Merge fort-nix/nix-bitcoin#450: Misc. improvements

d959d5b558 secure-node: don't set `nix-bitcoin.secretsDir` (Erik Arvstedt)
7b0c3d48c9 docs/services.md: link to clightning plugin list (Erik Arvstedt)
7402212263 examples/configuration.nix: disable `passwordAuthentication` (Erik Arvstedt)
e093bb64d9 examples/configuration.nix: fix links to `docs/services.md` (Erik Arvstedt)
d41a550355 fetch-release: export GNUPGHOME (Erik Arvstedt)
397b372cf3 bitcoind: improve option `rpc.users` (Erik Arvstedt)
679e7b6544 bitcoind: remove unneeded tmpfile rule (Erik Arvstedt)
98f419233f bitcoind: don't log timestamps (Erik Arvstedt)
6f8b4d9ebe flake: optimize nixpkgs importing (Erik Arvstedt)
16e2d4c8b7 flake: remove unneeded indirection in legacyPackages (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK d959d5b558

Tree-SHA512: e62fcf36ac77df62b9f86279d0ebac807525d188cbf1ee5c13cf1406b3caadad0f2df7527b0c8713259cbc6d5cdfa006f01e90d5377f974213f204a2f85a8ae6
Jonas Nick 2022-02-06 17:00:40 +00:00
commit 0ac9d6f4c8
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
8 changed files with 64 additions and 42 deletions


@ -250,9 +250,4 @@ following default values:
- If you're using the krops deployment method: `/var/src/secrets` - If you're using the krops deployment method: `/var/src/secrets`
- Otherwise: - Otherwise: `/etc/nix-bitcoin-secrets`
- `/secrets` (if you're using the `secure-node.nix` template)
- `/etc/nix-bitcoin-secrets` (otherwise)
`/secrets` only exists to provide backwards compatibility for users of the
`secure-node.nix` template.


@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node
Otherwise, you can access it via Tor Browser at `http://<onion-address>`. Otherwise, you can access it via Tor Browser at `http://<onion-address>`.
You can find the `<onion-address>` with command `nodeinfo`. You can find the `<onion-address>` with command `nodeinfo`.
The default password location is `/secrets/rtl-password`. The default password location is `$secretsDir/rtl-password`.
See: [Secrets dir](./configuration.md#secrets-dir)
# Connect to spark-wallet # Connect to spark-wallet
### Requirements ### Requirements
@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps:
Follow the on-screen instructions and write down your seed. Follow the on-screen instructions and write down your seed.
In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
from `/secrets/jm-wallet-password` and use the suggested default wallet name from `$secretsDir/jm-wallet-password` and use the suggested default wallet name
`wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply `wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
replace the password string in your local secrets directory. replace the password string in your local secrets directory.
See: [Secrets dir](./configuration.md#secrets-dir)
## Run the tumbler ## Run the tumbler
@ -391,15 +393,10 @@ See [here](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master
# clightning # clightning
## Plugins ## Plugins
There is a number of [plugins](https://github.com/lightningd/plugins) available for clightning.
See [`Readme: Features → clightning`](../README.md#features) or [search.nixos.org][1] for a complete list.
There are a number of [plugins](https://github.com/lightningd/plugins) available for clightning. Currently `nix-bitcoin` supports: [1]: https://search.nixos.org/flakes?channel=unstable&from=0&size=30&sort=relevance&type=options&query=services.clightning.plugins
- helpme
- monitor
- prometheus
- rebalance
- summary
- zmq
You can activate and configure these plugins like so: You can activate and configure these plugins like so:
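Review bot: the `[1]` link hardcodes `channel=unstable`, so the `services.clightning.plugins` options it lists are those of the unstable flake index and may differ from the release a reader is actually running; the README link is the stable reference, so consider stating that `[1]` is a live (unstable) view.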


@ -51,7 +51,7 @@
# nix-bitcoin.onionServices.clightning.public = true; # nix-bitcoin.onionServices.clightning.public = true;
# #
# == Plugins # == Plugins
# See ../docs/usage.md for the list of available plugins. # See ../README.md (Features → clightning) for the list of available plugins.
# services.clightning.plugins.prometheus.enable = true; # services.clightning.plugins.prometheus.enable = true;
### LND ### LND
@ -154,7 +154,7 @@
# services.hardware-wallets.ledger = true; # services.hardware-wallets.ledger = true;
# #
# Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in # Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
# `docs/usage.md`. # `../docs/services.md`.
# services.hardware-wallets.trezor = true; # services.hardware-wallets.trezor = true;
### lightning-loop ### lightning-loop
@ -234,10 +234,15 @@
networking.hostName = "host"; networking.hostName = "host";
time.timeZone = "UTC"; time.timeZone = "UTC";
# FIXME: Add your SSH pubkey services.openssh = {
services.openssh.enable = true; enable = true;
passwordAuthentication = false;
};
users.users.root = { users.users.root = {
openssh.authorizedKeys.keys = [ "" ]; openssh.authorizedKeys.keys = [
# FIXME: Replace this with your SSH pubkey
"ssh-ed25519 AAAAC3..."
];
}; };
# FIXME: Uncomment this to allow the operator user to run # FIXME: Uncomment this to allow the operator user to run
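Review bot: `passwordAuthentication = false;` is the right default for a node exposed to the network, but the `"ssh-ed25519 AAAAC3..."` placeholder is not a parseable public key, so a user who deploys before replacing it has no root login path left (password auth off, no valid key). Consider an assertion that `openssh.authorizedKeys.keys` no longer contains the placeholder. Also note that NixOS's `services.openssh.challengeResponseAuthentication` (renamed `kbdInteractiveAuthentication` in later releases) defaults to true and can still admit a password through PAM's keyboard-interactive path, so disabling it alongside `passwordAuthentication` closes that route as well.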
@ -261,5 +266,5 @@
# The nix-bitcoin release version that your config is compatible with. # The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide hints for migrating your config to the new release. # an error and provide hints for migrating your config to the new release.
nix-bitcoin.configVersion = "0.0.57"; nix-bitcoin.configVersion = "0.0.65";
} }


@ -18,8 +18,8 @@
lib = { lib = {
mkNbPkgs = { mkNbPkgs = {
system system
, pkgs ? import nixpkgs { inherit system; } , pkgs ? nixpkgs.legacyPackages.${system}
, pkgsUnstable ? import nixpkgsUnstable { inherit system; } , pkgsUnstable ? nixpkgsUnstable.legacyPackages.${system}
}: }:
import ./pkgs { inherit pkgs pkgsUnstable; }; import ./pkgs { inherit pkgs pkgsUnstable; };
}; };
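Review bot: `nixpkgs.legacyPackages.${system}` reuses the flake's single pre-evaluated package set, which is the optimisation the commit is after, but unlike `import nixpkgs { inherit system; }` it cannot take `config` or `overlays`; since `pkgs` and `pkgsUnstable` remain overridable arguments of `mkNbPkgs`, a caller that needs `allowUnfree` or an overlay can still pass its own set, and that is worth a one-line comment next to the defaults.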
@ -65,7 +65,7 @@
} // (flake-utils.lib.eachSystem supportedSystems (system: } // (flake-utils.lib.eachSystem supportedSystems (system:
let let
pkgs = import nixpkgs { inherit system; }; pkgs = nixpkgs.legacyPackages.${system};
nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; }; nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; };
@ -111,7 +111,7 @@
# Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`) # Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`)
# via this flake. # via this flake.
# `packages` is not allowed to contain nested pkgs attrsets. # `packages` is not allowed to contain nested pkgs attrsets.
legacyPackages = { inherit nbPkgs; }; legacyPackages = nbPkgs;
defaultApp = apps.vm; defaultApp = apps.vm;


@ -14,15 +14,15 @@ fi
TMPDIR=$(mktemp -d) TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT trap "rm -rf $TMPDIR" EXIT
GPG_HOME=$TMPDIR/gpg-home export GNUPGHOME=$TMPDIR/gpg-home
mkdir -p -m 700 "$GPG_HOME" mkdir -p -m 700 "$GNUPGHOME"
# Import key # Import key
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Check that exactly one key was imported # Check that exactly one key was imported
(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1)) (($(gpg --list-keys --with-colons | grep -c pub) == 1))
# Verify key fingerprint # Verify key fingerprint
gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
# Fetch nar-hash of release # Fetch nar-hash of release
cd $TMPDIR cd $TMPDIR
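Review bot: the key-count check `(($(gpg --list-keys --with-colons | grep -c pub) == 1))` matches the string `pub` anywhere in the colon-separated output rather than the record-type field, so a user ID or comment containing `pub` would skew the count; anchor it with `grep -c '^pub:'`. The switch to `export GNUPGHOME` is otherwise sound, and `mkdir -p -m 700 "$GNUPGHOME"` keeps gpg from complaining about unsafe homedir permissions.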
@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
# Verify signature for nar-hash # Verify signature for nar-hash
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || { gpg --verify nar-hash.txt.asc &> /dev/null || {
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository." >&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
exit 1 exit 1
} }
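Review bot: `gpg --verify nar-hash.txt.asc` succeeds for a signature by any key in `$GNUPGHOME`; that is safe here only because the earlier hunk pins the keyring to exactly one key with the expected fingerprint. If that check is ever relaxed, bind the verification explicitly, e.g. `gpg --status-fd 1 --verify nar-hash.txt.asc | grep -q 'VALIDSIG 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366'`, so the signing key is checked at the point of use rather than by keyring contents.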


@ -101,9 +101,14 @@ let
}; };
users = mkOption { users = mkOption {
default = {}; default = {};
description = ''
Allowed users for JSON-RPC connections.
'';
example = { example = {
alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; alice = {
bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99"; passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];
};
}; };
type = with types; attrsOf (submodule ({ name, ... }: { type = with types; attrsOf (submodule ({ name, ... }: {
options = { options = {
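Review bot: the new `description` ("Allowed users for JSON-RPC connections.") is terser than the one it replaces; since `passwordHMAC` values end up as `rpcauth` entries (see `extraRpcauth` further down) and `rpcwhitelist` limits the listed user to exactly those RPC methods, say so here, otherwise the example's `rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];` is the only hint that per-user method restriction is supported.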
@ -138,9 +143,6 @@ let
}; };
}; };
})); }));
description = ''
RPC user information for JSON-RPC connections.
'';
}; };
}; };
regtest = mkOption { regtest = mkOption {
@ -282,6 +284,7 @@ let
configFile = builtins.toFile "bitcoin.conf" '' configFile = builtins.toFile "bitcoin.conf" ''
# We're already logging via journald # We're already logging via journald
nodebuglogfile=1 nodebuglogfile=1
logtimestamps=0
startupnotify=/run/current-system/systemd/bin/systemd-notify --ready startupnotify=/run/current-system/systemd/bin/systemd-notify --ready
@ -366,7 +369,6 @@ in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
]; ];
systemd.services.bitcoind = { systemd.services.bitcoind = {
@ -386,7 +388,12 @@ in {
'' ''
) (builtins.attrNames cfg.rpc.users); ) (builtins.attrNames cfg.rpc.users);
in '' in ''
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"} ${optionalString cfg.dataDirReadableByGroup ''
if [[ -e '${cfg.dataDir}/blocks' ]]; then
chmod -R g+rX '${cfg.dataDir}/blocks'
fi
''}
cfg=$( cfg=$(
cat ${configFile} cat ${configFile}
${extraRpcauth} ${extraRpcauth}
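Review bot: with the tmpfiles rule for `${cfg.dataDir}/blocks` removed, the directory does not exist on the very first start, so the guarded `chmod -R g+rX '${cfg.dataDir}/blocks'` is skipped then and group read access to `blocks` only takes effect from the next restart; block files bitcoind writes later in the same run get their mode from its umask until then (as was already the case before this change). Worth stating in the `dataDirReadableByGroup` option description so users of group-readable data do not assume it is effective immediately after a fresh deploy.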


@ -18,9 +18,6 @@ in {
}; };
config = { config = {
# For backwards compatibility only
nix-bitcoin.secretsDir = mkDefault "/secrets";
networking.firewall.enable = true; networking.firewall.enable = true;
nix-bitcoin.security.dbusHideProcessInformation = true; nix-bitcoin.security.dbusHideProcessInformation = true;


@ -181,6 +181,27 @@ let
once. once.
''; '';
} }
{
version = "0.0.65";
condition = config.nix-bitcoin ? secure-node-preset-enabled &&
config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets";
message = ''
The `secure-node.nix` preset does not set the secrets directory
to "/secrets" anymore.
Instead, the default location "/etc/nix-bitcoin-secrets" is used.
To upgrade, choose one of the following:
- Continue using "/secrets":
Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix.
- Move your secrets to the default location:
Run the following command as root on your node:
`rsync -a /secrets/ /etc/nix-bitcoin-secrets`.
You can delete the old "/secrets" directory after deploying the new system
config to your node.
'';
}
]; ];
mkOnionServiceChange = service: { mkOnionServiceChange = service: {
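Review bot: in the condition, `?` binds tighter than `&&` in Nix, so `config.nix-bitcoin ? secure-node-preset-enabled && config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets"` parses as intended without parentheses, though a pair would make the precedence obvious to readers. In the message, the trailing slash in `rsync -a /secrets/ /etc/nix-bitcoin-secrets` is what makes rsync copy the contents rather than creating `/etc/nix-bitcoin-secrets/secrets`, and `-a` preserves the restrictive ownership and modes the secrets rely on; keep both inside the backticks so the hint survives reflowing.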