends.
2021-01-14 13:25:11 +01:00
Erik Arvstedt
04d8560f86
secure-node: remove qrencode, tor from systemPackages
Keep jq which is useful for analyzing service cli output.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
323a431aba
improve nodeinfo
- enable usage outside of secure-node.nix
- use json as the output format
- show ports
- also show local addresses, which is particularly useful when
  netns-isolation is enabled
- only show enabled services
2021-01-14 13:25:10 +01:00
Erik Arvstedt
f6b883a9ac
remove webindex
This module is outdated and incomplete. We can readd an improved version in
the future.

Move nanopos nginx proxy tests to the nanopos test.
2021-01-14 13:25:10 +01:00
Erik Arvstedt
2a240d6f4a
enable-tor: disable default onion services for clightning, lnd, btcpayserver
In case of btcpayserver the default onion service is a security risk
because any visitor can register an admin account on a freshly setup node.
2021-01-14 13:25:09 +01:00
Erik Arvstedt
bd2a46cb73
spark-wallet: use onionServices
Also remove the unneeded definition of ReadWritePaths because the
service doesn't need write access to onion files.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
87fb9f246b
add 'enable-tor' preset
Move 'enforceTor' and onion-service definitions from secure-node.nix.
Use the onionServices module to define onion services.

Onion services now automatically work for services that bind to an INADDR_ANY (`0.0.0.0`) address.
2021-01-14 13:25:08 +01:00
Erik Arvstedt
93562f76dd
onionAddresses: remove redundant option 'enable'
The service can be disabled via `onion-addresses.access = mkForce {};`

Also remove redundant description.
2021-01-14 13:25:06 +01:00
Erik Arvstedt
5c6977b006
rename onion-chef -> nix-bitcoin.onionAddresses
This clarifies its function.
2021-01-14 13:25:05 +01:00
Erik Arvstedt
39f16c0b4a
liquidd: add consistent address options 2021-01-14 13:25:05 +01:00
Erik Arvstedt
b5d76ba1b3
electrs: add consistent address options 2021-01-14 13:25:04 +01:00
Erik Arvstedt
8fa32b7f91
btcpayserver: add consistent address options 2021-01-14 13:25:04 +01:00
Erik Arvstedt
e78a609687
clightning: add consistent address options
Also remove option 'autolisten'. This option has no effect because
option 'bind-addr' is always set.
2021-01-14 13:25:04 +01:00
Erik Arvstedt
b41a720c28
lnd: add consistent address options
Also fix btcpayserver by connecting to the lnd restAddress instead of the p2p address.
2021-01-14 13:25:03 +01:00